
Ubuntu 16 - Active Directory - Can ssh - cannot rdp


I've been working on getting a Linux server built for our devs that is joined to our Active Directory Server. Using a combination of Realm and SSSD I have SSH working fine with all users, but trying to remote desktop in to xrdp is failing with a

Nov  7 04:54:49 ip-10-10-100-177 xrdp-sesman: pam_unix(xrdp-sesman:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=ricktbaker
Nov  7 04:54:49 ip-10-10-100-177 xrdp-sesman: pam_sss(xrdp-sesman:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost= user=ricktbaker
Nov  7 04:54:49 ip-10-10-100-177 xrdp-sesman: pam_sss(xrdp-sesman:account): Access denied for user ricktbaker: 6 (Permission denied)

My /etc/sssd/sssd.conf

[sssd]
domains = my.domain.com
config_file_version = 2
services = nss, pam

[domain/my.domain.com]
ad_domain = my.domain.com
krb5_realm = MY.DOMAIN.COM
realmd_tags = joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%u
simple_allow_users = $
access_provider = ad

I've tried switching access_provider to simple, but then I can't ssh either. Not quite sure what I'm missing, but will provide any logs or info that might help.

---- EDIT -----

Adding the following line to the domain portion of sssd.conf seems to fix it, but I'm not sure if this is the proper fix:

ad_gpo_access_control = permissive

Solution

  • After running this setup for well over a year, the fix I had mentioned in my original question definitely works. So adding as an official answer. Just needed the following in my /etc/sssd/sssd.conf

    ad_gpo_access_control = permissive
    

    Also have a blog post about it:

    http://ricktbaker.com/2017/11/08/ubuntu-16-with-active-directory-connectivity/
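
An added example, not part of the original question, answer or blog post: in the log above pam_sss passes the auth phase and denies the account phase for the PAM service xrdp-sesman, which is where SSSD's AD GPO access control applies, and in permissive mode those rules are evaluated but not enforced for any PAM service. The sketch below audits an sssd.conf for that state and for an explicit logon-right mapping of a PAM service. The function and sample names are hypothetical, and the second sample's `ad_gpo_map_remote_interactive = +xrdp-sesman` (an option from sssd-ad(5)) is an assumed alternative, not something the page tested.

```python
import configparser

# Logon-right mapping options from sssd-ad(5); "+name" adds a PAM service.
GPO_MAP_OPTIONS = tuple("ad_gpo_map_" + right for right in (
    "interactive", "remote_interactive", "network", "batch",
    "service", "permit", "deny"))

def audit_gpo(conf_text, pam_service):
    """Per domain using access_provider = ad: the GPO mode, whether it is
    enforced, and which ad_gpo_map_* option explicitly adds pam_service."""
    cp = configparser.ConfigParser(interpolation=None)  # keep %u literal
    cp.read_string(conf_text)
    report = {}
    for section in cp.sections():
        dom = cp[section]
        if not section.startswith("domain/") or dom.get("access_provider") != "ad":
            continue
        mode = dom.get("ad_gpo_access_control", "unset").lower()
        mapped_by = None
        for opt in GPO_MAP_OPTIONS:
            entries = [e.strip() for e in dom.get(opt, "").split(",")]
            if "+" + pam_service in entries:
                mapped_by = opt
        report[section[len("domain/"):]] = {
            "mode": mode,
            # permissive only logs would-be denials; None = version default applies
            "gpo_enforced": {"enforcing": True, "permissive": False,
                             "disabled": False}.get(mode),
            "mapped_by": mapped_by,
        }
    return report

# Constructed sample: a subset of the question's sssd.conf plus the accepted setting.
PERMISSIVE = """\
[sssd]
domains = my.domain.com

[domain/my.domain.com]
access_provider = ad
fallback_homedir = /home/%u
ad_gpo_access_control = permissive
"""
# Constructed alternative (assumption): keep enforcement, map xrdp's PAM service.
MAPPED = PERMISSIVE.replace(
    "ad_gpo_access_control = permissive",
    "ad_gpo_access_control = enforcing\nad_gpo_map_remote_interactive = +xrdp-sesman")

if __name__ == "__main__":
    for name, conf in (("permissive", PERMISSIVE), ("mapped", MAPPED)):
        print(name, audit_gpo(conf, "xrdp-sesman"))
```

A result with `gpo_enforced` false means every PAM service on the host, not only xrdp-sesman, is outside GPO logon-right enforcement.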