I have a number of servers running Ubuntu 20.04 LTS joined to Windows Active Directory via this procedure - https://www.server-world.info/en/note?os=Ubuntu_20.04&p=realmd
Over this weekend, I ran a round of updates that included upgrading the sssd package from version 2.2.3-3ubuntu0.4 to 2.2.3-3ubuntu0.6, and after that update none of the AD users were able to log on. The following was recorded in /var/log/auth.log:
Jul 18 05:43:00 server sshd[88633]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.187.1 user=aduser
Jul 18 05:43:00 server sshd[88633]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.187.1 user=aduser
Jul 18 05:43:00 server sshd[88633]: pam_sss(sshd:account): Access denied for user aduser: 6 (Permission denied)
Jul 18 05:43:00 server sshd[88633]: Failed password for aduser from 192.168.187.1 port 53472 ssh2
Jul 18 05:43:00 server sshd[88633]: fatal: Access denied for user aduser by PAM account configuration [preauth]
Downgrading the whole suite to version 2.2.3-3ubuntu0.1 (2.2.3-3ubuntu0.4 was not available) resolved the problem for the time being, but I'm fairly certain that it will come back if I don't do something about it. Where should I look to determine the root cause of these PAM failures?
Edit: Found this - https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1934997 - the referenced workaround (ad_gpo_access_control = permissive in /etc/sssd/sssd.conf) resolves the problem.
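The telltale pattern in the log above is that pam_sss accepts the password in the auth phase and then denies the same session in the account phase, which is where sssd's AD GPO access control runs. The following is an added example (not part of the question or of sssd) that scans auth.log text for that pattern per sshd PID; the sample lines are constructed to mirror the excerpt, and the function name is my own.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the auth.log excerpt in the question
# (second session succeeds, third fails in the auth phase: neither should be flagged).
SAMPLE_LOG = """\
Jul 18 05:43:00 server sshd[88633]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.187.1 user=aduser
Jul 18 05:43:00 server sshd[88633]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.187.1 user=aduser
Jul 18 05:43:00 server sshd[88633]: pam_sss(sshd:account): Access denied for user aduser: 6 (Permission denied)
Jul 18 05:43:00 server sshd[88633]: Failed password for aduser from 192.168.187.1 port 53472 ssh2
Jul 18 05:43:00 server sshd[88633]: fatal: Access denied for user aduser by PAM account configuration [preauth]
Jul 18 05:44:10 server sshd[88700]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.187.2 user=otheruser
Jul 18 05:44:10 server sshd[88700]: Accepted password for otheruser from 192.168.187.2 port 53480 ssh2
Jul 18 05:45:00 server sshd[88800]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.187.3 user=baduser
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
AUTH_OK_RE = re.compile(r"pam_sss\(sshd:auth\): authentication success;.*\buser=(?P<user>\S+)")
ACCT_DENIED_RE = re.compile(r"pam_sss\(sshd:account\): Access denied for user (?P<user>\S+): (?P<code>\d+)")


def find_account_phase_denials(log_text):
    """Return sessions where pam_sss authenticated the user but the account
    phase then denied access. A correct password rejected in the account
    phase points at sssd's access-control evaluation (e.g. AD GPO checks),
    not at a bad credential, so these are the events to alert on."""
    sessions = defaultdict(dict)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an sshd line; ignore
        pid, msg = m.group("pid"), m.group("msg")
        if (a := AUTH_OK_RE.search(msg)):
            sessions[pid]["auth_ok_user"] = a.group("user")
            sessions[pid]["ts"] = m.group("ts")
        elif (d := ACCT_DENIED_RE.search(msg)):
            sessions[pid]["denied_user"] = d.group("user")
            sessions[pid]["code"] = int(d.group("code"))
    findings = []
    for pid, s in sessions.items():
        # Only flag when the denied user is the one that just authenticated in this session.
        if "auth_ok_user" in s and s.get("denied_user") == s["auth_ok_user"]:
            findings.append({"pid": pid, "user": s["denied_user"], "code": s["code"], "ts": s["ts"]})
    return findings


if __name__ == "__main__":
    for f in find_account_phase_denials(SAMPLE_LOG):
        print(f"{f['ts']} pid={f['pid']} user={f['user']}: auth ok but account phase denied "
              f"(code {f['code']}); check sssd access control / ad_gpo_access_control")
```

Running it over the real log (e.g. `python3 check.py < /var/log/auth.log` after swapping SAMPLE_LOG for stdin) gives a quick way to confirm whether a fresh sssd update has reintroduced the GPO denial before users start reporting it.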