Debian server integrated with AD - can only see one group for some users


Strange issue here. I have set up AD integration on a couple of new servers, using realmd / sssd, and am using AllowGroups in sshd_config to control access to the server.

This is working for users in my team. However, a newly created user in AD was unable to log in. Looking in auth.log, I see “user name@domain from ipaddress not allowed because none of user's groups are listed in AllowGroups”, yet the user is a member of a listed group.

I have tried using the groups command for the users, and found that for those who can log in, the full list of AD groups is returned. For the new user and several others, however, the only group returned is “domain users@domain”.

I suspect that this is a permissions issue in Active Directory, but I am not sure what to look for. I will talk to our AD admins, but any advice would be welcome.
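A diagnostic sketch for the symptom described above, added here and not part of the original post: it pulls the denied users out of auth.log, asks NSS for each user's group list, and compares that list with the AllowGroups patterns. The sample log lines, config, names and addresses are constructed; pattern matching uses Python's `fnmatch` as an approximation of sshd's matcher, and negated (`!`) patterns are not handled.

```python
import fnmatch, grp, os, pwd, re, shlex

# sshd's denial message, as quoted in the post; the user name may contain '@'.
DENIED = re.compile(r"User (\S+) from \S+ not allowed because none of user's "
                    r"groups are listed in AllowGroups")

# Constructed sample input (names and addresses are made up).
SAMPLE_LOG = """\
Mar  3 10:01:12 srv1 sshd[811]: User newuser@example.test from 192.0.2.10 not allowed because none of user's groups are listed in AllowGroups
Mar  3 10:05:40 srv1 sshd[902]: Accepted password for teammate@example.test from 192.0.2.11 port 50122 ssh2
Mar  3 10:09:03 srv1 sshd[950]: User newuser@example.test from 192.0.2.10 not allowed because none of user's groups are listed in AllowGroups
"""
SAMPLE_CONFIG = 'PermitRootLogin no\nAllowGroups "linux admins@example.test" sudo  # access\n'

def allow_groups(config_text):
    """Patterns from every AllowGroups line; quoted names may contain spaces."""
    patterns = []
    for line in config_text.splitlines():
        words = shlex.split(line, comments=True)
        if words and words[0].lower() == "allowgroups":
            patterns.extend(words[1:])
    return patterns

def resolved_groups(user):
    """Group names NSS (sssd on these hosts) returns for the user."""
    names = []
    for gid in os.getgrouplist(user, pwd.getpwnam(user).pw_gid):
        try:
            names.append(grp.getgrgid(gid).gr_name)
        except KeyError:          # GID with no resolvable name
            names.append(str(gid))
    return names

def audit(log_text, config_text, resolver=resolved_groups):
    """For each denied user: resolved groups, AllowGroups matches, and whether
    only a single (primary) group came back, the symptom from the post."""
    patterns = allow_groups(config_text)
    report = {}
    for user in dict.fromkeys(DENIED.findall(log_text)):
        groups = resolver(user)
        matched = [g for g in groups
                   if any(fnmatch.fnmatchcase(g, p) for p in patterns)]
        report[user] = {"groups": groups, "matched": matched,
                        "primary_only": len(groups) == 1}
    return report

if __name__ == "__main__":
    # Stand-in resolver so the sample runs off-host; drop it on a real server.
    fake = {"newuser@example.test": ["domain users@example.test"]}
    print(audit(SAMPLE_LOG, SAMPLE_CONFIG, resolver=fake.__getitem__))
```

On an affected server, call `audit()` with the contents of `/var/log/auth.log` and `/etc/ssh/sshd_config` and the default resolver; a user reported with `primary_only` set is one for whom the lookup returned a single group.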