No good ideas in the absence of logs.

Keep in mind the user access filter is applied atop the user entry itself. The only thing I can think of is if the sssd was contacting the GC instead of the LDAP port, maybe the search filter then doesn't work because it is hitting some domain-local groups in the middle of the group membership tree? Disabling the GC temporarily for a test (ad_enable_gc=false) might be a good thing to at least try.

In general for restricting group memberships especally given nested groups the simple access provider is a better choice. There is one problem though -- in case you bypass the PAM stack during authentication (e.g. if you authenticate with a ssh key) then the simple access provider does not check account expiration, the LDAP/AD access providers do.

Hi Jakub,

I've disabled GC and the same result, not able to login.

I've attached all the logs with lvl 9 enabled. Please take a look over them when you have the time/energy.

I need the AD provider to work as it worked in the 1.15.2.
The simple provider is very tempting but until the account expiration is supported I cannot use it.

Thank you!

Thank you for taking time to submit this request for SSSD. Unfortunately this issue was not given priority and the team lacks the capacity to work on it at this time.

Given that we are unable to fulfill this request I am closing the issue as wontfix.

If the issue still persist on recent SSSD you can request re-consideration of this decision by reopening this issue. Please provide additional technical details about its importance to you.

Thank you for understanding.

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/4889

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.