On 02 Dec 2015, at 21:42, Eric Biggers ebiggers@fedoraproject.org wrote:
The apparent change in ad_gpo_access_control in sssd-1.13.2 in Fedora 22 broke my setup as well --- although for me it was a "permission denied" failure in the "account" PAM module which only occurred when logging in with xscreensaver (not when logging in at a virtual console).
Is this possibly an SSSD bug, or is it a broken AD setup?
Probably a bug in SSSD. Please see tickets https://fedorahosted.org/sssd/ticket/2891 and https://fedorahosted.org/sssd/ticket/2889.
We need the sssd logs, including the domain log and the gpo_child.log
Ticket #2891 includes a workaround.