[Freeipa-users] pam_sss account Access denied (permission denied)

I've been struggling with this all day and I'm getting nowhere. We're wanting to migrate from a 389-DS authenticated network to FreeIPA. We have a few Linux servers scattered around the world that authenticate against our current 389 directory and we're wanting to do this with minimal changes to these servers. The thought process is to perform LDAP auth against FreeIPA and filter access permissions by way of an LDAP access filter based on group membership as we are currently doing with 389, so we just need to make config changes to sssd to point to the new servers (and install the required certificate to do so). FreeIPA servers are already setup and replicating. Set up a couple of test groups and a handful of test user accounts. I can successfully authenticate these users, but I get a permission denied seemingly at the access filter stage. Oct 27 04:15:09 autugd6998 sshd[9984]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.66.67.69 user=markj Oct 27 04:15:09 autugd6998 sshd[9984]: pam_sss(sshd:account): Access denied for user markj: 6 (Permission denied) Same result for a console login. To test this, I changed the access_provider to 'permit' and I can successfully log in to the server. So, it's as if I'm having issues with my access filter, but everything I've tried is giving me the same result. I've used these same filters in ldapsearch tests and they seem to work fine. For instance, I've created a group called "serveradmins" and placed a couple of users in that group. My sssd.conf ldap_access_filter looks like this: access_provider = ldap ldap_access_filter = memberOf=cn=serveradmins,cn=groups,cn=accounts,dc=ipa,dc=domain,dc=com But that just isn't working. However, if I issue the following, I can see the group members: $ ldapsearch -x -W -LLL -H ldap://ussv4p6004.ipa.domain.com -b cn=serveradmins,cn=groups,cn=accounts,dc=ipa,dc=domain,dc=com -D "uid=markj,cn=users,cn=accounts,dc=ipa,dc=domain,dc=com" Enter LDAP Password: dn: cn=serveradmins,cn=groups,cn=accounts,dc=ipa,dc=domain,dc=com member: uid=mark,cn=users,cn=accounts,dc=ipa,dc=domain,dc=com member: uid=markj,cn=users,cn=accounts,dc=ipa,dc=domain,dc=com cn: serveradmins objectClass: top objectClass: groupofnames objectClass: nestedgroup objectClass: ipausergroup objectClass: ipaobject ipaUniqueID: 2e489422-36c2-11ec-a8a8-52540031af07 I've tried different groups including the default 'ipausers' group which everyone is a member of but I'm getting nowhere. For the record, here's a snippet from the server audit.log when I fail to login. Not sure if that "PAM:accounting grantors=?" bit where the USER_ACCT fails is indicative of the problem or not but if so, I'm not sure what that means and how to resolve it. However, the same server works on the old 389 directory using LDAP auth - just have no idea what I'm missing. type=USER_AUTH msg=audit(1635321247.300:1039): pid=10122 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=pubkey acct="markj" exe="/usr/sbin/sshd" hostname=? addr=10.66.67.69 terminal=ssh res=failed' type=USER_AUTH msg=audit(1635321252.664:1040): pid=10122 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:authentication grantors=pam_succeed_if,pam_succeed_if,pam_sss acct="markj" exe="/usr/sbin/sshd" hostname=10.66.67.69 addr=10.66.67.69 terminal=ssh res=success' type=USER_ACCT msg=audit(1635321252.855:1041): pid=10122 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:accounting grantors=? acct="markj" exe="/usr/sbin/sshd" hostname=10.66.67.69 addr=10.66.67.69 terminal=ssh res=failed' type=USER_AUTH msg=audit(1635321252.856:1042): pid=10122 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=password acct="markj" exe="/usr/sbin/sshd" hostname=? addr=10.66.67.69 terminal=ssh res=failed'