Original test:
Using an AD user, got an "invalid user or password" loop upon entering "d3".
Using a local user in /etc/passwd, it worked.
Findings:
By default, AD integrated with PAM uses Windows GPO policies (like local users, blah blah).
When you SSH and log into Linux, you are authenticated with a token to AD; the user is run through the PAM sshd module (identical to the D3 module).
When you enter "d3" at the bash shell to get into D3, it does a query against a different PAM module called d3 (identical to sshd). That PAM module (d3) is not authorized to run PAM authentication. Consequently, it cannot query Active Directory with a token.
Solution:
Add this line to /etc/sssd/sssd.conf:
ad_gpo_map_interactive = +d3
You'll then need to reboot D3 and maybe Linux as well.
------------------------------
Brian S. Cram
Principal Technical Support Engineer
Rocket Software
------------------------------
