Hi Experts,


  1. Environment
    1. Windows Server 2012 R2 Active Directory.
    2. sudoRule schema extended
    3. CentOS 7.3 (1611) client, joined to the domain using realm
    4. SELinux -> permissive
  2. Configuration files
    1. sssd.conf
      [sssd]
      domains = mydomain.com
      config_file_version = 2
      services = nss, pam, sudo

      [domain/mydomain.com]
      ad_domain = mydomain.com
      krb5_realm = MYDOMAIN.COM
      realmd_tags = manages-system joined-with-samba
      cache_credentials = True
      id_provider = ad
      krb5_store_password_if_offline = True
      default_shell = /bin/bash
      ldap_id_mapping = True
      use_fully_qualified_names = True
      fallback_homedir = /home/%u@%d
      access_provider = ad
      ad_gpo_access_control = enforcing


    2. smb.conf
      [global]
          workgroup = SAMBA
          security = user

          passdb backend = tdbsam

          printing = cups
          printcap name = cups
          load printers = yes
          cups options = raw

      [homes]
          comment = Home Directories
          valid users = %S, %D%w%S
          browseable = No
          read only = No
          inherit acls = Yes

      [printers]
          comment = All Printers
          path = /var/tmp
          printable = Yes
          create mask = 0600
          browseable = No

      [print$]
          comment = Printer Drivers
          path = /var/lib/samba/drivers
          write list = root
          create mask = 0664
          directory mask = 0775


    3. nsswitch.conf
      passwd: files sss
      shadow: files sss
      group: files sss
      hosts: files dns myhostname
      bootparams: nisplus [NOTFOUND=return] files
      ethers: files
      netmasks: files
      networks: files
      protocols: files
      rpc: files
      services: files sss
      netgroup: files sss
      publickey: nisplus
      automount: files sss
      aliases: files nisplus
      sudoers: files sss


  3. Problem description
    1. After joining the CentOS 7 machine to the Active Directory domain, domain user logons to the machine via SSH are not stable.
    2. /var/log/secure shows:
      Jul 10 17:37:47 MyIssueMachine sshd[42400]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.150.15 user=MyUser@mydomain.com
      Jul 10 17:37:47 MyIssueMachine sshd[42400]: pam_sss(sshd:account): Access denied for user MyUser@mydomain.com: 4 (System error)
      Jul 10 17:37:47 MyIssueMachine sshd[42400]: Failed password for MyUser@mydomain.com from 192.168.150.15 port 51594 ssh2
      Jul 10 17:37:47 MyIssueMachine sshd[42400]: fatal: Access denied for user MyUser@mydomain.com by PAM account configuration [preauth]
    3. /var/log/sssd/sssd_pam.log shows:
      (Mon Jul 10 16:02:24 2017) [sssd[pam]] [pam_dp_process_reply] (0x0200): received: [4 (System error)][mydomain.com]
      (Mon Jul 10 16:02:24 2017) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [4]: System error.
      (Mon Jul 10 16:02:24 2017) [sssd[pam]] [pam_reply] (0x0200): blen: 30
      (Mon Jul 10 16:02:24 2017) [sssd[pam]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x7fe3abac60a0][23]
      (Mon Jul 10 16:02:24 2017) [sssd[pam]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x7fe3abac60a0][23]
      (Mon Jul 10 16:02:24 2017) [sssd[pam]] [client_recv] (0x0200): Client disconnected!
      (Mon Jul 10 16:02:24 2017) [sssd[pam]] [client_close_fn] (0x2000): Terminated client [0x7fe3abac60a0][23]


Thanks in advance!
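The two logs above agree on the interesting detail: the password was accepted (pam_sss auth phase "authentication success"), and the failure came from the account phase with code 4. In Linux-PAM, 4 is PAM_SYSTEM_ERR, which pam_sss returns when the access check could not be evaluated at all, as opposed to PAM_PERM_DENIED (6), which is what a real policy "no" from the access provider looks like. Telling those two apart across many sshd sessions is the first triage step, so here is a small correlator for /var/log/secure. It is an added example written for this page, not code from the poster or from the SSSD project; the sample log is constructed (the four original lines for PID 42400 plus three invented sessions for PIDs 42510, 42533 and 42560 to show the other outcomes), and the function names are the example's own.

```python
import re
from collections import defaultdict

# Linux-PAM return codes as they appear in pam_sss "Access denied ... : N (text)" lines
PAM_SYSTEM_ERR = 4    # the access check could not be evaluated (backend/provider failure)
PAM_PERM_DENIED = 6   # the access provider evaluated the policy and said no

# Constructed sample modelled on the poster's excerpt. PID 42400 is the original
# failing session; 42510, 42533 and 42560 are invented to show a clean login, a
# wrong password, and a genuine policy denial. Names and addresses are placeholders.
SAMPLE_SECURE_LOG = """\
Jul 10 17:37:47 MyIssueMachine sshd[42400]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.150.15 user=MyUser@mydomain.com
Jul 10 17:37:47 MyIssueMachine sshd[42400]: pam_sss(sshd:account): Access denied for user MyUser@mydomain.com: 4 (System error)
Jul 10 17:37:47 MyIssueMachine sshd[42400]: Failed password for MyUser@mydomain.com from 192.168.150.15 port 51594 ssh2
Jul 10 17:37:47 MyIssueMachine sshd[42400]: fatal: Access denied for user MyUser@mydomain.com by PAM account configuration [preauth]
Jul 10 17:40:02 MyIssueMachine sshd[42510]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.150.15 user=MyUser@mydomain.com
Jul 10 17:40:02 MyIssueMachine sshd[42510]: Accepted password for MyUser@mydomain.com from 192.168.150.15 port 51620 ssh2
Jul 10 17:41:15 MyIssueMachine sshd[42533]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.150.15 user=MyUser@mydomain.com
Jul 10 17:41:15 MyIssueMachine sshd[42533]: pam_sss(sshd:auth): received for user MyUser@mydomain.com: 7 (Authentication failure)
Jul 10 17:42:30 MyIssueMachine sshd[42560]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.150.15 user=Other@mydomain.com
Jul 10 17:42:30 MyIssueMachine sshd[42560]: pam_sss(sshd:account): Access denied for user Other@mydomain.com: 6 (Permission denied)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
PAM_SSS_RE = re.compile(r"^pam_sss\(sshd:(?P<phase>auth|account)\): (?P<rest>.*)$")
DENIED_RE = re.compile(r"Access denied for user (?P<user>\S+): (?P<code>\d+) \((?P<text>[^)]*)\)")
USER_RE = re.compile(r"\buser=(?P<user>\S+)")     # \b keeps "ruser=" from matching
RHOST_RE = re.compile(r"\brhost=(?P<rhost>\S*)")


def parse_sessions(log_text):
    """Group pam_sss auth/account events by sshd child PID.

    Returns {pid: {"user", "rhost", "auth", "account_code"}}; a key is only
    present when the corresponding line was seen for that PID.
    """
    sessions = defaultdict(dict)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pm = PAM_SSS_RE.match(m.group("msg"))
        if not pm:
            continue  # "Failed password", "fatal: ..." are sshd's own summary lines
        sess = sessions[m.group("pid")]
        phase, rest = pm.group("phase"), pm.group("rest")
        if phase == "auth":
            if rest.startswith("authentication success"):
                sess["auth"] = "success"
            elif rest.startswith("authentication failure"):
                sess["auth"] = "failure"
            else:
                continue  # "received for user ...: 7 (...)" just repeats the failure
            um = USER_RE.search(rest)
            rm = RHOST_RE.search(rest)
            if um:
                sess["user"] = um.group("user")
            if rm and rm.group("rhost"):
                sess["rhost"] = rm.group("rhost")
        else:  # account phase
            dm = DENIED_RE.search(rest)
            if dm:
                sess.setdefault("user", dm.group("user"))
                sess["account_code"] = int(dm.group("code"))
    return dict(sessions)


def classify(sess):
    """Name the outcome of one session from its pam_sss lines alone."""
    if sess.get("auth") == "failure":
        return "bad_credentials"
    if sess.get("auth") != "success":
        return "unknown"
    code = sess.get("account_code")
    if code is None:
        return "ok"                      # password right, no account-phase denial logged
    if code == PAM_SYSTEM_ERR:
        return "access_provider_error"   # password right, access check could not run
    if code == PAM_PERM_DENIED:
        return "policy_denied"           # password right, access provider said no
    return "denied_%d" % code


def find_access_provider_errors(log_text):
    """(pid, user, rhost) for sessions where the password was accepted but the
    account phase returned PAM_SYSTEM_ERR: these are the ones to chase in the
    domain backend log, not in the user's credentials or the GPO policy."""
    out = []
    for pid, sess in parse_sessions(log_text).items():
        if classify(sess) == "access_provider_error":
            out.append((pid, sess.get("user"), sess.get("rhost")))
    return out


if __name__ == "__main__":
    for pid, sess in parse_sessions(SAMPLE_SECURE_LOG).items():
        print(pid, sess.get("user"), classify(sess))
    print(find_access_provider_errors(SAMPLE_SECURE_LOG))
```

Run it against a real /var/log/secure (`python3 triage.py < /var/log/secure` after swapping the constant for `sys.stdin.read()`) and the `access_provider_error` sessions are the intermittent ones the post describes; the sshd PID they carry is the same PID to grep for in the matching sssd backend log to see why the access check returned an error rather than a decision.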