SSSD experts,

We have a working AD-based sssd configuration for RHEL6, 7 and 8.

We've done thorough lab testing + pilot projects.  All good (with certain RHEL6 restrictions).

Currently, we're using access_provider = simple, with the appropriate simple_allow_groups and simple_allow_users lines in /etc/sssd/sssd.conf.  Works fine.

A reviewer mentioned we should be using access_provider = ad + an /etc/security/access.conf file to restrict access.  (We already have that in our PAM stack, to disallow direct root login and for other limited uses.)

Obviously that second approach would work too.

The claim is that the first approach would let in AD accounts with expired passwords and locked accounts, whereas the second approach would not.

I'm attempting to test this claim -- I have an account I can lock easily.  But does anyone have any best practices for access_provider?

The advantage of this first approach is that it's already coded and thoroughly tested.  The pilot projects use this.

The one advantage of the second approach that I'm certain of is that RHEL6 does not have a realm permit command.  So permitting a user or group with the first approach is done differently on RHEL6 than on 7/8.  (To me, that's not huge.)
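For readers comparing the two setups, here are the two configurations the post describes, side by side. This is an added example and not the poster's sssd.conf; the domain name example.com, the group and user names, and the OU path in the commented-out filter are assumptions chosen for illustration.

```ini
# ---- Option A: access_provider = simple (the configuration currently deployed) ----
# /etc/sssd/sssd.conf  (hypothetical domain and names)
[sssd]
domains = example.com
services = nss, pam

[domain/example.com]
id_provider = ad
auth_provider = ad
chpass_provider = ad
# The simple provider decides the PAM account phase purely from these lists:
# a user passes if listed, or a member of a listed group.
access_provider = simple
simple_allow_groups = linux-admins@example.com, app-ops@example.com
simple_allow_users = svc-backup@example.com

# ---- Option B: access_provider = ad + pam_access ----
# /etc/sssd/sssd.conf  (same [sssd] section as above)
[domain/example.com]
id_provider = ad
auth_provider = ad
chpass_provider = ad
# The ad access provider evaluates the account's state in AD during the
# account phase. Optionally narrow it further with an LDAP filter
# (OU path below is an assumption):
access_provider = ad
# ad_access_filter = (memberOf=CN=linux-admins,OU=Groups,DC=example,DC=com)

# /etc/security/access.conf -- read by pam_access.so, which RHEL places in
# /etc/pam.d/system-auth and password-auth as:
#   account  required  pam_access.so
# Format is  permission : users-or-(groups) : origins ; first match wins.
# (Keep whatever root-login restriction lines you already have above these.)
+ : (linux-admins@example.com) (app-ops@example.com) : ALL
+ : svc-backup@example.com : ALL
- : ALL : ALL
```

Two things worth checking while testing with the lockable account: on sssd releases that ship sssd-tools, `sssctl user-checks -s sshd -a acct user@example.com` exercises only the account phase for a given PAM service without a real login, which makes it easy to compare the two providers against the same locked or expired account (sssctl is not available on RHEL6, an assumption to verify for your 7/8 builds); and with access_provider = ad, look up ad_gpo_access_control in sssd-ad(5) for your sssd version, since on recent releases it defaults to enforcing and GPO evaluation then becomes part of the access decision.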