When the NoMachine server host is part of an Active Directory domain and the user is an AD user, attempts to log in using the NX protocol fail with 'access denied'. Authentication succeeds, but the account validation fails.
System logs report messages like:
auth.log:Nov 27 11:06:37 lt01-lab nxexec: pam_krb5(nx:auth): user nxtest01 authenticated as firstname.lastname@example.org
auth.log:Nov 27 11:06:37 lt01-lab nxexec: pam_sss(nx:account): Access denied for user nxtest01: 6 (Permission denied)
auth.log:Nov 27 11:06:37 lt01-lab nxexec: pam_unix(nx:session): session opened for user nxtest01 by (uid=117)
auth.log:Nov 27 11:06:38 lt01-lab nxexec: pam_unix(nx:session): session closed for user nxtest01
This happens because the NoMachine nx service is not recognized by the Active Directory Group Policy.
As a workaround, edit the /etc/sssd/sssd.conf file on the system and add the following line:
ad_gpo_map_network = +nx
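
To check whether a host shows the log pattern above, the following added example (not NoMachine code) scans auth.log lines for users whose authentication succeeded but whose pam_sss account check was then denied with code 6 for the same PAM service. The sample lines, host name and user names are constructed; a match is a candidate for the unmapped-service case described above, not proof of it.

```python
import re
from collections import defaultdict

# Message formats taken from the log excerpt on this page.
AUTH_OK = re.compile(
    r"pam_\w+\((?P<svc>[^:)]+):auth\): user (?P<user>\S+) authenticated")
ACCT_DENIED = re.compile(
    r"pam_sss\((?P<svc>[^:)]+):account\): "
    r"Access denied for user (?P<user>[^:\s]+): 6 ")

# Constructed sample input (not real log data).
SAMPLE_LOG = """\
Nov 27 11:06:37 host01 nxexec: pam_krb5(nx:auth): user alice authenticated as alice@EXAMPLE.TEST
Nov 27 11:06:37 host01 nxexec: pam_sss(nx:account): Access denied for user alice: 6 (Permission denied)
Nov 27 11:07:02 host01 sshd[2211]: pam_krb5(sshd:auth): user bob authenticated as bob@EXAMPLE.TEST
Nov 27 11:07:02 host01 sshd[2211]: pam_unix(sshd:session): session opened for user bob by (uid=0)
Nov 27 11:08:15 host01 nxexec: pam_sss(nx:account): Access denied for user carol: 6 (Permission denied)
"""

def find_gpo_denials(lines):
    """Return {pam_service: sorted users} where authentication succeeded
    and the pam_sss account phase then denied access with code 6."""
    authenticated = set()          # (service, user) pairs seen in the auth phase
    hits = defaultdict(set)
    for line in lines:
        m = AUTH_OK.search(line)   # search() tolerates a grep "auth.log:" prefix
        if m:
            authenticated.add((m["svc"], m["user"]))
            continue
        m = ACCT_DENIED.search(line)
        # Only report denials that follow a successful authentication;
        # a denial on its own (carol) may have a different cause.
        if m and (m["svc"], m["user"]) in authenticated:
            hits[m["svc"]].add(m["user"])
    return {svc: sorted(users) for svc, users in hits.items()}

if __name__ == "__main__":
    for svc, users in find_gpo_denials(SAMPLE_LOG.splitlines()).items():
        print(f"PAM service '{svc}': authenticated but denied at account phase: "
              f"{', '.join(users)}")
```
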