According to man sssd-ad, the default configuration of sssd should allow cron jobs to be run: --- ad_gpo_map_batch (string) A comma-separated list of PAM service names for which GPO-based access control is evaluated based on the BatchLogonRight and DenyBatchLogonRight policy settings.
Note: Using the Group Policy Management Editor this value is called "Allow log on as a batch job" and "Deny log on as a batch job". It is possible to add another PAM service name to the default set by using “+service_name” or to explicitly remove a PAM service name from the default set by using “-service_name”. For example, in order to replace a default PAM service name for this logon right (e.g. “crond”) with a custom pam service name (e.g. “my_pam_service”), you would use the following configuration: ad_gpo_map_batch = +my_pam_service, -crond Default: the default set of PAM service names includes: · crond --- Could it be that the service name in Ubuntu differs from the configured service name (crond). >From the log: Feb 8 10:40:01 host CRON[10308]: pam_sss(cron:account): Access denied for user someone: 6 (Permission denied) -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1572908 Title: sssd-ad pam_sss(cron:account): Access denied for user To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1572908/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs