Ubuntu – PAM / AD issues with server-based application

16.04, active-directory, authentication, pam

Following the 16.04 upgrade we had some PAM / AD issues which were solved based on community answers (i.e. lockscreen, authentication).

We now have a new and critical one. We run a lot of RStudio Server instances, but we now get locked out with messages such as:

May 24 16:10:10 serverXYZ rserver-pam[3632]: ERROR pam_acct_mgmt failed: \
   Permission denied; LOGGED FROM: \
   virtual int rstudio::core::system::PAM::login(const string&, const string&) \
   /home/ubuntu/rstudio/src/cpp/core/system/Pam.cpp:196

This is clearly the application, but then again the application had been running for several years and several Ubuntu upgrades with this PAM / AD setup.

Any idea what I may need to add to the PAM and/or sssd config files similar to the

ad_gpo_map_interactive = +unity, +polkit-1

line we added?

Edit on 2016-05-27: Following Ian's suggestion, here is the pamtester output:

xyz@serverXYZ:~$ sudo pamtester --verbose rstudio someuser authenticate acct_mgmt
pamtester: invoking pam_start(rstudio, someuser, ...)
pamtester: performing operation - authenticate
Password: 
pamtester: successfully authenticated
pamtester: performing operation - acct_mgmt
pamtester: Permission denied
xyz@serverXYZ:~$ 

So it authenticates, but is still denied. Any idea what could be the cause?

Also see my related question on PAM and cron which is equally frustrating.

Best Answer

In the section for your domain in /etc/sssd/sssd.conf add:

ad_gpo_map_service = +rstudio
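
An added example, not part of the original answer: a small checker that reports which `ad_gpo_map_*` option (names from sssd-ad(5)) covers a PAM service name such as the `rstudio` service seen in the pamtester output. A result of `None` means the service is unmapped and falls through to `ad_gpo_default_right`, which sssd-ad(5) documents as defaulting to deny. The domain name `example.com`, the sample configs, the lookup order and the `DEFAULTS` subset are assumptions constructed for illustration; check the default lists against the man page of the installed SSSD release.

```python
import configparser

# Option names from sssd-ad(5), checked in this order (an assumption of this sketch).
GPO_MAP_OPTIONS = ("ad_gpo_map_interactive", "ad_gpo_map_remote_interactive",
                   "ad_gpo_map_network", "ad_gpo_map_batch",
                   "ad_gpo_map_service", "ad_gpo_map_permit", "ad_gpo_map_deny")

# Constructed subset of built-in defaults; the real lists vary by SSSD release.
DEFAULTS = {"ad_gpo_map_interactive": {"login", "su", "su-l"},
            "ad_gpo_map_remote_interactive": {"sshd"},
            "ad_gpo_map_batch": {"crond"},
            "ad_gpo_map_permit": {"sudo", "sudo-i"}}

# Constructed sssd.conf samples: before and after the answer's change.
BEFORE = """
[sssd]
domains = example.com

[domain/example.com]
id_provider = ad
access_provider = ad
ad_gpo_map_interactive = +unity, +polkit-1
"""
AFTER = BEFORE + "ad_gpo_map_service = +rstudio\n"

def effective_map(defaults, value):
    """Apply a '+svc, -svc' option value on top of a default service set."""
    services = set(defaults)
    for item in filter(None, (s.strip() for s in value.split(","))):
        if item.startswith("-"):
            services.discard(item[1:].strip())
        else:
            services.add(item.lstrip("+").strip())
    return services

def gpo_mapping(conf_text, domain, service, defaults=DEFAULTS):
    """Return the ad_gpo_map_* option covering `service`, or None if unmapped."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    section = cp["domain/" + domain]
    for opt in GPO_MAP_OPTIONS:
        if service in effective_map(defaults.get(opt, ()), section.get(opt, "")):
            return opt
    return None

if __name__ == "__main__":
    for label, conf in (("before", BEFORE), ("after", AFTER)):
        print(label, gpo_mapping(conf, "example.com", "rstudio") or "unmapped")
```

Running the same check over every service name under /etc/pam.d shows which other server applications would hit the same `pam_acct_mgmt` denial.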