https://bugzilla.redhat.com/show_bug.cgi?id=2168743
--- Comment #12 from Sumit Bose sbose@redhat.com ---
Hi,
it looks like I got irritated by the 'Error (5) on line 16: Equal sign is missing.' messages and forgot to read the attached log properly.
The reason for '[RID#5] GPO access check failed: [1432158236](Host Access Denied)' is not the parsing of the GPO file, this in fact worked, because after receiving the parsing error SSSD tries again to read the GPO file with a special option to ignore everything which is not a key-value pair, i.e. ignore lines without an '=' sign.
The reason can be seen here:
* (2023-02-09 15:26:27): [be[TCLC.org]] [ad_gpo_access_check] (0x0400): [RID#5] RESULTANT POLICY:
* (2023-02-09 15:26:27): [be[TCLC.org]] [ad_gpo_access_check] (0x0400): [RID#5] gpo_map_type: Interactive
* (2023-02-09 15:26:27): [be[TCLC.org]] [ad_gpo_access_check] (0x0400): [RID#5] allowed_size = 6
* (2023-02-09 15:26:27): [be[TCLC.org]] [ad_gpo_access_check] (0x0400): [RID#5] allowed_sids[0] = S-1-5-21-2272066503-1558053515-3376931032-1153
* (2023-02-09 15:26:27): [be[TCLC.org]] [ad_gpo_access_check] (0x0400): [RID#5] allowed_sids[1] = S-1-5-32-550
* (2023-02-09 15:26:27): [be[TCLC.org]] [ad_gpo_access_check] (0x0400): [RID#5] allowed_sids[2] = S-1-5-32-549
* (2023-02-09 15:26:27): [be[TCLC.org]] [ad_gpo_access_check] (0x0400): [RID#5] allowed_sids[3] = S-1-5-32-548
* (2023-02-09 15:26:27): [be[TCLC.org]] [ad_gpo_access_check] (0x0400): [RID#5] allowed_sids[4] = S-1-5-32-551
* (2023-02-09 15:26:27): [be[TCLC.org]] [ad_gpo_access_check] (0x0400): [RID#5] allowed_sids[5] = S-1-5-32-544
* (2023-02-09 15:26:27): [be[TCLC.org]] [ad_gpo_access_check] (0x0400): [RID#5] denied_size = 0
* (2023-02-09 15:26:27): [be[TCLC.org]] [ad_gpo_access_check] (0x0400): [RID#5] CURRENT USER:
* (2023-02-09 15:26:27): [be[TCLC.org]] [ad_gpo_access_check] (0x0400): [RID#5] user_sid = S-1-5-21-2272066503-1558053515-3376931032-1159
* (2023-02-09 15:26:27): [be[TCLC.org]] [ad_gpo_access_check] (0x0400): [RID#5] group_sids[0] = S-1-5-21-2272066503-1558053515-3376931032-1106
* (2023-02-09 15:26:27): [be[TCLC.org]] [ad_gpo_access_check] (0x0400): [RID#5] group_sids[1] = S-1-5-21-2272066503-1558053515-3376931032-1104
* (2023-02-09 15:26:27): [be[TCLC.org]] [ad_gpo_access_check] (0x0400): [RID#5] group_sids[2] = S-1-5-21-2272066503-1558053515-3376931032-2102
* (2023-02-09 15:26:27): [be[TCLC.org]] [ad_gpo_access_check] (0x0400): [RID#5] group_sids[3] = S-1-5-21-2272066503-1558053515-3376931032-2101
* (2023-02-09 15:26:27): [be[TCLC.org]] [ad_gpo_access_check] (0x0400): [RID#5] group_sids[4] = S-1-5-21-2272066503-1558053515-3376931032-513
* (2023-02-09 15:26:27): [be[TCLC.org]] [ad_gpo_access_check] (0x0400): [RID#5] group_sids[5] = S-1-5-21-2272066503-1558053515-3376931032-1103
* (2023-02-09 15:26:27): [be[TCLC.org]] [ad_gpo_access_check] (0x0400): [RID#5] group_sids[6] = S-1-5-21-2272066503-1558053515-3376931032-1160
* (2023-02-09 15:26:27): [be[TCLC.org]] [ad_gpo_access_check] (0x0400): [RID#5] group_sids[7] = S-1-5-21-2272066503-1558053515-3376931032-2103
* (2023-02-09 15:26:27): [be[TCLC.org]] [ad_gpo_access_check] (0x0400): [RID#5] group_sids[8] = S-1-5-21-2272066503-1558053515-3376931032-2104
* (2023-02-09 15:26:27): [be[TCLC.org]] [ad_gpo_access_check] (0x0400): [RID#5] group_sids[9] = S-1-5-11
* (2023-02-09 15:26:27): [be[TCLC.org]] [ad_gpo_access_check] (0x0400): [RID#5] POLICY DECISION:
* (2023-02-09 15:26:27): [be[TCLC.org]] [ad_gpo_access_check] (0x0400): [RID#5] access_granted = 0
* (2023-02-09 15:26:27): [be[TCLC.org]] [ad_gpo_access_check] (0x0400): [RID#5] access_denied = 0
* (2023-02-09 15:26:27): [be[TCLC.org]] [ad_gpo_perform_hbac_processing] (0x0040): [RID#5] GPO access check failed: [1432158236](Host Access Denied)
So the GPO is expecting that the user is a member of the group with the SID 'S-1-5-21-2272066503-1558053515-3376931032-1153' but the current group-membership of the user does not include this group and access is denied. What kind of group is the group with the SID 'S-1-5-21-2272066503-1558053515-3376931032-1153' and is it expected that the user is a member of this group?
From the logs it looks like the PAC was used to determine the group memberships. Can you share your sssd.conf? I'm asking because PAC evaluation was added recently to be on par with additional PAC checks Windows clients started to apply recently as well and you might have configured a different group-membership scheme which might not work with the memberships recorded in the PAC.
As a workaround you might want to try to set:
pac_check = no_check
in the [pac] section of sssd.conf and
implicit_pac_responder = false
in the [sssd] section of sssd.conf, restart SSSD after removing the cache and try again.
bye, Sumit
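To make the SID comparison the comment does by hand repeatable, here is an added Python example (not part of the bug report and not SSSD's own code) that parses the allowed_sids / user_sid / group_sids dump from the sssd_be log and replays the POLICY DECISION, listing which allowed SIDs the user's token lacks. The decision rule it applies (grant when the user SID or any group SID matches an allowed SID, deny when any matches a denied SID) is my reading of ad_gpo_access_check and is an assumption here; the embedded log text is trimmed from the comment above.

```python
import re
from collections import defaultdict

# Lines copied from the sssd_be debug log quoted in the comment, trimmed to
# the entries that decide the outcome (group_sids[1..3] and [5..8] omitted).
LOG = """\
* (2023-02-09 15:26:27): [be[TCLC.org]] [ad_gpo_access_check] (0x0400): [RID#5] allowed_sids[0] = S-1-5-21-2272066503-1558053515-3376931032-1153
* (2023-02-09 15:26:27): [be[TCLC.org]] [ad_gpo_access_check] (0x0400): [RID#5] allowed_sids[1] = S-1-5-32-550
* (2023-02-09 15:26:27): [be[TCLC.org]] [ad_gpo_access_check] (0x0400): [RID#5] allowed_sids[2] = S-1-5-32-549
* (2023-02-09 15:26:27): [be[TCLC.org]] [ad_gpo_access_check] (0x0400): [RID#5] allowed_sids[3] = S-1-5-32-548
* (2023-02-09 15:26:27): [be[TCLC.org]] [ad_gpo_access_check] (0x0400): [RID#5] allowed_sids[4] = S-1-5-32-551
* (2023-02-09 15:26:27): [be[TCLC.org]] [ad_gpo_access_check] (0x0400): [RID#5] allowed_sids[5] = S-1-5-32-544
* (2023-02-09 15:26:27): [be[TCLC.org]] [ad_gpo_access_check] (0x0400): [RID#5] user_sid = S-1-5-21-2272066503-1558053515-3376931032-1159
* (2023-02-09 15:26:27): [be[TCLC.org]] [ad_gpo_access_check] (0x0400): [RID#5] group_sids[0] = S-1-5-21-2272066503-1558053515-3376931032-1106
* (2023-02-09 15:26:27): [be[TCLC.org]] [ad_gpo_access_check] (0x0400): [RID#5] group_sids[4] = S-1-5-21-2272066503-1558053515-3376931032-513
* (2023-02-09 15:26:27): [be[TCLC.org]] [ad_gpo_access_check] (0x0400): [RID#5] group_sids[9] = S-1-5-11
"""

# One SID entry of the RESULTANT POLICY / CURRENT USER dump, keyed by [RID#n].
SID_LINE = re.compile(
    r"\[RID#(?P<rid>\d+)\] (?P<key>allowed_sids|denied_sids|group_sids|user_sid)"
    r"(?:\[\d+\])? = (?P<sid>S-[0-9-]+)")
SLOT = {"allowed_sids": "allowed", "denied_sids": "denied", "group_sids": "groups"}


def parse_gpo_log(text):
    """Collect allowed/denied SIDs and the user's token SIDs per request id."""
    reqs = defaultdict(lambda: {"allowed": set(), "denied": set(),
                                "user": None, "groups": set()})
    for line in text.splitlines():
        m = SID_LINE.search(line)
        if m is None:
            continue  # size lines, POLICY DECISION lines etc. carry no SID
        req = reqs[m["rid"]]
        if m["key"] == "user_sid":
            req["user"] = m["sid"]
        else:
            req[SLOT[m["key"]]].add(m["sid"])
    return reqs


def gpo_decision(req):
    """Replay the decision: the token (user SID plus group SIDs) must hit at
    least one allowed SID and no denied SID; also list the allowed SIDs it lacks."""
    token = {req["user"]} | req["groups"]
    granted = bool(token & req["allowed"])
    denied = bool(token & req["denied"])
    return {"access_granted": granted, "access_denied": denied,
            "allowed": granted and not denied,
            "missing": sorted(req["allowed"] - token)}
```

Running `gpo_decision(parse_gpo_log(LOG)["5"])` reproduces access_granted = 0 / access_denied = 0 and names S-1-5-21-2272066503-1558053515-3376931032-1153 among the SIDs the token lacks; adding that group SID to the token flips the decision to allowed.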