Hmm, weird, the logs say that there's no access to the GPT.INI file...

When I use smbclient \\\\<servername>\\SysVol -Utestuser1

I can browse and get GLXTMP.COM/Policies/{AC4A550E-DCD5-4C06-8B5C-29E51CD03164}/GPT.INI
without a problem...

but attached is the gpo_child.log

Regards, Koen
Sumit Bose
26 Jan 2015 11:25

"[child_sig_handler] (0x0020): child [18130] failed with status [1]."

Can you send the gpo child logs as well?

bye,
Sumit
_______________________________________________
sssd-users mailing list
sssd-users@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
Koen de Boeve
26 Jan 2015 10:54
Hi Jakub,

I have a Windows AD setup now (Windows 2012 R2). But it still isn't working (different error though).
I have set up another CentOS 7 box with sssd version 1.12.3 and bound it to this domain.

This is the sssd.conf:

[sssd]
domains = GLXTMP.COM
config_file_version = 2
services = nss, pam

[domain/GLXTMP.COM]
ad_domain = GLXTMP.COM
krb5_realm = GLXTMP.COM
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = False
use_fully_qualified_names = False
fallback_homedir = /home/%u

debug_level = 9

enumerate = True

access_provider = ad
id_provider = ad
auth_provider = ad
chpass_provider = ad
ad_gpo_access_control = permissive


=========================

Now the log file finds a GPO that is applicable:

(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ad_gpo_filter_gpos_by_dacl] (0x4000): examining dacl candidate_gpo_guid:{31B2F340-016D-11D2-945F-00C04FB984F9}
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ad_gpo_filter_gpos_by_dacl] (0x4000): GPO not applicable to target per security filtering
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ad_gpo_filter_gpos_by_dacl] (0x4000): examining dacl candidate_gpo_guid:{AC4A550E-DCD5-4C06-8B5C-29E51CD03164}
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ad_gpo_filter_gpos_by_dacl] (0x4000): GPO applicable to target per security filtering
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ad_gpo_process_gpo_done] (0x0400): dacl_filtered_gpos[0]->gpo_guid is {AC4A550E-DCD5-4C06-8B5C-29E51CD03164}
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ad_gpo_filter_gpos_by_cse_guid] (0x4000): examining cse candidate_gpo_guid: {AC4A550E-DCD5-4C06-8B5C-29E51CD03164}
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ad_gpo_filter_gpos_by_cse_guid] (0x4000): GPO applicable to target per cse_guid filtering
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ad_gpo_process_gpo_done] (0x0400): cse_filtered_gpos[0]->gpo_guid is {AC4A550E-DCD5-4C06-8B5C-29E51CD03164}
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ad_gpo_process_gpo_done] (0x0400): num_cse_filtered_gpos: 1
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ldb] (0x4000): start ldb transaction (nesting: 0)
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [sysdb_gpo_get_gpo_result_object] (0x4000): cn=gpos,cn=ad,cn=custom,cn=GLXTMP.COM,cn=sysdb
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f96c0717020
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f96c0716220
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ldb] (0x4000): Running timer event 0x7f96c0717020 "ltdb_callback"
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ldb] (0x4000): Destroying timer event 0x7f96c0716220 "ltdb_timeout"
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ldb] (0x4000): Ending timer event 0x7f96c0717020 "ltdb_callback"
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [sysdb_gpo_get_gpo_result_object] (0x4000): No GPO Result object.
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ldb] (0x4000): commit ldb transaction (nesting: 0)
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ad_gpo_cse_step] (0x0400): cse filtered_gpos[0]->gpo_guid is {AC4A550E-DCD5-4C06-8B5C-29E51CD03164}
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ad_gpo_cse_step] (0x4000): cse_filtered_gpos[0]->gpo_cse_guids[0]->gpo_guid is {827D319E-6EAC-11D2-A4EA-00C04F79F83A}
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ad_gpo_cse_step] (0x0400): smb_server: smb://win-leje3vd828k.glxtmp.com
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ad_gpo_cse_step] (0x0400): smb_share: /SysVol
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ad_gpo_cse_step] (0x0400): smb_path: /GLXTMP.COM/Policies/{AC4A550E-DCD5-4C06-8B5C-29E51CD03164}
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ad_gpo_cse_step] (0x0400): gpo_guid: {AC4A550E-DCD5-4C06-8B5C-29E51CD03164}
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ad_gpo_cse_step] (0x0400): retrieving GPO from cache [{AC4A550E-DCD5-4C06-8B5C-29E51CD03164}]
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [sysdb_gpo_get_gpo_by_guid] (0x4000): cn=gpos,cn=ad,cn=custom,cn=GLXTMP.COM,cn=sysdb

But finally it is failing anyway:


(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f96c071b260
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f96c07134d0
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ldb] (0x4000): Running timer event 0x7f96c071b260 "ltdb_callback"
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ldb] (0x4000): Destroying timer event 0x7f96c07134d0 "ltdb_timeout"
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ldb] (0x4000): Ending timer event 0x7f96c071b260 "ltdb_callback"
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [sysdb_gpo_get_gpo_by_guid] (0x4000): No such entry.
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ad_gpo_cse_step] (0x0400): ENOENT
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ad_gpo_cse_step] (0x0400): send_to_child: 1
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ad_gpo_cse_step] (0x0400): cached_gpt_version: -1
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [create_cse_send_buffer] (0x4000): buffer size: 167
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [child_handler_setup] (0x2000): Setting up signal handler up for pid [18130]
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [child_handler_setup] (0x2000): Signal handler set up for pid [18130]
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [sdap_process_result] (0x2000): Trace: sh[0x7f96c06d7260], connected[1], ops[(nil)], ldap[0x7f96c06a3d10]
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [write_pipe_handler] (0x0400): All data has been sent!
(Mon Jan 26 10:26:03 2015) [sssd[be[GLXTMP.COM]]] [read_pipe_handler] (0x0400): EOF received, client finished
(Mon Jan 26 10:26:03 2015) [sssd[be[GLXTMP.COM]]] [gpo_cse_done] (0x0020): ad_gpo_parse_gpo_child_response failed: [22][Invalid argument]
(Mon Jan 26 10:26:03 2015) [sssd[be[GLXTMP.COM]]] [ad_gpo_cse_done] (0x0400): gpo_guid: {AC4A550E-DCD5-4C06-8B5C-29E51CD03164}
(Mon Jan 26 10:26:03 2015) [sssd[be[GLXTMP.COM]]] [ad_gpo_cse_done] (0x0040): Unable to retrieve policy data: [22](Invalid argument}
(Mon Jan 26 10:26:03 2015) [sssd[be[GLXTMP.COM]]] [ad_gpo_access_done] (0x0040): GPO-based access control failed.
(Mon Jan 26 10:26:03 2015) [sssd[be[GLXTMP.COM]]] [ad_gpo_access_done] (0x0040): Ignoring error: [22](Invalid argument); GPO-based access control failed, but GPO is not in enforcing mode.

I added the full sssd log in case you want a look in there.
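
The step that fails at the end of this log (cached_gpt_version: -1, send_to_child: 1, then ad_gpo_parse_gpo_child_response failed) is the gpo_child fetching GPT.INI and GptTmpl.inf from SYSVOL and handing the security settings back to the backend. Below is an added example, not SSSD's code and not from anyone in this thread, that walks the same chain in Python: PAM service to logon type (with an ad_gpo_map_* style "+xrdp-sesman" override like the one in the earlier config), the GPT.INI version split that is compared against the cache, the [Privilege Rights] section of GptTmpl.inf, and the deny-before-allow logon-right decision. The file bodies, all SIDs, the service map and the rule that an unassigned right lets a user through are constructed assumptions of the example.

```python
import re

# Logon-right pairs per logon type; the names are the Windows user-right
# constants that appear in GptTmpl.inf.
LOGON_RIGHTS = {
    "interactive": ("SeInteractiveLogonRight", "SeDenyInteractiveLogonRight"),
    "remote_interactive": ("SeRemoteInteractiveLogonRight",
                           "SeDenyRemoteInteractiveLogonRight"),
    "network": ("SeNetworkLogonRight", "SeDenyNetworkLogonRight"),
    "batch": ("SeBatchLogonRight", "SeDenyBatchLogonRight"),
}
# Small PAM-service map in the spirit of SSSD's defaults (sshd is logged as
# Remote Interactive); assumed for the example, not SSSD's full table.
BASE_SERVICE_MAP = {"login": "interactive", "sshd": "remote_interactive",
                    "crond": "batch"}

def apply_map_option(service_map, logon_type, option_value):
    """Apply one ad_gpo_map_<logon_type> value such as "+xrdp-sesman,-sshd":
    '+name' maps that PAM service to this logon type, '-name' unmaps it.
    Returns a new dict."""
    result = dict(service_map)
    for item in option_value.split(","):
        item = item.strip()
        if item.startswith("+"):
            result[item[1:]] = logon_type
        elif item.startswith("-"):
            result.pop(item[1:], None)
    return result

def parse_gpt_ini_version(text):
    """GPT.INI holds one 32-bit Version: low 16 bits are the machine part,
    high 16 bits the user part. Returns (machine_version, user_version)."""
    m = re.search(r"^\s*Version\s*=\s*(\d+)\s*$", text, re.M | re.I)
    if m is None:
        raise ValueError("GPT.INI has no Version= entry")
    version = int(m.group(1))
    return version & 0xFFFF, version >> 16

def needs_download(cached_gpt_version, sysvol_machine_version):
    """cached_gpt_version is -1 in the log above because nothing was cached
    yet; otherwise a newer machine version on SYSVOL triggers a re-fetch."""
    return cached_gpt_version < sysvol_machine_version

def parse_privilege_rights(gpttmpl_text):
    """Parse the [Privilege Rights] section of a GptTmpl.inf (text already
    decoded from its UTF-16LE encoding). Entries starting with '*' are SIDs;
    anything else is an account name that would still need resolving."""
    rights, in_section = {}, False
    for raw in gpttmpl_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if not in_section or "=" not in line:
            continue
        key, _, value = line.partition("=")
        entries = [e.strip() for e in value.split(",") if e.strip()]
        rights[key.strip()] = {
            "sids": [e[1:] for e in entries if e.startswith("*")],
            "names": [e for e in entries if not e.startswith("*")],
        }
    return rights

def check_logon(token_sids, rights, logon_type):
    """Deny rights beat allow rights. When the policy assigns the allow right,
    only the listed SIDs hold it; when it does not assign it at all, this
    simplified model (an assumption of the example) lets the logon through."""
    allow_name, deny_name = LOGON_RIGHTS[logon_type]
    token = set(token_sids)
    denied = token & set(rights.get(deny_name, {}).get("sids", []))
    if denied:
        return False, "%s matches %s" % (deny_name, sorted(denied))
    if allow_name in rights:
        granted = token & set(rights[allow_name]["sids"])
        if not granted:
            return False, "%s is assigned, but to none of the token SIDs" % allow_name
        return True, "%s matches %s" % (allow_name, sorted(granted))
    return True, "%s is not assigned by this policy" % allow_name

# Constructed GPT.INI: Version 65539 == (user 1 << 16) | machine 3.
SAMPLE_GPT_INI = "[General]\r\nVersion=65539\r\ndisplayName=Deny testuser\r\n"
# Constructed GptTmpl.inf mirroring the thread's GPO: deny local and RDP
# logon to one user. Domain SID S-1-5-21-1-2-3 and RID 1105 are invented.
SAMPLE_GPTTMPL = """[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeDenyInteractiveLogonRight = *S-1-5-21-1-2-3-1105
SeDenyRemoteInteractiveLogonRight = *S-1-5-21-1-2-3-1105
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
"""
# Token = user SID plus group SIDs (Domain Users 513, Authenticated Users).
TESTUSER_TOKEN = ["S-1-5-21-1-2-3-1105", "S-1-5-21-1-2-3-513", "S-1-5-11"]
ADMIN_TOKEN = ["S-1-5-21-1-2-3-500", "S-1-5-32-544", "S-1-5-11"]
PLAIN_TOKEN = ["S-1-5-21-1-2-3-1200", "S-1-5-21-1-2-3-513", "S-1-5-11"]
SERVICE_MAP = apply_map_option(BASE_SERVICE_MAP, "remote_interactive", "+xrdp-sesman")

def evaluate(token, pam_service):
    """One login attempt end to end: PAM service -> logon type -> logon-right
    check against the constructed policy. Returns (decision, reason); the
    decision is None for services with no mapped logon type (SSSD has its
    own option for that case, which is not modelled here)."""
    logon_type = SERVICE_MAP.get(pam_service)
    if logon_type is None:
        return None, "service %s is not mapped to a logon type" % pam_service
    return check_logon(token, parse_privilege_rights(SAMPLE_GPTTMPL), logon_type)

if __name__ == "__main__":
    print("GPT.INI (machine, user):", parse_gpt_ini_version(SAMPLE_GPT_INI))
    print("re-fetch with cached -1:", needs_download(-1, 3))
    for tok, svc in ((TESTUSER_TOKEN, "sshd"), (TESTUSER_TOKEN, "xrdp-sesman"),
                     (ADMIN_TOKEN, "xrdp-sesman"), (PLAIN_TOKEN, "login")):
        print(svc, tok[0], evaluate(tok, svc))
```

The point of the two deny entries is that they are checked before any allow entry: testuser is refused over sshd and over the xrdp-sesman service added through the map option, while a member of Administrators (S-1-5-32-544) is granted remote logon because the allow right lists that group.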


Koen de Boeve
23 Jan 2015 21:57
Hi Jakub,

> Hi Koen, I don't have a complete answer, but I'll try to help and maybe we can work out some details. First, do you have an actual AD server around to test with? In the past we've seen bugs with Samba that didn't occur with AD and I'm not sure if anyone tried the GPO integration with Samba.. The SSSD version you're running is pretty recent,
> the only GPO-related bug after the 1.12.3 release was https://fedorahosted.org/sssd/ticket/2543

Pretty sure it has nothing to do with unresolvable LDAP uri :-)

I don't have a Windows AD, but I can definitely try to set up one on our test environment.

But that's gonna take some time.

> I would advise against enumerate=True in large environments.

We don't have a large environment, and I put it there, on purpose, to see if it worked :-)
Once I have everything working as it should I will revise the settings before I deploy it on all our Linux machines.

> You can drop ldap_schema=ad, it's already the default for id_provider=ad

OK good to know, thanks for that!

> Can you confirm that the GUIDs of the GPOs SSSD downloads correspond to
> those you defined on the server side?

[root@pdc Policies]# ls
{31B2F340-016D-11D2-945F-00C04FB984F9}  - This is the Default Policy (empty)
{691A69C9-FEF3-4A42-8129-64E8741F9D2C}  - Other Policy, not for this OU
{6AC1786C-016F-11D2-945F-00C04FB984F9}  - Same
{D49E3752-2ECB-42F6-A418-2AE1F3092929}  - This is the Policy containing the deny rules for user Testuser (Deny log on locally and Deny log on through Remote Desktop)
{E55C6360-FBC1-485A-8EFF-A7D9392514D2}  - Other Policy, not for this OU

> Note that func_versions is 2 and flags is 0, same for the other GPO.

What does that mean? :-)

> OK, access was denied but since both the flags and the func_version were
> the values we expect, I presume the code made it all the way to
> ad_gpo_evaluate_ace() where the GPO is really evaluated. Unfortunately
> there's not much logging there. I wonder if the GUIDs are correct? If
> so, we can proceed with debugging, maybe with some instrumented build..

There is one SID I can't figure out: [ad_gpo_parse_machine_ext_names] (0x4000): gpo_cse_guids[0] is {827D319E-6EAC-11D2-A4EA-00C04F79F83A}

> btw did you also try the other way around, only allow access?

Yes, same issue

Regards and thanks for the help!, Koen
Jakub Hrozek
23 Jan 2015 21:03
On Fri, Jan 23, 2015 at 04:10:12PM +0100, Koen de Boeve wrote:
> Hi all,
>
> I am having issues getting remote and local GPO restrictions to work.
>
> I am using:
>
> - 2 Samba 4.1.16 PDCs on CentOS 6.5 64bit
> - 1 CentOS 7 installation with sssd 1.12.3 as test client.
>
> Other GPOs are working fine for Windows machines.
>
> Authentication against the Samba4 domain on the test client with sssd is
> working fine too.
> I am now trying to use a Group Policy to deny access for 'testuser' for both
> local login as well as remote login (ssh and xrdp).
>
> This is not working at all.
>
> I created a GPO which I linked to OU=Linux,OU=Servers,DC=mydomain,DC=com;
> in there, I have one machine, called ITCOPY.
> The GPO sets Deny Logon and Deny Remote Desktop access for MYDOMAIN\testuser.
>
> The GPO is set to be Enforced and the Security target is Authenticated
> Users.
>
> As you can see, I set access_control back to permissive, so I should see
> some indication that the GPO is working in the log file.
>
> Any help would be much appreciated!
>
> Regards, Koen

Hi Koen,

I don't have a complete answer, but I'll try to help and maybe we can
work out some details.

First, do you have an actual AD server around to test with? In the past
we've seen bugs with Samba that didn't occur with AD and I'm not sure if
anyone tried the GPO integration with Samba..

The SSSD version you're running is pretty recent, the only GPO-related
bug after the 1.12.3 release was
https://fedorahosted.org/sssd/ticket/2543

> My sssd conf:
> # =========================================
> [sssd]
> domains = mydomain.com
> config_file_version = 2
> services = nss, pam
>
> [domain/mydomain.com]
> ad_domain = mydomain.com
> ad_server = pdc.mydomain.com
> krb5_realm = mydomain.com
> realmd_tags = manages-system joined-with-samba
> cache_credentials = True
> id_provider = ad
> krb5_store_password_if_offline = True
> default_shell = /bin/bash
> ldap_id_mapping = False
> use_fully_qualified_names = False
> fallback_homedir = /home/%u
> debug_level = 9
>
> enumerate = True

I would advise against enumerate=True in large environments.

> access_provider = ad
> #ad_access_filter = (&(memberOf=CN=linuxadmin,CN=Users,DC=mydomain,DC=com)(unixHomeDirectory=*))
> id_provider = ad
> auth_provider = ad
> chpass_provider = ad
> ad_gpo_access_control = permissive
>
> ldap_schema = ad

You can drop ldap_schema=ad, it's already the default for id_provider=ad.

> dyndns_update = true
> dyndns_refresh_interval = 43200
> dyndns_update_ptr = true
> dyndns_ttl = 3600
>
> ad_gpo_map_remote_interactive = +xrdp-sesman
> # =====================================
>
> This is part of the sssd log file:
>
> (Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_access_send] (0x0400): service sshd maps to Remote Interactive
> (Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_access_send] (0x4000): server_hostname from uri: pdc.mydomain.com
> (Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_connect_done] (0x0400): sam_account_name is ITCOPY$
> (Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_site_dn_retrieval_done] (0x0400): som_list[0]->som_dn is OU=Linux,OU=Servers,DC=mydomain,DC=com
> (Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_site_dn_retrieval_done] (0x0400): som_list[1]->som_dn is OU=Servers,DC=mydomain,DC=com
> (Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_site_dn_retrieval_done] (0x0400): som_list[2]->som_dn is DC=mydomain,DC=com
> (Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_site_dn_retrieval_done] (0x0400): som_list[3]->som_dn is cn=Default-First-Site-Name,cn=Sites,CN=Configuration,DC=mydomain,DC=com
> (Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_som_attrs_done] (0x4000): gpoptions attr not found or has no value; defaults to 0
> (Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_gplink_list] (0x0400): som_dn: OU=Linux,OU=Servers,DC=mydomain,DC=com
> (Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_gplink_list] (0x4000): gplink_list[0]: [cn={D49E3752-2ECB-42F6-A418-2AE1F3092929},cn=policies,cn=system,DC=mydomain,DC=com; 2]
> (Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_som_attrs_done] (0x4000): gpoptions attr not found or has no value; defaults to 0
> (Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_gplink_list] (0x0400): som_dn: OU=Servers,DC=mydomain,DC=com
> (Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_gplink_list] (0x4000): gplink_list[0]: [cn={691A69C9-FEF3-4A42-8129-64E8741F9D2C},cn=policies,cn=system,DC=mydomain,DC=com; 1]
> (Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_gplink_list] (0x4000): ignored gpo skipped
> (Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_som_attrs_done] (0x4000): gpoptions attr not found or has no value; defaults to 0
> (Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_gplink_list] (0x0400): som_dn: DC=mydomain,DC=com
> (Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_gplink_list] (0x4000): gplink_list[0]: [CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=mydomain,DC=com; 0]
> (Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_som_attrs_done] (0x0040): no attrs found for SOM; try next SOM
> (Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_candidate_gpos] (0x0400): candidate_gpos[0]->gpo_dn: CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=mydomain,DC=com
> (Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_candidate_gpos] (0x0400): candidate_gpos[1]->gpo_dn: cn={D49E3752-2ECB-42F6-A418-2AE1F3092929},cn=policies,cn=system,DC=mydomain,DC=com

Can you confirm that the GUIDs of the GPOs SSSD downloads correspond to
those you defined on the server side?

> (Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): populating attrs for gpo_guid: {31B2F340-016D-11D2-945F-00C04FB984F9}
> (Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_extract_smb_components] (0x4000): input_path: \\mydomain.com\sysvol\mydomain.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}
> (Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): smb_server: smb://pdc.mydomain.com
> (Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): smb_share: /sysvol
> (Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): smb_path: /mydomain.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}
> (Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): gpo_func_version: 2
> (Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): gpo_flags: 0
> (Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_parse_machine_ext_names] (0x4000): num_gpo_cse_guids: 3
> (Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_parse_machine_ext_names] (0x4000): gpo_cse_guids[0] is {35378EAC-683F-11D2-A89A-00C04FBBCFA2}
> (Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_parse_machine_ext_names] (0x4000): gpo_cse_guids[1] is {827D319E-6EAC-11D2-A4EA-00C04F79F83A}
> (Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_parse_machine_ext_names] (0x4000): gpo_cse_guids[2] is {B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}
> (Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): populating attrs for gpo_guid: {D49E3752-2ECB-42F6-A418-2AE1F3092929}
> (Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_extract_smb_components] (0x4000): input_path: \\mydomain.com\SysVol\mydomain.com\Policies\{D49E3752-2ECB-42F6-A418-2AE1F3092929}
> (Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): smb_server: smb://pdc.mydomain.com
> (Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): smb_share: /SysVol
> (Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): smb_path: /mydomain.com/Policies/{D49E3752-2ECB-42F6-A418-2AE1F3092929}
> (Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): gpo_func_version: 2
> (Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): gpo_flags: 0

Note that func_versions is 2 and flags is 0, same for the other GPO.

> (Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_parse_machine_ext_names] (0x4000): num_gpo_cse_guids: 1
> (Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_parse_machine_ext_names] (0x4000): gpo_cse_guids[0] is {827D319E-6EAC-11D2-A4EA-00C04F79F83A}
> (Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_filter_gpos_by_dacl] (0x4000): examining dacl candidate_gpo_guid:{31B2F340-016D-11D2-945F-00C04FB984F9}
> (Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_filter_gpos_by_dacl] (0x4000): GPO not applicable to target per security filtering
> (Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_filter_gpos_by_dacl] (0x4000): examining dacl candidate_gpo_guid:{D49E3752-2ECB-42F6-A418-2AE1F3092929}
> (Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_filter_gpos_by_dacl] (0x4000): GPO not applicable to target per security filtering

OK, access was denied but since both the flags and the func_version were
the values we expect, I presume the code made it all the way to
ad_gpo_evaluate_ace() where the GPO is really evaluated. Unfortunately
there's not much logging there. I wonder if the GUIDs are correct? If
so, we can proceed with debugging, maybe with some instrumented build..

btw did you also try the other way around, only allow access?
_______________________________________________
sssd-users mailing list
sssd-users@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
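
The ad_gpo_evaluate_ace() step Jakub points at is the one place in the log above with no detail: the backend only reports "GPO not applicable to target per security filtering". Here is an added example, not SSSD's code and not from anyone in this thread, of what that decision looks like in Python. It models the standard Windows DACL check for the Apply Group Policy extended right against the computer's token SIDs (its own SID plus its groups, Authenticated Users included), walks ACEs in canonical order, ignores ACE inheritance flags, and every SID, mask and DACL in it is constructed for the example.

```python
from collections import namedtuple

APPLY_GROUP_POLICY = "edacfd8f-ffb3-11d1-b41d-00a0c968f939"  # extended-right GUID
ADS_RIGHT_DS_CONTROL_ACCESS = 0x100   # access-mask bit that covers extended rights
AUTHENTICATED_USERS = "S-1-5-11"

# ace_type is "allow" or "deny"; object_type is the GUID the ACE is scoped
# to, or None for a plain ACE that covers every right in its mask.
Ace = namedtuple("Ace", "ace_type trustee mask object_type")

def gpo_applies(token_sids, dacl):
    """Walk the DACL in order, as the Windows access check does for a single
    requested right: the first ACE that decides wins. A matching deny ACE
    refuses; an allow ACE carrying DS_CONTROL_ACCESS scoped to Apply Group
    Policy (or unscoped, i.e. all extended rights) grants. No matching ACE
    means the GPO is filtered out; a null DACL (None) means everyone applies."""
    if dacl is None:
        return True, "null DACL grants everyone"
    token = set(token_sids)
    for idx, ace in enumerate(dacl):
        if ace.trustee not in token:
            continue
        if ace.object_type not in (None, APPLY_GROUP_POLICY):
            continue                 # scoped to some other right or property
        if not ace.mask & ADS_RIGHT_DS_CONTROL_ACCESS:
            continue                 # read/edit ACE, says nothing about applying
        if ace.ace_type == "deny":
            return False, "ACE %d denies %s" % (idx, ace.trustee)
        return True, "ACE %d allows %s" % (idx, ace.trustee)
    return False, "no ACE grants Apply Group Policy to any token SID"

def filter_gpos(token_sids, gpo_dacls):
    """gpo_dacls: list of (gpo_guid, dacl) in application order. Returns the
    GUIDs that survive security filtering, order preserved."""
    return [guid for guid, dacl in gpo_dacls if gpo_applies(token_sids, dacl)[0]]

# Constructed domain S-1-5-21-1-2-3. The computer account gets the groups a
# plain domain member has: Domain Computers (RID 515) and Authenticated Users.
COMPUTER_SID = "S-1-5-21-1-2-3-1201"
DOMAIN_COMPUTERS = "S-1-5-21-1-2-3-515"
DOMAIN_ADMINS = "S-1-5-21-1-2-3-512"
LINUX_HOSTS = "S-1-5-21-1-2-3-1300"      # hypothetical filtering group
COMPUTER_TOKEN = [COMPUTER_SID, DOMAIN_COMPUTERS, AUTHENTICATED_USERS]

# Masks as GPMC writes them: RPLCLORC is read-only, and the Domain Admins
# edit ACE (RPWPCCDCLCLORCWOWDSDDTSW) deliberately has no CR bit.
READ_MASK = 0x00020094
EDIT_MASK = 0x000F00FF

# Shape of a default GPO DACL: Authenticated Users may read and apply,
# Domain Admins may edit but not apply.
DEFAULT_DACL = [
    Ace("allow", DOMAIN_ADMINS, EDIT_MASK, None),
    Ace("allow", AUTHENTICATED_USERS, READ_MASK, None),
    Ace("allow", AUTHENTICATED_USERS, ADS_RIGHT_DS_CONTROL_ACCESS, APPLY_GROUP_POLICY),
]
# The same GPO after narrowing its security filtering to one group: the
# Authenticated Users apply ACE has been replaced by one for LINUX_HOSTS.
FILTERED_DACL = [
    Ace("allow", DOMAIN_ADMINS, EDIT_MASK, None),
    Ace("allow", AUTHENTICATED_USERS, READ_MASK, None),
    Ace("allow", LINUX_HOSTS, ADS_RIGHT_DS_CONTROL_ACCESS, APPLY_GROUP_POLICY),
]
# An explicit deny on the computer, placed first as canonical ACE order requires.
DENIED_DACL = [Ace("deny", COMPUTER_SID, ADS_RIGHT_DS_CONTROL_ACCESS,
                   APPLY_GROUP_POLICY)] + DEFAULT_DACL

def demo():
    gpos = [("{31B2F340-016D-11D2-945F-00C04FB984F9}", DEFAULT_DACL),
            ("{D49E3752-2ECB-42F6-A418-2AE1F3092929}", FILTERED_DACL)]
    return {
        "default_applies": gpo_applies(COMPUTER_TOKEN, DEFAULT_DACL)[0],
        "filtered_without_group": gpo_applies(COMPUTER_TOKEN, FILTERED_DACL)[0],
        "filtered_with_group": gpo_applies(COMPUTER_TOKEN + [LINUX_HOSTS], FILTERED_DACL)[0],
        "denied": gpo_applies(COMPUTER_TOKEN, DENIED_DACL)[0],
        "surviving": filter_gpos(COMPUTER_TOKEN, gpos),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The second scenario is what the evaluator sees when a GPO has been scoped to a group the computer is not in: the read ACE matches but carries no control-access bit, the apply ACE names a trustee outside the token, and the GPO drops out with nothing else to log. When checking a real GPO, compare the trustees of its apply ACEs against the computer's full group list, not just the group the GPO was meant for.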
23 Jan 2015 16:10
Hi all,

I am having issues getting remote and local GPO restrictions to work.

I am using:

- 2 Samba 4.1.16 PDCs on CentOS 6.5 64bit
- 1 CentOS 7 installation with sssd 1.12.3 as test client.

Other GPOs are working fine for Windows machines.

Authentication against the Samba4 domain on the test client with sssd is working fine too.
I am now trying to use a Group Policy to deny access for 'testuser' for both local login as well as remote login (ssh and xrdp).

This is not working at all.

I created a GPO which I linked to OU=Linux,OU=Servers,DC=mydomain,DC=com;
in there, I have one machine, called ITCOPY.
The GPO sets Deny Logon and Deny Remote Desktop access for MYDOMAIN\testuser.

The GPO is set to be Enforced and the Security target is Authenticated Users.

As you can see, I set access_control back to permissive, so I should see some indication that the GPO is working in the log file.

Any help would be much appreciated!

Regards, Koen


My sssd conf:
# =========================================
[sssd]
domains = mydomain.com
config_file_version = 2
services = nss, pam

[domain/mydomain.com]
ad_domain = mydomain.com
ad_server = pdc.mydomain.com
krb5_realm = mydomain.com
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = False
use_fully_qualified_names = False
fallback_homedir = /home/%u
debug_level = 9

enumerate = True

access_provider = ad
#ad_access_filter = (&(memberOf=CN=linuxadmin,CN=Users,DC=mydomain,DC=com)(unixHomeDirectory=*))
id_provider = ad
auth_provider = ad
chpass_provider = ad
ad_gpo_access_control = permissive

ldap_schema = ad

dyndns_update = true
dyndns_refresh_interval = 43200
dyndns_update_ptr = true
dyndns_ttl = 3600

ad_gpo_map_remote_interactive = +xrdp-sesman
# =====================================

This is part of the sssd log file:

(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_access_send] (0x0400): service sshd maps to Remote Interactive
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_access_send] (0x4000): server_hostname from uri: pdc.mydomain.com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_connect_done] (0x0400): sam_account_name is ITCOPY$
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_site_dn_retrieval_done] (0x0400): som_list[0]->som_dn is OU=Linux,OU=Servers,DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_site_dn_retrieval_done] (0x0400): som_list[1]->som_dn is OU=Servers,DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_site_dn_retrieval_done] (0x0400): som_list[2]->som_dn is DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_site_dn_retrieval_done] (0x0400): som_list[3]->som_dn is cn=Default-First-Site-Name,cn=Sites,CN=Configuration,DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_som_attrs_done] (0x4000): gpoptions attr not found or has no value; defaults to 0
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_gplink_list] (0x0400): som_dn: OU=Linux,OU=Servers,DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_gplink_list] (0x4000): gplink_list[0]: [cn={D49E3752-2ECB-42F6-A418-2AE1F3092929},cn=policies,cn=system,DC=mydomain,DC=com; 2]
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_som_attrs_done] (0x4000): gpoptions attr not found or has no value; defaults to 0
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_gplink_list] (0x0400): som_dn: OU=Servers,DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_gplink_list] (0x4000): gplink_list[0]: [cn={691A69C9-FEF3-4A42-8129-64E8741F9D2C},cn=policies,cn=system,DC=mydomain,DC=com; 1]
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_gplink_list] (0x4000): ignored gpo skipped
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_som_attrs_done] (0x4000): gpoptions attr not found or has no value; defaults to 0
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_gplink_list] (0x0400): som_dn: DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_gplink_list] (0x4000): gplink_list[0]: [CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=mydomain,DC=com; 0]
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_som_attrs_done] (0x0040): no attrs found for SOM; try next SOM
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_candidate_gpos] (0x0400): candidate_gpos[0]->gpo_dn: CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_candidate_gpos] (0x0400): candidate_gpos[1]->gpo_dn: cn={D49E3752-2ECB-42F6-A418-2AE1F3092929},cn=policies,cn=system,DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): populating attrs for gpo_guid: {31B2F340-016D-11D2-945F-00C04FB984F9}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_extract_smb_components] (0x4000): input_path: \\mydomain.com\sysvol\mydomain.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): smb_server: smb://pdc.mydomain.com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): smb_share: /sysvol
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): smb_path: /mydomain.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): gpo_func_version: 2
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): gpo_flags: 0
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_parse_machine_ext_names] (0x4000): num_gpo_cse_guids: 3
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_parse_machine_ext_names] (0x4000): gpo_cse_guids[0] is {35378EAC-683F-11D2-A89A-00C04FBBCFA2}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_parse_machine_ext_names] (0x4000): gpo_cse_guids[1] is {827D319E-6EAC-11D2-A4EA-00C04F79F83A}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_parse_machine_ext_names] (0x4000): gpo_cse_guids[2] is {B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): populating attrs for gpo_guid: {D49E3752-2ECB-42F6-A418-2AE1F3092929}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_extract_smb_components] (0x4000): input_path: \\mydomain.com\SysVol\mydomain.com\Policies\{D49E3752-2ECB-42F6-A418-2AE1F3092929}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): smb_server: smb://pdc.mydomain.com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): smb_share: /SysVol
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): smb_path: /mydomain.com/Policies/{D49E3752-2ECB-42F6-A418-2AE1F3092929}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): gpo_func_version: 2
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): gpo_flags: 0
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_parse_machine_ext_names] (0x4000): num_gpo_cse_guids: 1
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_parse_machine_ext_names] (0x4000): gpo_cse_guids[0] is {827D319E-6EAC-11D2-A4EA-00C04F79F83A}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_filter_gpos_by_dacl] (0x4000): examining dacl candidate_gpo_guid:{31B2F340-016D-11D2-945F-00C04FB984F9}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_filter_gpos_by_dacl] (0x4000): GPO not applicable to target per security filtering
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_filter_gpos_by_dacl] (0x4000): examining dacl candidate_gpo_guid:{D49E3752-2ECB-42F6-A418-2AE1F3092929}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_filter_gpos_by_dacl] (0x4000): GPO not applicable to target per security filtering
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_process_gpo_done] (0x0400): no applicable gpos found after dacl filtering
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_access_done] (0x0400): GPO-based access control successful.
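
The first half of this log, from som_list[0] down to candidate_gpos[1] and the gpo_cse_guids lines, is SSSD reading gPLink and gpOptions on each scope of management and gPCMachineExtensionNames on each GPO; the {827D319E-6EAC-11D2-A4EA-00C04F79F83A} GUID asked about later in the thread appears there as the Security client-side extension, which is the one that carries the logon rights. The following added example, not SSSD's code and not from anyone in this thread, parses both attribute formats and rebuilds the candidate ordering (link options 1 = disabled, 2 = enforced; gpOptions 1 = block inheritance), then keeps only the GPOs carrying the Security CSE. The GPO DNs and CSE GUIDs are the ones from this log; the SOM chain, the extension-name strings and their tool GUIDs are constructed.

```python
import re

GPLINK_DISABLED = 0x1
GPLINK_ENFORCED = 0x2
GPOPTIONS_BLOCK_INHERITANCE = 0x1

# Client-side extension GUIDs that appear in the log above.
CSE_REGISTRY = "{35378EAC-683F-11D2-A89A-00C04FBBCFA2}"
CSE_SECURITY = "{827D319E-6EAC-11D2-A4EA-00C04F79F83A}"
CSE_EFS_RECOVERY = "{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}"

GPLINK_RE = re.compile(r"\[(?:LDAP://)?([^;\]]+);(\d+)\]", re.I)
BRACKET_RE = re.compile(r"\[([^\]]*)\]")
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

def parse_gplink(gplink):
    """gPLink is a concatenation of [LDAP://<gpo-dn>;<options>] entries, the
    first entry having the highest precedence within that SOM. Options:
    1 = link disabled (logged above as "ignored gpo skipped"), 2 = enforced."""
    return [(dn, int(opts)) for dn, opts in GPLINK_RE.findall(gplink or "")]

def candidate_gpos(som_list):
    """som_list: (gpLink, gpOptions) per SOM, most specific first (computer's
    OU, its parents, the domain, the site), the order the
    ad_gpo_site_dn_retrieval_done lines show.

    Returns GPO DNs lowest precedence first, so a later entry overrides an
    earlier one: non-enforced links from the site down to the computer's OU,
    then enforced links from the OU outward (an enforced link on a parent
    beats one on a child). A SOM with block-inheritance set discards the
    non-enforced links of every SOM above it, but not the enforced ones."""
    normal_per_som, enforced_per_som, blocked = [], [], False
    for gplink, gpoptions in som_list:
        normal, enforced = [], []
        for dn, opts in parse_gplink(gplink):
            if opts & GPLINK_DISABLED:
                continue
            (enforced if opts & GPLINK_ENFORCED else normal).append(dn)
        normal_per_som.append([] if blocked else normal)
        enforced_per_som.append(enforced)
        if gpoptions & GPOPTIONS_BLOCK_INHERITANCE:
            blocked = True
    ordered = []
    for links in reversed(normal_per_som):    # site first, computer's OU last
        ordered.extend(reversed(links))       # link index 0 is applied last
    for links in enforced_per_som:            # computer's OU first, site last
        ordered.extend(reversed(links))
    return ordered

def parse_machine_ext_names(value):
    """gPCMachineExtensionNames is a run of [{cse-guid}{tool-guid}...] groups;
    the first GUID of each group is the CSE, the rest are the snap-ins that
    wrote settings for it."""
    cses = []
    for group in BRACKET_RE.findall(value or ""):
        guids = GUID_RE.findall(group)
        if guids:
            cses.append(guids[0].upper())
    return cses

def filter_by_cse(ordered_dns, ext_names, cse=CSE_SECURITY):
    """Keep, in order, the GPOs whose machine extension list carries the CSE
    being evaluated; for logon rights that is the Security CSE."""
    return [dn for dn in ordered_dns
            if cse in parse_machine_ext_names(ext_names.get(dn, ""))]

DOMAIN = "DC=mydomain,DC=com"
DEFAULT_DOMAIN_POLICY = "CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System," + DOMAIN
DENY_LOGON_GPO = "cn={D49E3752-2ECB-42F6-A418-2AE1F3092929},cn=policies,cn=system," + DOMAIN
OTHER_GPO = "cn={691A69C9-FEF3-4A42-8129-64E8741F9D2C},cn=policies,cn=system," + DOMAIN

# Constructed SOM chain matching the log: enforced link on OU=Linux, disabled
# link on OU=Servers, the default policy on the domain, nothing on the site.
SOM_LIST = [
    ("[LDAP://%s;2]" % DENY_LOGON_GPO, 0),         # OU=Linux,OU=Servers
    ("[LDAP://%s;1]" % OTHER_GPO, 0),              # OU=Servers
    ("[LDAP://%s;0]" % DEFAULT_DOMAIN_POLICY, 0),  # domain
    ("", 0),                                       # site
]
# Constructed gPCMachineExtensionNames values; the tool GUIDs are placeholders.
EXT_NAMES = {
    DEFAULT_DOMAIN_POLICY: "[%s{D02B1F72-3407-48AE-BA88-E8213C6761F1}]"
                           "[%s{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}]"
                           "[%s{53D6AB1D-2488-11D1-A28C-00C04FB94F17}]"
                           % (CSE_REGISTRY, CSE_SECURITY, CSE_EFS_RECOVERY),
    DENY_LOGON_GPO: "[%s{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}]" % CSE_SECURITY,
    OTHER_GPO: "[%s{D02B1F72-3407-48AE-BA88-E8213C6761F1}]" % CSE_REGISTRY,
}

if __name__ == "__main__":
    order = candidate_gpos(SOM_LIST)
    print("candidates:", order)
    print("with security CSE:", filter_by_cse(order, EXT_NAMES))
```

Run against the constructed chain this yields the same two candidates in the same order as the log (default domain policy first, the enforced OU policy last), and both survive the CSE filter because both carry the Security extension; a GPO that only sets registry-based settings would be dropped at that point before any DACL or SYSVOL work is done for it.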
Koen de Boeve
23 Jan 2015 21:57
Hi Jacub,

Hi Koen, I don't have a complete answer, but I'll try to help and maybe we can work out some details. First, do you have an actual AD server around to test with? In the past we've seen bugs with Samba that didn't occur with AD and I'm not sure if anyone tried the GPO integration with Samba.. The SSSD version you're running is pretty recent, the only GPO-related bug after the 1.12.3 release was https://fedorahosted.org/sssd/ticket/2543
Pretty sure it has nothing to do with unresolvable LDAP uri :-)

I don't have a Windows AD, but I can definitely try to set up one on our test environment.

But that s gonna take some time.

I would advice against enumerate=True in large environments.
We dont have a large environment, and I put it there, on purpose, to see if it worked :-)
Once I have everything working as it should I will revise the settings before I deploy it on all our linux machines.
You can drop ldap_schema=ad, it's already the default for id_provider=ad
OK good to know, thanks for that !

Can you confirm that the GUIDs of the GPOs SSSD downloads correspond to
those you defined on the sever side?

[root@pdc Policies]# ls
{31B2F340-016D-11D2-945F-00C04FB984F9}  - This is the Default Policy ( empty )
{691A69C9-FEF3-4A42-8129-64E8741F9D2C}  - Other Policy, not for this OU
{6AC1786C-016F-11D2-945F-00C04FB984F9}  - Same
{D49E3752-2ECB-42F6-A418-2AE1F3092929}  - This is the Policy containing the deny rules for user Testuser (Deny log on locally and Deny log on through Remote Desktop )
{E55C6360-FBC1-485A-8EFF-A7D9392514D2} - Other Policy, not for this OU
Note that func_versions is 2 and flags is 0, same for the other GPO.
What does that mean? :-)
OK, access was denied but since both the flags and the func_version were
value we expect, I presume the code made it all the way to
ad_gpo_evaluate_ace() where the GPO is really evaluated. Unfortunately
there's not much logging there. I wonder if the GUIDs are correct? If
so, we can proceed with debugging, maybe with some instrumented build..

There is one SID I cant figure out: [ad_gpo_parse_machine_ext_names] (0x4000): gpo_cse_guids[0] is {827D319E-6EAC-11D2-A4EA-00C04F79F83A} 
btw did you also try the other way around, only allow access? 
Yes, same issue

Regards and thanks for the help!, Koen
Jakub Hrozek
23 Jan 2015 21:03
On Fri, Jan 23, 2015 at 04:10:12PM +0100, Koen de Boeve wrote:
Hi all,

I am having issues getting remote and local GPO restrictions to work

I am using:

- 2 Samba 4.1.16  PDC's on CentOS 6.5 64bit
- 1 CentOS 7 installation with sssd 1.12.3. as testclient.

other GPO's are working fine for windows machines.

Authentication against the Samba4 Domain on the testclient with sssd is
working fine too.
I am now trying to use a Group Policy to deny access for 'testuser' for both
local login as well as remote login ( ssh and xrdp )

This is not working at all.

I created a GPO which I linked to OU=Linux,OU=Servers,DC=mydomain,DC=com
in there, I have one machine, called ITCOPY.
the GPO sets Deny Logon and Deny Remote Desktop access for MYDOMAIN\testuser

The GPO is set to be Enforced and the Security target is Authenticated
Users.

as you can see, I set access_control back to permissive, so I should see
some indication that the GPO is working in the log file.

Any help would be much appreciated!

Regards, Koen

Hi Koen,

I don't have a complete answer, but I'll try to help and maybe we can
work out some details. 

First, do you have an actual AD server around to test with? In the past
we've seen bugs with Samba that didn't occur with AD and I'm not sure if
anyone tried the GPO integration with Samba..

The SSSD version you're running is pretty recent, the only GPO-related
bug after the 1.12.3 release was
https://fedorahosted.org/sssd/ticket/2543

My sssd conf:
# =========================================
[sssd]
domains = mydomain.com
config_file_version = 2
services = nss, pam

[domain/mydomain.com]
ad_domain = mydomain.com
ad_server = pdc.mydomain.com
krb5_realm = mydomain.com
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = False
use_fully_qualified_names = False
fallback_homedir = /home/%u
debug_level = 9

enumerate = True

I would advise against enumerate=True in large environments.

access_provider = ad
#ad_access_filter = (&(memberOf=CN=linuxadmin,CN=Users,DC=mydomain,DC=com)(unixHomeDirectory=*))
id_provider = ad
auth_provider = ad
chpass_provider = ad
ad_gpo_access_control = permissive

ldap_schema = ad

You can drop ldap_schema=ad, it's already the default for id_provider=ad

dyndns_update = true
dyndns_refresh_interval = 43200
dyndns_update_ptr = true
dyndns_ttl = 3600

ad_gpo_map_remote_interactive = +xrdp-sesman
# =====================================

This is part of the sssd log file:

(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_access_send]
(0x0400): service sshd maps to Remote Interactive
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_access_send]
(0x4000): server_hostname from uri: pdc.mydomain.com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_connect_done]
(0x0400): sam_account_name is ITCOPY$
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_site_dn_retrieval_done] (0x0400): som_list[0]->som_dn is
OU=Linux,OU=Servers,DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_site_dn_retrieval_done] (0x0400): som_list[1]->som_dn is
OU=Servers,DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_site_dn_retrieval_done] (0x0400): som_list[2]->som_dn is
DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_site_dn_retrieval_done] (0x0400): som_list[3]->som_dn is
cn=Default-First-Site-Name,cn=Sites,CN=Configuration,DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_get_som_attrs_done] (0x4000): gpoptions attr not found or has no
value; defaults to 0
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_populate_gplink_list] (0x0400): som_dn:
OU=Linux,OU=Servers,DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_populate_gplink_list] (0x4000): gplink_list[0]: [cn={D49E3752-2ECB-42F6-A418-2AE1F3092929},cn=policies,cn=system,DC=mydomain,DC=com;
2]
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_get_som_attrs_done] (0x4000): gpoptions attr not found or has no
value; defaults to 0
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_populate_gplink_list] (0x0400): som_dn:
OU=Servers,DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_populate_gplink_list] (0x4000): gplink_list[0]: [cn={691A69C9-FEF3-4A42-8129-64E8741F9D2C},cn=policies,cn=system,DC=mydomain,DC=com;
1]
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_populate_gplink_list] (0x4000): ignored gpo skipped
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_get_som_attrs_done] (0x4000): gpoptions attr not found or has no
value; defaults to 0
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_populate_gplink_list] (0x0400): som_dn: DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_populate_gplink_list] (0x4000): gplink_list[0]: [CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=mydomain,DC=com;
0]
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_get_som_attrs_done] (0x0040): no attrs found for SOM; try next SOM
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_populate_candidate_gpos] (0x0400): candidate_gpos[0]->gpo_dn: CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_populate_candidate_gpos] (0x0400): candidate_gpos[1]->gpo_dn: cn={D49E3752-2ECB-42F6-A418-2AE1F3092929},cn=policies,cn=system,DC=mydomain,DC=com

Can you confirm that the GUIDs of the GPOs SSSD downloads correspond to
those you defined on the server side?

(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_get_gpo_attrs_done] (0x4000): populating attrs for gpo_guid:
{31B2F340-016D-11D2-945F-00C04FB984F9}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_extract_smb_components] (0x4000): input_path: \\mydomain.com\sysvol\mydomain.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_get_gpo_attrs_done] (0x4000): smb_server: smb://pdc.mydomain.com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_get_gpo_attrs_done] (0x4000): smb_share: /sysvol
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_get_gpo_attrs_done] (0x4000): smb_path:
/mydomain.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_get_gpo_attrs_done] (0x4000): gpo_func_version: 2
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_get_gpo_attrs_done] (0x4000): gpo_flags: 0
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_parse_machine_ext_names] (0x4000): num_gpo_cse_guids: 3
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_parse_machine_ext_names] (0x4000): gpo_cse_guids[0] is
{35378EAC-683F-11D2-A89A-00C04FBBCFA2}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_parse_machine_ext_names] (0x4000): gpo_cse_guids[1] is
{827D319E-6EAC-11D2-A4EA-00C04F79F83A}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_parse_machine_ext_names] (0x4000): gpo_cse_guids[2] is
{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_get_gpo_attrs_done] (0x4000): populating attrs for gpo_guid:
{D49E3752-2ECB-42F6-A418-2AE1F3092929}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_extract_smb_components] (0x4000): input_path: \\mydomain.com\SysVol\mydomain.com\Policies\{D49E3752-2ECB-42F6-A418-2AE1F3092929}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_get_gpo_attrs_done] (0x4000): smb_server: smb://pdc.mydomain.com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_get_gpo_attrs_done] (0x4000): smb_share: /SysVol
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_get_gpo_attrs_done] (0x4000): smb_path:
/mydomain.com/Policies/{D49E3752-2ECB-42F6-A418-2AE1F3092929}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_get_gpo_attrs_done] (0x4000): gpo_func_version: 2
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_get_gpo_attrs_done] (0x4000): gpo_flags: 0

Note that func_version is 2 and flags is 0, same for the other GPO.

(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_parse_machine_ext_names] (0x4000): num_gpo_cse_guids: 1
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_parse_machine_ext_names] (0x4000): gpo_cse_guids[0] is
{827D319E-6EAC-11D2-A4EA-00C04F79F83A}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_filter_gpos_by_dacl] (0x4000): examining dacl
candidate_gpo_guid:{31B2F340-016D-11D2-945F-00C04FB984F9}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_filter_gpos_by_dacl] (0x4000): GPO not applicable to target per
security filtering
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_filter_gpos_by_dacl] (0x4000): examining dacl
candidate_gpo_guid:{D49E3752-2ECB-42F6-A418-2AE1F3092929}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_filter_gpos_by_dacl] (0x4000): GPO not applicable to target per
security filtering

OK, access was denied, but since both the flags and the func_version were
the values we expect, I presume the code made it all the way to
ad_gpo_evaluate_ace() where the GPO is really evaluated. Unfortunately
there's not much logging there. I wonder if the GUIDs are correct? If
so, we can proceed with debugging, maybe with some instrumented build..

BTW, did you also try the other way around, only allowing access?
_______________________________________________
sssd-users mailing list
sssd-users@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
Koen de Boeve
23 Jan 2015 16:10
Hi all,

I am having issues getting remote and local GPO restrictions to work

I am using:

- 2 Samba 4.1.16 PDCs on CentOS 6.5 64-bit
- 1 CentOS 7 installation with sssd 1.12.3 as test client.

Other GPOs are working fine for Windows machines.

Authentication against the Samba4 Domain on the testclient with sssd is working fine too.
I am now trying to use a Group Policy to deny access for 'testuser' for both local login as well as remote login (ssh and xrdp).

This is not working at all.

I created a GPO which I linked to OU=Linux,OU=Servers,DC=mydomain,DC=com
In there, I have one machine, called ITCOPY.
The GPO sets Deny Logon and Deny Remote Desktop access for MYDOMAIN\testuser.

The GPO is set to be Enforced and the Security target is Authenticated Users.

As you can see, I set access_control back to permissive, so I should see some indication that the GPO is working in the log file.

Any help would be much appreciated!

Regards, Koen


My sssd conf:
# =========================================
[sssd]
domains = mydomain.com
config_file_version = 2
services = nss, pam

[domain/mydomain.com]
ad_domain = mydomain.com
ad_server = pdc.mydomain.com
krb5_realm = mydomain.com
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = False
use_fully_qualified_names = False
fallback_homedir = /home/%u
debug_level = 9

enumerate = True

access_provider = ad
#ad_access_filter = (&(memberOf=CN=linuxadmin,CN=Users,DC=mydomain,DC=com)(unixHomeDirectory=*))
id_provider = ad
auth_provider = ad
chpass_provider = ad
ad_gpo_access_control = permissive

ldap_schema = ad

dyndns_update = true
dyndns_refresh_interval = 43200
dyndns_update_ptr = true
dyndns_ttl = 3600

ad_gpo_map_remote_interactive = +xrdp-sesman
# =====================================

This is part of the sssd log file:

(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_access_send] (0x0400): service sshd maps to Remote Interactive
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_access_send] (0x4000): server_hostname from uri: pdc.mydomain.com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_connect_done] (0x0400): sam_account_name is ITCOPY$
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_site_dn_retrieval_done] (0x0400): som_list[0]->som_dn is OU=Linux,OU=Servers,DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_site_dn_retrieval_done] (0x0400): som_list[1]->som_dn is OU=Servers,DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_site_dn_retrieval_done] (0x0400): som_list[2]->som_dn is DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_site_dn_retrieval_done] (0x0400): som_list[3]->som_dn is cn=Default-First-Site-Name,cn=Sites,CN=Configuration,DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_som_attrs_done] (0x4000): gpoptions attr not found or has no value; defaults to 0
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_gplink_list] (0x0400): som_dn: OU=Linux,OU=Servers,DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_gplink_list] (0x4000): gplink_list[0]: [cn={D49E3752-2ECB-42F6-A418-2AE1F3092929},cn=policies,cn=system,DC=mydomain,DC=com; 2]
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_som_attrs_done] (0x4000): gpoptions attr not found or has no value; defaults to 0
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_gplink_list] (0x0400): som_dn: OU=Servers,DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_gplink_list] (0x4000): gplink_list[0]: [cn={691A69C9-FEF3-4A42-8129-64E8741F9D2C},cn=policies,cn=system,DC=mydomain,DC=com; 1]
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_gplink_list] (0x4000): ignored gpo skipped
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_som_attrs_done] (0x4000): gpoptions attr not found or has no value; defaults to 0
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_gplink_list] (0x0400): som_dn: DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_gplink_list] (0x4000): gplink_list[0]: [CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=mydomain,DC=com; 0]
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_som_attrs_done] (0x0040): no attrs found for SOM; try next SOM
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_candidate_gpos] (0x0400): candidate_gpos[0]->gpo_dn: CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_candidate_gpos] (0x0400): candidate_gpos[1]->gpo_dn: cn={D49E3752-2ECB-42F6-A418-2AE1F3092929},cn=policies,cn=system,DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): populating attrs for gpo_guid: {31B2F340-016D-11D2-945F-00C04FB984F9}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_extract_smb_components] (0x4000): input_path: \\mydomain.com\sysvol\mydomain.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): smb_server: smb://pdc.mydomain.com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): smb_share: /sysvol
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): smb_path: /mydomain.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): gpo_func_version: 2
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): gpo_flags: 0
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_parse_machine_ext_names] (0x4000): num_gpo_cse_guids: 3
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_parse_machine_ext_names] (0x4000): gpo_cse_guids[0] is {35378EAC-683F-11D2-A89A-00C04FBBCFA2}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_parse_machine_ext_names] (0x4000): gpo_cse_guids[1] is {827D319E-6EAC-11D2-A4EA-00C04F79F83A}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_parse_machine_ext_names] (0x4000): gpo_cse_guids[2] is {B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): populating attrs for gpo_guid: {D49E3752-2ECB-42F6-A418-2AE1F3092929}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_extract_smb_components] (0x4000): input_path: \\mydomain.com\SysVol\mydomain.com\Policies\{D49E3752-2ECB-42F6-A418-2AE1F3092929}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): smb_server: smb://pdc.mydomain.com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): smb_share: /SysVol
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): smb_path: /mydomain.com/Policies/{D49E3752-2ECB-42F6-A418-2AE1F3092929}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): gpo_func_version: 2
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): gpo_flags: 0
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_parse_machine_ext_names] (0x4000): num_gpo_cse_guids: 1
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_parse_machine_ext_names] (0x4000): gpo_cse_guids[0] is {827D319E-6EAC-11D2-A4EA-00C04F79F83A}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_filter_gpos_by_dacl] (0x4000): examining dacl candidate_gpo_guid:{31B2F340-016D-11D2-945F-00C04FB984F9}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_filter_gpos_by_dacl] (0x4000): GPO not applicable to target per security filtering
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_filter_gpos_by_dacl] (0x4000): examining dacl candidate_gpo_guid:{D49E3752-2ECB-42F6-A418-2AE1F3092929}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_filter_gpos_by_dacl] (0x4000): GPO not applicable to target per security filtering
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_process_gpo_done] (0x0400): no applicable gpos found after dacl filtering
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_access_done] (0x0400): GPO-based access control successful.
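The debug log above walks through every stage of SSSD's GPO access control: the SOM (scope of management) chain for the machine account, the gPLink entries on each SOM with their option number (the "; 2]" on the OU=Linux link is the enforced bit, the "; 1]" on the OU=Servers link is the disabled bit that produces "ignored gpo skipped"), the per-GPO functionality version and flags that Jakub's reply checks, the client-side extension GUIDs, and finally DACL security filtering. The script below is an added example for readers of this thread; it is not SSSD code and not something posted in the thread. It reconstructs those decisions from a log excerpt (constructed here by condensing the lines Koen posted) so that the same question Jakub asks, whether the GUIDs and link states SSSD sees match what was configured, can be answered at a glance. The gPLink option bits and the GPO flag bits are taken from MS-GPOL; the `summarize_gpo_log`, `parse_gplink`, `link_state` and `machine_settings_usable` names are this example's own.

```python
"""Added example (not SSSD code): rebuild SSSD's GPO decisions from its debug log.
gPLink option bits and GPO flag bits follow MS-GPOL; the log format is the one
sssd_<domain>.log uses at debug_level 9, as posted in the thread."""
import re

GPLINK_DISABLED = 0x1        # link disabled: SSSD logs "ignored gpo skipped"
GPLINK_ENFORCED = 0x2        # link enforced: the "; 2]" on the OU=Linux link
GPO_FLAG_USER_DISABLED = 0x1
GPO_FLAG_MACHINE_DISABLED = 0x2
REQUIRED_FUNC_VERSION = 2    # gPCFunctionalityVersion SSSD expects

# Constructed log excerpt, condensed from the lines posted in the thread.
LOG = """\
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_site_dn_retrieval_done] (0x0400): som_list[0]->som_dn is OU=Linux,OU=Servers,DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_site_dn_retrieval_done] (0x0400): som_list[1]->som_dn is OU=Servers,DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_gplink_list] (0x0400): som_dn: OU=Linux,OU=Servers,DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_gplink_list] (0x4000): gplink_list[0]: [cn={D49E3752-2ECB-42F6-A418-2AE1F3092929},cn=policies,cn=system,DC=mydomain,DC=com; 2]
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_gplink_list] (0x0400): som_dn: OU=Servers,DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_gplink_list] (0x4000): gplink_list[0]: [cn={691A69C9-FEF3-4A42-8129-64E8741F9D2C},cn=policies,cn=system,DC=mydomain,DC=com; 1]
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_gplink_list] (0x4000): ignored gpo skipped
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_gplink_list] (0x0400): som_dn: DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_gplink_list] (0x4000): gplink_list[0]: [CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=mydomain,DC=com; 0]
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): populating attrs for gpo_guid: {31B2F340-016D-11D2-945F-00C04FB984F9}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): gpo_func_version: 2
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): gpo_flags: 0
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_parse_machine_ext_names] (0x4000): gpo_cse_guids[0] is {35378EAC-683F-11D2-A89A-00C04FBBCFA2}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): populating attrs for gpo_guid: {D49E3752-2ECB-42F6-A418-2AE1F3092929}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): gpo_func_version: 2
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): gpo_flags: 0
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_parse_machine_ext_names] (0x4000): gpo_cse_guids[0] is {827D319E-6EAC-11D2-A4EA-00C04F79F83A}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_filter_gpos_by_dacl] (0x4000): examining dacl candidate_gpo_guid:{31B2F340-016D-11D2-945F-00C04FB984F9}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_filter_gpos_by_dacl] (0x4000): GPO not applicable to target per security filtering
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_filter_gpos_by_dacl] (0x4000): examining dacl candidate_gpo_guid:{D49E3752-2ECB-42F6-A418-2AE1F3092929}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_filter_gpos_by_dacl] (0x4000): GPO not applicable to target per security filtering
"""

LINE_RE = re.compile(r'\[(\w+)\] \((0x[0-9a-fA-F]+)\): (.*)$')
GPLINK_RE = re.compile(r'\[(?:LDAP://)?([^;\]]+);\s*(\d+)\]', re.I)


def parse_gplink(value):
    """Split a gPLink value ('[LDAP://dn;opts][...]' as stored in AD, or the
    prefix-less form SSSD logs) into (dn, options) pairs in link order."""
    return [(dn.strip(), int(opts)) for dn, opts in GPLINK_RE.findall(value)]


def link_state(options):
    """Meaning of the gPLink option bits; a disabled link is never applied."""
    if options & GPLINK_DISABLED:
        return "disabled"
    return "enforced" if options & GPLINK_ENFORCED else "linked"


def machine_settings_usable(func_version, flags):
    """The two checks the thread points at before DACL evaluation: functionality
    version must be 2 and the computer half of the GPO must not be disabled."""
    if func_version != REQUIRED_FUNC_VERSION:
        return False, "unsupported gPCFunctionalityVersion %r" % func_version
    if flags & GPO_FLAG_MACHINE_DISABLED:
        return False, "computer configuration disabled (flags=0x%x)" % flags
    return True, "ok"


def _new_gpo():
    return {"func_version": None, "flags": None, "cse_guids": [], "dacl": None}


def summarize_gpo_log(text):
    """Walk the debug log and rebuild what SSSD decided at each stage."""
    soms, links, gpos, cur_som, cur_guid = [], [], {}, None, None
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        func, _level, msg = m.groups()
        if func == "ad_gpo_site_dn_retrieval_done":
            soms.append(msg.split(" is ", 1)[1])
        elif func == "ad_gpo_populate_gplink_list":
            if msg.startswith("som_dn: "):
                cur_som = msg[len("som_dn: "):]
            elif msg.startswith("gplink_list["):
                links += [(cur_som, dn, link_state(o)) for dn, o in parse_gplink(msg)]
        elif func == "ad_gpo_get_gpo_attrs_done":
            if msg.startswith("populating attrs for gpo_guid: "):
                cur_guid = msg.rsplit(" ", 1)[1]
                gpos[cur_guid] = _new_gpo()
            elif msg.startswith("gpo_func_version: "):
                gpos[cur_guid]["func_version"] = int(msg.split(": ")[1])
            elif msg.startswith("gpo_flags: "):
                gpos[cur_guid]["flags"] = int(msg.split(": ")[1])
        elif func == "ad_gpo_parse_machine_ext_names" and "gpo_cse_guids[" in msg:
            gpos[cur_guid]["cse_guids"].append(msg.rsplit(" ", 1)[1])
        elif func == "ad_gpo_filter_gpos_by_dacl":
            if msg.startswith("examining dacl"):
                cur_guid = msg.split(":", 1)[1].strip()
                gpos.setdefault(cur_guid, _new_gpo())
            elif msg.startswith("GPO "):
                gpos[cur_guid]["dacl"] = "applicable" if msg.startswith("GPO applicable") else "not applicable"
    for g in gpos.values():
        g["machine_usable"] = machine_settings_usable(g["func_version"], g["flags"])
    applicable = [guid for guid, g in gpos.items() if g["dacl"] == "applicable"]
    return {"soms": soms, "links": links, "gpos": gpos, "applicable": applicable}


if __name__ == "__main__":
    s = summarize_gpo_log(LOG)
    for som, dn, state in s["links"]:
        print("%-40s -> %s [%s]" % (som, dn, state))
    for guid, g in s["gpos"].items():
        print(guid, g["machine_usable"], "dacl:", g["dacl"], "CSEs:", g["cse_guids"])
    print("applicable after DACL filtering:", s["applicable"] or "none")
```

Run against the excerpt, the summary shows the OU=Linux link as enforced and the OU=Servers link as disabled, both GPOs passing the version and flags checks, and an empty applicable list, which is exactly the state Jakub describes: everything up to `ad_gpo_evaluate_ace()` looks right, so the remaining question is the DACL on the GPO objects as seen by the ITCOPY$ machine account. Point `summarize_gpo_log` at a full `sssd_<domain>.log` to get the same summary for a live system.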