From your description the setup should work. Can you send full
(sanitized) logs? Mostly the domain and gpo_child logs are interesting
here, but for simplicity you can send all logs:
- stop sssd
- remove cached files in:
  rm -r /var/lib/sss/gpo_cache/*
  rm -r /var/lib/sss/db/*
- set debug_level in the domain section of /etc/sssd/sssd.conf to 10
- reproduce the issue
- send logs from /var/log/sssd/
- if you remove the single computer policy, does the "generic" policy
apply as expected to the affected computer in question?
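The collection steps above as a script (an added example, not code from the reply or from the SSSD project); it assumes the standard SSSD paths and uses example.com as a placeholder for the [domain/...] section name.

```shell
#!/bin/sh
# Added example: scripts the debug-log collection steps from the reply above.
# example.com is an assumed placeholder for the [domain/...] section name.
set -eu

SSSD_CONF=${SSSD_CONF:-/etc/sssd/sssd.conf}
SSSD_DOMAIN=${SSSD_DOMAIN:-example.com}

# Set debug_level in one [domain/NAME] section only, adding it if absent and
# leaving every other section untouched. Usage: set_domain_debug_level CONF DOMAIN LEVEL
set_domain_debug_level() {
    conf=$1; domain=$2; level=$3
    tmp=$(mktemp)
    awk -v sect="[domain/$domain]" -v lvl="$level" '
        { sub(/[[:space:]]+$/, "") }          # ignore trailing whitespace
        $0 == sect { in_sect = 1; seen = 0; print; next }
        /^\[/ && in_sect { if (!seen) print "debug_level = " lvl; in_sect = 0 }
        in_sect && /^[[:space:]]*debug_level[[:space:]]*=/ {
            print "debug_level = " lvl; seen = 1; next
        }
        { print }
        END { if (in_sect && !seen) print "debug_level = " lvl }
    ' "$conf" > "$tmp"
    cat "$tmp" > "$conf"      # overwrite in place so ownership is preserved
    rm -f "$tmp"
    chmod 0600 "$conf"        # sssd refuses to start if sssd.conf is readable by others
}

# The full procedure from the reply: stop, clear caches, raise verbosity, reproduce,
# bundle /var/log/sssd, then drop verbosity again. Needs root.
collect_gpo_debug_logs() {
    systemctl stop sssd
    # Clearing db/ also discards cached credentials: offline logins will fail
    # until the next successful online authentication.
    rm -rf /var/lib/sss/gpo_cache/* /var/lib/sss/db/*
    set_domain_debug_level "$SSSD_CONF" "$SSSD_DOMAIN" 10
    systemctl start sssd
    printf 'Reproduce the failing login now, then press Enter: '; read -r _
    tarball="/tmp/sssd-gpo-logs-$(date +%Y%m%d%H%M%S).tar.gz"
    tar czf "$tarball" /var/log/sssd
    set_domain_debug_level "$SSSD_CONF" "$SSSD_DOMAIN" 0
    systemctl restart sssd
    echo "$tarball"           # sanitize hostnames and SIDs before sending it to the list
}

# Only run the privileged procedure when explicitly asked for.
if [ "${1:-}" = "--run" ]; then collect_gpo_debug_logs; fi
```

Run it as root with `--run`; debug_level 10 is very verbose, so the script lowers it again after the logs are bundled.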
On 05/25/2018 08:58 PM, Max DiOrio wrote:
So it seems that I’m having an issue with GPO processing. I have an OU
(Servers/Infrastructure) that contains a few servers. In this OU, I have a few GPOs.
One is “generic” and should apply to every server in this OU; it allows Remote
Interactive Login and Logon Locally to Domain Admins.
I also have a GPO that applies to a specific server in this OU that grants access to a
service account to log on to terminal services and log on as a service. For this GPO, I
have a security filter to the specific computer object it is supposed to apply to, and I
think this is the root of my issue.
The GPOs are listed:
1) Infrastructure servers Access Control (that should apply to them all)
2) Single Computer policy for service account
When looking at the sssd_domain logs, I can see that it’s processing both GPOs, but only
adding the account from policy 2 to the ad_gpo_access_check, meaning domain admins can’t
log in to either server; only the service account can, to both of them.
So we have multiple issues:
1) It’s not combining the GPO access policies, but only taking the last one found
2) It’s not abiding by the Security Filtering on the GPO
So in my case, how would I go about making this work? Would I need a separate GPO for
each server I want to apply individual rights to and explicitly include the domain admins
group in it, then using delegation allow the single computer read and deny read of every
Seems like this also means you can’t do GPO inheritance if it only takes the last found
GPO and ignores the settings configured in previous GPOs it checked.
sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org