Well, it seems that after letting the machines sit all night I was able to log in fine this morning. On one machine sudo is working fine, on the other it's not. Had to restart sssd on the non-working one and everything is back to normal.

gpo_child.log absolutely wouldn't populate yesterday after I joined to the domain and the gpo_cache was empty until this morning.

On Fri, Feb 24, 2017 at 6:49 AM, Michal Židek <mzidek@redhat.com> wrote:

> On 02/24/2017 12:44 PM, Lukas Slebodnik wrote:
>> On (23/02/17 14:23), Max DiOrio wrote:
>>> So I have some RHEL 7.3 virtual machines that were on Redhat IDM/IPA
>>> domain. I cloned them, renamed them, new IPs etc., and uninstalled the IPA
>>> client successfully.
>>>
>>> I then joined them to our AD domain using realm join like I have other
>>> machines. I matched settings in sssd.conf and nsswitch.conf and I can
>>> kinit and id users without any issues.
>>>
>>> My problem is that nobody can log in using their AD credentials because
>>> access is based on GPO and for some reason this server isn't able to get
>>> the GPO:
>>>
>>> (Thu Feb 23 14:15:23 2017) [sssd[be[internal.ieeeglobalspec.com]]] [ad_gpo_access_send] (0x0400): service sshd maps to Remote Interactive
>>> (Thu Feb 23 14:15:23 2017) [sssd[be[internal.ieeeglobalspec.com]]] [ad_gpo_connect_done] (0x4000): server_hostname from uri:
>>> (Thu Feb 23 14:15:23 2017) [sssd[be[internal.ieeeglobalspec.com]]] [ad_gpo_connect_done] (0x0400): sam_account_name is LA-1QGLSESGAP01$
>>> (Thu Feb 23 14:15:23 2017) [sssd[be[internal.ieeeglobalspec.com]]] [ad_gpo_site_name_retrieval_done] (0x0040): Cannot retrieve master domain
>>> (Thu Feb 23 14:15:23 2017) [sssd[be[internal.ieeeglobalspec.com]]] [ad_gpo_process_som_done] (0x0040): Unable to get som list: [2](No such file or directory)
>>> (Thu Feb 23 14:15:23 2017) [sssd[be[internal.ieeeglobalspec.com]]] [ad_gpo_access_done] (0x0040): GPO-based access control failed.
>>>
>>> Server is in an OU that is covered by my access policy GPO. GP Modeling
>>> shows that the correct policy would apply.
>>
>> Could you provide log files with a higher debug level (7 should be enough)?
>
> Level 9 would be better.
>
> Please provide domain log file and gpo_child.log

sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
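As an added example (not code from the thread or from the SSSD project), the following Python triages an SSSD domain log of the kind quoted above: it parses each `(timestamp) [sssd[be[domain]]] [function] (0xLEVEL): message` line, keeps the `ad_gpo_*` entries logged at a failure level, and names the earliest failing step, which here is the site-name/master-domain lookup rather than the final "GPO-based access control failed" line. The level bit values are SSSD's debug categories; the log lines and the `ad.example.com` domain are constructed for the example.

```python
import re
from dataclasses import dataclass

# SSSD debug-category bits (sssd debug.h). A message tagged with one of these
# describes a failure; 0x0400/0x4000 lines are trace output and can be ignored
# when looking for the root cause.
SSSDBG_FATAL_FAILURE = 0x0010
SSSDBG_CRIT_FAILURE = 0x0020
SSSDBG_OP_FAILURE = 0x0040
SSSDBG_MINOR_FAILURE = 0x0080
FAILURE_MASK = (SSSDBG_FATAL_FAILURE | SSSDBG_CRIT_FAILURE
                | SSSDBG_OP_FAILURE | SSSDBG_MINOR_FAILURE)

# Matches the backend (sssd_<domain>.log) line layout shown in the thread.
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[be\[(?P<domain>[^\]]+)\]\]\] "
    r"\[(?P<func>[^\]]+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)

@dataclass
class Entry:
    ts: str
    domain: str
    func: str
    level: int
    msg: str

def parse_line(line):
    """Parse one log line; return None for lines that are not SSSD entries."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Entry(m["ts"], m["domain"], m["func"], int(m["level"], 16), m["msg"])

def gpo_failures(lines):
    """Return the ad_gpo_* entries logged at a failure level, in log order."""
    out = []
    for line in lines:
        e = parse_line(line)
        if e and e.func.startswith("ad_gpo_") and (e.level & FAILURE_MASK):
            out.append(e)
    return out

def first_failing_step(lines):
    """Name the earliest failing GPO step: the one to investigate first."""
    fails = gpo_failures(lines)
    return fails[0].func if fails else None

# Constructed sample modelled on the thread's excerpt (hostname/domain invented).
SAMPLE_LOG = """
(Thu Feb 23 14:15:23 2017) [sssd[be[ad.example.com]]] [ad_gpo_access_send] (0x0400): service sshd maps to Remote Interactive
(Thu Feb 23 14:15:23 2017) [sssd[be[ad.example.com]]] [ad_gpo_connect_done] (0x0400): sam_account_name is HOST01$
(Thu Feb 23 14:15:23 2017) [sssd[be[ad.example.com]]] [ad_gpo_site_name_retrieval_done] (0x0040): Cannot retrieve master domain
(Thu Feb 23 14:15:23 2017) [sssd[be[ad.example.com]]] [ad_gpo_process_som_done] (0x0040): Unable to get som list: [2](No such file or directory)
(Thu Feb 23 14:15:23 2017) [sssd[be[ad.example.com]]] [ad_gpo_access_done] (0x0040): GPO-based access control failed.
""".strip().splitlines()

if __name__ == "__main__":
    for e in gpo_failures(SAMPLE_LOG):
        print(f"{e.func}: {e.msg}")
    print("root cause step:", first_failing_step(SAMPLE_LOG))
```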