On (23/02/17 14:23), Max DiOrio wrote:
> So I have some RHEL 7.3 virtual machines that were on Red Hat IdM/IPA
> domain. I cloned them, renamed them, new IPs etc., and uninstalled the IPA
> client successfully.
>
> I then joined them to our AD domain using realm join like I have other
> machines. I matched settings in sssd.conf and nsswitch.conf and I can
> kinit and id users without any issues.
>
> My problem is that nobody can log in using their AD credentials because
> access is based on GPO and for some reason this server isn't able to get
> the GPO:
>
> (Thu Feb 23 14:15:23 2017) [sssd[be[internal.ieeeglobalspec.com]]]
> [ad_gpo_access_send] (0x0400): service sshd maps to Remote Interactive
> (Thu Feb 23 14:15:23 2017) [sssd[be[internal.ieeeglobalspec.com]]]
> [ad_gpo_connect_done] (0x4000): server_hostname from uri:
> la-2pdom02.internal.ieeeglobalspec.com
> (Thu Feb 23 14:15:23 2017) [sssd[be[internal.ieeeglobalspec.com]]]
> [ad_gpo_connect_done] (0x0400): sam_account_name is LA-1QGLSESGAP01$
> (Thu Feb 23 14:15:23 2017) [sssd[be[internal.ieeeglobalspec.com]]]
> [ad_gpo_site_name_retrieval_done] (0x0040): Cannot retrieve master domain
> info
> (Thu Feb 23 14:15:23 2017) [sssd[be[internal.ieeeglobalspec.com]]]
> [ad_gpo_process_som_done] (0x0040): Unable to get som list: [2](No such
> file or directory)
> (Thu Feb 23 14:15:23 2017) [sssd[be[internal.ieeeglobalspec.com]]]
> [ad_gpo_access_done] (0x0040): GPO-based access control failed.
>
>
> Server is in an OU that is covered by my access policy GPO. GP Modeling
> shows that the correct policy would apply.
>
Could you provide log files with a higher debug level (7 should be enough)?
Level 9 would be better.
Thanks
> Please provide domain log file and gpo_child.log
>
> LS
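
Added example, not part of the original messages: a small Python triage script that reassembles mail-wrapped SSSD debug lines like the ones quoted above, decodes each entry's bitmask into the numeric debug_level it belongs to (mapping as documented in sssd.conf(5)), and lists the failure-level entries. The sample log is constructed; `ad.example.test` and `dc01` are placeholder names.

```python
import re

# Bitmask -> numeric debug_level, per sssd.conf(5). Levels 0-3 are failures.
MASK_TO_LEVEL = {0x0010: 0, 0x0020: 1, 0x0040: 2, 0x0080: 3, 0x0100: 4,
                 0x0200: 5, 0x0400: 6, 0x1000: 7, 0x2000: 8, 0x4000: 9}

START = re.compile(r"\(\w{3} \w{3} +\d")  # "(Thu Feb 23 ..." opens an entry
ENTRY = re.compile(r"\((?P<ts>[^)]+)\) \[(?P<proc>sssd\S*)\] "
                   r"\[(?P<func>\w+)\] \((?P<mask>0x[0-9a-fA-F]+)\): (?P<msg>.*)")

# Constructed sample in the shape of the quoted log, including mail wrapping.
SAMPLE = """\
> (Thu Feb 23 14:15:23 2017) [sssd[be[ad.example.test]]]
> [ad_gpo_access_send] (0x0400): service sshd maps to Remote Interactive
> (Thu Feb 23 14:15:23 2017) [sssd[be[ad.example.test]]]
> [ad_gpo_connect_done] (0x4000): server_hostname from uri:
>
dc01.ad.example.test
> (Thu Feb 23 14:15:23 2017) [sssd[be[ad.example.test]]]
> [ad_gpo_site_name_retrieval_done] (0x0040): Cannot retrieve master domain
> info
> (Thu Feb 23 14:15:23 2017) [sssd[be[ad.example.test]]]
> [ad_gpo_process_som_done] (0x0040): Unable to get som list: [2](No such
> file or directory)
> (Thu Feb 23 14:15:23 2017) [sssd[be[ad.example.test]]]
> [ad_gpo_access_done] (0x0040): GPO-based access control failed.
"""

def parse(text):
    """Strip quote markers, rejoin wrapped lines, return one dict per entry."""
    joined, buf = [], []
    for raw in text.splitlines():
        line = re.sub(r"^(>\s?)+", "", raw).strip()
        if not line:
            continue
        if START.match(line) and buf:
            joined.append(" ".join(buf))
            buf = []
        buf.append(line)
    if buf:
        joined.append(" ".join(buf))
    entries = []
    for m in filter(None, map(ENTRY.match, joined)):
        level = MASK_TO_LEVEL.get(int(m["mask"], 16))  # None if mask unknown
        entries.append({**m.groupdict(), "level": level})
    return entries

def failures(entries):
    """Entries logged at a failure level (debug_level 0 through 3)."""
    return [e for e in entries if e["level"] is not None and e["level"] <= 3]

if __name__ == "__main__":
    for e in failures(parse(SAMPLE)):
        print(f'{e["ts"]} level={e["level"]} {e["func"]}: {e["msg"]}')
```

The highest `level` value among the parsed entries shows the debug_level the log was captured at, which is useful to check before sending logs to the list.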