Hi all,
I am having issues getting remote and local GPO restrictions to work.
I am using:
- 2 Samba 4.1.16 PDC's on CentOS 6.5 64bit
- 1 CentOS 7 installation with sssd 1.12.3 as testclient.
Other GPOs are working fine for Windows machines.
Authentication against the Samba4 Domain on the testclient with sssd is working fine too. I am now trying to use a Group Policy to deny access for 'testuser' for both local login as well as remote login (ssh and xrdp).
This is not working at all.
I created a GPO which I linked to OU=Linux,OU=Servers,DC=mydomain,DC=com. In there, I have one machine, called ITCOPY. The GPO sets Deny Logon and Deny Remote Desktop access for MYDOMAIN\testuser.
The GPO is set to be Enforced and the Security target is Authenticated Users.
As you can see, I set access_control back to permissive, so I should see some indication that the GPO is working in the log file.
Any help would be much appreciated!
Regards, Koen
My sssd conf:
# =========================================
[sssd]
domains = mydomain.com
config_file_version = 2
services = nss, pam

[domain/mydomain.com]
ad_domain = mydomain.com
ad_server = pdc.mydomain.com
krb5_realm = mydomain.com
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = False
use_fully_qualified_names = False
fallback_homedir = /home/%u
debug_level = 9
enumerate = True
access_provider = ad
#ad_access_filter = (&(memberOf=CN=linuxadmin,CN=Users,DC=mydomain,DC=com)(unixHomeDirectory=*))
id_provider = ad
auth_provider = ad
chpass_provider = ad
ad_gpo_access_control = permissive
ldap_schema = ad
dyndns_update = true
dyndns_refresh_interval = 43200
dyndns_update_ptr = true
dyndns_ttl = 3600
ad_gpo_map_remote_interactive = +xrdp-sesman
# =====================================
This is part of the sssd log file:
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_access_send] (0x0400): service sshd maps to Remote Interactive
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_access_send] (0x4000): server_hostname from uri: pdc.mydomain.com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_connect_done] (0x0400): sam_account_name is ITCOPY$
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_site_dn_retrieval_done] (0x0400): som_list[0]->som_dn is OU=Linux,OU=Servers,DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_site_dn_retrieval_done] (0x0400): som_list[1]->som_dn is OU=Servers,DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_site_dn_retrieval_done] (0x0400): som_list[2]->som_dn is DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_site_dn_retrieval_done] (0x0400): som_list[3]->som_dn is cn=Default-First-Site-Name,cn=Sites,CN=Configuration,DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_som_attrs_done] (0x4000): gpoptions attr not found or has no value; defaults to 0
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_gplink_list] (0x0400): som_dn: OU=Linux,OU=Servers,DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_gplink_list] (0x4000): gplink_list[0]: [cn={D49E3752-2ECB-42F6-A418-2AE1F3092929},cn=policies,cn=system,DC=mydomain,DC=com; 2]
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_som_attrs_done] (0x4000): gpoptions attr not found or has no value; defaults to 0
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_gplink_list] (0x0400): som_dn: OU=Servers,DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_gplink_list] (0x4000): gplink_list[0]: [cn={691A69C9-FEF3-4A42-8129-64E8741F9D2C},cn=policies,cn=system,DC=mydomain,DC=com; 1]
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_gplink_list] (0x4000): ignored gpo skipped
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_som_attrs_done] (0x4000): gpoptions attr not found or has no value; defaults to 0
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_gplink_list] (0x0400): som_dn: DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_gplink_list] (0x4000): gplink_list[0]: [CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=mydomain,DC=com; 0]
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_som_attrs_done] (0x0040): no attrs found for SOM; try next SOM
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_candidate_gpos] (0x0400): candidate_gpos[0]->gpo_dn: CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_candidate_gpos] (0x0400): candidate_gpos[1]->gpo_dn: cn={D49E3752-2ECB-42F6-A418-2AE1F3092929},cn=policies,cn=system,DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): populating attrs for gpo_guid: {31B2F340-016D-11D2-945F-00C04FB984F9}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_extract_smb_components] (0x4000): input_path: \\mydomain.com\sysvol\mydomain.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): smb_server: smb://pdc.mydomain.com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): smb_share: /sysvol
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): smb_path: /mydomain.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): gpo_func_version: 2
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): gpo_flags: 0
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_parse_machine_ext_names] (0x4000): num_gpo_cse_guids: 3
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_parse_machine_ext_names] (0x4000): gpo_cse_guids[0] is {35378EAC-683F-11D2-A89A-00C04FBBCFA2}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_parse_machine_ext_names] (0x4000): gpo_cse_guids[1] is {827D319E-6EAC-11D2-A4EA-00C04F79F83A}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_parse_machine_ext_names] (0x4000): gpo_cse_guids[2] is {B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): populating attrs for gpo_guid: {D49E3752-2ECB-42F6-A418-2AE1F3092929}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_extract_smb_components] (0x4000): input_path: \\mydomain.com\SysVol\mydomain.com\Policies\{D49E3752-2ECB-42F6-A418-2AE1F3092929}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): smb_server: smb://pdc.mydomain.com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): smb_share: /SysVol
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): smb_path: /mydomain.com/Policies/{D49E3752-2ECB-42F6-A418-2AE1F3092929}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): gpo_func_version: 2
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): gpo_flags: 0
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_parse_machine_ext_names] (0x4000): num_gpo_cse_guids: 1
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_parse_machine_ext_names] (0x4000): gpo_cse_guids[0] is {827D319E-6EAC-11D2-A4EA-00C04F79F83A}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_filter_gpos_by_dacl] (0x4000): examining dacl candidate_gpo_guid:{31B2F340-016D-11D2-945F-00C04FB984F9}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_filter_gpos_by_dacl] (0x4000): GPO not applicable to target per security filtering
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_filter_gpos_by_dacl] (0x4000): examining dacl candidate_gpo_guid:{D49E3752-2ECB-42F6-A418-2AE1F3092929}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_filter_gpos_by_dacl] (0x4000): GPO not applicable to target per security filtering
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_process_gpo_done] (0x0400): no applicable gpos found after dacl filtering
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_access_done] (0x0400): GPO-based access control successful.
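As an added illustration (not SSSD's code, and not from any message in this thread), here is a Python model of the SOM walk the log records under ad_gpo_site_dn_retrieval_done, ad_gpo_populate_gplink_list and ad_gpo_populate_candidate_gpos. It parses each container's gPLink value, applies the per-link option bits (1 = link disabled, 2 = enforced) and the container's gPOptions bit (1 = block inheritance), and returns the candidate GPOs in application order. The precedence rules follow the documented AD semantics rather than a transcription of SSSD's implementation; the gPLink strings are reconstructed from the gplink_list lines (the raw attribute carries an LDAP:// prefix that the debug output omits), and the site SOM is given no gPLink, matching the "no attrs found for SOM" line for som_list[3].

```python
import re
from dataclasses import dataclass

# gPLink option bits (per link) and the gPOptions bit (per container).
LINK_DISABLED = 0x1       # link ignored; the log reports it as "ignored gpo skipped"
LINK_ENFORCED = 0x2       # "Enforced" in GPMC; survives Block Inheritance below it
BLOCK_INHERITANCE = 0x1   # gPOptions on an OU/domain: drop parents' non-enforced links

# A gPLink value is "[LDAP://<gpo dn>;<options>][LDAP://...;...]".
GPLINK_RE = re.compile(r"\[LDAP://([^;\]]+);(\d+)\]", re.IGNORECASE)


@dataclass
class Som:
    dn: str
    gplink: str = ""     # raw gPLink value, "" when the attribute is absent
    gpoptions: int = 0   # raw gPOptions value, 0 when absent (as the log notes)


@dataclass
class Link:
    gpo_dn: str
    som_dn: str
    enforced: bool


def parse_gplink(gplink):
    """(gpo_dn, options) pairs in string order; the first pair has link order 1,
    i.e. it is the highest-precedence link of that container."""
    return [(dn, int(opts)) for dn, opts in GPLINK_RE.findall(gplink)]


def guid_of(gpo_dn):
    """Pull the {GUID} out of a GPO DN, upper-cased so Samba's lower-case 'cn='
    DNs and Windows' 'CN=' DNs compare equal."""
    m = re.search(r"\{[0-9A-F-]+\}", gpo_dn, re.IGNORECASE)
    return m.group(0).upper() if m else gpo_dn


def candidate_gpos(som_list):
    """som_list is most-specific first (OU, parent OU, ..., domain, site), the
    order som_list[] has in the log.  Returns links in application order:
    on conflicting settings the last link wins."""
    non_enforced = []   # applied first; least-specific container first
    enforced = []       # applied after all non-enforced; most-specific first
    allow_inheritance = True
    for som in som_list:
        plain, enf = [], []
        for gpo_dn, opts in reversed(parse_gplink(som.gplink)):  # lowest precedence first
            if opts & LINK_DISABLED:
                continue
            link = Link(gpo_dn, som.dn, bool(opts & LINK_ENFORCED))
            (enf if link.enforced else plain).append(link)
        if allow_inheritance:
            non_enforced = plain + non_enforced   # a parent's links apply earlier
        enforced = enforced + enf                 # a parent's enforced links apply later
        if som.gpoptions & BLOCK_INHERITANCE:
            allow_inheritance = False             # blocks the containers above this one
    return non_enforced + enforced


# SOMs and gPLink values reconstructed from the log above (the Samba domain).
THREAD_SOMS = [
    Som("OU=Linux,OU=Servers,DC=mydomain,DC=com",
        "[LDAP://cn={D49E3752-2ECB-42F6-A418-2AE1F3092929},cn=policies,cn=system,DC=mydomain,DC=com;2]"),
    Som("OU=Servers,DC=mydomain,DC=com",
        "[LDAP://cn={691A69C9-FEF3-4A42-8129-64E8741F9D2C},cn=policies,cn=system,DC=mydomain,DC=com;1]"),
    Som("DC=mydomain,DC=com",
        "[LDAP://CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=mydomain,DC=com;0]"),
    Som("cn=Default-First-Site-Name,cn=Sites,CN=Configuration,DC=mydomain,DC=com"),
]


if __name__ == "__main__":
    for i, link in enumerate(candidate_gpos(THREAD_SOMS)):
        print(f"candidate_gpos[{i}] {guid_of(link.gpo_dn)} enforced={link.enforced} "
              f"linked at {link.som_dn}")
```

Run directly, it lists the same two candidates in the same order as the candidate_gpos[] lines in the log: the link from DC=mydomain,DC=com first and the enforced link from OU=Linux last, with the disabled link on OU=Servers dropped. The candidate list is built before security filtering; in the log both candidates are subsequently rejected at ad_gpo_filter_gpos_by_dacl, which is a separate question from link precedence.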
On Fri, Jan 23, 2015 at 04:10:12PM +0100, Koen de Boeve wrote:
Hi all,
I am having issues getting remote and local GPO restrictions to work.
I am using:
- 2 Samba 4.1.16 PDC's on CentOS 6.5 64bit
- 1 CentOS 7 installation with sssd 1.12.3 as testclient.
Other GPOs are working fine for Windows machines.
Authentication against the Samba4 Domain on the testclient with sssd is working fine too. I am now trying to use a Group Policy to deny access for 'testuser' for both local login as well as remote login (ssh and xrdp).
This is not working at all.
I created a GPO which I linked to OU=Linux,OU=Servers,DC=mydomain,DC=com. In there, I have one machine, called ITCOPY. The GPO sets Deny Logon and Deny Remote Desktop access for MYDOMAIN\testuser.
The GPO is set to be Enforced and the Security target is Authenticated Users.
As you can see, I set access_control back to permissive, so I should see some indication that the GPO is working in the log file.
Any help would be much appreciated!
Regards, Koen
Hi Koen,
I don't have a complete answer, but I'll try to help and maybe we can work out some details.
First, do you have an actual AD server around to test with? In the past we've seen bugs with Samba that didn't occur with AD, and I'm not sure if anyone has tried the GPO integration with Samba.
The SSSD version you're running is pretty recent; the only GPO-related bug after the 1.12.3 release was https://fedorahosted.org/sssd/ticket/2543
My sssd conf:
# =========================================
[sssd]
domains = mydomain.com
config_file_version = 2
services = nss, pam

[domain/mydomain.com]
ad_domain = mydomain.com
ad_server = pdc.mydomain.com
krb5_realm = mydomain.com
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = False
use_fully_qualified_names = False
fallback_homedir = /home/%u
debug_level = 9
enumerate = True
I would advise against enumerate=True in large environments.
access_provider = ad
#ad_access_filter = (&(memberOf=CN=linuxadmin,CN=Users,DC=mydomain,DC=com)(unixHomeDirectory=*))
id_provider = ad
auth_provider = ad
chpass_provider = ad
ad_gpo_access_control = permissive
ldap_schema = ad
You can drop ldap_schema=ad, it's already the default for id_provider=ad
dyndns_update = true
dyndns_refresh_interval = 43200
dyndns_update_ptr = true
dyndns_ttl = 3600
ad_gpo_map_remote_interactive = +xrdp-sesman
# =====================================
This is part of the sssd log file:
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_access_send] (0x0400): service sshd maps to Remote Interactive
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_access_send] (0x4000): server_hostname from uri: pdc.mydomain.com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_connect_done] (0x0400): sam_account_name is ITCOPY$
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_site_dn_retrieval_done] (0x0400): som_list[0]->som_dn is OU=Linux,OU=Servers,DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_site_dn_retrieval_done] (0x0400): som_list[1]->som_dn is OU=Servers,DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_site_dn_retrieval_done] (0x0400): som_list[2]->som_dn is DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_site_dn_retrieval_done] (0x0400): som_list[3]->som_dn is cn=Default-First-Site-Name,cn=Sites,CN=Configuration,DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_som_attrs_done] (0x4000): gpoptions attr not found or has no value; defaults to 0
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_gplink_list] (0x0400): som_dn: OU=Linux,OU=Servers,DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_gplink_list] (0x4000): gplink_list[0]: [cn={D49E3752-2ECB-42F6-A418-2AE1F3092929},cn=policies,cn=system,DC=mydomain,DC=com; 2]
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_som_attrs_done] (0x4000): gpoptions attr not found or has no value; defaults to 0
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_gplink_list] (0x0400): som_dn: OU=Servers,DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_gplink_list] (0x4000): gplink_list[0]: [cn={691A69C9-FEF3-4A42-8129-64E8741F9D2C},cn=policies,cn=system,DC=mydomain,DC=com; 1]
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_gplink_list] (0x4000): ignored gpo skipped
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_som_attrs_done] (0x4000): gpoptions attr not found or has no value; defaults to 0
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_gplink_list] (0x0400): som_dn: DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_gplink_list] (0x4000): gplink_list[0]: [CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=mydomain,DC=com; 0]
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_som_attrs_done] (0x0040): no attrs found for SOM; try next SOM
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_candidate_gpos] (0x0400): candidate_gpos[0]->gpo_dn: CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_candidate_gpos] (0x0400): candidate_gpos[1]->gpo_dn: cn={D49E3752-2ECB-42F6-A418-2AE1F3092929},cn=policies,cn=system,DC=mydomain,DC=com
Can you confirm that the GUIDs of the GPOs SSSD downloads correspond to those you defined on the server side?
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): populating attrs for gpo_guid: {31B2F340-016D-11D2-945F-00C04FB984F9}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_extract_smb_components] (0x4000): input_path: \\mydomain.com\sysvol\mydomain.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): smb_server: smb://pdc.mydomain.com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): smb_share: /sysvol
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): smb_path: /mydomain.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): gpo_func_version: 2
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): gpo_flags: 0
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_parse_machine_ext_names] (0x4000): num_gpo_cse_guids: 3
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_parse_machine_ext_names] (0x4000): gpo_cse_guids[0] is {35378EAC-683F-11D2-A89A-00C04FBBCFA2}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_parse_machine_ext_names] (0x4000): gpo_cse_guids[1] is {827D319E-6EAC-11D2-A4EA-00C04F79F83A}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_parse_machine_ext_names] (0x4000): gpo_cse_guids[2] is {B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): populating attrs for gpo_guid: {D49E3752-2ECB-42F6-A418-2AE1F3092929}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_extract_smb_components] (0x4000): input_path: \\mydomain.com\SysVol\mydomain.com\Policies\{D49E3752-2ECB-42F6-A418-2AE1F3092929}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): smb_server: smb://pdc.mydomain.com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): smb_share: /SysVol
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): smb_path: /mydomain.com/Policies/{D49E3752-2ECB-42F6-A418-2AE1F3092929}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): gpo_func_version: 2
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): gpo_flags: 0
Note that func_version is 2 and flags is 0, same for the other GPO.
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_parse_machine_ext_names] (0x4000): num_gpo_cse_guids: 1
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_parse_machine_ext_names] (0x4000): gpo_cse_guids[0] is {827D319E-6EAC-11D2-A4EA-00C04F79F83A}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_filter_gpos_by_dacl] (0x4000): examining dacl candidate_gpo_guid:{31B2F340-016D-11D2-945F-00C04FB984F9}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_filter_gpos_by_dacl] (0x4000): GPO not applicable to target per security filtering
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_filter_gpos_by_dacl] (0x4000): examining dacl candidate_gpo_guid:{D49E3752-2ECB-42F6-A418-2AE1F3092929}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_filter_gpos_by_dacl] (0x4000): GPO not applicable to target per security filtering
OK, access was denied, but since both the flags and the func_version were the values we expect, I presume the code made it all the way to ad_gpo_evaluate_ace() where the GPO is really evaluated. Unfortunately there's not much logging there. I wonder if the GUIDs are correct? If so, we can proceed with debugging, maybe with some instrumented build.
btw did you also try the other way around, only allow access?
Hi Jakub,
Hi Koen, I don't have a complete answer, but I'll try to help and maybe we can work out some details.
First, do you have an actual AD server around to test with? In the past we've seen bugs with Samba that didn't occur with AD, and I'm not sure if anyone has tried the GPO integration with Samba.
The SSSD version you're running is pretty recent; the only GPO-related bug after the 1.12.3 release was https://fedorahosted.org/sssd/ticket/2543
Pretty sure it has nothing to do with unresolvable LDAP uri :-)
I don't have a Windows AD, but I can definitely try to set up one on our test environment.
But that's gonna take some time.
I would advise against enumerate=True in large environments.
We don't have a large environment, and I put it there, on purpose, to see if it worked :-) Once I have everything working as it should I will revise the settings before I deploy it on all our Linux machines.
You can drop ldap_schema=ad, it's already the default for id_provider=ad
OK, good to know, thanks for that!
Can you confirm that the GUIDs of the GPOs SSSD downloads correspond to those you defined on the server side?
[root@pdc Policies]# ls
{31B2F340-016D-11D2-945F-00C04FB984F9} - This is the Default Policy (empty)
{691A69C9-FEF3-4A42-8129-64E8741F9D2C} - Other Policy, not for this OU
{6AC1786C-016F-11D2-945F-00C04FB984F9} - Same
{D49E3752-2ECB-42F6-A418-2AE1F3092929} - This is the Policy containing the deny rules for user Testuser (Deny log on locally and Deny log on through Remote Desktop)
{E55C6360-FBC1-485A-8EFF-A7D9392514D2} - Other Policy, not for this OU
Note that func_version is 2 and flags is 0, same for the other GPO.
What does that mean? :-)
OK, access was denied, but since both the flags and the func_version were the values we expect, I presume the code made it all the way to ad_gpo_evaluate_ace() where the GPO is really evaluated. Unfortunately there's not much logging there. I wonder if the GUIDs are correct? If so, we can proceed with debugging, maybe with some instrumented build.
There is one SID I can't figure out: [ad_gpo_parse_machine_ext_names] (0x4000): gpo_cse_guids[0] is {827D319E-6EAC-11D2-A4EA-00C04F79F83A}
btw did you also try the other way around, only allow access?
Yes, same issue
Regards and thanks for the help! Koen
Hi Jakub,
I have a Windows AD setup now (Windows 2012 R2). But it still isn't working (different error though). I have set up another CentOS 7 box with sssd version 1.12.3 and bound it to this domain.
This is the sssd.conf:
[sssd]
domains = GLXTMP.COM
config_file_version = 2
services = nss, pam

[domain/GLXTMP.COM]
ad_domain = GLXTMP.COM
krb5_realm = GLXTMP.COM
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = False
use_fully_qualified_names = False
fallback_homedir = /home/%u
debug_level = 9
enumerate = True
access_provider = ad
id_provider = ad
auth_provider = ad
chpass_provider = ad
ad_gpo_access_control = permissive
=========================
Now the log file finds a GPO that is applicable:
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ad_gpo_filter_gpos_by_dacl] (0x4000): examining dacl candidate_gpo_guid:{31B2F340-016D-11D2-945F-00C04FB984F9}
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ad_gpo_filter_gpos_by_dacl] (0x4000): GPO not applicable to target per security filtering
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ad_gpo_filter_gpos_by_dacl] (0x4000): examining dacl candidate_gpo_guid:{AC4A550E-DCD5-4C06-8B5C-29E51CD03164}
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ad_gpo_filter_gpos_by_dacl] (0x4000): GPO applicable to target per security filtering
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ad_gpo_process_gpo_done] (0x0400): dacl_filtered_gpos[0]->gpo_guid is {AC4A550E-DCD5-4C06-8B5C-29E51CD03164}
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ad_gpo_filter_gpos_by_cse_guid] (0x4000): examining cse candidate_gpo_guid: {AC4A550E-DCD5-4C06-8B5C-29E51CD03164}
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ad_gpo_filter_gpos_by_cse_guid] (0x4000): GPO applicable to target per cse_guid filtering
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ad_gpo_process_gpo_done] (0x0400): cse_filtered_gpos[0]->gpo_guid is {AC4A550E-DCD5-4C06-8B5C-29E51CD03164}
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ad_gpo_process_gpo_done] (0x0400): num_cse_filtered_gpos: 1
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ldb] (0x4000): start ldb transaction (nesting: 0)
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [sysdb_gpo_get_gpo_result_object] (0x4000): cn=gpos,cn=ad,cn=custom,cn=GLXTMP.COM,cn=sysdb
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f96c0717020
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f96c0716220
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ldb] (0x4000): Running timer event 0x7f96c0717020 "ltdb_callback"
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ldb] (0x4000): Destroying timer event 0x7f96c0716220 "ltdb_timeout"
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ldb] (0x4000): Ending timer event 0x7f96c0717020 "ltdb_callback"
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [sysdb_gpo_get_gpo_result_object] (0x4000): No GPO Result object.
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ldb] (0x4000): commit ldb transaction (nesting: 0)
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ad_gpo_cse_step] (0x0400): cse filtered_gpos[0]->gpo_guid is {AC4A550E-DCD5-4C06-8B5C-29E51CD03164}
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ad_gpo_cse_step] (0x4000): cse_filtered_gpos[0]->gpo_cse_guids[0]->gpo_guid is {827D319E-6EAC-11D2-A4EA-00C04F79F83A}
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ad_gpo_cse_step] (0x0400): smb_server: smb://win-leje3vd828k.glxtmp.com
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ad_gpo_cse_step] (0x0400): smb_share: /SysVol
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ad_gpo_cse_step] (0x0400): smb_path: /GLXTMP.COM/Policies/{AC4A550E-DCD5-4C06-8B5C-29E51CD03164}
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ad_gpo_cse_step] (0x0400): gpo_guid: {AC4A550E-DCD5-4C06-8B5C-29E51CD03164}
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ad_gpo_cse_step] (0x0400): retrieving GPO from cache [{AC4A550E-DCD5-4C06-8B5C-29E51CD03164}]
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [sysdb_gpo_get_gpo_by_guid] (0x4000): cn=gpos,cn=ad,cn=custom,cn=GLXTMP.COM,cn=sysdb
But finally it is failing anyway:
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f96c071b260
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f96c07134d0
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ldb] (0x4000): Running timer event 0x7f96c071b260 "ltdb_callback"
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ldb] (0x4000): Destroying timer event 0x7f96c07134d0 "ltdb_timeout"
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ldb] (0x4000): Ending timer event 0x7f96c071b260 "ltdb_callback"
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [sysdb_gpo_get_gpo_by_guid] (0x4000): No such entry.
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ad_gpo_cse_step] (0x0400): ENOENT
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ad_gpo_cse_step] (0x0400): send_to_child: 1
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ad_gpo_cse_step] (0x0400): cached_gpt_version: -1
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [create_cse_send_buffer] (0x4000): buffer size: 167
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [child_handler_setup] (0x2000): Setting up signal handler up for pid [18130]
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [child_handler_setup] (0x2000): Signal handler set up for pid [18130]
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [sdap_process_result] (0x2000): Trace: sh[0x7f96c06d7260], connected[1], ops[(nil)], ldap[0x7f96c06a3d10]
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [write_pipe_handler] (0x0400): All data has been sent!
(Mon Jan 26 10:26:03 2015) [sssd[be[GLXTMP.COM]]] [read_pipe_handler] (0x0400): EOF received, client finished
(Mon Jan 26 10:26:03 2015) [sssd[be[GLXTMP.COM]]] [gpo_cse_done] (0x0020): ad_gpo_parse_gpo_child_response failed: [22][Invalid argument]
(Mon Jan 26 10:26:03 2015) [sssd[be[GLXTMP.COM]]] [ad_gpo_cse_done] (0x0400): gpo_guid: {AC4A550E-DCD5-4C06-8B5C-29E51CD03164}
(Mon Jan 26 10:26:03 2015) [sssd[be[GLXTMP.COM]]] [ad_gpo_cse_done] (0x0040): Unable to retrieve policy data: [22](Invalid argument}
(Mon Jan 26 10:26:03 2015) [sssd[be[GLXTMP.COM]]] [ad_gpo_access_done] (0x0040): GPO-based access control failed.
(Mon Jan 26 10:26:03 2015) [sssd[be[GLXTMP.COM]]] [ad_gpo_access_done] (0x0040): Ignoring error: [22](Invalid argument); GPO-based access control failed, but GPO is not in enforcing mode.
I added the full sssd log in case you want a look in there.
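The steps after a GPO passes the DACL and CSE filters are what the deny settings from the first message and the "not in enforcing mode" line at the end of this log are about: SSSD fetches the GPO's GptTmpl.inf from SYSVOL (the {827D319E-6EAC-11D2-A4EA-00C04F79F83A} CSE GUID in the log identifies the Security Settings extension that owns that file), maps the PAM service to a logon right (sshd to Remote Interactive, plus whatever ad_gpo_map_remote_interactive = +xrdp-sesman adds), and compares the user's SIDs with the SeDeny*/Se*LogonRight entries. The Python below is an added example of that evaluation, not SSSD's code and not from this thread. The [Privilege Rights] sample, the SIDs in it, the rule that an unmapped service is refused and the rule that an absent allow right grants access are constructed for the example; the extra SeRemoteInteractiveLogonRight line is there only to exercise the allow-list branch.

```python
import configparser

# Default PAM service lists per logon type, from sssd-ad(5) for the 1.12 series
# (check the man page of your version; the lists grew in later releases).
DEFAULT_MAPS = {
    "interactive": {"login", "lightdm", "gdm-fingerprint", "gdm-password", "gdm-smartcard", "kdm"},
    "remote_interactive": {"sshd"},
    "network": {"ftp", "samba"},
    "batch": {"crond"},
    "service": set(),
}

# Logon type -> (allow right, deny right), the key names used in GptTmpl.inf.
RIGHTS = {
    "interactive": ("SeInteractiveLogonRight", "SeDenyInteractiveLogonRight"),
    "remote_interactive": ("SeRemoteInteractiveLogonRight", "SeDenyRemoteInteractiveLogonRight"),
    "network": ("SeNetworkLogonRight", "SeDenyNetworkLogonRight"),
    "batch": ("SeBatchLogonRight", "SeDenyBatchLogonRight"),
    "service": ("SeServiceLogonRight", "SeDenyServiceLogonRight"),
}


def build_service_maps(overrides):
    """overrides maps a logon type to an ad_gpo_map_<type> value such as
    "+xrdp-sesman, -sshd": '+' adds a service to the defaults, '-' removes one."""
    maps = {k: set(v) for k, v in DEFAULT_MAPS.items()}
    for logon_type, value in overrides.items():
        for token in (t.strip() for t in value.split(",") if t.strip()):
            if token.startswith("+"):
                maps[logon_type].add(token[1:])
            elif token.startswith("-"):
                maps[logon_type].discard(token[1:])
            else:
                raise ValueError(f"expected +service or -service, got {token!r}")
    return maps


def logon_type_for(service, maps):
    """The logon type a PAM service is evaluated as, or None if unmapped."""
    for logon_type, services in maps.items():
        if service in services:
            return logon_type
    return None


def parse_privilege_rights(inf_text):
    """{right name: set of SIDs} from the [Privilege Rights] section of a GPO's
    Machine\\Microsoft\\Windows NT\\SecEdit\\GptTmpl.inf.  Files on SYSVOL are
    UTF-16 with a BOM: decode to str before calling this."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str   # keep the SeDeny... names exactly as written
    cp.read_string(inf_text)
    rights = {}
    if cp.has_section("Privilege Rights"):
        for name, value in cp.items("Privilege Rights"):
            # values look like "*S-1-5-21-...-1105,*S-1-5-32-544"
            rights[name] = {s.strip().lstrip("*") for s in value.split(",") if s.strip()}
    return rights


def gpo_verdict(rights, logon_type, user_sids):
    """Simplified rule (this example's assumption, not SSSD's exact code): a SID
    in the deny right loses; if the allow right is set at all the user needs a
    SID in it; an unmapped service is refused."""
    if logon_type is None:
        return False, "PAM service is not mapped to any logon right"
    allow_key, deny_key = RIGHTS[logon_type]
    sids = set(user_sids)
    if sids & rights.get(deny_key, set()):
        return False, f"SID listed in {deny_key}"
    if allow_key in rights and not (sids & rights[allow_key]):
        return False, f"SID not listed in {allow_key}"
    return True, "no matching deny right"


def check_access(service, user_sids, inf_text, mode="enforcing", overrides=None):
    """user_sids: the user's own SID plus the SIDs of all groups it belongs to.
    mode is the ad_gpo_access_control value: enforcing applies the verdict,
    permissive only records it, disabled skips GPO evaluation altogether."""
    logon_type = logon_type_for(service, build_service_maps(overrides or {}))
    allowed, reason = gpo_verdict(parse_privilege_rights(inf_text), logon_type, user_sids)
    return {"logon_type": logon_type, "gpo_allowed": allowed, "reason": reason,
            "access": allowed if mode == "enforcing" else True}


# Constructed sample: the thread's two deny settings for a made-up testuser SID,
# plus one allow right so the allow-list branch is exercised too.
TESTUSER_SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"
LINUXADMIN_SID = "S-1-5-21-1111111111-2222222222-3333333333-1200"
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeDenyInteractiveLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-1105
SeDenyRemoteInteractiveLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-1105
SeRemoteInteractiveLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-1200,*S-1-5-32-544
[Version]
signature="$CHICAGO$"
Revision=1
"""

if __name__ == "__main__":
    xrdp = {"remote_interactive": "+xrdp-sesman"}   # the ad_gpo_map_remote_interactive line
    for svc, mode in (("sshd", "permissive"), ("sshd", "enforcing"), ("xrdp-sesman", "enforcing")):
        print(svc, mode, check_access(svc, [TESTUSER_SID], SAMPLE_INF, mode, xrdp))
```

With ad_gpo_access_control = permissive the verdict is computed and reported but access is still granted, which is the same shape as the final "Ignoring error ... GPO is not in enforcing mode" line above for an evaluation error; only enforcing turns a deny into a refused login. An xrdp-sesman login is unmapped, and under this example's rule refused, unless the +xrdp-sesman mapping is present.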
Koen de Boeve mailto:koen@galaxystudios.com 23 Jan 2015 21:57 Hi Jacub,
Hi Koen, I don't have a complete answer, but I'll try to help and maybe we can work out some details. First, do you have an actual AD server around to test with? In the past we've seen bugs with Samba that didn't occur with AD and I'm not sure if anyone tried the GPO integration with Samba.. The SSSD version you're running is pretty recent, the only GPO-related bug after the 1.12.3 release was https://fedorahosted.org/sssd/ticket/2543
Pretty sure it has nothing to do with unresolvable LDAP uri :-)
I don't have a Windows AD, but I can definitely try to set up one on our test environment.
But that s gonna take some time.
I would advice against enumerate=True in large environments.
We dont have a large environment, and I put it there, on purpose, to see if it worked :-) Once I have everything working as it should I will revise the settings before I deploy it on all our linux machines.
You can drop ldap_schema=ad, it's already the default for id_provider=ad
OK good to know, thanks for that !
Can you confirm that the GUIDs of the GPOs SSSD downloads correspond to those you defined on the sever side?
[root@pdc Policies]# ls {31B2F340-016D-11D2-945F-00C04FB984F9} - This is the Default Policy ( empty ) {691A69C9-FEF3-4A42-8129-64E8741F9D2C} - Other Policy, not for this OU {6AC1786C-016F-11D2-945F-00C04FB984F9} - Same {D49E3752-2ECB-42F6-A418-2AE1F3092929} - This is the Policy containing the deny rules for user Testuser (Deny log on locally and Deny log on through Remote Desktop ) {E55C6360-FBC1-485A-8EFF-A7D9392514D2} - Other Policy, not for this OU
Note that func_versions is 2 and flags is 0, same for the other GPO.
What does that mean? :-)
OK, access was denied but since both the flags and the func_version were value we expect, I presume the code made it all the way to ad_gpo_evaluate_ace() where the GPO is really evaluated. Unfortunately there's not much logging there. I wonder if the GUIDs are correct? If so, we can proceed with debugging, maybe with some instrumented build..
There is one SID I cant figure out: [ad_gpo_parse_machine_ext_names] (0x4000): gpo_cse_guids[0] is {827D319E-6EAC-11D2-A4EA-00C04F79F83A} btw did you also try the other way around, only allow access? Yes, same issue
Regards and thanks for the help!, Koen Jakub Hrozek mailto:jhrozek@redhat.com 23 Jan 2015 21:03 On Fri, Jan 23, 2015 at 04:10:12PM +0100, Koen de Boeve wrote:
Hi all,
I am having issues getting remote and local GPO restrictions to work
I am using:
- 2 Samba 4.1.16 PDC's on CentOS 6.5 64bit
- 1 CentOS 7 installation with sssd 1.12.3. as testclient.
other GPO's are working fine for windows machines.
Authentication against the Samba4 Domain on the testclient with sssd is working fine too. I am now trying to use a Group Policy to deny access for 'testuser' for both local login as well as remote login ( ssh and xrdp )
This is not working at all.
I created a GPO which I linked to OU=Linux,OU=Servers,DC=mydomain,DC=com in there, I have one machine, called ITCOPY. the GPO sets Deny Logon and Deny Remote Desktop access for MYDOMAIN\testuser
The GPO is set to be Enforced and the Security target is Authenticated Users.
as you can see, I set access_control back to permissive, so I should see some indication that the GPO is working in the log file.
Any help would be much appreciated!
Regards, Koen
Hi Koen,
I don't have a complete answer, but I'll try to help and maybe we can work out some details.
First, do you have an actual AD server around to test with? In the past we've seen bugs with Samba that didn't occur with AD and I'm not sure if anyone tried the GPO integration with Samba..
The SSSD version you're running is pretty recent, the only GPO-related bug after the 1.12.3 release was https://fedorahosted.org/sssd/ticket/2543
My sssd conf: # ========================================= [sssd] domains = mydomain.com config_file_version = 2 services = nss, pam
[domain/mydomain.com] ad_domain = mydomain.com ad_server = pdc.mydomain.com krb5_realm = mydomain.com realmd_tags = manages-system joined-with-samba cache_credentials = True id_provider = ad krb5_store_password_if_offline = True default_shell = /bin/bash ldap_id_mapping = False use_fully_qualified_names = False fallback_homedir = /home/%u debug_level = 9
enumerate = True
I would advice against enumerate=True in large environments.
access_provider = ad #ad_access_filter = (&(memberOf=CN=linuxadmin,CN=Users,DC=mydomain,DC=com)(unixHomeDirectory=*)) id_provider = ad auth_provider = ad chpass_provider = ad ad_gpo_access_control = permissive
ldap_schema = ad
You can drop ldap_schema=ad, it's already the default for id_provider=ad
dyndns_update = true
dyndns_refresh_interval = 43200
dyndns_update_ptr = true
dyndns_ttl = 3600
ad_gpo_map_remote_interactive = +xrdp-sesman
# =====================================
This is part of the sssd log file:
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_access_send] (0x0400): service sshd maps to Remote Interactive
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_access_send] (0x4000): server_hostname from uri: pdc.mydomain.com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_connect_done] (0x0400): sam_account_name is ITCOPY$
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_site_dn_retrieval_done] (0x0400): som_list[0]->som_dn is OU=Linux,OU=Servers,DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_site_dn_retrieval_done] (0x0400): som_list[1]->som_dn is OU=Servers,DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_site_dn_retrieval_done] (0x0400): som_list[2]->som_dn is DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_site_dn_retrieval_done] (0x0400): som_list[3]->som_dn is cn=Default-First-Site-Name,cn=Sites,CN=Configuration,DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_som_attrs_done] (0x4000): gpoptions attr not found or has no value; defaults to 0
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_gplink_list] (0x0400): som_dn: OU=Linux,OU=Servers,DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_gplink_list] (0x4000): gplink_list[0]: [cn={D49E3752-2ECB-42F6-A418-2AE1F3092929},cn=policies,cn=system,DC=mydomain,DC=com; 2]
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_som_attrs_done] (0x4000): gpoptions attr not found or has no value; defaults to 0
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_gplink_list] (0x0400): som_dn: OU=Servers,DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_gplink_list] (0x4000): gplink_list[0]: [cn={691A69C9-FEF3-4A42-8129-64E8741F9D2C},cn=policies,cn=system,DC=mydomain,DC=com; 1]
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_gplink_list] (0x4000): ignored gpo skipped
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_som_attrs_done] (0x4000): gpoptions attr not found or has no value; defaults to 0
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_gplink_list] (0x0400): som_dn: DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_gplink_list] (0x4000): gplink_list[0]: [CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=mydomain,DC=com; 0]
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_som_attrs_done] (0x0040): no attrs found for SOM; try next SOM
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_candidate_gpos] (0x0400): candidate_gpos[0]->gpo_dn: CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_candidate_gpos] (0x0400): candidate_gpos[1]->gpo_dn: cn={D49E3752-2ECB-42F6-A418-2AE1F3092929},cn=policies,cn=system,DC=mydomain,DC=com
Can you confirm that the GUIDs of the GPOs SSSD downloads correspond to those you defined on the server side?
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): populating attrs for gpo_guid: {31B2F340-016D-11D2-945F-00C04FB984F9}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_extract_smb_components] (0x4000): input_path: \mydomain.com\sysvol\mydomain.com\Policies{31B2F340-016D-11D2-945F-00C04FB984F9}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): smb_server: smb://pdc.mydomain.com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): smb_share: /sysvol
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): smb_path: /mydomain.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): gpo_func_version: 2
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): gpo_flags: 0
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_parse_machine_ext_names] (0x4000): num_gpo_cse_guids: 3
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_parse_machine_ext_names] (0x4000): gpo_cse_guids[0] is {35378EAC-683F-11D2-A89A-00C04FBBCFA2}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_parse_machine_ext_names] (0x4000): gpo_cse_guids[1] is {827D319E-6EAC-11D2-A4EA-00C04F79F83A}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_parse_machine_ext_names] (0x4000): gpo_cse_guids[2] is {B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): populating attrs for gpo_guid: {D49E3752-2ECB-42F6-A418-2AE1F3092929}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_extract_smb_components] (0x4000): input_path: \mydomain.com\SysVol\mydomain.com\Policies{D49E3752-2ECB-42F6-A418-2AE1F3092929}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): smb_server: smb://pdc.mydomain.com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): smb_share: /SysVol
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): smb_path: /mydomain.com/Policies/{D49E3752-2ECB-42F6-A418-2AE1F3092929}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): gpo_func_version: 2
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): gpo_flags: 0
Note that func_version is 2 and flags is 0, same for the other GPO.
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_parse_machine_ext_names] (0x4000): num_gpo_cse_guids: 1
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_parse_machine_ext_names] (0x4000): gpo_cse_guids[0] is {827D319E-6EAC-11D2-A4EA-00C04F79F83A}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_filter_gpos_by_dacl] (0x4000): examining dacl candidate_gpo_guid:{31B2F340-016D-11D2-945F-00C04FB984F9}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_filter_gpos_by_dacl] (0x4000): GPO not applicable to target per security filtering
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_filter_gpos_by_dacl] (0x4000): examining dacl candidate_gpo_guid:{D49E3752-2ECB-42F6-A418-2AE1F3092929}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_filter_gpos_by_dacl] (0x4000): GPO not applicable to target per security filtering
OK, access was denied, but since both the flags and the func_version were the value we expect, I presume the code made it all the way to ad_gpo_evaluate_ace() where the GPO is really evaluated. Unfortunately there's not much logging there. I wonder if the GUIDs are correct? If so, we can proceed with debugging, maybe with some instrumented build.
btw did you also try the other way around, only allow access?
_______________________________________________
sssd-users mailing list
sssd-users@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
Koen de Boeve mailto:koen@galaxystudios.com 23 Jan 2015 16:10
Hi all,
I am having issues getting remote and local GPO restrictions to work.
I am using:
- 2 Samba 4.1.16 PDCs on CentOS 6.5 64bit
- 1 CentOS 7 installation with sssd 1.12.3 as test client.
Other GPOs are working fine for Windows machines.
Authentication against the Samba4 domain on the test client with sssd is working fine too. I am now trying to use a Group Policy to deny access for 'testuser' for both local login as well as remote login (ssh and xrdp).
This is not working at all.
I created a GPO which I linked to OU=Linux,OU=Servers,DC=mydomain,DC=com. In there, I have one machine, called ITCOPY. The GPO sets Deny Logon and Deny Remote Desktop access for MYDOMAIN\testuser.
The GPO is set to be Enforced and the Security target is Authenticated Users.
As you can see, I set access_control back to permissive, so I should see some indication that the GPO is working in the log file.
Any help would be much appreciated!
Regards, Koen
My sssd conf:
# =========================================
[sssd]
domains = mydomain.com
config_file_version = 2
services = nss, pam
[domain/mydomain.com]
ad_domain = mydomain.com
ad_server = pdc.mydomain.com
krb5_realm = mydomain.com
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = False
use_fully_qualified_names = False
fallback_homedir = /home/%u
debug_level = 9
enumerate = True
access_provider = ad
#ad_access_filter = (&(memberOf=CN=linuxadmin,CN=Users,DC=mydomain,DC=com)(unixHomeDirectory=*))
id_provider = ad
auth_provider = ad
chpass_provider = ad
ad_gpo_access_control = permissive
ldap_schema = ad
dyndns_update = true
dyndns_refresh_interval = 43200
dyndns_update_ptr = true
dyndns_ttl = 3600
ad_gpo_map_remote_interactive = +xrdp-sesman
# =====================================
This is part of the sssd log file:
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_access_send] (0x0400): service sshd maps to Remote Interactive
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_access_send] (0x4000): server_hostname from uri: pdc.mydomain.com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_connect_done] (0x0400): sam_account_name is ITCOPY$
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_site_dn_retrieval_done] (0x0400): som_list[0]->som_dn is OU=Linux,OU=Servers,DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_site_dn_retrieval_done] (0x0400): som_list[1]->som_dn is OU=Servers,DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_site_dn_retrieval_done] (0x0400): som_list[2]->som_dn is DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_site_dn_retrieval_done] (0x0400): som_list[3]->som_dn is cn=Default-First-Site-Name,cn=Sites,CN=Configuration,DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_som_attrs_done] (0x4000): gpoptions attr not found or has no value; defaults to 0
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_gplink_list] (0x0400): som_dn: OU=Linux,OU=Servers,DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_gplink_list] (0x4000): gplink_list[0]: [cn={D49E3752-2ECB-42F6-A418-2AE1F3092929},cn=policies,cn=system,DC=mydomain,DC=com; 2]
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_som_attrs_done] (0x4000): gpoptions attr not found or has no value; defaults to 0
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_gplink_list] (0x0400): som_dn: OU=Servers,DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_gplink_list] (0x4000): gplink_list[0]: [cn={691A69C9-FEF3-4A42-8129-64E8741F9D2C},cn=policies,cn=system,DC=mydomain,DC=com; 1]
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_gplink_list] (0x4000): ignored gpo skipped
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_som_attrs_done] (0x4000): gpoptions attr not found or has no value; defaults to 0
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_gplink_list] (0x0400): som_dn: DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_gplink_list] (0x4000): gplink_list[0]: [CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=mydomain,DC=com; 0]
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_som_attrs_done] (0x0040): no attrs found for SOM; try next SOM
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_candidate_gpos] (0x0400): candidate_gpos[0]->gpo_dn: CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_candidate_gpos] (0x0400): candidate_gpos[1]->gpo_dn: cn={D49E3752-2ECB-42F6-A418-2AE1F3092929},cn=policies,cn=system,DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): populating attrs for gpo_guid: {31B2F340-016D-11D2-945F-00C04FB984F9}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_extract_smb_components] (0x4000): input_path: \mydomain.com\sysvol\mydomain.com\Policies{31B2F340-016D-11D2-945F-00C04FB984F9}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): smb_server: smb://pdc.mydomain.com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): smb_share: /sysvol
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): smb_path: /mydomain.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): gpo_func_version: 2
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): gpo_flags: 0
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_parse_machine_ext_names] (0x4000): num_gpo_cse_guids: 3
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_parse_machine_ext_names] (0x4000): gpo_cse_guids[0] is {35378EAC-683F-11D2-A89A-00C04FBBCFA2}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_parse_machine_ext_names] (0x4000): gpo_cse_guids[1] is {827D319E-6EAC-11D2-A4EA-00C04F79F83A}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_parse_machine_ext_names] (0x4000): gpo_cse_guids[2] is {B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): populating attrs for gpo_guid: {D49E3752-2ECB-42F6-A418-2AE1F3092929}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_extract_smb_components] (0x4000): input_path: \mydomain.com\SysVol\mydomain.com\Policies{D49E3752-2ECB-42F6-A418-2AE1F3092929}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): smb_server: smb://pdc.mydomain.com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): smb_share: /SysVol
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): smb_path: /mydomain.com/Policies/{D49E3752-2ECB-42F6-A418-2AE1F3092929}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): gpo_func_version: 2
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): gpo_flags: 0
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_parse_machine_ext_names] (0x4000): num_gpo_cse_guids: 1
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_parse_machine_ext_names] (0x4000): gpo_cse_guids[0] is {827D319E-6EAC-11D2-A4EA-00C04F79F83A}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_filter_gpos_by_dacl] (0x4000): examining dacl candidate_gpo_guid:{31B2F340-016D-11D2-945F-00C04FB984F9}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_filter_gpos_by_dacl] (0x4000): GPO not applicable to target per security filtering
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_filter_gpos_by_dacl] (0x4000): examining dacl candidate_gpo_guid:{D49E3752-2ECB-42F6-A418-2AE1F3092929}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_filter_gpos_by_dacl] (0x4000): GPO not applicable to target per security filtering
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_process_gpo_done] (0x0400): no applicable gpos found after dacl filtering
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_access_done] (0x0400): GPO-based access control successful.
On Mon, Jan 26, 2015 at 10:54:19AM +0100, Koen de Boeve wrote:
Hi Jakub,
I have a Windows AD setup now (Windows 2012 R2). But it still isn't working (different error though). I have set up another CentOS 7 box with sssd version 1.12.3 and bound it to this domain.
This is the sssd.conf:
[sssd]
domains = GLXTMP.COM
config_file_version = 2
services = nss, pam
[domain/GLXTMP.COM]
ad_domain = GLXTMP.COM
krb5_realm = GLXTMP.COM
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = False
use_fully_qualified_names = False
fallback_homedir = /home/%u
debug_level = 9
enumerate = True
access_provider = ad
id_provider = ad
auth_provider = ad
chpass_provider = ad
ad_gpo_access_control = permissive
=========================
"[child_sig_handler] (0x0020): child [18130] failed with status [1]."
Can you send the gpo child logs as well?
bye, Sumit
Hmm, weird, the logs say that there's no access to the GPT.INI file...
when I use smbclient \\<servername\SysVol -Utestuser1
I can browse and get GLXTMP.COM/Policies/{AC4A550E-DCD5-4C06-8B5C-29E51CD03164}/GPT.INI without a problem...
but attached is the gpo_child.log
Regards, Koen
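Added example, not sssd's code; the GPT.INI and GptTmpl.inf contents and every S-1-5-21 SID below are constructed placeholders. The GPT.INI that the gpo_child could not read above is the first of the two files sssd fetches from SYSVOL for an applicable GPO; the second is Machine/Microsoft/Windows NT/SecEdit/GptTmpl.inf, which belongs to the Security Settings client-side extension {827D319E-6EAC-11D2-A4EA-00C04F79F83A} (the gpo_cse_guids value seen in the logs in this thread is that extension's GUID, not a SID) and carries "Deny log on locally" and "Deny log on through Remote Desktop Services" as SeDenyInteractiveLogonRight and SeDenyRemoteInteractiveLogonRight. The Python below parses both files and applies the rights the way sssd does for a PAM service, so the effect of a GPO like the one in this thread on a given user can be checked offline. The service-to-right table is a subset of sssd's defaults plus the xrdp-sesman mapping from Koen's config; the version comparison in needs_refresh is this example's reading of the cached_gpt_version check in the log, not a claim about sssd internals.

```python
"""Evaluate a GPO's logon rights (GptTmpl.inf) for a user the way sssd's AD
access provider does. Added example for this thread, not sssd code; all file
contents and S-1-5-21-* SIDs below are constructed placeholders."""
import configparser

# Constructed GPT.INI. MS-GPOL packs the user-policy version into the high
# 16 bits and the computer-policy version into the low 16 bits: (1 << 16) | 3.
GPT_INI = "[General]\nVersion=65539\ndisplayName=Linux logon restrictions\n"

# Constructed GptTmpl.inf (real ones are UTF-16LE; decode before parsing).
# Rights carry '*'-prefixed SIDs. RID 1105 is the user to be denied, 1120 a
# group, 1130 an admin; S-1-5-32-555 is BUILTIN\Remote Desktop Users.
GPTTMPL_INF = """[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeDenyInteractiveLogonRight = *S-1-5-21-1111-2222-3333-1105
SeDenyRemoteInteractiveLogonRight = *S-1-5-21-1111-2222-3333-1105,*S-1-5-21-1111-2222-3333-1120
SeRemoteInteractiveLogonRight = *S-1-5-32-555,*S-1-5-21-1111-2222-3333-1130
"""

# Logon-right class -> (allow right, deny right): the names sssd looks up.
RIGHTS = {
    "interactive": ("SeInteractiveLogonRight", "SeDenyInteractiveLogonRight"),
    "remote_interactive": ("SeRemoteInteractiveLogonRight", "SeDenyRemoteInteractiveLogonRight"),
    "network": ("SeNetworkLogonRight", "SeDenyNetworkLogonRight"),
}
# PAM service -> class. Subset of sssd's default map plus the
# ad_gpo_map_remote_interactive = +xrdp-sesman entry from the thread.
SERVICE_MAP = {"login": "interactive", "gdm-password": "interactive",
               "sshd": "remote_interactive", "xrdp-sesman": "remote_interactive",
               "ftp": "network"}


def _ini(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str          # keep the SeXxxRight capitalisation
    cp.read_string(text)
    return cp


def gpt_versions(text):
    """(computer_version, user_version) from GPT.INI's [General] Version."""
    v = int(_ini(text)["General"]["Version"])
    return v & 0xFFFF, v >> 16


def needs_refresh(cached_version, gpt_ini_text):
    """Assumed cache rule: fetch GptTmpl.inf again when GPT.INI's version is
    newer than the cached one (-1, as in the log above, means nothing cached)."""
    return int(_ini(gpt_ini_text)["General"]["Version"]) > cached_version


def privilege_rights(text):
    """{right_name: set_of_sids} from GptTmpl.inf's [Privilege Rights]."""
    cp = _ini(text)
    rights = {}
    if cp.has_section("Privilege Rights"):
        for name, value in cp.items("Privilege Rights"):
            rights[name] = {s.strip().lstrip("*") for s in value.split(",") if s.strip()}
    return rights


def check_access(service, user_sids, rights):
    """sssd's order: a deny-list hit wins; an empty allow list admits everyone
    not denied (sssd's default; later releases add ad_gpo_implicit_deny);
    otherwise the user or one of its groups must be on the allow list."""
    if service not in SERVICE_MAP:
        raise ValueError("unmapped PAM service %r (sssd decides these via ad_gpo_default_right)" % service)
    allow_name, deny_name = RIGHTS[SERVICE_MAP[service]]
    sids = set(user_sids)        # the user's SID plus its group SIDs
    if sids & rights.get(deny_name, set()):
        return False, "denied by " + deny_name
    allowed = rights.get(allow_name, set())
    if allowed and not (sids & allowed):
        return False, "not in " + allow_name
    return True, "allowed"


if __name__ == "__main__":
    rights = privilege_rights(GPTTMPL_INF)
    testuser = ["S-1-5-21-1111-2222-3333-1105", "S-1-5-21-1111-2222-3333-513"]
    print(gpt_versions(GPT_INI), check_access("sshd", testuser, rights))
```

Note that a non-empty SeRemoteInteractiveLogonRight turns the right into an allow list: with the constructed file above, a user who is neither denied nor a member of Remote Desktop Users is refused over sshd but still allowed at the console, because SeInteractiveLogonRight is not set. That is the usual surprise when an "allow only" policy, the variant Jakub suggests trying, is tested on one service and not the others.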
Sumit Bose mailto:sbose@redhat.com 26 Jan 2015 11:25
"[child_sig_handler] (0x0020): child [18130] failed with status [1]."
Can you send the gpo child logs as well?
bye, Sumit
Koen de Boeve mailto:koen@galaxystudios.com 26 Jan 2015 10:54
Hi Jakub,
I have a Windows AD setup now (Windows 2012 R2). But it still isn't working (different error though). I have set up another CentOS 7 box with sssd version 1.12.3 and bound it to this domain.
This is the sssd.conf:
[sssd]
domains = GLXTMP.COM
config_file_version = 2
services = nss, pam
[domain/GLXTMP.COM]
ad_domain = GLXTMP.COM
krb5_realm = GLXTMP.COM
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = False
use_fully_qualified_names = False
fallback_homedir = /home/%u
debug_level = 9
enumerate = True
access_provider = ad
id_provider = ad
auth_provider = ad
chpass_provider = ad
ad_gpo_access_control = permissive
=========================
Now the log file finds a GPO that is applicable:
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ad_gpo_filter_gpos_by_dacl] (0x4000): examining dacl candidate_gpo_guid:{31B2F340-016D-11D2-945F-00C04FB984F9}
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ad_gpo_filter_gpos_by_dacl] (0x4000): GPO not applicable to target per security filtering
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ad_gpo_filter_gpos_by_dacl] (0x4000): examining dacl candidate_gpo_guid:{AC4A550E-DCD5-4C06-8B5C-29E51CD03164}
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ad_gpo_filter_gpos_by_dacl] (0x4000): GPO applicable to target per security filtering
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ad_gpo_process_gpo_done] (0x0400): dacl_filtered_gpos[0]->gpo_guid is {AC4A550E-DCD5-4C06-8B5C-29E51CD03164}
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ad_gpo_filter_gpos_by_cse_guid] (0x4000): examining cse candidate_gpo_guid: {AC4A550E-DCD5-4C06-8B5C-29E51CD03164}
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ad_gpo_filter_gpos_by_cse_guid] (0x4000): GPO applicable to target per cse_guid filtering
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ad_gpo_process_gpo_done] (0x0400): cse_filtered_gpos[0]->gpo_guid is {AC4A550E-DCD5-4C06-8B5C-29E51CD03164}
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ad_gpo_process_gpo_done] (0x0400): num_cse_filtered_gpos: 1
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ldb] (0x4000): start ldb transaction (nesting: 0)
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [sysdb_gpo_get_gpo_result_object] (0x4000): cn=gpos,cn=ad,cn=custom,cn=GLXTMP.COM,cn=sysdb
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f96c0717020
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f96c0716220
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ldb] (0x4000): Running timer event 0x7f96c0717020 "ltdb_callback"
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ldb] (0x4000): Destroying timer event 0x7f96c0716220 "ltdb_timeout"
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ldb] (0x4000): Ending timer event 0x7f96c0717020 "ltdb_callback"
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [sysdb_gpo_get_gpo_result_object] (0x4000): No GPO Result object.
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ldb] (0x4000): commit ldb transaction (nesting: 0)
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ad_gpo_cse_step] (0x0400): cse filtered_gpos[0]->gpo_guid is {AC4A550E-DCD5-4C06-8B5C-29E51CD03164}
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ad_gpo_cse_step] (0x4000): cse_filtered_gpos[0]->gpo_cse_guids[0]->gpo_guid is {827D319E-6EAC-11D2-A4EA-00C04F79F83A}
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ad_gpo_cse_step] (0x0400): smb_server: smb://win-leje3vd828k.glxtmp.com
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ad_gpo_cse_step] (0x0400): smb_share: /SysVol
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ad_gpo_cse_step] (0x0400): smb_path: /GLXTMP.COM/Policies/{AC4A550E-DCD5-4C06-8B5C-29E51CD03164}
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ad_gpo_cse_step] (0x0400): gpo_guid: {AC4A550E-DCD5-4C06-8B5C-29E51CD03164}
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ad_gpo_cse_step] (0x0400): retrieving GPO from cache [{AC4A550E-DCD5-4C06-8B5C-29E51CD03164}]
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [sysdb_gpo_get_gpo_by_guid] (0x4000): cn=gpos,cn=ad,cn=custom,cn=GLXTMP.COM,cn=sysdb
But finally it is failing anyway:
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f96c071b260
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f96c07134d0
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ldb] (0x4000): Running timer event 0x7f96c071b260 "ltdb_callback"
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ldb] (0x4000): Destroying timer event 0x7f96c07134d0 "ltdb_timeout"
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ldb] (0x4000): Ending timer event 0x7f96c071b260 "ltdb_callback"
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [sysdb_gpo_get_gpo_by_guid] (0x4000): No such entry.
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ad_gpo_cse_step] (0x0400): ENOENT
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ad_gpo_cse_step] (0x0400): send_to_child: 1
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ad_gpo_cse_step] (0x0400): cached_gpt_version: -1
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [create_cse_send_buffer] (0x4000): buffer size: 167
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [child_handler_setup] (0x2000): Setting up signal handler up for pid [18130]
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [child_handler_setup] (0x2000): Signal handler set up for pid [18130]
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [sdap_process_result] (0x2000): Trace: sh[0x7f96c06d7260], connected[1], ops[(nil)], ldap[0x7f96c06a3d10]
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [write_pipe_handler] (0x0400): All data has been sent!
(Mon Jan 26 10:26:03 2015) [sssd[be[GLXTMP.COM]]] [read_pipe_handler] (0x0400): EOF received, client finished
(Mon Jan 26 10:26:03 2015) [sssd[be[GLXTMP.COM]]] [gpo_cse_done] (0x0020): ad_gpo_parse_gpo_child_response failed: [22][Invalid argument]
(Mon Jan 26 10:26:03 2015) [sssd[be[GLXTMP.COM]]] [ad_gpo_cse_done] (0x0400): gpo_guid: {AC4A550E-DCD5-4C06-8B5C-29E51CD03164}
(Mon Jan 26 10:26:03 2015) [sssd[be[GLXTMP.COM]]] [ad_gpo_cse_done] (0x0040): Unable to retrieve policy data: [22](Invalid argument}
(Mon Jan 26 10:26:03 2015) [sssd[be[GLXTMP.COM]]] [ad_gpo_access_done] (0x0040): GPO-based access control failed.
(Mon Jan 26 10:26:03 2015) [sssd[be[GLXTMP.COM]]] [ad_gpo_access_done] (0x0040): Ignoring error: [22](Invalid argument); GPO-based access control failed, but GPO is not in enforcing mode.
I added the full sssd log in case you want a look in there.
Koen de Boeve mailto:koen@galaxystudios.com 23 Jan 2015 21:57
Hi Jakub,
Hi Koen,
I don't have a complete answer, but I'll try to help and maybe we can work out some details.
First, do you have an actual AD server around to test with? In the past we've seen bugs with Samba that didn't occur with AD and I'm not sure if anyone tried the GPO integration with Samba.
The SSSD version you're running is pretty recent, the only GPO-related bug after the 1.12.3 release was https://fedorahosted.org/sssd/ticket/2543
Pretty sure it has nothing to do with unresolvable LDAP uri :-)
I don't have a Windows AD, but I can definitely try to set up one on our test environment.
But that's gonna take some time.
I would advise against enumerate=True in large environments.
We don't have a large environment, and I put it there, on purpose, to see if it worked :-) Once I have everything working as it should I will revise the settings before I deploy it on all our Linux machines.
You can drop ldap_schema=ad, it's already the default for id_provider=ad
OK good to know, thanks for that !
Can you confirm that the GUIDs of the GPOs SSSD downloads correspond to those you defined on the server side?
[root@pdc Policies]# ls
{31B2F340-016D-11D2-945F-00C04FB984F9} - This is the Default Policy (empty)
{691A69C9-FEF3-4A42-8129-64E8741F9D2C} - Other Policy, not for this OU
{6AC1786C-016F-11D2-945F-00C04FB984F9} - Same
{D49E3752-2ECB-42F6-A418-2AE1F3092929} - This is the Policy containing the deny rules for user Testuser (Deny log on locally and Deny log on through Remote Desktop)
{E55C6360-FBC1-485A-8EFF-A7D9392514D2} - Other Policy, not for this OU
Note that func_version is 2 and flags is 0, same for the other GPO.
What does that mean? :-)
OK, access was denied, but since both the flags and the func_version were the value we expect, I presume the code made it all the way to ad_gpo_evaluate_ace() where the GPO is really evaluated. Unfortunately there's not much logging there. I wonder if the GUIDs are correct? If so, we can proceed with debugging, maybe with some instrumented build.
There is one SID I can't figure out: [ad_gpo_parse_machine_ext_names] (0x4000): gpo_cse_guids[0] is {827D319E-6EAC-11D2-A4EA-00C04F79F83A}
btw did you also try the other way around, only allow access?
Yes, same issue
Regards and thanks for the help, Koen
Jakub Hrozek mailto:jhrozek@redhat.com 23 Jan 2015 21:03
On Fri, Jan 23, 2015 at 04:10:12PM +0100, Koen de Boeve wrote:
Hi all,
I am having issues getting remote and local GPO restrictions to work
I am using:
- 2 Samba 4.1.16 PDC's on CentOS 6.5 64bit
- 1 CentOS 7 installation with sssd 1.12.3. as testclient.
other GPO's are working fine for windows machines.
Authentication against the Samba4 Domain on the testclient with sssd is working fine too. I am now trying to use a Group Policy to deny access for 'testuser' for both local login as well as remote login ( ssh and xrdp )
This is not working at all.
I created a GPO which I linked to OU=Linux,OU=Servers,DC=mydomain,DC=com in there, I have one machine, called ITCOPY. the GPO sets Deny Logon and Deny Remote Desktop access for MYDOMAIN\testuser
The GPO is set to be Enforced and the Security target is Authenticated Users.
as you can see, I set access_control back to permissive, so I should see some indication that the GPO is working in the log file.
Any help would be much appreciated!
Regards, Koen
Hi Koen,
I don't have a complete answer, but I'll try to help and maybe we can work out some details.
First, do you have an actual AD server around to test with? In the past we've seen bugs with Samba that didn't occur with AD and I'm not sure if anyone tried the GPO integration with Samba..
The SSSD version you're running is pretty recent, the only GPO-related bug after the 1.12.3 release was https://fedorahosted.org/sssd/ticket/2543
My sssd conf: # ========================================= [sssd] domains = mydomain.com config_file_version = 2 services = nss, pam
[domain/mydomain.com] ad_domain = mydomain.com ad_server = pdc.mydomain.com krb5_realm = mydomain.com realmd_tags = manages-system joined-with-samba cache_credentials = True id_provider = ad krb5_store_password_if_offline = True default_shell = /bin/bash ldap_id_mapping = False use_fully_qualified_names = False fallback_homedir = /home/%u debug_level = 9
enumerate = True
I would advice against enumerate=True in large environments.
access_provider = ad #ad_access_filter = (&(memberOf=CN=linuxadmin,CN=Users,DC=mydomain,DC=com)(unixHomeDirectory=*)) id_provider = ad auth_provider = ad chpass_provider = ad ad_gpo_access_control = permissive
ldap_schema = ad
You can drop ldap_schema=ad, it's already the default for id_provider=ad
dyndns_update = true dyndns_refresh_interval = 43200 dyndns_update_ptr = true dyndns_ttl = 3600
ad_gpo_map_remote_interactive = +xrdp-sesman # =====================================
This is part of the sssd log file:
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_access_send] (0x0400): service sshd maps to Remote Interactive (Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_access_send] (0x4000): server_hostname from uri: pdc.mydomain.com (Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_connect_done] (0x0400): sam_account_name is ITCOPY$ (Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_site_dn_retrieval_done] (0x0400): som_list[0]->som_dn is OU=Linux,OU=Servers,DC=mydomain,DC=com (Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_site_dn_retrieval_done] (0x0400): som_list[1]->som_dn is OU=Servers,DC=mydomain,DC=com (Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_site_dn_retrieval_done] (0x0400): som_list[2]->som_dn is DC=mydomain,DC=com (Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_site_dn_retrieval_done] (0x0400): som_list[3]->som_dn is cn=Default-First-Site-Name,cn=Sites,CN=Configuration,DC=mydomain,DC=com (Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_som_attrs_done] (0x4000): gpoptions attr not found or has no value; defaults to 0 (Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_gplink_list] (0x0400): som_dn: OU=Linux,OU=Servers,DC=mydomain,DC=com (Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_gplink_list] (0x4000): gplink_list[0]: [cn={D49E3752-2ECB-42F6-A418-2AE1F3092929},cn=policies,cn=system,DC=mydomain,DC=com; 2] (Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_som_attrs_done] (0x4000): gpoptions attr not found or has no value; defaults to 0 (Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_gplink_list] (0x0400): som_dn: OU=Servers,DC=mydomain,DC=com (Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_gplink_list] (0x4000): gplink_list[0]: [cn={691A69C9-FEF3-4A42-8129-64E8741F9D2C},cn=policies,cn=system,DC=mydomain,DC=com; 1] (Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] 
[ad_gpo_populate_gplink_list] (0x4000): ignored gpo skipped (Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_som_attrs_done] (0x4000): gpoptions attr not found or has no value; defaults to 0 (Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_gplink_list] (0x0400): som_dn: DC=mydomain,DC=com (Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_gplink_list] (0x4000): gplink_list[0]: [CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=mydomain,DC=com; 0] (Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_som_attrs_done] (0x0040): no attrs found for SOM; try next SOM (Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_candidate_gpos] (0x0400): candidate_gpos[0]->gpo_dn: CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=mydomain,DC=com (Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_candidate_gpos] (0x0400): candidate_gpos[1]->gpo_dn: cn={D49E3752-2ECB-42F6-A418-2AE1F3092929},cn=policies,cn=system,DC=mydomain,DC=com
Can you confirm that the GUIDs of the GPOs SSSD downloads correspond to those you defined on the server side?
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): populating attrs for gpo_guid: {31B2F340-016D-11D2-945F-00C04FB984F9}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_extract_smb_components] (0x4000): input_path: \mydomain.com\sysvol\mydomain.com\Policies{31B2F340-016D-11D2-945F-00C04FB984F9}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): smb_server: smb://pdc.mydomain.com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): smb_share: /sysvol
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): smb_path: /mydomain.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): gpo_func_version: 2
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): gpo_flags: 0
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_parse_machine_ext_names] (0x4000): num_gpo_cse_guids: 3
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_parse_machine_ext_names] (0x4000): gpo_cse_guids[0] is {35378EAC-683F-11D2-A89A-00C04FBBCFA2}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_parse_machine_ext_names] (0x4000): gpo_cse_guids[1] is {827D319E-6EAC-11D2-A4EA-00C04F79F83A}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_parse_machine_ext_names] (0x4000): gpo_cse_guids[2] is {B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): populating attrs for gpo_guid: {D49E3752-2ECB-42F6-A418-2AE1F3092929}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_extract_smb_components] (0x4000): input_path: \mydomain.com\SysVol\mydomain.com\Policies{D49E3752-2ECB-42F6-A418-2AE1F3092929}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): smb_server: smb://pdc.mydomain.com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): smb_share: /SysVol
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): smb_path: /mydomain.com/Policies/{D49E3752-2ECB-42F6-A418-2AE1F3092929}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): gpo_func_version: 2
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): gpo_flags: 0
Note that func_version is 2 and flags is 0, same for the other GPO.
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_parse_machine_ext_names] (0x4000): num_gpo_cse_guids: 1
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_parse_machine_ext_names] (0x4000): gpo_cse_guids[0] is {827D319E-6EAC-11D2-A4EA-00C04F79F83A}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_filter_gpos_by_dacl] (0x4000): examining dacl candidate_gpo_guid:{31B2F340-016D-11D2-945F-00C04FB984F9}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_filter_gpos_by_dacl] (0x4000): GPO not applicable to target per security filtering
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_filter_gpos_by_dacl] (0x4000): examining dacl candidate_gpo_guid:{D49E3752-2ECB-42F6-A418-2AE1F3092929}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_filter_gpos_by_dacl] (0x4000): GPO not applicable to target per security filtering
OK, access was denied, but since both the flags and the func_version were the value we expect, I presume the code made it all the way to ad_gpo_evaluate_ace() where the GPO is really evaluated. Unfortunately there's not much logging there. I wonder if the GUIDs are correct? If so, we can proceed with debugging, maybe with some instrumented build..
btw did you also try the other way around, only allow access?
_______________________________________________ sssd-users mailing list sssd-users@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-users
Koen de Boeve mailto:koen@galaxystudios.com 23 Jan 2015 16:10
Hi all,
I am having issues getting remote and local GPO restrictions to work
I am using:
- 2 Samba 4.1.16 PDC's on CentOS 6.5 64bit
- 1 CentOS 7 installation with sssd 1.12.3. as testclient.
other GPO's are working fine for windows machines.
Authentication against the Samba4 Domain on the testclient with sssd is working fine too. I am now trying to use a Group Policy to deny access for 'testuser' for both local login as well as remote login ( ssh and xrdp )
This is not working at all.
I created a GPO which I linked to OU=Linux,OU=Servers,DC=mydomain,DC=com in there, I have one machine, called ITCOPY. the GPO sets Deny Logon and Deny Remote Desktop access for MYDOMAIN\testuser
The GPO is set to be Enforced and the Security target is Authenticated Users.
as you can see, I set access_control back to permissive, so I should see some indication that the GPO is working in the log file.
Any help would be much appreciated!
Regards, Koen
My sssd conf:
# =========================================
[sssd]
domains = mydomain.com
config_file_version = 2
services = nss, pam

[domain/mydomain.com]
ad_domain = mydomain.com
ad_server = pdc.mydomain.com
krb5_realm = mydomain.com
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = False
use_fully_qualified_names = False
fallback_homedir = /home/%u
debug_level = 9
enumerate = True
access_provider = ad
#ad_access_filter = (&(memberOf=CN=linuxadmin,CN=Users,DC=mydomain,DC=com)(unixHomeDirectory=*))
id_provider = ad
auth_provider = ad
chpass_provider = ad
ad_gpo_access_control = permissive
ldap_schema = ad
dyndns_update = true
dyndns_refresh_interval = 43200
dyndns_update_ptr = true
dyndns_ttl = 3600
ad_gpo_map_remote_interactive = +xrdp-sesman
# =====================================
This is part of the sssd log file:
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_access_send] (0x0400): service sshd maps to Remote Interactive
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_access_send] (0x4000): server_hostname from uri: pdc.mydomain.com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_connect_done] (0x0400): sam_account_name is ITCOPY$
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_site_dn_retrieval_done] (0x0400): som_list[0]->som_dn is OU=Linux,OU=Servers,DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_site_dn_retrieval_done] (0x0400): som_list[1]->som_dn is OU=Servers,DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_site_dn_retrieval_done] (0x0400): som_list[2]->som_dn is DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_site_dn_retrieval_done] (0x0400): som_list[3]->som_dn is cn=Default-First-Site-Name,cn=Sites,CN=Configuration,DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_som_attrs_done] (0x4000): gpoptions attr not found or has no value; defaults to 0
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_gplink_list] (0x0400): som_dn: OU=Linux,OU=Servers,DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_gplink_list] (0x4000): gplink_list[0]: [cn={D49E3752-2ECB-42F6-A418-2AE1F3092929},cn=policies,cn=system,DC=mydomain,DC=com; 2]
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_som_attrs_done] (0x4000): gpoptions attr not found or has no value; defaults to 0
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_gplink_list] (0x0400): som_dn: OU=Servers,DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_gplink_list] (0x4000): gplink_list[0]: [cn={691A69C9-FEF3-4A42-8129-64E8741F9D2C},cn=policies,cn=system,DC=mydomain,DC=com; 1]
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_gplink_list] (0x4000): ignored gpo skipped
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_som_attrs_done] (0x4000): gpoptions attr not found or has no value; defaults to 0
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_gplink_list] (0x0400): som_dn: DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_gplink_list] (0x4000): gplink_list[0]: [CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=mydomain,DC=com; 0]
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_som_attrs_done] (0x0040): no attrs found for SOM; try next SOM
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_candidate_gpos] (0x0400): candidate_gpos[0]->gpo_dn: CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_candidate_gpos] (0x0400): candidate_gpos[1]->gpo_dn: cn={D49E3752-2ECB-42F6-A418-2AE1F3092929},cn=policies,cn=system,DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): populating attrs for gpo_guid: {31B2F340-016D-11D2-945F-00C04FB984F9}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_extract_smb_components] (0x4000): input_path: \mydomain.com\sysvol\mydomain.com\Policies{31B2F340-016D-11D2-945F-00C04FB984F9}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): smb_server: smb://pdc.mydomain.com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): smb_share: /sysvol
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): smb_path: /mydomain.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): gpo_func_version: 2
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): gpo_flags: 0
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_parse_machine_ext_names] (0x4000): num_gpo_cse_guids: 3
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_parse_machine_ext_names] (0x4000): gpo_cse_guids[0] is {35378EAC-683F-11D2-A89A-00C04FBBCFA2}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_parse_machine_ext_names] (0x4000): gpo_cse_guids[1] is {827D319E-6EAC-11D2-A4EA-00C04F79F83A}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_parse_machine_ext_names] (0x4000): gpo_cse_guids[2] is {B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): populating attrs for gpo_guid: {D49E3752-2ECB-42F6-A418-2AE1F3092929}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_extract_smb_components] (0x4000): input_path: \mydomain.com\SysVol\mydomain.com\Policies{D49E3752-2ECB-42F6-A418-2AE1F3092929}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): smb_server: smb://pdc.mydomain.com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): smb_share: /SysVol
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): smb_path: /mydomain.com/Policies/{D49E3752-2ECB-42F6-A418-2AE1F3092929}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): gpo_func_version: 2
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): gpo_flags: 0
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_parse_machine_ext_names] (0x4000): num_gpo_cse_guids: 1
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_parse_machine_ext_names] (0x4000): gpo_cse_guids[0] is {827D319E-6EAC-11D2-A4EA-00C04F79F83A}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_filter_gpos_by_dacl] (0x4000): examining dacl candidate_gpo_guid:{31B2F340-016D-11D2-945F-00C04FB984F9}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_filter_gpos_by_dacl] (0x4000): GPO not applicable to target per security filtering
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_filter_gpos_by_dacl] (0x4000): examining dacl candidate_gpo_guid:{D49E3752-2ECB-42F6-A418-2AE1F3092929}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_filter_gpos_by_dacl] (0x4000): GPO not applicable to target per security filtering
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_process_gpo_done] (0x0400): no applicable gpos found after dacl filtering
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_access_done] (0x0400): GPO-based access control successful.
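The som_list -> gplink_list -> candidate_gpos stage that the log above walks through can be reproduced offline, which makes it easier to reason about why a given GPO does or does not become a candidate. The Python below is an added example written for this thread, not SSSD's code. It parses raw gPLink values (SSSD prints them with the LDAP:// prefix already stripped), applies the link options visible in the log (";1" is a disabled link, hence "ignored gpo skipped"; ";2" is an enforced link), honours gPOptions block-inheritance as MS-GPOL defines it, and orders the candidates lowest precedence first. The SOM list and link values are constructed from the DNs in the log; the site SOM has no gPLink, matching the "no attrs found for SOM" entry.

```python
"""Candidate-GPO ordering, modelled on the som_list / gplink_list /
candidate_gpos stage in the sssd log above.  Added example for this thread,
not SSSD's code.

Rules implemented (MS-GPOL): gPLink option bit 0 disables a link, bit 1
enforces it; gPOptions bit 0 on a SOM blocks inheritance of non-enforced
links from the SOMs above it; the result is ordered lowest precedence first
(site, domain, parent OU, OU, then enforced links in the opposite direction
so the highest-level enforced link is applied last and wins).
"""
import re
from dataclasses import dataclass

# gPLink is stored as "[LDAP://<gpo dn>;<options>][LDAP://<gpo dn>;<options>]..."
_GPLINK_RE = re.compile(r"\[LDAP://([^;\]]+);(\d+)\]", re.IGNORECASE)

LINK_DISABLED = 0x1          # logged as "ignored gpo skipped"
LINK_ENFORCED = 0x2          # the "; 2" in the gplink_list entries above
SOM_BLOCK_INHERITANCE = 0x1  # gPOptions; the log defaulted it to 0 everywhere


@dataclass
class Som:
    """A scope of management (OU, domain or site) with its two GPO attributes."""
    dn: str
    gplink: str = ""
    gpoptions: int = 0


def parse_gplink(value):
    """Return [(gpo_dn, options), ...] in the order written in gPLink."""
    return [(dn, int(opts)) for dn, opts in _GPLINK_RE.findall(value)]


def gpo_guid(gpo_dn):
    """Extract the {GUID} RDN value from a GPO DN, upper-cased."""
    m = re.match(r"cn=(\{[0-9a-f-]+\})", gpo_dn, re.IGNORECASE)
    if m is None:
        raise ValueError("not a GPO DN: %s" % gpo_dn)
    return m.group(1).upper()


def candidate_gpos(som_list):
    """Order linked GPOs for application, lowest precedence first.

    som_list is nearest-first, as SSSD logs it: the computer's OU, its
    parent OUs, the domain, then the site.
    """
    non_enforced = []  # collected nearest-first, reversed below
    enforced = []      # nearest-first, so a higher SOM's enforced link ends up last
    blocked = False
    for som in som_list:
        for dn, opts in parse_gplink(som.gplink):
            if opts & LINK_DISABLED:
                continue
            if opts & LINK_ENFORCED:
                enforced.append(dn)
            elif not blocked:
                non_enforced.append(dn)
        if som.gpoptions & SOM_BLOCK_INHERITANCE:
            blocked = True  # drop non-enforced links from every SOM above this one
    return ([gpo_guid(dn) for dn in reversed(non_enforced)]
            + [gpo_guid(dn) for dn in enforced])


# Constructed from the log: four SOMs, nearest first; the site has no gPLink.
LOG_SOM_LIST = [
    Som("OU=Linux,OU=Servers,DC=mydomain,DC=com",
        "[LDAP://cn={D49E3752-2ECB-42F6-A418-2AE1F3092929},cn=policies,cn=system,DC=mydomain,DC=com;2]"),
    Som("OU=Servers,DC=mydomain,DC=com",
        "[LDAP://cn={691A69C9-FEF3-4A42-8129-64E8741F9D2C},cn=policies,cn=system,DC=mydomain,DC=com;1]"),
    Som("DC=mydomain,DC=com",
        "[LDAP://CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=mydomain,DC=com;0]"),
    Som("cn=Default-First-Site-Name,cn=Sites,CN=Configuration,DC=mydomain,DC=com"),
]

if __name__ == "__main__":
    for i, guid in enumerate(candidate_gpos(LOG_SOM_LIST)):
        print("candidate_gpos[%d]: %s" % (i, guid))
```

Run against the constructed SOM list it yields the same two candidates in the same order as the log: the domain's Default Domain Policy first, then the enforced GPO linked to OU=Linux. Setting gpoptions=1 on OU=Servers would drop the domain GPO but keep the enforced one, which is a quick way to check whether a missing candidate is an inheritance or a link-option problem before looking at security filtering.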
Koen de Boeve mailto:koen@galaxystudios.com 23 Jan 2015 21:57
Hi Jakub,
Hi Koen,
I don't have a complete answer, but I'll try to help and maybe we can work out some details.
First, do you have an actual AD server around to test with? In the past we've seen bugs with Samba that didn't occur with AD and I'm not sure if anyone tried the GPO integration with Samba..
The SSSD version you're running is pretty recent, the only GPO-related bug after the 1.12.3 release was https://fedorahosted.org/sssd/ticket/2543
Pretty sure it has nothing to do with unresolvable LDAP uri :-)
I don't have a Windows AD, but I can definitely try to set up one on our test environment.
But that's gonna take some time.
I would advise against enumerate=True in large environments.
We don't have a large environment, and I put it there, on purpose, to see if it worked :-) Once I have everything working as it should I will revise the settings before I deploy it on all our linux machines.
You can drop ldap_schema=ad, it's already the default for id_provider=ad
OK good to know, thanks for that !
Can you confirm that the GUIDs of the GPOs SSSD downloads correspond to those you defined on the server side?
[root@pdc Policies]# ls
{31B2F340-016D-11D2-945F-00C04FB984F9} - This is the Default Policy ( empty )
{691A69C9-FEF3-4A42-8129-64E8741F9D2C} - Other Policy, not for this OU
{6AC1786C-016F-11D2-945F-00C04FB984F9} - Same
{D49E3752-2ECB-42F6-A418-2AE1F3092929} - This is the Policy containing the deny rules for user Testuser (Deny log on locally and Deny log on through Remote Desktop )
{E55C6360-FBC1-485A-8EFF-A7D9392514D2} - Other Policy, not for this OU
Note that func_version is 2 and flags is 0, same for the other GPO.
What does that mean? :-)
OK, access was denied, but since both the flags and the func_version were the value we expect, I presume the code made it all the way to ad_gpo_evaluate_ace() where the GPO is really evaluated. Unfortunately there's not much logging there. I wonder if the GUIDs are correct? If so, we can proceed with debugging, maybe with some instrumented build..
There is one SID I can't figure out:
[ad_gpo_parse_machine_ext_names] (0x4000): gpo_cse_guids[0] is {827D319E-6EAC-11D2-A4EA-00C04F79F83A}
btw did you also try the other way around, only allow access?
Yes, same issue
Regards and thanks for the help!
Koen
Jakub Hrozek mailto:jhrozek@redhat.com 23 Jan 2015 21:03
On Fri, Jan 23, 2015 at 04:10:12PM +0100, Koen de Boeve wrote:
Hi all,
I am having issues getting remote and local GPO restrictions to work
I am using:
- 2 Samba 4.1.16 PDC's on CentOS 6.5 64bit
- 1 CentOS 7 installation with sssd 1.12.3. as testclient.
other GPO's are working fine for windows machines.
Authentication against the Samba4 Domain on the testclient with sssd is working fine too. I am now trying to use a Group Policy to deny access for 'testuser' for both local login as well as remote login ( ssh and xrdp )
This is not working at all.
I created a GPO which I linked to OU=Linux,OU=Servers,DC=mydomain,DC=com in there, I have one machine, called ITCOPY. the GPO sets Deny Logon and Deny Remote Desktop access for MYDOMAIN\testuser
The GPO is set to be Enforced and the Security target is Authenticated Users.
as you can see, I set access_control back to permissive, so I should see some indication that the GPO is working in the log file.
Any help would be much appreciated!
Regards, Koen
Hi Koen,
I don't have a complete answer, but I'll try to help and maybe we can work out some details.
First, do you have an actual AD server around to test with? In the past we've seen bugs with Samba that didn't occur with AD and I'm not sure if anyone tried the GPO integration with Samba..
The SSSD version you're running is pretty recent, the only GPO-related bug after the 1.12.3 release was https://fedorahosted.org/sssd/ticket/2543
My sssd conf:
# =========================================
[sssd]
domains = mydomain.com
config_file_version = 2
services = nss, pam

[domain/mydomain.com]
ad_domain = mydomain.com
ad_server = pdc.mydomain.com
krb5_realm = mydomain.com
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = False
use_fully_qualified_names = False
fallback_homedir = /home/%u
debug_level = 9
enumerate = True
I would advise against enumerate=True in large environments.
access_provider = ad
#ad_access_filter = (&(memberOf=CN=linuxadmin,CN=Users,DC=mydomain,DC=com)(unixHomeDirectory=*))
id_provider = ad
auth_provider = ad
chpass_provider = ad
ad_gpo_access_control = permissive
ldap_schema = ad
You can drop ldap_schema=ad, it's already the default for id_provider=ad
dyndns_update = true
dyndns_refresh_interval = 43200
dyndns_update_ptr = true
dyndns_ttl = 3600
ad_gpo_map_remote_interactive = +xrdp-sesman
# =====================================
This is part of the sssd log file:
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_access_send] (0x0400): service sshd maps to Remote Interactive
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_access_send] (0x4000): server_hostname from uri: pdc.mydomain.com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_connect_done] (0x0400): sam_account_name is ITCOPY$
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_site_dn_retrieval_done] (0x0400): som_list[0]->som_dn is OU=Linux,OU=Servers,DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_site_dn_retrieval_done] (0x0400): som_list[1]->som_dn is OU=Servers,DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_site_dn_retrieval_done] (0x0400): som_list[2]->som_dn is DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_site_dn_retrieval_done] (0x0400): som_list[3]->som_dn is cn=Default-First-Site-Name,cn=Sites,CN=Configuration,DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_som_attrs_done] (0x4000): gpoptions attr not found or has no value; defaults to 0
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_gplink_list] (0x0400): som_dn: OU=Linux,OU=Servers,DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_gplink_list] (0x4000): gplink_list[0]: [cn={D49E3752-2ECB-42F6-A418-2AE1F3092929},cn=policies,cn=system,DC=mydomain,DC=com; 2]
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_som_attrs_done] (0x4000): gpoptions attr not found or has no value; defaults to 0
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_gplink_list] (0x0400): som_dn: OU=Servers,DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_gplink_list] (0x4000): gplink_list[0]: [cn={691A69C9-FEF3-4A42-8129-64E8741F9D2C},cn=policies,cn=system,DC=mydomain,DC=com; 1]
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_gplink_list] (0x4000): ignored gpo skipped
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_som_attrs_done] (0x4000): gpoptions attr not found or has no value; defaults to 0
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_gplink_list] (0x0400): som_dn: DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_gplink_list] (0x4000): gplink_list[0]: [CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=mydomain,DC=com; 0]
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_som_attrs_done] (0x0040): no attrs found for SOM; try next SOM
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_candidate_gpos] (0x0400): candidate_gpos[0]->gpo_dn: CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_candidate_gpos] (0x0400): candidate_gpos[1]->gpo_dn: cn={D49E3752-2ECB-42F6-A418-2AE1F3092929},cn=policies,cn=system,DC=mydomain,DC=com
Can you confirm that the GUIDs of the GPOs SSSD downloads correspond to those you defined on the server side?
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): populating attrs for gpo_guid: {31B2F340-016D-11D2-945F-00C04FB984F9}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_extract_smb_components] (0x4000): input_path: \mydomain.com\sysvol\mydomain.com\Policies{31B2F340-016D-11D2-945F-00C04FB984F9}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): smb_server: smb://pdc.mydomain.com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): smb_share: /sysvol
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): smb_path: /mydomain.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): gpo_func_version: 2
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): gpo_flags: 0
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_parse_machine_ext_names] (0x4000): num_gpo_cse_guids: 3
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_parse_machine_ext_names] (0x4000): gpo_cse_guids[0] is {35378EAC-683F-11D2-A89A-00C04FBBCFA2}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_parse_machine_ext_names] (0x4000): gpo_cse_guids[1] is {827D319E-6EAC-11D2-A4EA-00C04F79F83A}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_parse_machine_ext_names] (0x4000): gpo_cse_guids[2] is {B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): populating attrs for gpo_guid: {D49E3752-2ECB-42F6-A418-2AE1F3092929}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_extract_smb_components] (0x4000): input_path: \mydomain.com\SysVol\mydomain.com\Policies{D49E3752-2ECB-42F6-A418-2AE1F3092929}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): smb_server: smb://pdc.mydomain.com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): smb_share: /SysVol
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): smb_path: /mydomain.com/Policies/{D49E3752-2ECB-42F6-A418-2AE1F3092929}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): gpo_func_version: 2
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): gpo_flags: 0
Note that func_version is 2 and flags is 0, same for the other GPO.
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_parse_machine_ext_names] (0x4000): num_gpo_cse_guids: 1
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_parse_machine_ext_names] (0x4000): gpo_cse_guids[0] is {827D319E-6EAC-11D2-A4EA-00C04F79F83A}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_filter_gpos_by_dacl] (0x4000): examining dacl candidate_gpo_guid:{31B2F340-016D-11D2-945F-00C04FB984F9}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_filter_gpos_by_dacl] (0x4000): GPO not applicable to target per security filtering
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_filter_gpos_by_dacl] (0x4000): examining dacl candidate_gpo_guid:{D49E3752-2ECB-42F6-A418-2AE1F3092929}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_filter_gpos_by_dacl] (0x4000): GPO not applicable to target per security filtering
OK, access was denied, but since both the flags and the func_version were the value we expect, I presume the code made it all the way to ad_gpo_evaluate_ace() where the GPO is really evaluated. Unfortunately there's not much logging there. I wonder if the GUIDs are correct? If so, we can proceed with debugging, maybe with some instrumented build..
btw did you also try the other way around, only allow access?
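Once a GPO survives security filtering, SSSD's GPO access control reads that GPO's security template from SysVol (MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf) and evaluates the logon rights in its [Privilege Rights] section against the category the PAM service maps to. The CSE GUID Koen asks about, {827D319E-6EAC-11D2-A4EA-00C04F79F83A}, is the Security Settings client-side extension, which is what marks a GPO as carrying such a template. The Python below is an added example for this thread, not SSSD's implementation: it parses a GptTmpl.inf, maps a PAM service to its logon category (sshd is Remote Interactive per the log, and ad_gpo_map_remote_interactive = +xrdp-sesman adds xrdp-sesman; the "login" entry is an assumption for the example), and decides access with deny-overrides semantics. The template text and all SIDs are constructed; the rule that a configured allow right must include the user while an unset one imposes no restriction, and that the last-applied GPO replaces earlier values for the same right, is the model assumed here.

```python
"""Logon-right evaluation for a PAM service, modelled on SSSD's GPO-based
access control.  Added example written for this thread, not SSSD's code.

Assumptions: the GptTmpl.inf text, the SIDs and the "login" mapping are
constructed; sshd's category and the "+xrdp-sesman" addition come from the
sssd.conf and log in the thread.  Semantics modelled: a deny right matching
the user or one of the user's groups wins; a configured allow right must
include the user or a group; an allow right no GPO sets imposes no
restriction; when several GPOs set the same right, the one applied last
(highest precedence) replaces earlier values.
"""
import configparser

# Logon categories and the [Privilege Rights] names behind them.
RIGHTS = {
    "interactive": ("SeInteractiveLogonRight", "SeDenyInteractiveLogonRight"),
    "remote_interactive": ("SeRemoteInteractiveLogonRight",
                           "SeDenyRemoteInteractiveLogonRight"),
    "network": ("SeNetworkLogonRight", "SeDenyNetworkLogonRight"),
    "batch": ("SeBatchLogonRight", "SeDenyBatchLogonRight"),
    "service": ("SeServiceLogonRight", "SeDenyServiceLogonRight"),
}

# PAM service -> category ("service sshd maps to Remote Interactive" in the
# log; +xrdp-sesman adds xrdp-sesman; "login" is assumed for console logon).
SERVICE_MAP = {
    "login": "interactive",
    "sshd": "remote_interactive",
    "xrdp-sesman": "remote_interactive",
}

# Constructed SIDs (not from the thread).
TESTUSER_SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"
ADMIN_SID = "S-1-5-21-1111111111-2222222222-3333333333-500"
DOMAIN_USERS_SID = "S-1-5-21-1111111111-2222222222-3333333333-513"
BUILTIN_ADMINS_SID = "S-1-5-32-544"

# Constructed GptTmpl.inf for a GPO that sets "Deny log on locally" and
# "Deny log on through Remote Desktop Services" for testuser.  The real file
# on SysVol is UTF-16 with a BOM; decode it before handing it to the parser.
SAMPLE_GPTTMPL = """\
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeDenyInteractiveLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-1105
SeDenyRemoteInteractiveLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-1105
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
"""


def parse_privilege_rights(inf_text):
    """Return {right_name: set of SIDs} from the [Privilege Rights] section.

    Entries are comma separated; a leading '*' marks a SID (a bare account
    name would need resolving first and is kept as written here).
    """
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None,
                                   strict=False)
    cp.optionxform = str  # keep the SeDeny... capitalisation as written
    cp.read_string(inf_text)
    rights = {}
    if cp.has_section("Privilege Rights"):
        for name, value in cp.items("Privilege Rights"):
            rights[name] = {tok.strip().lstrip("*")
                            for tok in value.split(",") if tok.strip()}
    return rights


def merge_rights(rights_in_precedence_order):
    """Combine per-GPO tables; a later GPO's value replaces an earlier one."""
    merged = {}
    for rights in rights_in_precedence_order:
        merged.update(rights)
    return merged


def check_access(rights, service, user_sids):
    """Return (allowed, reason) for a user whose SID and group SIDs are user_sids."""
    category = SERVICE_MAP.get(service)
    if category is None:
        return True, "service %r is not mapped to a logon right" % service
    allow_name, deny_name = RIGHTS[category]
    sids = set(user_sids)
    hit = rights.get(deny_name, set()) & sids
    if hit:
        return False, "%s matches %s" % (deny_name, ", ".join(sorted(hit)))
    allowed = rights.get(allow_name)
    if allowed is not None and not (allowed & sids):
        return False, "%s is set and does not include the user" % allow_name
    return True, "no %s restriction applies" % category


if __name__ == "__main__":
    table = merge_rights([parse_privilege_rights(SAMPLE_GPTTMPL)])
    for svc in ("login", "sshd", "xrdp-sesman"):
        print(svc, check_access(table, svc, {TESTUSER_SID, DOMAIN_USERS_SID}))
```

With the sample template, testuser is refused for login, sshd and xrdp-sesman while an account in BUILTIN\Administrators still reaches sshd; a domain user who is neither denied nor listed in SeRemoteInteractiveLogonRight is refused for sshd but not for login, because only the remote-interactive allow right is configured. That asymmetry is worth keeping in mind when a GPO sets an allow right for one category only.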
Hi Sumit,
If I try just kinit -k, I get:

[root@lnx01 sssd]# kinit -k
kinit: Client 'host/lnx01.glxtmp.com@GLXTMP.COM' not found in Kerberos database while getting initial credentials
[root@lnx01 sssd]# host lnx01.glxtmp.com
lnx01.glxtmp.com has address 10.0.234.100
[root@lnx01 sssd]# host 10.0.234.100
100.234.0.10.in-addr.arpa domain name pointer lnx01.glxtmp.com.

same for any combination like:
kinit -k lnx01 or kinit -k lnx01.glxtmp.com

if I try kinit -k LNX01$ it works.

[root@lnx01 ~]# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_WnzXbeg
Default principal: LNX01$@GLXTMP.COM

Valid starting       Expires              Service principal
01/26/2015 22:00:01  01/27/2015 08:00:01  krbtgt/GLXTMP.COM@GLXTMP.COM
        renew until 02/02/2015 22:00:01
[root@lnx01 ~]# smbclient -k \\win-leje3vd828k.glxtmp.com\SYSVOL
OS=[Windows Server 2012 Standard Evaluation 9200] Server=[Windows Server 2012 Standard Evaluation 6.2]
smb: \> ls
  .                                   D        0  Sun Jan 25 20:24:14 2015
  ..                                  D        0  Sun Jan 25 20:24:14 2015
  GLXTMP.COM                          D        0  Sun Jan 25 20:24:14 2015

                40607 blocks of size 1048576. 28261 blocks available
smb: \> cd GLXTMP.COM\
smb: \GLXTMP.COM\> ls
  .                                   D        0  Sun Jan 25 20:26:38 2015
  ..                                  D        0  Sun Jan 25 20:26:38 2015
  DfsrPrivate                       DHS        0  Sun Jan 25 20:26:38 2015
  Policies                            D        0  Sun Jan 25 21:18:44 2015
  scripts                             D        0  Sun Jan 25 20:24:14 2015

                40607 blocks of size 1048576. 28261 blocks available
smb: \GLXTMP.COM\> cd Policies\
smb: \GLXTMP.COM\Policies\> ls
  .                                   D        0  Sun Jan 25 21:18:44 2015
  ..                                  D        0  Sun Jan 25 21:18:44 2015
  {31B2F340-016D-11D2-945F-00C04FB984F9}      D        0  Sun Jan 25 20:24:36 2015
  {6AC1786C-016F-11D2-945F-00C04fB984F9}      D        0  Sun Jan 25 20:24:36 2015
  {AC4A550E-DCD5-4C06-8B5C-29E51CD03164}      D        0  Sun Jan 25 21:18:44 2015

                40607 blocks of size 1048576. 28261 blocks available
smb: \GLXTMP.COM\Policies\> cd {AC4A550E-DCD5-4C06-8B5C-29E51CD03164}
smb: \GLXTMP.COM\Policies\{AC4A550E-DCD5-4C06-8B5C-29E51CD03164}\> ls
  .                                   D        0  Sun Jan 25 21:18:44 2015
  ..                                  D        0  Sun Jan 25 21:18:44 2015
  GPT.INI                             A       59  Sun Jan 25 21:21:57 2015
  Machine                             D        0  Sun Jan 25 21:19:03 2015
  User                                D        0  Sun Jan 25 21:18:44 2015

                40607 blocks of size 1048576. 28261 blocks available
smb: \GLXTMP.COM\Policies\{AC4A550E-DCD5-4C06-8B5C-29E51CD03164}\> get GPT.INI
getting file \GLXTMP.COM\Policies\{AC4A550E-DCD5-4C06-8B5C-29E51CD03164}\GPT.INI of size 59 as GPT.INI (57.6 KiloBytes/sec) (average 57.6 KiloBytes/sec)
Regards, Koen
Sumit Bose mailto:sbose@redhat.com 26 Jan 2015 14:07
On Mon, Jan 26, 2015 at 11:53:35AM +0100, Koen de Boeve wrote:
> hmm weird, the logs say that there's no access to the GPT.INI file...
> when I use smbclient \\<servername>\SysVol -Utestuser1
> I can browse and get GLXTMP.COM/Policies/{AC4A550E-DCD5-4C06-8B5C-29E51CD03164}/GPT.INI without a problem...

iirc we use host credentials to read SysVol. Can you check if you see access denied with

    kinit -k
    smbclient -k \\<servername>\SysVol ...

as well.

bye, Sumit

> but attached is the gpo_child.log
> Regards, Koen
sssd-users mailing list sssd-users@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-users
Koen de Boeve mailto:koen@galaxystudios.com 26 Jan 2015 11:53
hmm weird, the logs say that there's no access to the GPT.INI file...
when I use smbclient \\<servername>\SysVol -Utestuser1
I can browse and get GLXTMP.COM/Policies/{AC4A550E-DCD5-4C06-8B5C-29E51CD03164}/GPT.INI without a problem...
but attached is the gpo_child.log
Regards, Koen

Sumit Bose mailto:sbose@redhat.com 26 Jan 2015 11:25
"[child_sig_handler] (0x0020): child [18130] failed with status [1]."
Can you send the gpo child logs as well?
bye, Sumit

Koen de Boeve mailto:koen@galaxystudios.com 26 Jan 2015 10:54
Hi Jakub,
I have a Windows AD setup now (Windows 2012 R2). But it still isn't working (different error though). I have set up another CentOS 7 box with sssd version 1.12.3 and bound it to this domain.
This is the sssd.conf:
[sssd]
domains = GLXTMP.COM
config_file_version = 2
services = nss, pam

[domain/GLXTMP.COM]
ad_domain = GLXTMP.COM
krb5_realm = GLXTMP.COM
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = False
use_fully_qualified_names = False
fallback_homedir = /home/%u
debug_level = 9
enumerate = True
access_provider = ad
id_provider = ad
auth_provider = ad
chpass_provider = ad
ad_gpo_access_control = permissive
=========================
Now the log file finds a GPO that is applicable:
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ad_gpo_filter_gpos_by_dacl] (0x4000): examining dacl candidate_gpo_guid:{31B2F340-016D-11D2-945F-00C04FB984F9}
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ad_gpo_filter_gpos_by_dacl] (0x4000): GPO not applicable to target per security filtering
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ad_gpo_filter_gpos_by_dacl] (0x4000): examining dacl candidate_gpo_guid:{AC4A550E-DCD5-4C06-8B5C-29E51CD03164}
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ad_gpo_filter_gpos_by_dacl] (0x4000): GPO applicable to target per security filtering
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ad_gpo_process_gpo_done] (0x0400): dacl_filtered_gpos[0]->gpo_guid is {AC4A550E-DCD5-4C06-8B5C-29E51CD03164}
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ad_gpo_filter_gpos_by_cse_guid] (0x4000): examining cse candidate_gpo_guid: {AC4A550E-DCD5-4C06-8B5C-29E51CD03164}
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ad_gpo_filter_gpos_by_cse_guid] (0x4000): GPO applicable to target per cse_guid filtering
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ad_gpo_process_gpo_done] (0x0400): cse_filtered_gpos[0]->gpo_guid is {AC4A550E-DCD5-4C06-8B5C-29E51CD03164}
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ad_gpo_process_gpo_done] (0x0400): num_cse_filtered_gpos: 1
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ldb] (0x4000): start ldb transaction (nesting: 0)
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [sysdb_gpo_get_gpo_result_object] (0x4000): cn=gpos,cn=ad,cn=custom,cn=GLXTMP.COM,cn=sysdb
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f96c0717020
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f96c0716220
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ldb] (0x4000): Running timer event 0x7f96c0717020 "ltdb_callback"
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ldb] (0x4000): Destroying timer event 0x7f96c0716220 "ltdb_timeout"
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ldb] (0x4000): Ending timer event 0x7f96c0717020 "ltdb_callback"
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [sysdb_gpo_get_gpo_result_object] (0x4000): No GPO Result object.
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ldb] (0x4000): commit ldb transaction (nesting: 0)
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ad_gpo_cse_step] (0x0400): cse filtered_gpos[0]->gpo_guid is {AC4A550E-DCD5-4C06-8B5C-29E51CD03164}
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ad_gpo_cse_step] (0x4000): cse_filtered_gpos[0]->gpo_cse_guids[0]->gpo_guid is {827D319E-6EAC-11D2-A4EA-00C04F79F83A}
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ad_gpo_cse_step] (0x0400): smb_server: smb://win-leje3vd828k.glxtmp.com
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ad_gpo_cse_step] (0x0400): smb_share: /SysVol
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ad_gpo_cse_step] (0x0400): smb_path: /GLXTMP.COM/Policies/{AC4A550E-DCD5-4C06-8B5C-29E51CD03164}
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ad_gpo_cse_step] (0x0400): gpo_guid: {AC4A550E-DCD5-4C06-8B5C-29E51CD03164}
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ad_gpo_cse_step] (0x0400): retrieving GPO from cache [{AC4A550E-DCD5-4C06-8B5C-29E51CD03164}]
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [sysdb_gpo_get_gpo_by_guid] (0x4000): cn=gpos,cn=ad,cn=custom,cn=GLXTMP.COM,cn=sysdb
But finally it is failing anyway:
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f96c071b260
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f96c07134d0
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ldb] (0x4000): Running timer event 0x7f96c071b260 "ltdb_callback"
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ldb] (0x4000): Destroying timer event 0x7f96c07134d0 "ltdb_timeout"
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ldb] (0x4000): Ending timer event 0x7f96c071b260 "ltdb_callback"
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [sysdb_gpo_get_gpo_by_guid] (0x4000): No such entry.
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ad_gpo_cse_step] (0x0400): ENOENT
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ad_gpo_cse_step] (0x0400): send_to_child: 1
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ad_gpo_cse_step] (0x0400): cached_gpt_version: -1
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [create_cse_send_buffer] (0x4000): buffer size: 167
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [child_handler_setup] (0x2000): Setting up signal handler up for pid [18130]
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [child_handler_setup] (0x2000): Signal handler set up for pid [18130]
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [sdap_process_result] (0x2000): Trace: sh[0x7f96c06d7260], connected[1], ops[(nil)], ldap[0x7f96c06a3d10]
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [write_pipe_handler] (0x0400): All data has been sent!
(Mon Jan 26 10:26:03 2015) [sssd[be[GLXTMP.COM]]] [read_pipe_handler] (0x0400): EOF received, client finished
(Mon Jan 26 10:26:03 2015) [sssd[be[GLXTMP.COM]]] [gpo_cse_done] (0x0020): ad_gpo_parse_gpo_child_response failed: [22][Invalid argument]
(Mon Jan 26 10:26:03 2015) [sssd[be[GLXTMP.COM]]] [ad_gpo_cse_done] (0x0400): gpo_guid: {AC4A550E-DCD5-4C06-8B5C-29E51CD03164}
(Mon Jan 26 10:26:03 2015) [sssd[be[GLXTMP.COM]]] [ad_gpo_cse_done] (0x0040): Unable to retrieve policy data: [22](Invalid argument}
(Mon Jan 26 10:26:03 2015) [sssd[be[GLXTMP.COM]]] [ad_gpo_access_done] (0x0040): GPO-based access control failed.
(Mon Jan 26 10:26:03 2015) [sssd[be[GLXTMP.COM]]] [ad_gpo_access_done] (0x0040): Ignoring error: [22](Invalid argument); GPO-based access control failed, but GPO is not in enforcing mode.
I added the full sssd log in case you want a look in there.
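An added illustration, written for this thread and not taken from SSSD or from anyone posting here: the GPO that became applicable in the log above carries a single CSE, {827D319E-6EAC-11D2-A4EA-00C04F79F83A}, which is the Security Settings extension and the only one SSSD's GPO access provider evaluates. Once gpo_child has fetched the GPO from SYSVOL with the host credentials Sumit mentions, two files matter: GPT.INI, whose Version field packs the user version in the high 16 bits and the machine version in the low 16 bits (the cached_gpt_version: -1 line is the cache miss that forces the download), and Machine/Microsoft/Windows NT/SecEdit/GptTmpl.inf, whose [Privilege Rights] section lists the SIDs behind "Deny log on locally" (SeDenyInteractiveLogonRight) and "Deny log on through Remote Desktop Services" (SeDenyRemoteInteractiveLogonRight). The Python below reproduces the decision on constructed copies of those two files: a deny right matching the user or one of its groups wins, a non-empty allow right must match, an empty allow right grants (newer SSSD releases can flip that rule with ad_gpo_implicit_deny), and a PAM service that is not mapped to any logon right takes the ad_gpo_default_right fallback. The SIDs, the service-to-right table (a subset of SSSD's defaults plus the thread's xrdp-sesman entry) and the file contents are assumptions of this example, not anything the thread states.

```python
"""Re-implementation of the logon-right check SSSD's ad_gpo access provider
performs on the Security CSE data it fetches from SYSVOL.

Added example for this thread, not SSSD code.  Inputs are the two files the
gpo_child helper downloads for an applicable GPO; here they are constructed
strings.  SIDs, the service map and the default-deny fallback are assumptions.
"""
import configparser
from typing import Dict, List, Tuple

# Client-side extension GUID for Security Settings; SSSD only evaluates GPOs
# that list it in gPCMachineExtensionNames (shown as gpo_cse_guids in the log).
GP_EXT_GUID_SECURITY = "{827D319E-6EAC-11D2-A4EA-00C04F79F83A}"

# Subset of SSSD's default ad_gpo_map_* tables, plus the xrdp-sesman entry the
# thread adds with ad_gpo_map_remote_interactive = +xrdp-sesman.  (Assumption:
# not the exhaustive list from sssd-ad(5).)
SERVICE_MAP = {
    "login": "interactive", "su": "interactive", "gdm-password": "interactive",
    "sshd": "remote_interactive", "xrdp-sesman": "remote_interactive",
    "ftp": "network", "samba": "network", "crond": "batch",
}
# (allow right, deny right) per logon type, as the keys appear in GptTmpl.inf.
RIGHT_NAMES = {
    "interactive": ("SeInteractiveLogonRight", "SeDenyInteractiveLogonRight"),
    "remote_interactive": ("SeRemoteInteractiveLogonRight",
                           "SeDenyRemoteInteractiveLogonRight"),
    "network": ("SeNetworkLogonRight", "SeDenyNetworkLogonRight"),
    "batch": ("SeBatchLogonRight", "SeDenyBatchLogonRight"),
    "service": ("SeServiceLogonRight", "SeDenyServiceLogonRight"),
}


def _ini(text: str) -> configparser.ConfigParser:
    """Parse an INF/INI body; keys stay case-sensitive and '%' is literal."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text.lstrip("\ufeff"))  # GptTmpl.inf is UTF-16 with a BOM
    return cp


def gpt_versions(gpt_ini: str) -> Tuple[int, int, int]:
    """Return (raw, user_version, machine_version) from GPT.INI [General]."""
    raw = int(_ini(gpt_ini)["General"]["Version"])
    return raw, (raw >> 16) & 0xFFFF, raw & 0xFFFF


def privilege_rights(gpttmpl: str) -> Dict[str, List[str]]:
    """Map each [Privilege Rights] key to its SID list; '*' marks a literal SID."""
    cp = _ini(gpttmpl)
    if not cp.has_section("Privilege Rights"):
        return {}
    return {name: [v.strip().lstrip("*") for v in value.split(",") if v.strip()]
            for name, value in cp.items("Privilege Rights")}


def check_access(service: str, user_sid: str, group_sids: List[str],
                 gpttmpl: str, cse_guids: List[str],
                 default_right: str = "deny") -> Tuple[bool, str]:
    """Decide access for one PAM service: deny rights win, a non-empty allow
    list must match, an empty allow list grants (SSSD of the thread's era;
    newer releases can change that with ad_gpo_implicit_deny)."""
    if GP_EXT_GUID_SECURITY not in cse_guids:
        return True, "GPO has no Security CSE, nothing to enforce"
    logon_type = SERVICE_MAP.get(service)
    if logon_type is None:  # ad_gpo_default_right fallback (assumed: deny)
        return default_right == "permit", f"{service} is not mapped to a logon right"
    allow_name, deny_name = RIGHT_NAMES[logon_type]
    rights = privilege_rights(gpttmpl)
    principals = {user_sid, *group_sids}
    if principals & set(rights.get(deny_name, [])):
        return False, f"{deny_name} matches"
    allowed = rights.get(allow_name, [])
    if allowed and not principals & set(allowed):
        return False, f"{allow_name} is set and excludes the user"
    return True, "no deny match; allow list empty or matched"


# --- constructed sample input (not taken from the thread) -------------------
DOM = "S-1-5-21-1111111111-2222222222-3333333333"
TESTUSER, ADMIN, OTHER, DOMAIN_USERS = f"{DOM}-1104", f"{DOM}-1105", f"{DOM}-1106", f"{DOM}-513"

SAMPLE_GPT_INI = "[General]\nVersion=65539\ndisplayName=Linux logon restrictions\n"
SAMPLE_GPTTMPL = (
    "\ufeff[Unicode]\nUnicode=yes\n"
    "[Version]\nsignature=\"$CHICAGO$\"\nRevision=1\n"
    "[Privilege Rights]\n"
    f"SeDenyInteractiveLogonRight = *{TESTUSER}\n"
    f"SeDenyRemoteInteractiveLogonRight = *{TESTUSER}\n"
    f"SeRemoteInteractiveLogonRight = *{ADMIN},*S-1-5-32-555\n"
)

if __name__ == "__main__":
    print("GPT.INI version (raw, user, machine):", gpt_versions(SAMPLE_GPT_INI))
    for svc, sid in (("sshd", TESTUSER), ("sshd", ADMIN), ("sshd", OTHER),
                     ("login", OTHER), ("cups", ADMIN)):
        ok, why = check_access(svc, sid, [DOMAIN_USERS], SAMPLE_GPTTMPL,
                               [GP_EXT_GUID_SECURITY])
        print(f"{svc:11} {sid[-4:]}: {'permit' if ok else 'deny':6} ({why})")
```

The decision is made per PAM service, which is why the thread's ad_gpo_map_remote_interactive = +xrdp-sesman line matters: without it xrdp logins would hit the unmapped-service fallback rather than the Remote Desktop deny right. In a real check the GptTmpl.inf bytes come from SYSVOL as UTF-16LE and have to be decoded before parsing; the BOM handling above is there for that case.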
Koen de Boeve mailto:koen@galaxystudios.com 23 Jan 2015 21:57
Hi Jakub,
> Hi Koen,
> I don't have a complete answer, but I'll try to help and maybe we can work out some details. First, do you have an actual AD server around to test with? In the past we've seen bugs with Samba that didn't occur with AD and I'm not sure if anyone tried the GPO integration with Samba.. The SSSD version you're running is pretty recent, the only GPO-related bug after the 1.12.3 release was https://fedorahosted.org/sssd/ticket/2543

Pretty sure it has nothing to do with unresolvable LDAP uri :-)
I don't have a Windows AD, but I can definitely try to set up one on our test environment.
But that's gonna take some time.

> I would advise against enumerate=True in large environments.

We don't have a large environment, and I put it there, on purpose, to see if it worked :-) Once I have everything working as it should I will revise the settings before I deploy it on all our linux machines.

> You can drop ldap_schema=ad, it's already the default for id_provider=ad

OK good to know, thanks for that!

> Can you confirm that the GUIDs of the GPOs SSSD downloads correspond to those you defined on the server side?

[root@pdc Policies]# ls
{31B2F340-016D-11D2-945F-00C04FB984F9} - This is the Default Policy (empty)
{691A69C9-FEF3-4A42-8129-64E8741F9D2C} - Other Policy, not for this OU
{6AC1786C-016F-11D2-945F-00C04FB984F9} - Same
{D49E3752-2ECB-42F6-A418-2AE1F3092929} - This is the Policy containing the deny rules for user Testuser (Deny log on locally and Deny log on through Remote Desktop)
{E55C6360-FBC1-485A-8EFF-A7D9392514D2} - Other Policy, not for this OU

> Note that func_versions is 2 and flags is 0, same for the other GPO.

What does that mean? :-)

> OK, access was denied but since both the flags and the func_version were the values we expect, I presume the code made it all the way to ad_gpo_evaluate_ace() where the GPO is really evaluated. Unfortunately there's not much logging there. I wonder if the GUIDs are correct? If so, we can proceed with debugging, maybe with some instrumented build..

There is one SID I can't figure out: [ad_gpo_parse_machine_ext_names] (0x4000): gpo_cse_guids[0] is {827D319E-6EAC-11D2-A4EA-00C04F79F83A}

> btw did you also try the other way around, only allow access?

Yes, same issue

Regards and thanks for the help!, Koen

Jakub Hrozek mailto:jhrozek@redhat.com 23 Jan 2015 21:03
On Fri, Jan 23, 2015 at 04:10:12PM +0100, Koen de Boeve wrote:
> Hi all,
> I am having issues getting remote and local GPO restrictions to work
> I am using:
> - 2 Samba 4.1.16 PDC's on CentOS 6.5 64bit
> - 1 CentOS 7 installation with sssd 1.12.3. as testclient.
> other GPO's are working fine for windows machines.
> Authentication against the Samba4 Domain on the testclient with sssd is working fine too. I am now trying to use a Group Policy to deny access for 'testuser' for both local login as well as remote login (ssh and xrdp)
> This is not working at all.
> I created a GPO which I linked to OU=Linux,OU=Servers,DC=mydomain,DC=com in there, I have one machine, called ITCOPY. the GPO sets Deny Logon and Deny Remote Desktop access for MYDOMAIN\testuser
> The GPO is set to be Enforced and the Security target is Authenticated Users.
> as you can see, I set access_control back to permissive, so I should see some indication that the GPO is working in the log file.
> Any help would be much appreciated!
> Regards, Koen
Hi Koen,
I don't have a complete answer, but I'll try to help and maybe we can work out some details.
First, do you have an actual AD server around to test with? In the past we've seen bugs with Samba that didn't occur with AD and I'm not sure if anyone tried the GPO integration with Samba..
The SSSD version you're running is pretty recent, the only GPO-related bug after the 1.12.3 release was https://fedorahosted.org/sssd/ticket/2543
> My sssd conf:
> # =========================================
> [sssd]
> domains = mydomain.com
> config_file_version = 2
> services = nss, pam
>
> [domain/mydomain.com]
> ad_domain = mydomain.com
> ad_server = pdc.mydomain.com
> krb5_realm = mydomain.com
> realmd_tags = manages-system joined-with-samba
> cache_credentials = True
> id_provider = ad
> krb5_store_password_if_offline = True
> default_shell = /bin/bash
> ldap_id_mapping = False
> use_fully_qualified_names = False
> fallback_homedir = /home/%u
> debug_level = 9
> enumerate = True

I would advise against enumerate=True in large environments.

> access_provider = ad
> #ad_access_filter = (&(memberOf=CN=linuxadmin,CN=Users,DC=mydomain,DC=com)(unixHomeDirectory=*))
> id_provider = ad
> auth_provider = ad
> chpass_provider = ad
> ad_gpo_access_control = permissive
> ldap_schema = ad

You can drop ldap_schema=ad, it's already the default for id_provider=ad

> dyndns_update = true
> dyndns_refresh_interval = 43200
> dyndns_update_ptr = true
> dyndns_ttl = 3600
> ad_gpo_map_remote_interactive = +xrdp-sesman
> # =====================================
>
> This is part of the sssd log file:
>
> (Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_access_send] (0x0400): service sshd maps to Remote Interactive
> (Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_access_send] (0x4000): server_hostname from uri: pdc.mydomain.com
> (Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_connect_done] (0x0400): sam_account_name is ITCOPY$
> (Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_site_dn_retrieval_done] (0x0400): som_list[0]->som_dn is OU=Linux,OU=Servers,DC=mydomain,DC=com
> (Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_site_dn_retrieval_done] (0x0400): som_list[1]->som_dn is OU=Servers,DC=mydomain,DC=com
> (Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_site_dn_retrieval_done] (0x0400): som_list[2]->som_dn is DC=mydomain,DC=com
> (Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_site_dn_retrieval_done] (0x0400): som_list[3]->som_dn is cn=Default-First-Site-Name,cn=Sites,CN=Configuration,DC=mydomain,DC=com
> (Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_som_attrs_done] (0x4000): gpoptions attr not found or has no value; defaults to 0
> (Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_gplink_list] (0x0400): som_dn: OU=Linux,OU=Servers,DC=mydomain,DC=com
> (Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_gplink_list] (0x4000): gplink_list[0]: [cn={D49E3752-2ECB-42F6-A418-2AE1F3092929},cn=policies,cn=system,DC=mydomain,DC=com; 2]
> (Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_som_attrs_done] (0x4000): gpoptions attr not found or has no value; defaults to 0
> (Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_gplink_list] (0x0400): som_dn: OU=Servers,DC=mydomain,DC=com
> (Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_gplink_list] (0x4000): gplink_list[0]: [cn={691A69C9-FEF3-4A42-8129-64E8741F9D2C},cn=policies,cn=system,DC=mydomain,DC=com; 1]
> (Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_gplink_list] (0x4000): ignored gpo skipped
> (Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_som_attrs_done] (0x4000): gpoptions attr not found or has no value; defaults to 0
> (Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_gplink_list] (0x0400): som_dn: DC=mydomain,DC=com
> (Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_gplink_list] (0x4000): gplink_list[0]: [CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=mydomain,DC=com; 0]
> (Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_som_attrs_done] (0x0040): no attrs found for SOM; try next SOM
> (Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_candidate_gpos] (0x0400): candidate_gpos[0]->gpo_dn: CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=mydomain,DC=com
> (Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_candidate_gpos] (0x0400): candidate_gpos[1]->gpo_dn: cn={D49E3752-2ECB-42F6-A418-2AE1F3092929},cn=policies,cn=system,DC=mydomain,DC=com
Can you confirm that the GUIDs of the GPOs SSSD downloads correspond to those you defined on the server side?

> (Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): populating attrs for gpo_guid: {31B2F340-016D-11D2-945F-00C04FB984F9}
> (Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_extract_smb_components] (0x4000): input_path: \mydomain.com\sysvol\mydomain.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}
> (Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): smb_server: smb://pdc.mydomain.com
> (Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): smb_share: /sysvol
> (Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): smb_path: /mydomain.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}
> (Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): gpo_func_version: 2
> (Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): gpo_flags: 0
> (Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_parse_machine_ext_names] (0x4000): num_gpo_cse_guids: 3
> (Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_parse_machine_ext_names] (0x4000): gpo_cse_guids[0] is {35378EAC-683F-11D2-A89A-00C04FBBCFA2}
> (Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_parse_machine_ext_names] (0x4000): gpo_cse_guids[1] is {827D319E-6EAC-11D2-A4EA-00C04F79F83A}
> (Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_parse_machine_ext_names] (0x4000): gpo_cse_guids[2] is {B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}
> (Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): populating attrs for gpo_guid: {D49E3752-2ECB-42F6-A418-2AE1F3092929}
> (Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_extract_smb_components] (0x4000): input_path: \mydomain.com\SysVol\mydomain.com\Policies\{D49E3752-2ECB-42F6-A418-2AE1F3092929}
> (Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): smb_server: smb://pdc.mydomain.com
> (Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): smb_share: /SysVol
> (Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): smb_path: /mydomain.com/Policies/{D49E3752-2ECB-42F6-A418-2AE1F3092929}
> (Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): gpo_func_version: 2
> (Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): gpo_flags: 0

Note that func_versions is 2 and flags is 0, same for the other GPO.

> (Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_parse_machine_ext_names] (0x4000): num_gpo_cse_guids: 1
> (Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_parse_machine_ext_names] (0x4000): gpo_cse_guids[0] is {827D319E-6EAC-11D2-A4EA-00C04F79F83A}
> (Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_filter_gpos_by_dacl] (0x4000): examining dacl candidate_gpo_guid:{31B2F340-016D-11D2-945F-00C04FB984F9}
> (Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_filter_gpos_by_dacl] (0x4000): GPO not applicable to target per security filtering
> (Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_filter_gpos_by_dacl] (0x4000): examining dacl candidate_gpo_guid:{D49E3752-2ECB-42F6-A418-2AE1F3092929}
> (Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_filter_gpos_by_dacl] (0x4000): GPO not applicable to target per security filtering

OK, access was denied but since both the flags and the func_version were the values we expect, I presume the code made it all the way to ad_gpo_evaluate_ace() where the GPO is really evaluated. Unfortunately there's not much logging there. I wonder if the GUIDs are correct? If so, we can proceed with debugging, maybe with some instrumented build..
btw did you also try the other way around, only allow access? _______________________________________________ sssd-users mailing list sssd-users@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-users Koen de Boeve mailto:koen@galaxystudios.com 23 Jan 2015 16:10 Hi all,
I am having issues getting remote and local GPO restrictions to work
I am using:
- 2 Samba 4.1.16 PDC's on CentOS 6.5 64bit
- 1 CentOS 7 installation with sssd 1.12.3. as testclient.
other GPO's are working fine for windows machines.
Authentication against the Samba4 Domain on the testclient with sssd is working fine too. I am now trying to use a Group Policy to deny access for 'testuser' for both local login as well as remote login ( ssh and xrdp )
This is not working at all.
I created a GPO which I linked to OU=Linux,OU=Servers,DC=mydomain,DC=com in there, I have one machine, called ITCOPY. the GPO sets Deny Logon and Deny Remote Desktop access for MYDOMAIN\testuser
The GPO is set to be Enforced and the Security target is Authenticated Users.
as you can see, I set access_control back to permissive, so I should see some indication that the GPO is working in the log file.
Any help would be much appreciated!
Regards, Koen
My sssd conf: # ========================================= [sssd] domains = mydomain.com config_file_version = 2 services = nss, pam
[domain/mydomain.com] ad_domain = mydomain.com ad_server = pdc.mydomain.com krb5_realm = mydomain.com realmd_tags = manages-system joined-with-samba cache_credentials = True id_provider = ad krb5_store_password_if_offline = True default_shell = /bin/bash ldap_id_mapping = False use_fully_qualified_names = False fallback_homedir = /home/%u debug_level = 9
enumerate = True
access_provider = ad #ad_access_filter = (&(memberOf=CN=linuxadmin,CN=Users,DC=mydomain,DC=com)(unixHomeDirectory=*))
id_provider = ad auth_provider = ad chpass_provider = ad ad_gpo_access_control = permissive
ldap_schema = ad
dyndns_update = true dyndns_refresh_interval = 43200 dyndns_update_ptr = true dyndns_ttl = 3600
ad_gpo_map_remote_interactive = +xrdp-sesman # =====================================
This is part of the sssd log file:
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_access_send] (0x0400): service sshd maps to Remote Interactive (Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_access_send] (0x4000): server_hostname from uri: pdc.mydomain.com (Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_connect_done] (0x0400): sam_account_name is ITCOPY$ (Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_site_dn_retrieval_done] (0x0400): som_list[0]->som_dn is OU=Linux,OU=Servers,DC=mydomain,DC=com (Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_site_dn_retrieval_done] (0x0400): som_list[1]->som_dn is OU=Servers,DC=mydomain,DC=com (Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_site_dn_retrieval_done] (0x0400): som_list[2]->som_dn is DC=mydomain,DC=com (Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_site_dn_retrieval_done] (0x0400): som_list[3]->som_dn is cn=Default-First-Site-Name,cn=Sites,CN=Configuration,DC=mydomain,DC=com (Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_som_attrs_done] (0x4000): gpoptions attr not found or has no value; defaults to 0 (Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_gplink_list] (0x0400): som_dn: OU=Linux,OU=Servers,DC=mydomain,DC=com (Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_gplink_list] (0x4000): gplink_list[0]: [cn={D49E3752-2ECB-42F6-A418-2AE1F3092929},cn=policies,cn=system,DC=mydomain,DC=com; 2] (Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_som_attrs_done] (0x4000): gpoptions attr not found or has no value; defaults to 0 (Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_gplink_list] (0x0400): som_dn: OU=Servers,DC=mydomain,DC=com (Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_gplink_list] (0x4000): gplink_list[0]: [cn={691A69C9-FEF3-4A42-8129-64E8741F9D2C},cn=policies,cn=system,DC=mydomain,DC=com; 1] (Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] 
[ad_gpo_populate_gplink_list] (0x4000): ignored gpo skipped (Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_som_attrs_done] (0x4000): gpoptions attr not found or has no value; defaults to 0 (Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_gplink_list] (0x0400): som_dn: DC=mydomain,DC=com (Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_gplink_list] (0x4000): gplink_list[0]: [CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=mydomain,DC=com; 0] (Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_som_attrs_done] (0x0040): no attrs found for SOM; try next SOM (Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_candidate_gpos] (0x0400): candidate_gpos[0]->gpo_dn: CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_candidate_gpos] (0x0400): candidate_gpos[1]->gpo_dn: cn={D49E3752-2ECB-42F6-A418-2AE1F3092929},cn=policies,cn=system,DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): populating attrs for gpo_guid: {31B2F340-016D-11D2-945F-00C04FB984F9} (Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_extract_smb_components] (0x4000): input_path: \mydomain.com\sysvol\mydomain.com\Policies{31B2F340-016D-11D2-945F-00C04FB984F9}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): smb_server: smb://pdc.mydomain.com (Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): smb_share: /sysvol (Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): smb_path: /mydomain.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9} (Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): gpo_func_version: 2 (Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): gpo_flags: 0 (Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_parse_machine_ext_names] (0x4000): num_gpo_cse_guids: 3 (Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_parse_machine_ext_names] (0x4000): gpo_cse_guids[0] is {35378EAC-683F-11D2-A89A-00C04FBBCFA2} (Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_parse_machine_ext_names] (0x4000): gpo_cse_guids[1] is {827D319E-6EAC-11D2-A4EA-00C04F79F83A} (Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_parse_machine_ext_names] (0x4000): gpo_cse_guids[2] is {B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A} (Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): populating attrs for gpo_guid: {D49E3752-2ECB-42F6-A418-2AE1F3092929} (Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_extract_smb_components] (0x4000): input_path: \mydomain.com\SysVol\mydomain.com\Policies{D49E3752-2ECB-42F6-A418-2AE1F3092929}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): smb_server: smb://pdc.mydomain.com (Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): smb_share: /SysVol (Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): smb_path: /mydomain.com/Policies/{D49E3752-2ECB-42F6-A418-2AE1F3092929} (Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): gpo_func_version: 2 (Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): gpo_flags: 0 (Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_parse_machine_ext_names] (0x4000): num_gpo_cse_guids: 1 (Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_parse_machine_ext_names] (0x4000): gpo_cse_guids[0] is {827D319E-6EAC-11D2-A4EA-00C04F79F83A} (Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_filter_gpos_by_dacl] (0x4000): examining dacl candidate_gpo_guid:{31B2F340-016D-11D2-945F-00C04FB984F9} (Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_filter_gpos_by_dacl] (0x4000): GPO not applicable to target per security filtering (Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_filter_gpos_by_dacl] (0x4000): examining dacl candidate_gpo_guid:{D49E3752-2ECB-42F6-A418-2AE1F3092929} (Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_filter_gpos_by_dacl] (0x4000): GPO not applicable to target per security filtering (Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_process_gpo_done] (0x0400): no applicable gpos found after dacl filtering (Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_access_done] (0x0400): GPO-based access control successful.
Koen de Boeve mailto:koen@galaxystudios.com 23 Jan 2015 21:57 Hi Jacub,
Hi Koen, I don't have a complete answer, but I'll try to help and maybe we can work out some details. First, do you have an actual AD server around to test with? In the past we've seen bugs with Samba that didn't occur with AD and I'm not sure if anyone tried the GPO integration with Samba.. The SSSD version you're running is pretty recent, the only GPO-related bug after the 1.12.3 release was https://fedorahosted.org/sssd/ticket/2543
Pretty sure it has nothing to do with unresolvable LDAP uri :-)
I don't have a Windows AD, but I can definitely try to set up one on our test environment.
But that's gonna take some time.
I would advise against enumerate=True in large environments.
We don't have a large environment, and I put it there on purpose, to see if it worked :-) Once I have everything working as it should, I will revise the settings before I deploy it on all our Linux machines.
You can drop ldap_schema=ad, it's already the default for id_provider=ad
OK, good to know, thanks for that!
Can you confirm that the GUIDs of the GPOs SSSD downloads correspond to those you defined on the server side?
[root@pdc Policies]# ls
{31B2F340-016D-11D2-945F-00C04FB984F9} - This is the Default Policy (empty)
{691A69C9-FEF3-4A42-8129-64E8741F9D2C} - Other Policy, not for this OU
{6AC1786C-016F-11D2-945F-00C04FB984F9} - Same
{D49E3752-2ECB-42F6-A418-2AE1F3092929} - This is the Policy containing the deny rules for user Testuser (Deny log on locally and Deny log on through Remote Desktop)
{E55C6360-FBC1-485A-8EFF-A7D9392514D2} - Other Policy, not for this OU
Note that func_version is 2 and flags is 0, same for the other GPO.
What does that mean? :-)
OK, access was denied but since both the flags and the func_version were the value we expect, I presume the code made it all the way to ad_gpo_evaluate_ace() where the GPO is really evaluated. Unfortunately there's not much logging there. I wonder if the GUIDs are correct? If so, we can proceed with debugging, maybe with some instrumented build..
There is one SID I can't figure out: [ad_gpo_parse_machine_ext_names] (0x4000): gpo_cse_guids[0] is {827D319E-6EAC-11D2-A4EA-00C04F79F83A}
btw did you also try the other way around, only allow access?
Yes, same issue
Regards and thanks for the help! Koen
Hi Sumit,
sssd runs as root
root 2920 2919 0 Jan26 ? 00:00:03 /usr/libexec/sssd/sssd_be --domain GLXTMP.COM --uid 0 --gid 0 --debug-to-files
Regards, Koen
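The host-credential check Sumit asks for in this thread (a ticket from the host keytab with the machine-account principal, then smbclient -k against SysVol), packaged as an added example; it is not code from the thread or from sssd. It adds a parser for the GPT.INI that was fetched: the Version value is one 32-bit number whose low 16 bits are the computer policy version and whose high 16 bits are the user policy version. The DC name, domain and GPO GUID are caller-supplied assumptions, the sample GPT.INI is constructed, and the live step needs krb5 and samba-client tools.

```shell
#!/bin/sh
# Added example, not from the thread. Reproduces the check suggested in the
# thread: get a TGT for the machine account from the host keytab and read a
# GPO's GPT.INI from SysVol, the same route sssd's gpo_child takes.

# AD machine accounts are named <SHORTHOST>$, so a bare "kinit -k" (which
# defaults to host/<fqdn>) fails with "Client ... not found in Kerberos
# database"; the principal has to be given explicitly.
machine_principal() {
    printf '%s$\n' "$(printf '%s' "$1" | cut -d. -f1 | tr '[:lower:]' '[:upper:]')"
}

# Read GPT.INI text on stdin and print "<version> <machine> <user>".
# The Version key is a 32-bit value: low 16 bits = computer policy version,
# high 16 bits = user policy version. sssd compares this with the
# cached_gpt_version seen in its log to decide whether to refetch the policy.
gpt_versions() {
    v=$(tr -d '\r' | sed -n 's/^[Vv]ersion=\([0-9][0-9]*\).*/\1/p' | head -n 1)
    [ -n "$v" ] || return 1          # no Version= line: not a GPT.INI
    printf '%s %s %s\n' "$v" "$((v % 65536))" "$((v / 65536))"
}

# Live check (assumed inputs: dc-fqdn domain gpo-guid local-file); not run
# by the demo below because it needs kinit, smbclient and a joined host.
fetch_gpt_ini() {
    kinit -k "$(machine_principal "$(hostname)")" || return 1
    # smbclient -k reuses the ticket; share and path mirror smb_share/smb_path in the sssd log
    smbclient -k "//$1/SysVol" -c "get $2/Policies/$3/GPT.INI $4" || return 1
    gpt_versions < "$4"
}

# Constructed sample GPT.INI, CRLF-terminated as Windows writes it.
sample_gpt_ini() {
    printf '[General]\r\nVersion=65539\r\ndisplayName=New Group Policy Object\r\n'
}

echo "machine principal for lnx01.glxtmp.com: $(machine_principal lnx01.glxtmp.com)"
echo "sample GPT.INI (version machine user): $(sample_gpt_ini | gpt_versions)"
```

Version 65539 is 0x00010003, so the sample decodes to machine version 3 and user version 1.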
Sumit Bose mailto:sbose@redhat.com 27 Jan 2015 09:37 On Mon, Jan 26, 2015 at 10:26:14PM +0100, Koen de Boeve wrote:
Hi Sumit,
If I try just kinit -k, I get:
[root@lnx01 sssd]# kinit -k
kinit: Client 'host/lnx01.glxtmp.com@GLXTMP.COM' not found in Kerberos database while getting initial credentials
[root@lnx01 sssd]# host lnx01.glxtmp.com
lnx01.glxtmp.com has address 10.0.234.100
[root@lnx01 sssd]# host 10.0.234.100
100.234.0.10.in-addr.arpa domain name pointer lnx01.glxtmp.com.
same for any combination like:
kinit -k lnx01 or kinit -k lnx01.glxtmp.com
if I try kinit -k LNX01$ it works.
ah, sorry, I should have mentioned that with AD you have to give the principal with the $ in it explicitly.
[root@lnx01 ~]# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_WnzXbeg
Default principal: LNX01$@GLXTMP.COM

Valid starting       Expires              Service principal
01/26/2015 22:00:01  01/27/2015 08:00:01  krbtgt/GLXTMP.COM@GLXTMP.COM
        renew until 02/02/2015 22:00:01
[root@lnx01 ~]# smbclient -k \\win-leje3vd828k.glxtmp.com\SYSVOL
OS=[Windows Server 2012 Standard Evaluation 9200] Server=[Windows Server 2012 Standard Evaluation 6.2]
smb: \> ls
  .                                   D        0  Sun Jan 25 20:24:14 2015
  ..                                  D        0  Sun Jan 25 20:24:14 2015
  GLXTMP.COM                          D        0  Sun Jan 25 20:24:14 2015

                40607 blocks of size 1048576. 28261 blocks available
smb: \> cd GLXTMP.COM\
smb: \GLXTMP.COM\> ls
  .                                   D        0  Sun Jan 25 20:26:38 2015
  ..                                  D        0  Sun Jan 25 20:26:38 2015
  DfsrPrivate                       DHS        0  Sun Jan 25 20:26:38 2015
  Policies                            D        0  Sun Jan 25 21:18:44 2015
  scripts                             D        0  Sun Jan 25 20:24:14 2015

                40607 blocks of size 1048576. 28261 blocks available
smb: \GLXTMP.COM\> cd Policies\
smb: \GLXTMP.COM\Policies\> ls
  .                                         D        0  Sun Jan 25 21:18:44 2015
  ..                                        D        0  Sun Jan 25 21:18:44 2015
  {31B2F340-016D-11D2-945F-00C04FB984F9}    D        0  Sun Jan 25 20:24:36 2015
  {6AC1786C-016F-11D2-945F-00C04fB984F9}    D        0  Sun Jan 25 20:24:36 2015
  {AC4A550E-DCD5-4C06-8B5C-29E51CD03164}    D        0  Sun Jan 25 21:18:44 2015

                40607 blocks of size 1048576. 28261 blocks available
smb: \GLXTMP.COM\Policies\> cd {AC4A550E-DCD5-4C06-8B5C-29E51CD03164}
smb: \GLXTMP.COM\Policies\{AC4A550E-DCD5-4C06-8B5C-29E51CD03164}\> ls
  .                                   D        0  Sun Jan 25 21:18:44 2015
  ..                                  D        0  Sun Jan 25 21:18:44 2015
  GPT.INI                             A       59  Sun Jan 25 21:21:57 2015
  Machine                             D        0  Sun Jan 25 21:19:03 2015
  User                                D        0  Sun Jan 25 21:18:44 2015

                40607 blocks of size 1048576. 28261 blocks available
smb: \GLXTMP.COM\Policies\{AC4A550E-DCD5-4C06-8B5C-29E51CD03164}\> get GPT.INI
getting file \GLXTMP.COM\Policies\{AC4A550E-DCD5-4C06-8B5C-29E51CD03164}\GPT.INI of size 59 as GPT.INI (57.6 KiloBytes/sec) (average 57.6 KiloBytes/sec)
ok, so with proper authentication everything is working as expected. I guess Kerberos authentication fails and libsmbclient tries to continue without authentication as guest and gets access denied.
I'll try to reproduce; maybe this is related to the recent changes to allow SSSD to run as a non-root user. Is your sssd_be process running as root or as a different user?
bye, Sumit
_______________________________________________ sssd-users mailing list sssd-users@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-users
Sumit Bose mailto:sbose@redhat.com 26 Jan 2015 14:07 On Mon, Jan 26, 2015 at 11:53:35AM +0100, Koen de Boeve wrote:
hmm weird, the logs say that there's no access to the GPT.INI file...
when I use smbclient \\<servername\SysVol -Utestuser1
I can browse and get GLXTMP.COM/Policies/{AC4A550E-DCD5-4C06-8B5C-29E51CD03164}/GPT.INI without a problem...
iirc we use host credentials to read SysVol. Can you check if you see access denied with
kinit -k
smbclient -k \\<servername\SysVol ...
as well.
bye, Sumit
but attached is the gpo_child.log
Regards, Koen
Sumit Bose mailto:sbose@redhat.com 26 Jan 2015 11:25
"[child_sig_handler] (0x0020): child [18130] failed with status [1]."
Can you send the gpo child logs as well?
bye, Sumit
Koen de Boeve mailto:koen@galaxystudios.com 26 Jan 2015 10:54 Hi Jakub,
I have a Windows AD setup now (Windows 2012 R2), but it still isn't working (different error though). I have set up another CentOS 7 box with sssd version 1.12.3 and bound it to this domain.
This is the sssd.conf:
[sssd]
domains = GLXTMP.COM
config_file_version = 2
services = nss, pam

[domain/GLXTMP.COM]
ad_domain = GLXTMP.COM
krb5_realm = GLXTMP.COM
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = False
use_fully_qualified_names = False
fallback_homedir = /home/%u
debug_level = 9
enumerate = True
access_provider = ad
id_provider = ad
auth_provider = ad
chpass_provider = ad
ad_gpo_access_control = permissive
=========================
Now the log file finds a GPO that is applicable:
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ad_gpo_filter_gpos_by_dacl] (0x4000): examining dacl candidate_gpo_guid:{31B2F340-016D-11D2-945F-00C04FB984F9}
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ad_gpo_filter_gpos_by_dacl] (0x4000): GPO not applicable to target per security filtering
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ad_gpo_filter_gpos_by_dacl] (0x4000): examining dacl candidate_gpo_guid:{AC4A550E-DCD5-4C06-8B5C-29E51CD03164}
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ad_gpo_filter_gpos_by_dacl] (0x4000): GPO applicable to target per security filtering
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ad_gpo_process_gpo_done] (0x0400): dacl_filtered_gpos[0]->gpo_guid is {AC4A550E-DCD5-4C06-8B5C-29E51CD03164}
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ad_gpo_filter_gpos_by_cse_guid] (0x4000): examining cse candidate_gpo_guid: {AC4A550E-DCD5-4C06-8B5C-29E51CD03164}
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ad_gpo_filter_gpos_by_cse_guid] (0x4000): GPO applicable to target per cse_guid filtering
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ad_gpo_process_gpo_done] (0x0400): cse_filtered_gpos[0]->gpo_guid is {AC4A550E-DCD5-4C06-8B5C-29E51CD03164}
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ad_gpo_process_gpo_done] (0x0400): num_cse_filtered_gpos: 1
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ldb] (0x4000): start ldb transaction (nesting: 0)
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [sysdb_gpo_get_gpo_result_object] (0x4000): cn=gpos,cn=ad,cn=custom,cn=GLXTMP.COM,cn=sysdb
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f96c0717020
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f96c0716220
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ldb] (0x4000): Running timer event 0x7f96c0717020 "ltdb_callback"
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ldb] (0x4000): Destroying timer event 0x7f96c0716220 "ltdb_timeout"
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ldb] (0x4000): Ending timer event 0x7f96c0717020 "ltdb_callback"
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [sysdb_gpo_get_gpo_result_object] (0x4000): No GPO Result object.
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ldb] (0x4000): commit ldb transaction (nesting: 0)
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ad_gpo_cse_step] (0x0400): cse filtered_gpos[0]->gpo_guid is {AC4A550E-DCD5-4C06-8B5C-29E51CD03164}
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ad_gpo_cse_step] (0x4000): cse_filtered_gpos[0]->gpo_cse_guids[0]->gpo_guid is {827D319E-6EAC-11D2-A4EA-00C04F79F83A}
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ad_gpo_cse_step] (0x0400): smb_server: smb://win-leje3vd828k.glxtmp.com
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ad_gpo_cse_step] (0x0400): smb_share: /SysVol
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ad_gpo_cse_step] (0x0400): smb_path: /GLXTMP.COM/Policies/{AC4A550E-DCD5-4C06-8B5C-29E51CD03164}
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ad_gpo_cse_step] (0x0400): gpo_guid: {AC4A550E-DCD5-4C06-8B5C-29E51CD03164}
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ad_gpo_cse_step] (0x0400): retrieving GPO from cache [{AC4A550E-DCD5-4C06-8B5C-29E51CD03164}]
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [sysdb_gpo_get_gpo_by_guid] (0x4000): cn=gpos,cn=ad,cn=custom,cn=GLXTMP.COM,cn=sysdb
But finally it is failing anyway:
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f96c071b260
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f96c07134d0
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ldb] (0x4000): Running timer event 0x7f96c071b260 "ltdb_callback"
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ldb] (0x4000): Destroying timer event 0x7f96c07134d0 "ltdb_timeout"
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ldb] (0x4000): Ending timer event 0x7f96c071b260 "ltdb_callback"
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [sysdb_gpo_get_gpo_by_guid] (0x4000): No such entry.
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ad_gpo_cse_step] (0x0400): ENOENT
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ad_gpo_cse_step] (0x0400): send_to_child: 1
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ad_gpo_cse_step] (0x0400): cached_gpt_version: -1
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [create_cse_send_buffer] (0x4000): buffer size: 167
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [child_handler_setup] (0x2000): Setting up signal handler up for pid [18130]
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [child_handler_setup] (0x2000): Signal handler set up for pid [18130]
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [sdap_process_result] (0x2000): Trace: sh[0x7f96c06d7260], connected[1], ops[(nil)], ldap[0x7f96c06a3d10]
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [write_pipe_handler] (0x0400): All data has been sent!
(Mon Jan 26 10:26:03 2015) [sssd[be[GLXTMP.COM]]] [read_pipe_handler] (0x0400): EOF received, client finished
(Mon Jan 26 10:26:03 2015) [sssd[be[GLXTMP.COM]]] [gpo_cse_done] (0x0020): ad_gpo_parse_gpo_child_response failed: [22][Invalid argument]
(Mon Jan 26 10:26:03 2015) [sssd[be[GLXTMP.COM]]] [ad_gpo_cse_done] (0x0400): gpo_guid: {AC4A550E-DCD5-4C06-8B5C-29E51CD03164}
(Mon Jan 26 10:26:03 2015) [sssd[be[GLXTMP.COM]]] [ad_gpo_cse_done] (0x0040): Unable to retrieve policy data: [22](Invalid argument}
(Mon Jan 26 10:26:03 2015) [sssd[be[GLXTMP.COM]]] [ad_gpo_access_done] (0x0040): GPO-based access control failed.
(Mon Jan 26 10:26:03 2015) [sssd[be[GLXTMP.COM]]] [ad_gpo_access_done] (0x0040): Ignoring error: [22](Invalid argument); GPO-based access control failed, but GPO is not in enforcing mode.
I added the full sssd log in case you want a look in there.
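An added example, not from the thread or from sssd, that summarises the GPO access-control pipeline from an sssd domain log like the ones posted above: which candidate GPOs were dropped by security (DACL) filtering or CSE filtering, which were handed to gpo_child, and the final ad_gpo_access_done verdict. It assumes one log entry per line, as in the real /var/log/sssd/sssd_<domain>.log; the sample log is constructed from the message patterns shown in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Reads an sssd domain log on stdin and
# prints one line per GPO with the last stage it reached, plus the verdict.
gpo_summary() {
    awk '
    function guid(s) { if (match(s, /[{][0-9A-Fa-f-]+[}]/)) return substr(s, RSTART, RLENGTH); return "" }
    function msg(s)  { sub(/^.*\] \(0x[0-9A-Fa-f]+\): /, "", s); return s }
    # remember a GPO the first time it appears, keeping log order
    function seen(g) { if (g != "" && !(g in stage)) { order[++n] = g; stage[g] = "candidate, no filtering decision logged" } return g }

    /\[ad_gpo_populate_candidate_gpos\]/                      { seen(guid($0)) }
    # security filtering: the machine account needs Read and Apply Group Policy rights on the GPO
    /\[ad_gpo_filter_gpos_by_dacl\].*examining dacl/          { cur = seen(guid($0)) }
    /\[ad_gpo_filter_gpos_by_dacl\].*GPO not applicable/      { stage[cur] = "dropped by security (DACL) filtering" }
    /\[ad_gpo_filter_gpos_by_dacl\].*GPO applicable/          { stage[cur] = "passed DACL filtering" }
    # CSE filtering: the GPO must list the Security client-side extension
    # {827D319E-6EAC-11D2-A4EA-00C04F79F83A}, the one sssd evaluates
    /\[ad_gpo_filter_gpos_by_cse_guid\].*examining cse/       { cur = seen(guid($0)) }
    /\[ad_gpo_filter_gpos_by_cse_guid\].*GPO not applicable/  { stage[cur] = "dropped by CSE GUID filtering" }
    /\[ad_gpo_filter_gpos_by_cse_guid\].*GPO applicable/      { stage[cur] = "passed CSE filtering" }
    # download of the policy files from SysVol through gpo_child
    /\[ad_gpo_cse_step\].*gpo_guid:/                           { cur = seen(guid($0)); stage[cur] = "handed to gpo_child for download" }
    /\[ad_gpo_cse_done\].*gpo_guid:/                           { cur = seen(guid($0)) }
    /\[ad_gpo_cse_done\].*Unable to retrieve policy data/      { m = msg($0); sub(/^Unable to retrieve policy data: /, "", m); stage[cur] = "fetch failed: " m }
    # the last ad_gpo_access_done line is the verdict; in permissive mode it also says whether an error was ignored
    /\[ad_gpo_access_done\]/                                   { verdict = msg($0) }
    END {
        for (i = 1; i <= n; i++) print order[i] ": " stage[order[i]]
        if (verdict != "") print "verdict: " verdict
    }'
}

# Constructed sample, modelled on the log lines in the thread: the default
# domain policy is filtered out, the OU policy passes both filters but
# gpo_child cannot deliver it, and permissive mode masks the failure.
sample_log() {
    cat <<'EOF'
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ad_gpo_populate_candidate_gpos] (0x0400): candidate_gpos[0]->gpo_dn: CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=GLXTMP,DC=COM
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ad_gpo_populate_candidate_gpos] (0x0400): candidate_gpos[1]->gpo_dn: cn={AC4A550E-DCD5-4C06-8B5C-29E51CD03164},cn=policies,cn=system,DC=GLXTMP,DC=COM
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ad_gpo_filter_gpos_by_dacl] (0x4000): examining dacl candidate_gpo_guid:{31B2F340-016D-11D2-945F-00C04FB984F9}
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ad_gpo_filter_gpos_by_dacl] (0x4000): GPO not applicable to target per security filtering
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ad_gpo_filter_gpos_by_dacl] (0x4000): examining dacl candidate_gpo_guid:{AC4A550E-DCD5-4C06-8B5C-29E51CD03164}
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ad_gpo_filter_gpos_by_dacl] (0x4000): GPO applicable to target per security filtering
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ad_gpo_filter_gpos_by_cse_guid] (0x4000): examining cse candidate_gpo_guid: {AC4A550E-DCD5-4C06-8B5C-29E51CD03164}
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ad_gpo_filter_gpos_by_cse_guid] (0x4000): GPO applicable to target per cse_guid filtering
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ad_gpo_cse_step] (0x0400): gpo_guid: {AC4A550E-DCD5-4C06-8B5C-29E51CD03164}
(Mon Jan 26 10:26:03 2015) [sssd[be[GLXTMP.COM]]] [ad_gpo_cse_done] (0x0400): gpo_guid: {AC4A550E-DCD5-4C06-8B5C-29E51CD03164}
(Mon Jan 26 10:26:03 2015) [sssd[be[GLXTMP.COM]]] [ad_gpo_cse_done] (0x0040): Unable to retrieve policy data: [22](Invalid argument)
(Mon Jan 26 10:26:03 2015) [sssd[be[GLXTMP.COM]]] [ad_gpo_access_done] (0x0040): GPO-based access control failed.
(Mon Jan 26 10:26:03 2015) [sssd[be[GLXTMP.COM]]] [ad_gpo_access_done] (0x0040): Ignoring error: [22](Invalid argument); GPO-based access control failed, but GPO is not in enforcing mode.
EOF
}

sample_log | gpo_summary
```

Run it against a real log with `gpo_summary < /var/log/sssd/sssd_GLXTMP.COM.log`; a "verdict: Ignoring error" line means permissive mode let the login through despite a broken policy fetch, which is what enforcing mode would have denied.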
Jakub Hrozek mailto:jhrozek@redhat.com 23 Jan 2015 21:03 On Fri, Jan 23, 2015 at 04:10:12PM +0100, Koen de Boeve wrote:
Hi all,
I am having issues getting remote and local GPO restrictions to work
I am using:
- 2 Samba 4.1.16 PDCs on CentOS 6.5 64bit
- 1 CentOS 7 installation with sssd 1.12.3 as test client.
Other GPOs are working fine for Windows machines.
Authentication against the Samba4 domain on the test client with sssd is working fine too. I am now trying to use a Group Policy to deny access for 'testuser' for both local login as well as remote login (ssh and xrdp).
This is not working at all.
I created a GPO which I linked to OU=Linux,OU=Servers,DC=mydomain,DC=com; in there I have one machine, called ITCOPY. The GPO sets Deny Logon and Deny Remote Desktop access for MYDOMAIN\testuser.
The GPO is set to be Enforced and the Security target is Authenticated Users.
As you can see, I set access_control back to permissive, so I should see some indication that the GPO is working in the log file.
Any help would be much appreciated!
Regards, Koen
Hi Koen,
I don't have a complete answer, but I'll try to help and maybe we can work out some details.
First, do you have an actual AD server around to test with? In the past we've seen bugs with Samba that didn't occur with AD and I'm not sure if anyone tried the GPO integration with Samba..
The SSSD version you're running is pretty recent, the only GPO-related bug after the 1.12.3 release was https://fedorahosted.org/sssd/ticket/2543
My sssd conf:
# =========================================
[sssd]
domains = mydomain.com
config_file_version = 2
services = nss, pam

[domain/mydomain.com]
ad_domain = mydomain.com
ad_server = pdc.mydomain.com
krb5_realm = mydomain.com
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = False
use_fully_qualified_names = False
fallback_homedir = /home/%u
debug_level = 9
enumerate = True
I would advise against enumerate=True in large environments.
access_provider = ad
#ad_access_filter = (&(memberOf=CN=linuxadmin,CN=Users,DC=mydomain,DC=com)(unixHomeDirectory=*))
id_provider = ad
auth_provider = ad
chpass_provider = ad
ad_gpo_access_control = permissive
ldap_schema = ad
You can drop ldap_schema=ad, it's already the default for id_provider=ad
dyndns_update = true
dyndns_refresh_interval = 43200
dyndns_update_ptr = true
dyndns_ttl = 3600
ad_gpo_map_remote_interactive = +xrdp-sesman
# =====================================
This is part of the sssd log file:
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_access_send] (0x0400): service sshd maps to Remote Interactive
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_access_send] (0x4000): server_hostname from uri: pdc.mydomain.com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_connect_done] (0x0400): sam_account_name is ITCOPY$
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_site_dn_retrieval_done] (0x0400): som_list[0]->som_dn is OU=Linux,OU=Servers,DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_site_dn_retrieval_done] (0x0400): som_list[1]->som_dn is OU=Servers,DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_site_dn_retrieval_done] (0x0400): som_list[2]->som_dn is DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_site_dn_retrieval_done] (0x0400): som_list[3]->som_dn is cn=Default-First-Site-Name,cn=Sites,CN=Configuration,DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_som_attrs_done] (0x4000): gpoptions attr not found or has no value; defaults to 0
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_gplink_list] (0x0400): som_dn: OU=Linux,OU=Servers,DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_gplink_list] (0x4000): gplink_list[0]: [cn={D49E3752-2ECB-42F6-A418-2AE1F3092929},cn=policies,cn=system,DC=mydomain,DC=com; 2]
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_som_attrs_done] (0x4000): gpoptions attr not found or has no value; defaults to 0
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_gplink_list] (0x0400): som_dn: OU=Servers,DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_gplink_list] (0x4000): gplink_list[0]: [cn={691A69C9-FEF3-4A42-8129-64E8741F9D2C},cn=policies,cn=system,DC=mydomain,DC=com; 1]
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_gplink_list] (0x4000): ignored gpo skipped
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_som_attrs_done] (0x4000): gpoptions attr not found or has no value; defaults to 0
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_gplink_list] (0x0400): som_dn: DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_gplink_list] (0x4000): gplink_list[0]: [CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=mydomain,DC=com; 0]
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_som_attrs_done] (0x0040): no attrs found for SOM; try next SOM
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_candidate_gpos] (0x0400): candidate_gpos[0]->gpo_dn: CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_candidate_gpos] (0x0400): candidate_gpos[1]->gpo_dn: cn={D49E3752-2ECB-42F6-A418-2AE1F3092929},cn=policies,cn=system,DC=mydomain,DC=com
Can you confirm that the GUIDs of the GPOs SSSD downloads correspond to those you defined on the server side?
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): populating attrs for gpo_guid: {31B2F340-016D-11D2-945F-00C04FB984F9}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_extract_smb_components] (0x4000): input_path: \mydomain.com\sysvol\mydomain.com\Policies{31B2F340-016D-11D2-945F-00C04FB984F9}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): smb_server:smb://pdc.mydomain.com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): smb_share: /sysvol
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): smb_path: /mydomain.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): gpo_func_version: 2
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): gpo_flags: 0
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_parse_machine_ext_names] (0x4000): num_gpo_cse_guids: 3
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_parse_machine_ext_names] (0x4000): gpo_cse_guids[0] is {35378EAC-683F-11D2-A89A-00C04FBBCFA2}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_parse_machine_ext_names] (0x4000): gpo_cse_guids[1] is {827D319E-6EAC-11D2-A4EA-00C04F79F83A}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_parse_machine_ext_names] (0x4000): gpo_cse_guids[2] is {B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): populating attrs for gpo_guid: {D49E3752-2ECB-42F6-A418-2AE1F3092929}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_extract_smb_components] (0x4000): input_path: \mydomain.com\SysVol\mydomain.com\Policies{D49E3752-2ECB-42F6-A418-2AE1F3092929}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): smb_server:smb://pdc.mydomain.com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): smb_share: /SysVol
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): smb_path: /mydomain.com/Policies/{D49E3752-2ECB-42F6-A418-2AE1F3092929}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): gpo_func_version: 2
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): gpo_flags: 0
Note that func_version is 2 and flags is 0, same for the other GPO.
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_parse_machine_ext_names] (0x4000): num_gpo_cse_guids: 1
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_parse_machine_ext_names] (0x4000): gpo_cse_guids[0] is {827D319E-6EAC-11D2-A4EA-00C04F79F83A}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_filter_gpos_by_dacl] (0x4000): examining dacl candidate_gpo_guid:{31B2F340-016D-11D2-945F-00C04FB984F9}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_filter_gpos_by_dacl] (0x4000): GPO not applicable to target per security filtering
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_filter_gpos_by_dacl] (0x4000): examining dacl candidate_gpo_guid:{D49E3752-2ECB-42F6-A418-2AE1F3092929}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_filter_gpos_by_dacl] (0x4000): GPO not applicable to target per security filtering
OK, access was denied but since both the flags and the func_version were the value we expect, I presume the code made it all the way to ad_gpo_evaluate_ace() where the GPO is really evaluated. Unfortunately there's not much logging there. I wonder if the GUIDs are correct? If so, we can proceed with debugging, maybe with some instrumented build..
btw did you also try the other way around, only allow access?
I am having issues getting remote and local GPO restrictions to work
I am using:
- 2 Samba 4.1.16 PDC's on CentOS 6.5 64bit
- 1 CentOS 7 installation with sssd 1.12.3. as testclient.
other GPO's are working fine for windows machines.
Authentication against the Samba4 Domain on the testclient with sssd is working fine too. I am now trying to use a Group Policy to deny access for 'testuser' for both local login as well as remote login ( ssh and xrdp )
This is not working at all.
I created a GPO which I linked to OU=Linux,OU=Servers,DC=mydomain,DC=com in there, I have one machine, called ITCOPY. the GPO sets Deny Logon and Deny Remote Desktop access for MYDOMAIN\testuser
The GPO is set to be Enforced and the Security target is Authenticated Users.
as you can see, I set access_control back to permissive, so I should see some indication that the GPO is working in the log file.
Any help would be much appreciated!
Regards, Koen
My sssd conf: # ========================================= [sssd] domains = mydomain.com config_file_version = 2 services = nss, pam
[domain/mydomain.com] ad_domain = mydomain.com ad_server = pdc.mydomain.com krb5_realm = mydomain.com realmd_tags = manages-system joined-with-samba cache_credentials = True id_provider = ad krb5_store_password_if_offline = True default_shell = /bin/bash ldap_id_mapping = False use_fully_qualified_names = False fallback_homedir = /home/%u debug_level = 9
enumerate = True
access_provider = ad #ad_access_filter = (&(memberOf=CN=linuxadmin,CN=Users,DC=mydomain,DC=com)(unixHomeDirectory=*))
id_provider = ad auth_provider = ad chpass_provider = ad ad_gpo_access_control = permissive
ldap_schema = ad
dyndns_update = true dyndns_refresh_interval = 43200 dyndns_update_ptr = true dyndns_ttl = 3600
ad_gpo_map_remote_interactive = +xrdp-sesman # =====================================
This is part of the sssd log file:
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_access_send] (0x0400): service sshd maps to Remote Interactive
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_access_send] (0x4000): server_hostname from uri: pdc.mydomain.com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_connect_done] (0x0400): sam_account_name is ITCOPY$
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_site_dn_retrieval_done] (0x0400): som_list[0]->som_dn is OU=Linux,OU=Servers,DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_site_dn_retrieval_done] (0x0400): som_list[1]->som_dn is OU=Servers,DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_site_dn_retrieval_done] (0x0400): som_list[2]->som_dn is DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_site_dn_retrieval_done] (0x0400): som_list[3]->som_dn is cn=Default-First-Site-Name,cn=Sites,CN=Configuration,DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_som_attrs_done] (0x4000): gpoptions attr not found or has no value; defaults to 0
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_gplink_list] (0x0400): som_dn: OU=Linux,OU=Servers,DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_gplink_list] (0x4000): gplink_list[0]: [cn={D49E3752-2ECB-42F6-A418-2AE1F3092929},cn=policies,cn=system,DC=mydomain,DC=com; 2]
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_som_attrs_done] (0x4000): gpoptions attr not found or has no value; defaults to 0
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_gplink_list] (0x0400): som_dn: OU=Servers,DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_gplink_list] (0x4000): gplink_list[0]: [cn={691A69C9-FEF3-4A42-8129-64E8741F9D2C},cn=policies,cn=system,DC=mydomain,DC=com; 1]
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_gplink_list] (0x4000): ignored gpo skipped
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_som_attrs_done] (0x4000): gpoptions attr not found or has no value; defaults to 0
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_gplink_list] (0x0400): som_dn: DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_gplink_list] (0x4000): gplink_list[0]: [CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=mydomain,DC=com; 0]
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_som_attrs_done] (0x0040): no attrs found for SOM; try next SOM
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_candidate_gpos] (0x0400): candidate_gpos[0]->gpo_dn: CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_candidate_gpos] (0x0400): candidate_gpos[1]->gpo_dn: cn={D49E3752-2ECB-42F6-A418-2AE1F3092929},cn=policies,cn=system,DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): populating attrs for gpo_guid: {31B2F340-016D-11D2-945F-00C04FB984F9}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_extract_smb_components] (0x4000): input_path: \\mydomain.com\sysvol\mydomain.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): smb_server: smb://pdc.mydomain.com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): smb_share: /sysvol
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): smb_path: /mydomain.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): gpo_func_version: 2
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): gpo_flags: 0
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_parse_machine_ext_names] (0x4000): num_gpo_cse_guids: 3
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_parse_machine_ext_names] (0x4000): gpo_cse_guids[0] is {35378EAC-683F-11D2-A89A-00C04FBBCFA2}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_parse_machine_ext_names] (0x4000): gpo_cse_guids[1] is {827D319E-6EAC-11D2-A4EA-00C04F79F83A}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_parse_machine_ext_names] (0x4000): gpo_cse_guids[2] is {B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): populating attrs for gpo_guid: {D49E3752-2ECB-42F6-A418-2AE1F3092929}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_extract_smb_components] (0x4000): input_path: \\mydomain.com\SysVol\mydomain.com\Policies\{D49E3752-2ECB-42F6-A418-2AE1F3092929}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): smb_server: smb://pdc.mydomain.com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): smb_share: /SysVol
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): smb_path: /mydomain.com/Policies/{D49E3752-2ECB-42F6-A418-2AE1F3092929}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): gpo_func_version: 2
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): gpo_flags: 0
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_parse_machine_ext_names] (0x4000): num_gpo_cse_guids: 1
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_parse_machine_ext_names] (0x4000): gpo_cse_guids[0] is {827D319E-6EAC-11D2-A4EA-00C04F79F83A}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_filter_gpos_by_dacl] (0x4000): examining dacl candidate_gpo_guid:{31B2F340-016D-11D2-945F-00C04FB984F9}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_filter_gpos_by_dacl] (0x4000): GPO not applicable to target per security filtering
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_filter_gpos_by_dacl] (0x4000): examining dacl candidate_gpo_guid:{D49E3752-2ECB-42F6-A418-2AE1F3092929}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_filter_gpos_by_dacl] (0x4000): GPO not applicable to target per security filtering
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_process_gpo_done] (0x0400): no applicable gpos found after dacl filtering
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_access_done] (0x0400): GPO-based access control successful.
Try my working config and let me know if you have better luck. You'll need to login as user@domain.
realm join and this config works for me.
-------------------------------------------
[sssd]
config_file_version = 2
services = nss, pam
domains = $AD_DOMAIN1
[nss]
filter_groups = root
filter_users = root
default_shell = /bin/bash
[pam]
[domain/$AD_DOMAIN1]
debug_level = 0xFFF0
ad_domain = $AD_DOMAIN
krb5_realm = $AD_SERVER_REALM
ad_server = $AD_SERVER
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
use_fully_qualified_names = True
fallback_homedir = /home/%d/%u
access_provider = ad
ad_gpo_access_control = enforcing
-------------------------------------------
Dan
----- Original Message -----
From: "Koen de Boeve" koen@galaxystudios.com
To: "End-user discussions about the System Security Services Daemon" sssd-users@lists.fedorahosted.org
Sent: Tuesday, January 27, 2015 4:01:13 AM
Subject: Re: [SSSD-users] sssd-ad GPO not working
Hi Sumit,
sssd runs as root
root 2920 2919 0 Jan26 ? 00:00:03 /usr/libexec/sssd/sssd_be --domain GLXTMP.COM --uid 0 --gid 0 --debug-to-files
Regards, Koen
Sumit Bose 27 Jan 2015 09:37
On Mon, Jan 26, 2015 at 10:26:14PM +0100, Koen de Boeve wrote:
Hi Sumit,
If I try just kinit -k, I get:
[root@lnx01 sssd]# kinit -k
kinit: Client 'host/lnx01.glxtmp.com@GLXTMP.COM' not found in Kerberos database while getting initial credentials
[root@lnx01 sssd]# host lnx01.glxtmp.com
lnx01.glxtmp.com has address 10.0.234.100
[root@lnx01 sssd]# host 10.0.234.100
100.234.0.10.in-addr.arpa domain name pointer lnx01.glxtmp.com.
same for any combination like:
kinit -k lnx01 or kinit -k lnx01.glxtmp.com
if I try kinit -k LNX01$ it works.
ah, sorry, I should have mentioned that with AD you have to give the principal with the $ in it explicitly.
[root@lnx01 ~]# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_WnzXbeg
Default principal: LNX01$@GLXTMP.COM
Valid starting       Expires              Service principal
01/26/2015 22:00:01  01/27/2015 08:00:01  krbtgt/GLXTMP.COM@GLXTMP.COM
        renew until 02/02/2015 22:00:01
[root@lnx01 ~]# smbclient -k \\win-leje3vd828k.glxtmp.com\SYSVOL
OS=[Windows Server 2012 Standard Evaluation 9200] Server=[Windows Server 2012 Standard Evaluation 6.2]
smb: \> ls
  .                          D        0  Sun Jan 25 20:24:14 2015
  ..                         D        0  Sun Jan 25 20:24:14 2015
  GLXTMP.COM                 D        0  Sun Jan 25 20:24:14 2015

        40607 blocks of size 1048576. 28261 blocks available
smb: \> cd GLXTMP.COM\
smb: \GLXTMP.COM\> ls
  .                          D        0  Sun Jan 25 20:26:38 2015
  ..                         D        0  Sun Jan 25 20:26:38 2015
  DfsrPrivate              DHS        0  Sun Jan 25 20:26:38 2015
  Policies                   D        0  Sun Jan 25 21:18:44 2015
  scripts                    D        0  Sun Jan 25 20:24:14 2015

        40607 blocks of size 1048576. 28261 blocks available
smb: \GLXTMP.COM\> cd Policies\
smb: \GLXTMP.COM\Policies\> ls
  .                                        D        0  Sun Jan 25 21:18:44 2015
  ..                                       D        0  Sun Jan 25 21:18:44 2015
  {31B2F340-016D-11D2-945F-00C04FB984F9}   D        0  Sun Jan 25 20:24:36 2015
  {6AC1786C-016F-11D2-945F-00C04fB984F9}   D        0  Sun Jan 25 20:24:36 2015
  {AC4A550E-DCD5-4C06-8B5C-29E51CD03164}   D        0  Sun Jan 25 21:18:44 2015

        40607 blocks of size 1048576. 28261 blocks available
smb: \GLXTMP.COM\Policies\> cd {AC4A550E-DCD5-4C06-8B5C-29E51CD03164}
smb: \GLXTMP.COM\Policies\{AC4A550E-DCD5-4C06-8B5C-29E51CD03164}\> ls
  .                          D        0  Sun Jan 25 21:18:44 2015
  ..                         D        0  Sun Jan 25 21:18:44 2015
  GPT.INI                    A       59  Sun Jan 25 21:21:57 2015
  Machine                    D        0  Sun Jan 25 21:19:03 2015
  User                       D        0  Sun Jan 25 21:18:44 2015

        40607 blocks of size 1048576. 28261 blocks available
smb: \GLXTMP.COM\Policies\{AC4A550E-DCD5-4C06-8B5C-29E51CD03164}\> get GPT.INI
getting file \GLXTMP.COM\Policies\{AC4A550E-DCD5-4C06-8B5C-29E51CD03164}\GPT.INI of size 59 as GPT.INI (57.6 KiloBytes/sec) (average 57.6 KiloBytes/sec)
ok, so with proper authentication everything is working as expected. I guess Kerberos authentication fails and libsmbclient tries to continue without authentication as guest and gets access denied.
I'll try to reproduce, maybe this is related to the recent changes to allow SSSD to run as non-root user. Is your sssd_be process running as root or as a different user?
bye, Sumit
_______________________________________________
sssd-users mailing list
sssd-users@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
Sumit Bose 26 Jan 2015 14:07
On Mon, Jan 26, 2015 at 11:53:35AM +0100, Koen de Boeve wrote:
hmm weird, the logs say that there's no access to the GPT.INI file...
when I use smbclient \\<servername>\SysVol -Utestuser1
I can browse and get GLXTMP.COM/Policies/{AC4A550E-DCD5-4C06-8B5C-29E51CD03164}/GPT.INI without a problem...
iirc we use host credentials to read SysVol. Can you check if you see access denied with
kinit -k
smbclient -k \\<servername>\SysVol ...
as well.
bye, Sumit
but attached is the gpo_child.log
Regards, Koen
Koen de Boeve 26 Jan 2015 11:53
hmm weird, the logs say that there's no access to the GPT.INI file...
when I use smbclient \\<servername>\SysVol -Utestuser1
I can browse and get GLXTMP.COM/Policies/{AC4A550E-DCD5-4C06-8B5C-29E51CD03164}/GPT.INI without a problem...
but attached is the gpo_child.log
Regards, Koen
Sumit Bose 26 Jan 2015 11:25
"[child_sig_handler] (0x0020): child [18130] failed with status [1]."
Can you send the gpo child logs as well?
bye, Sumit
Koen de Boeve 26 Jan 2015 10:54
Hi Jakub,
I have a Windows AD setup now (Windows 2012 R2). But it still isn't working (different error though). I have set up another CentOS 7 box with sssd version 1.12.3 and bound it to this domain.
This is the sssd.conf:
[sssd]
domains = GLXTMP.COM
config_file_version = 2
services = nss, pam
[domain/GLXTMP.COM]
ad_domain = GLXTMP.COM
krb5_realm = GLXTMP.COM
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = False
use_fully_qualified_names = False
fallback_homedir = /home/%u
debug_level = 9
enumerate = True
access_provider = ad
id_provider = ad
auth_provider = ad
chpass_provider = ad
ad_gpo_access_control = permissive
=========================
Now the log file finds a GPO that is applicable:
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ad_gpo_filter_gpos_by_dacl] (0x4000): examining dacl candidate_gpo_guid:{31B2F340-016D-11D2-945F-00C04FB984F9}
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ad_gpo_filter_gpos_by_dacl] (0x4000): GPO not applicable to target per security filtering
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ad_gpo_filter_gpos_by_dacl] (0x4000): examining dacl candidate_gpo_guid:{AC4A550E-DCD5-4C06-8B5C-29E51CD03164}
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ad_gpo_filter_gpos_by_dacl] (0x4000): GPO applicable to target per security filtering
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ad_gpo_process_gpo_done] (0x0400): dacl_filtered_gpos[0]->gpo_guid is {AC4A550E-DCD5-4C06-8B5C-29E51CD03164}
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ad_gpo_filter_gpos_by_cse_guid] (0x4000): examining cse candidate_gpo_guid: {AC4A550E-DCD5-4C06-8B5C-29E51CD03164}
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ad_gpo_filter_gpos_by_cse_guid] (0x4000): GPO applicable to target per cse_guid filtering
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ad_gpo_process_gpo_done] (0x0400): cse_filtered_gpos[0]->gpo_guid is {AC4A550E-DCD5-4C06-8B5C-29E51CD03164}
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ad_gpo_process_gpo_done] (0x0400): num_cse_filtered_gpos: 1
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ldb] (0x4000): start ldb transaction (nesting: 0)
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [sysdb_gpo_get_gpo_result_object] (0x4000): cn=gpos,cn=ad,cn=custom,cn=GLXTMP.COM,cn=sysdb
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f96c0717020
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f96c0716220
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ldb] (0x4000): Running timer event 0x7f96c0717020 "ltdb_callback"
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ldb] (0x4000): Destroying timer event 0x7f96c0716220 "ltdb_timeout"
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ldb] (0x4000): Ending timer event 0x7f96c0717020 "ltdb_callback"
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [sysdb_gpo_get_gpo_result_object] (0x4000): No GPO Result object.
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ldb] (0x4000): commit ldb transaction (nesting: 0)
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ad_gpo_cse_step] (0x0400): cse filtered_gpos[0]->gpo_guid is {AC4A550E-DCD5-4C06-8B5C-29E51CD03164}
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ad_gpo_cse_step] (0x4000): cse_filtered_gpos[0]->gpo_cse_guids[0]->gpo_guid is {827D319E-6EAC-11D2-A4EA-00C04F79F83A}
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ad_gpo_cse_step] (0x0400): smb_server: smb://win-leje3vd828k.glxtmp.com
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ad_gpo_cse_step] (0x0400): smb_share: /SysVol
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ad_gpo_cse_step] (0x0400): smb_path: /GLXTMP.COM/Policies/{AC4A550E-DCD5-4C06-8B5C-29E51CD03164}
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ad_gpo_cse_step] (0x0400): gpo_guid: {AC4A550E-DCD5-4C06-8B5C-29E51CD03164}
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ad_gpo_cse_step] (0x0400): retrieving GPO from cache [{AC4A550E-DCD5-4C06-8B5C-29E51CD03164}]
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [sysdb_gpo_get_gpo_by_guid] (0x4000): cn=gpos,cn=ad,cn=custom,cn=GLXTMP.COM,cn=sysdb
But finally it is failing anyway:
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f96c071b260
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f96c07134d0
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ldb] (0x4000): Running timer event 0x7f96c071b260 "ltdb_callback"
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ldb] (0x4000): Destroying timer event 0x7f96c07134d0 "ltdb_timeout"
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ldb] (0x4000): Ending timer event 0x7f96c071b260 "ltdb_callback"
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [sysdb_gpo_get_gpo_by_guid] (0x4000): No such entry.
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ad_gpo_cse_step] (0x0400): ENOENT
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ad_gpo_cse_step] (0x0400): send_to_child: 1
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [ad_gpo_cse_step] (0x0400): cached_gpt_version: -1
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [create_cse_send_buffer] (0x4000): buffer size: 167
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [child_handler_setup] (0x2000): Setting up signal handler up for pid [18130]
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [child_handler_setup] (0x2000): Signal handler set up for pid [18130]
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [sdap_process_result] (0x2000): Trace: sh[0x7f96c06d7260], connected[1], ops[(nil)], ldap[0x7f96c06a3d10]
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
(Mon Jan 26 10:26:02 2015) [sssd[be[GLXTMP.COM]]] [write_pipe_handler] (0x0400): All data has been sent!
(Mon Jan 26 10:26:03 2015) [sssd[be[GLXTMP.COM]]] [read_pipe_handler] (0x0400): EOF received, client finished
(Mon Jan 26 10:26:03 2015) [sssd[be[GLXTMP.COM]]] [gpo_cse_done] (0x0020): ad_gpo_parse_gpo_child_response failed: [22][Invalid argument]
(Mon Jan 26 10:26:03 2015) [sssd[be[GLXTMP.COM]]] [ad_gpo_cse_done] (0x0400): gpo_guid: {AC4A550E-DCD5-4C06-8B5C-29E51CD03164}
(Mon Jan 26 10:26:03 2015) [sssd[be[GLXTMP.COM]]] [ad_gpo_cse_done] (0x0040): Unable to retrieve policy data: [22](Invalid argument}
(Mon Jan 26 10:26:03 2015) [sssd[be[GLXTMP.COM]]] [ad_gpo_access_done] (0x0040): GPO-based access control failed.
(Mon Jan 26 10:26:03 2015) [sssd[be[GLXTMP.COM]]] [ad_gpo_access_done] (0x0040): Ignoring error: [22](Invalid argument); GPO-based access control failed, but GPO is not in enforcing mode.
I added the full sssd log in case you want a look in there.
Koen de Boeve 23 Jan 2015 21:57
Hi Jakub,
Hi Koen, I don't have a complete answer, but I'll try to help and maybe we can work out some details. First, do you have an actual AD server around to test with? In the past we've seen bugs with Samba that didn't occur with AD and I'm not sure if anyone tried the GPO integration with Samba.. The SSSD version you're running is pretty recent, the only GPO-related bug after the 1.12.3 release was https://fedorahosted.org/sssd/ticket/2543
Pretty sure it has nothing to do with unresolvable LDAP uri :-)
I don't have a Windows AD, but I can definitely try to set up one on our test environment.
But that's gonna take some time.
I would advise against enumerate=True in large environments.
We don't have a large environment, and I put it there, on purpose, to see if it worked :-) Once I have everything working as it should I will revise the settings before I deploy it on all our linux machines.
You can drop ldap_schema=ad, it's already the default for id_provider=ad
OK good to know, thanks for that!
Can you confirm that the GUIDs of the GPOs SSSD downloads correspond to those you defined on the server side?
[root@pdc Policies]# ls
{31B2F340-016D-11D2-945F-00C04FB984F9} - This is the Default Policy (empty)
{691A69C9-FEF3-4A42-8129-64E8741F9D2C} - Other Policy, not for this OU
{6AC1786C-016F-11D2-945F-00C04FB984F9} - Same
{D49E3752-2ECB-42F6-A418-2AE1F3092929} - This is the Policy containing the deny rules for user Testuser (Deny log on locally and Deny log on through Remote Desktop)
{E55C6360-FBC1-485A-8EFF-A7D9392514D2} - Other Policy, not for this OU
Note that func_versions is 2 and flags is 0, same for the other GPO.
What does that mean? :-)
OK, access was denied but since both the flags and the func_version were the value we expect, I presume the code made it all the way to ad_gpo_evaluate_ace() where the GPO is really evaluated. Unfortunately there's not much logging there. I wonder if the GUIDs are correct? If so, we can proceed with debugging, maybe with some instrumented build..
There is one SID I can't figure out: [ad_gpo_parse_machine_ext_names] (0x4000): gpo_cse_guids[0] is {827D319E-6EAC-11D2-A4EA-00C04F79F83A}
btw did you also try the other way around, only allow access?
Yes, same issue
Regards and thanks for the help!, Koen
Jakub Hrozek 23 Jan 2015 21:03
On Fri, Jan 23, 2015 at 04:10:12PM +0100, Koen de Boeve wrote:
Hi all,
I am having issues getting remote and local GPO restrictions to work
I am using:
- 2 Samba 4.1.16 PDC's on CentOS 6.5 64bit - 1 CentOS 7 installation with sssd 1.12.3. as testclient.
other GPO's are working fine for windows machines.
Authentication against the Samba4 Domain on the testclient with sssd is working fine too. I am now trying to use a Group Policy to deny access for 'testuser' for both local login as well as remote login ( ssh and xrdp )
This is not working at all.
I created a GPO which I linked to OU=Linux,OU=Servers,DC=mydomain,DC=com in there, I have one machine, called ITCOPY. the GPO sets Deny Logon and Deny Remote Desktop access for MYDOMAIN\testuser
The GPO is set to be Enforced and the Security target is Authenticated Users.
as you can see, I set access_control back to permissive, so I should see some indication that the GPO is working in the log file.
Any help would be much appreciated!
Regards, Koen
Hi Koen,
I don't have a complete answer, but I'll try to help and maybe we can work out some details.
First, do you have an actual AD server around to test with? In the past we've seen bugs with Samba that didn't occur with AD and I'm not sure if anyone tried the GPO integration with Samba..
The SSSD version you're running is pretty recent, the only GPO-related bug after the 1.12.3 release was https://fedorahosted.org/sssd/ticket/2543
My sssd conf:
# =========================================
[sssd]
domains = mydomain.com
config_file_version = 2
services = nss, pam
[domain/mydomain.com]
ad_domain = mydomain.com
ad_server = pdc.mydomain.com
krb5_realm = mydomain.com
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = False
use_fully_qualified_names = False
fallback_homedir = /home/%u
debug_level = 9
enumerate = True
I would advise against enumerate=True in large environments.
access_provider = ad
#ad_access_filter = (&(memberOf=CN=linuxadmin,CN=Users,DC=mydomain,DC=com)(unixHomeDirectory=*))
id_provider = ad
auth_provider = ad
chpass_provider = ad
ad_gpo_access_control = permissive
ldap_schema = ad
You can drop ldap_schema=ad, it's already the default for id_provider=ad
dyndns_update = true
dyndns_refresh_interval = 43200
dyndns_update_ptr = true
dyndns_ttl = 3600
ad_gpo_map_remote_interactive = +xrdp-sesman
# =====================================
This is part of the sssd log file:
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_access_send] (0x0400): service sshd maps to Remote Interactive
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_access_send] (0x4000): server_hostname from uri: pdc.mydomain.com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_connect_done] (0x0400): sam_account_name is ITCOPY$
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_site_dn_retrieval_done] (0x0400): som_list[0]->som_dn is OU=Linux,OU=Servers,DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_site_dn_retrieval_done] (0x0400): som_list[1]->som_dn is OU=Servers,DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_site_dn_retrieval_done] (0x0400): som_list[2]->som_dn is DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_site_dn_retrieval_done] (0x0400): som_list[3]->som_dn is cn=Default-First-Site-Name,cn=Sites,CN=Configuration,DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_som_attrs_done] (0x4000): gpoptions attr not found or has no value; defaults to 0
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_gplink_list] (0x0400): som_dn: OU=Linux,OU=Servers,DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_gplink_list] (0x4000): gplink_list[0]: [cn={D49E3752-2ECB-42F6-A418-2AE1F3092929},cn=policies,cn=system,DC=mydomain,DC=com; 2]
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_som_attrs_done] (0x4000): gpoptions attr not found or has no value; defaults to 0
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_gplink_list] (0x0400): som_dn: OU=Servers,DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_gplink_list] (0x4000): gplink_list[0]: [cn={691A69C9-FEF3-4A42-8129-64E8741F9D2C},cn=policies,cn=system,DC=mydomain,DC=com; 1]
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_gplink_list] (0x4000): ignored gpo skipped
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_som_attrs_done] (0x4000): gpoptions attr not found or has no value; defaults to 0
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_gplink_list] (0x0400): som_dn: DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_gplink_list] (0x4000): gplink_list[0]: [CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=mydomain,DC=com; 0]
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_som_attrs_done] (0x0040): no attrs found for SOM; try next SOM
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_candidate_gpos] (0x0400): candidate_gpos[0]->gpo_dn: CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_candidate_gpos] (0x0400): candidate_gpos[1]->gpo_dn: cn={D49E3752-2ECB-42F6-A418-2AE1F3092929},cn=policies,cn=system,DC=mydomain,DC=com
Can you confirm that the GUIDs of the GPOs SSSD downloads correspond to those you defined on the server side?
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): populating attrs for gpo_guid: {31B2F340-016D-11D2-945F-00C04FB984F9}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_extract_smb_components] (0x4000): input_path: \\mydomain.com\sysvol\mydomain.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): smb_server: smb://pdc.mydomain.com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): smb_share: /sysvol
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): smb_path: /mydomain.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): gpo_func_version: 2
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): gpo_flags: 0
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_parse_machine_ext_names] (0x4000): num_gpo_cse_guids: 3
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_parse_machine_ext_names] (0x4000): gpo_cse_guids[0] is {35378EAC-683F-11D2-A89A-00C04FBBCFA2}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_parse_machine_ext_names] (0x4000): gpo_cse_guids[1] is {827D319E-6EAC-11D2-A4EA-00C04F79F83A}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_parse_machine_ext_names] (0x4000): gpo_cse_guids[2] is {B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): populating attrs for gpo_guid: {D49E3752-2ECB-42F6-A418-2AE1F3092929}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_extract_smb_components] (0x4000): input_path: \\mydomain.com\SysVol\mydomain.com\Policies\{D49E3752-2ECB-42F6-A418-2AE1F3092929}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): smb_server: smb://pdc.mydomain.com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): smb_share: /SysVol
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): smb_path: /mydomain.com/Policies/{D49E3752-2ECB-42F6-A418-2AE1F3092929}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): gpo_func_version: 2
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): gpo_flags: 0
Note that func_versions is 2 and flags is 0, same for the other GPO.
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_parse_machine_ext_names] (0x4000): num_gpo_cse_guids: 1
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_parse_machine_ext_names] (0x4000): gpo_cse_guids[0] is {827D319E-6EAC-11D2-A4EA-00C04F79F83A}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_filter_gpos_by_dacl] (0x4000): examining dacl candidate_gpo_guid:{31B2F340-016D-11D2-945F-00C04FB984F9}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_filter_gpos_by_dacl] (0x4000): GPO not applicable to target per security filtering
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_filter_gpos_by_dacl] (0x4000): examining dacl candidate_gpo_guid:{D49E3752-2ECB-42F6-A418-2AE1F3092929}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_filter_gpos_by_dacl] (0x4000): GPO not applicable to target per security filtering
OK, access was denied but since both the flags and the func_version were the value we expect, I presume the code made it all the way to ad_gpo_evaluate_ace() where the GPO is really evaluated. Unfortunately there's not much logging there. I wonder if the GUIDs are correct? If so, we can proceed with debugging, maybe with some instrumented build..
btw did you also try the other way around, only allow access?
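Checking the chain Jakub walks through above by hand (which gPLinks were seen, with which option bits, which GPOs became candidates, and what security filtering decided for each) is tedious on a debug_level 9 log. The script below is an added example, not sssd code and not from anyone in this thread: it parses only the message formats visible in the log above, and the gPLink option bits it decodes (1 = link disabled, 2 = link enforced) come from the Group Policy protocol, not from the log.

```python
"""Added example, not sssd project code: triage sssd's AD GPO debug log.

From sssd_be's debug_level 9 messages, rebuild the chain discussed in this thread:
PAM service -> logon right, each gPLink with its option bits, the candidate GPOs,
and the verdict of security (DACL) filtering on each of them.
"""
from __future__ import annotations
import re
from dataclasses import dataclass, field

# gPLink option bits per MS-GPOL: 0x1 = link disabled, 0x2 = link enforced.
GPLINK_DISABLED, GPLINK_ENFORCED = 0x1, 0x2

ENTRY_RE = re.compile(r"^\([^)]*\) \[sssd\[be\[[^\]]*\]\]\] \[(?P<func>[^\]]*)\] "
                      r"\((?P<level>0x[0-9A-Fa-f]+)\): (?P<msg>.*)$")
GUID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")

# Constructed sample: a trimmed copy of the log posted earlier in this thread.
SAMPLE_LOG = """\
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_access_send] (0x0400): service sshd maps to Remote Interactive
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_connect_done] (0x0400): sam_account_name is ITCOPY$
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_gplink_list] (0x0400): som_dn: OU=Linux,OU=Servers,DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_gplink_list] (0x4000): gplink_list[0]: [cn={D49E3752-2ECB-42F6-A418-2AE1F3092929},cn=policies,cn=system,DC=mydomain,DC=com; 2]
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_gplink_list] (0x0400): som_dn: OU=Servers,DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_gplink_list] (0x4000): gplink_list[0]: [cn={691A69C9-FEF3-4A42-8129-64E8741F9D2C},cn=policies,cn=system,DC=mydomain,DC=com; 1]
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_gplink_list] (0x4000): ignored gpo skipped
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_gplink_list] (0x0400): som_dn: DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_gplink_list] (0x4000): gplink_list[0]: [CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=mydomain,DC=com; 0]
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_candidate_gpos] (0x0400): candidate_gpos[0]->gpo_dn: CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_candidate_gpos] (0x0400): candidate_gpos[1]->gpo_dn: cn={D49E3752-2ECB-42F6-A418-2AE1F3092929},cn=policies,cn=system,DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_filter_gpos_by_dacl] (0x4000): examining dacl candidate_gpo_guid:{31B2F340-016D-11D2-945F-00C04FB984F9}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_filter_gpos_by_dacl] (0x4000): GPO not applicable to target per security filtering
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_filter_gpos_by_dacl] (0x4000): examining dacl candidate_gpo_guid:{D49E3752-2ECB-42F6-A418-2AE1F3092929}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_filter_gpos_by_dacl] (0x4000): GPO not applicable to target per security filtering
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_process_gpo_done] (0x0400): no applicable gpos found after dacl filtering
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_access_done] (0x0400): GPO-based access control successful.
"""


@dataclass
class GpoTrace:
    service: str = ""
    logon_right: str = ""
    machine: str = ""
    gplinks: list[tuple[str, str, int]] = field(default_factory=list)  # (som_dn, guid, options)
    candidates: list[str] = field(default_factory=list)
    dacl_applicable: dict[str, bool] = field(default_factory=dict)
    results: list[str] = field(default_factory=list)


def parse_trace(text: str) -> GpoTrace:
    """Walk the log once and collect the GPO evaluation steps in order."""
    trace, current_som, pending = GpoTrace(), "", ""
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        func, msg = m.group("func"), m.group("msg")
        if func == "ad_gpo_access_send" and msg.startswith("service "):
            trace.service, _, trace.logon_right = msg[8:].partition(" maps to ")
        elif func == "ad_gpo_connect_done" and msg.startswith("sam_account_name is "):
            trace.machine = msg.rpartition(" ")[2]
        elif func == "ad_gpo_populate_gplink_list":
            if msg.startswith("som_dn: "):
                current_som = msg[8:]
            elif msg.startswith("gplink_list["):
                # the message tail is "[<gpo dn>; <gPLink options>]"
                dn, _, opts = msg.partition(": [")[2].rstrip("]").rpartition("; ")
                guid = GUID_RE.search(dn).group(0).upper()
                trace.gplinks.append((current_som, guid, int(opts)))
        elif func == "ad_gpo_populate_candidate_gpos":
            trace.candidates.append(GUID_RE.search(msg).group(0).upper())
        elif func == "ad_gpo_filter_gpos_by_dacl":
            if msg.startswith("examining dacl"):
                pending = GUID_RE.search(msg).group(0).upper()
            elif pending and msg.endswith("per security filtering"):
                trace.dacl_applicable[pending] = not msg.startswith("GPO not")
                pending = ""
        elif func in ("ad_gpo_process_gpo_done", "ad_gpo_access_done"):
            trace.results.append(msg)
    return trace


def explain(trace: GpoTrace) -> list[str]:
    """Human-readable findings, the checklist the thread walks through by hand."""
    notes = [f"{trace.service} -> {trace.logon_right} logon right, machine {trace.machine}"]
    for som, guid, opts in trace.gplinks:
        state = ("disabled" if opts & GPLINK_DISABLED else
                 "enforced" if opts & GPLINK_ENFORCED else "normal")
        notes.append(f"{som}: {guid} link {state}")
    for guid in trace.candidates:
        verdict = "applies" if trace.dacl_applicable.get(guid) else "filtered out"
        notes.append(f"candidate {guid}: DACL {verdict}")
    if trace.candidates and not any(trace.dacl_applicable.values()):
        notes.append("no GPO passed security filtering: check the Read and Apply Group "
                     "Policy ACEs for the machine account on each candidate GPO")
    return notes
```

Feed it the whole sssd_<domain>.log and the last "no GPO passed security filtering" line is the case this thread ends up in: the GPO GUIDs are right, but the machine account never passes the DACL check.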
Koen de Boeve 23 Jan 2015 16:10
Hi all,
I am having issues getting remote and local GPO restrictions to work
I am using:
- 2 Samba 4.1.16 PDC's on CentOS 6.5 64bit - 1 CentOS 7 installation with sssd 1.12.3. as testclient.
other GPO's are working fine for windows machines.
Authentication against the Samba4 Domain on the testclient with sssd is working fine too. I am now trying to use a Group Policy to deny access for 'testuser' for both local login as well as remote login ( ssh and xrdp )
This is not working at all.
I created a GPO which I linked to OU=Linux,OU=Servers,DC=mydomain,DC=com in there, I have one machine, called ITCOPY. the GPO sets Deny Logon and Deny Remote Desktop access for MYDOMAIN\testuser
The GPO is set to be Enforced and the Security target is Authenticated Users.
as you can see, I set access_control back to permissive, so I should see some indication that the GPO is working in the log file.
Any help would be much appreciated!
Regards, Koen
My sssd conf: # ========================================= [sssd] domains = mydomain.com config_file_version = 2 services = nss, pam
[domain/mydomain.com] ad_domain = mydomain.com ad_server = pdc.mydomain.com krb5_realm = mydomain.com realmd_tags = manages-system joined-with-samba cache_credentials = True id_provider = ad krb5_store_password_if_offline = True default_shell = /bin/bash ldap_id_mapping = False use_fully_qualified_names = False fallback_homedir = /home/%u debug_level = 9
enumerate = True
access_provider = ad #ad_access_filter = (&(memberOf=CN=linuxadmin,CN=Users,DC=mydomain,DC=com)(unixHomeDirectory=*)) id_provider = ad auth_provider = ad chpass_provider = ad ad_gpo_access_control = permissive
ldap_schema = ad
dyndns_update = true dyndns_refresh_interval = 43200 dyndns_update_ptr = true dyndns_ttl = 3600
ad_gpo_map_remote_interactive = +xrdp-sesman # =====================================
This is part of the sssd log file:
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_access_send] (0x0400): service sshd maps to Remote Interactive
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_access_send] (0x4000): server_hostname from uri: pdc.mydomain.com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_connect_done] (0x0400): sam_account_name is ITCOPY$
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_site_dn_retrieval_done] (0x0400): som_list[0]->som_dn is OU=Linux,OU=Servers,DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_site_dn_retrieval_done] (0x0400): som_list[1]->som_dn is OU=Servers,DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_site_dn_retrieval_done] (0x0400): som_list[2]->som_dn is DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_site_dn_retrieval_done] (0x0400): som_list[3]->som_dn is cn=Default-First-Site-Name,cn=Sites,CN=Configuration,DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_som_attrs_done] (0x4000): gpoptions attr not found or has no value; defaults to 0
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_gplink_list] (0x0400): som_dn: OU=Linux,OU=Servers,DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_gplink_list] (0x4000): gplink_list[0]: [cn={D49E3752-2ECB-42F6-A418-2AE1F3092929},cn=policies,cn=system,DC=mydomain,DC=com; 2]
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_som_attrs_done] (0x4000): gpoptions attr not found or has no value; defaults to 0
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_gplink_list] (0x0400): som_dn: OU=Servers,DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_gplink_list] (0x4000): gplink_list[0]: [cn={691A69C9-FEF3-4A42-8129-64E8741F9D2C},cn=policies,cn=system,DC=mydomain,DC=com; 1]
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_gplink_list] (0x4000): ignored gpo skipped
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_som_attrs_done] (0x4000): gpoptions attr not found or has no value; defaults to 0
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_gplink_list] (0x0400): som_dn: DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_gplink_list] (0x4000): gplink_list[0]: [CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=mydomain,DC=com; 0]
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_som_attrs_done] (0x0040): no attrs found for SOM; try next SOM
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_candidate_gpos] (0x0400): candidate_gpos[0]->gpo_dn: CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_candidate_gpos] (0x0400): candidate_gpos[1]->gpo_dn: cn={D49E3752-2ECB-42F6-A418-2AE1F3092929},cn=policies,cn=system,DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): populating attrs for gpo_guid: {31B2F340-016D-11D2-945F-00C04FB984F9}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_extract_smb_components] (0x4000): input_path: \mydomain.com\sysvol\mydomain.com\Policies{31B2F340-016D-11D2-945F-00C04FB984F9}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): smb_server: smb://pdc.mydomain.com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): smb_share: /sysvol
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): smb_path: /mydomain.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): gpo_func_version: 2
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): gpo_flags: 0
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_parse_machine_ext_names] (0x4000): num_gpo_cse_guids: 3
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_parse_machine_ext_names] (0x4000): gpo_cse_guids[0] is {35378EAC-683F-11D2-A89A-00C04FBBCFA2}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_parse_machine_ext_names] (0x4000): gpo_cse_guids[1] is {827D319E-6EAC-11D2-A4EA-00C04F79F83A}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_parse_machine_ext_names] (0x4000): gpo_cse_guids[2] is {B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): populating attrs for gpo_guid: {D49E3752-2ECB-42F6-A418-2AE1F3092929}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_extract_smb_components] (0x4000): input_path: \mydomain.com\SysVol\mydomain.com\Policies{D49E3752-2ECB-42F6-A418-2AE1F3092929}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): smb_server: smb://pdc.mydomain.com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): smb_share: /SysVol
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): smb_path: /mydomain.com/Policies/{D49E3752-2ECB-42F6-A418-2AE1F3092929}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): gpo_func_version: 2
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): gpo_flags: 0
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_parse_machine_ext_names] (0x4000): num_gpo_cse_guids: 1
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_parse_machine_ext_names] (0x4000): gpo_cse_guids[0] is {827D319E-6EAC-11D2-A4EA-00C04F79F83A}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_filter_gpos_by_dacl] (0x4000): examining dacl candidate_gpo_guid:{31B2F340-016D-11D2-945F-00C04FB984F9}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_filter_gpos_by_dacl] (0x4000): GPO not applicable to target per security filtering
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_filter_gpos_by_dacl] (0x4000): examining dacl candidate_gpo_guid:{D49E3752-2ECB-42F6-A418-2AE1F3092929}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_filter_gpos_by_dacl] (0x4000): GPO not applicable to target per security filtering
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_process_gpo_done] (0x0400): no applicable gpos found after dacl filtering
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_access_done] (0x0400): GPO-based access control successful.
_______________________________________________ sssd-users mailing list sssd-users@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-users
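Added example (editorial, not code from the sssd project or from anyone in this thread): a small Python parser that re-splits a run-together sssd_be debug log of the kind quoted above into records and reconstructs the GPO evaluation: which logon right the PAM service was mapped to, which GPOs were candidates, which ones ad_gpo_filter_gpos_by_dacl dropped, and the final decision. The sample log is constructed from the message shapes visible in the thread; the diagnosis text is my reading of that outcome (every candidate GPO dropped by security filtering, so no logon-right settings were ever read), not a statement from the list.

```python
"""Reconstruct an sssd AD GPO access evaluation from sssd_be debug output.

Added example: not code from the sssd project or from anyone in the thread.
Record layout and message texts matched below are those seen in the thread's log.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample in the shape of the thread's sssd_be log (debug_level = 9),
# deliberately run together on one line as mail archives tend to deliver it.
SAMPLE_LOG = (
    "(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_access_send] (0x0400): "
    "service sshd maps to Remote Interactive "
    "(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_connect_done] (0x0400): "
    "sam_account_name is ITCOPY$ "
    "(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_candidate_gpos] (0x0400): "
    "candidate_gpos[0]->gpo_dn: CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=mydomain,DC=com "
    "(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_candidate_gpos] (0x0400): "
    "candidate_gpos[1]->gpo_dn: cn={D49E3752-2ECB-42F6-A418-2AE1F3092929},cn=policies,cn=system,DC=mydomain,DC=com "
    "(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_filter_gpos_by_dacl] (0x4000): "
    "examining dacl candidate_gpo_guid:{31B2F340-016D-11D2-945F-00C04FB984F9} "
    "(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_filter_gpos_by_dacl] (0x4000): "
    "GPO not applicable to target per security filtering "
    "(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_filter_gpos_by_dacl] (0x4000): "
    "examining dacl candidate_gpo_guid:{D49E3752-2ECB-42F6-A418-2AE1F3092929} "
    "(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_filter_gpos_by_dacl] (0x4000): "
    "GPO not applicable to target per security filtering "
    "(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_process_gpo_done] (0x0400): "
    "no applicable gpos found after dacl filtering "
    "(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_access_done] (0x0400): "
    "GPO-based access control successful."
)

# One sssd_be record: (timestamp) [sssd[be[domain]]] [function] (level): message
ENTRY_RE = re.compile(
    r"\((?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4})\) "
    r"\[sssd\[be\[(?P<domain>[^\]]+)\]\]\] "
    r"\[(?P<func>\w+)\] \((?P<level>0x[0-9a-fA-F]+)\): "
    r"(?P<msg>.*?)"
    r"(?=\(\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}\) \[sssd|\Z)",
    re.S,
)
GUID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")


@dataclass
class LogEntry:
    ts: str
    domain: str
    func: str
    level: int
    msg: str


def parse_sssd_log(text: str) -> List[LogEntry]:
    """Split a run-together or line-wrapped sssd_be log into records."""
    flat = re.sub(r"\s+", " ", text)  # archives wrap records at arbitrary points
    return [
        LogEntry(m["ts"], m["domain"], m["func"], int(m["level"], 16), m["msg"].strip())
        for m in ENTRY_RE.finditer(flat)
    ]


@dataclass
class GpoEvaluation:
    service: Optional[str] = None
    logon_right: Optional[str] = None
    machine: Optional[str] = None
    candidates: List[str] = field(default_factory=list)    # GPOs linked on the SOM chain
    filtered_out: List[str] = field(default_factory=list)  # dropped by DACL security filtering
    decision: Optional[str] = None

    @property
    def applied(self) -> List[str]:
        return [g for g in self.candidates if g not in self.filtered_out]


def summarize_gpo_evaluation(entries: List[LogEntry]) -> GpoEvaluation:
    """Walk the ad_gpo_* records of one access request and collect the decision path."""
    ev = GpoEvaluation()
    examining: Optional[str] = None  # GUID currently under DACL inspection
    for e in entries:
        if not e.func.startswith("ad_gpo_"):
            continue
        m = re.match(r"service (\S+) maps to (.+)", e.msg)
        if m:
            ev.service, ev.logon_right = m.group(1), m.group(2)
        elif e.msg.startswith("sam_account_name is "):
            ev.machine = e.msg.split()[-1]
        elif e.msg.startswith("candidate_gpos["):
            g = GUID_RE.search(e.msg)
            if g:
                ev.candidates.append(g.group(0).upper())
        elif e.func == "ad_gpo_filter_gpos_by_dacl":
            g = GUID_RE.search(e.msg)
            if g:
                examining = g.group(0).upper()
            elif "not applicable" in e.msg and examining:
                ev.filtered_out.append(examining)
        else:
            m = re.match(r"GPO-based access control (\w+)", e.msg)
            if m:
                ev.decision = m.group(1)
    return ev


def diagnose(ev: GpoEvaluation) -> str:
    """Explain, from the evaluation alone, why the logon right was or was not enforced."""
    if not ev.candidates:
        return "no GPOs are linked on this machine's SOM chain; check the gPLink of the OUs"
    if not ev.applied:
        return (f"all {len(ev.candidates)} candidate GPO(s) were dropped by security filtering, "
                f"so no logon-right settings were read for {ev.machine}; the request ended "
                f"'{ev.decision}' by default, whatever ad_gpo_access_control is set to. "
                f"Check the GPO DACL grants the computer account Read and Apply Group Policy")
    return f"{len(ev.applied)} GPO(s) applied for {ev.logon_right} ({ev.service}): {ev.decision}"


if __name__ == "__main__":
    evaluation = summarize_gpo_evaluation(parse_sssd_log(SAMPLE_LOG))
    print(diagnose(evaluation))
```

Point the parser at a real /var/log/sssd/sssd_mydomain.com.log (the file name depends on the domain section) and it yields one GpoEvaluation per access request; when the diagnosis reports that every candidate was dropped by security filtering, the DACL on the GPO itself, not the sssd.conf mapping options, is the first thing to inspect.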
On 23/01/15 15:10, Koen de Boeve wrote:
Can I ask if you are trying to get a Linux machine to use a Windows GPO?
Rowland
Yes I am, Rowland; well, it is a separate policy specifically for Linux machines.
Regards, Koen
That's the whole point of sssd-ad and the GPO settings though :-)
Rowland Penny mailto:repenny241155@gmail.com 23 Jan 2015 22:01 On 23/01/15 20:58, Koen de Boeve wrote:
Thought so, forget it, Linux knows absolutely nothing about GPOs.
Rowland
The idea is that sssd reads the GPO and then, on that basis, either denies or allows access through its PAM module. At least, that's how I think it works - or should work - ;)
On 23/01/15 21:10, Koen de Boeve wrote:
OK, I'll believe you. Now, could someone explain how sssd can read a GPO that is supposed to (as far as I know) alter the registry on a Windows machine, and use those settings on a Linux machine that does not have anything like a registry?
Rowland
On (23/01/15 21:24), Rowland Penny wrote:
There is a design document[1] for GPO, and the PDF attachment in mail[2] contains a "gpo data flow diagram".
All this information may be too technical.
HTH
LS
[1] https://fedorahosted.org/sssd/wiki/DesignDocs/ActiveDirectoryGPOIntegration
[2] https://lists.fedorahosted.org/pipermail/sssd-devel/2014-September/020758.ht...
On 23/01/15 21:31, Lukas Slebodnik wrote:
OK, what about a user walking up to a Unix machine and logging in? What about ssh? Wouldn't it be easier to just change the user's login shell to /bin/false?
Rowland
On Fri, 23 Jan 2015 21:54:18 +0000 Rowland Penny repenny241155@gmail.com wrote:
No, because you may be allowed to log in locally but not via ssh; changing the shell is a binary option.
Simo.
sssd GPO supports everything that PAM supports, so you can have users able to log in locally but not via ssh, or the other way round.
Why not change the login shell:
The user might be a web admin, so needs access to a range of Linux boxes running web servers, but not to the mail servers, for example. If you have to maintain a lot of machines, it is just easier and less error-prone to also be able to manage the access from a central point.
This way, it is just a matter of moving the web servers into the right OU, and all web admins automatically have access to the web servers, etc.
If you only have a few machines, you might as well change it on the machine itself. In my specific situation: I create a lot of virtual machines from 1 or 2 templates. When I get sssd-ad and GPO working, I don't need any modification whatsoever. I just assign the machine to a specific department and all the right people have access to only their set of machines.
Regards, Koen