We've recently started receiving a lot of complaints from users about broadcast messages of the form:
Message from syslogd@hostname at Dec 4 09:08:35 ... sssd[be[domain.lan]]:Group Policy Container with DN [cn={66062A26-FA18-4C56-A7E1-B22209856319},cn=policies,cn=system,DC=domain,DC=lan] is unreadable or has unreadable or missing attributes. In order to fix this make sure that this AD object has following attributes readable: nTSecurityDescriptor, cn, gPCFileSysPath, gPCMachineExtensionNames, gPCFunctionalityVersion, flags. Alternatively if you do not have access to the server or can not change permissions on this object, you can use option ad_gpo_ignore_unreadable = True which will skip this GPO.See 'man ad_gpo_ignore_unreadable for details.'
We've reviewed the AD object with that DN and determined that it is scoped to specific sets of workstations using AD groups, such as "Domain Laptops". As far as we can tell, this is entirely normal, and there's no reason to log an error, much less broadcast a message to every open terminal every time GPOs are processed.
I'm aware of the ad_gpo_ignore_unreadable setting, but the default seems to be the wrong behavior, and I'd like to suggest changing that.
sssd-users@lists.fedorahosted.org
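As an added example, not part of the original post or of SSSD itself: a small Python script that pulls the GPO GUID, the domain and the attribute list SSSD names out of syslog lines of the shape quoted above, so an administrator can inventory which GPOs trigger the message and how often before choosing between fixing the ACLs on those objects and setting ad_gpo_ignore_unreadable. The log lines below are constructed for the example; the first GUID is the one from the post, the second is made up.

```python
import re
from collections import Counter

# Constructed sample syslog lines in the shape SSSD logs for an unreadable GPO.
# The second GUID is invented; the third line is unrelated noise.
SAMPLE_LOG = """\
Dec  4 09:08:35 ws01 sssd[be[domain.lan]]: Group Policy Container with DN [cn={66062A26-FA18-4C56-A7E1-B22209856319},cn=policies,cn=system,DC=domain,DC=lan] is unreadable or has unreadable or missing attributes. In order to fix this make sure that this AD object has following attributes readable: nTSecurityDescriptor, cn, gPCFileSysPath, gPCMachineExtensionNames, gPCFunctionalityVersion, flags. Alternatively if you do not have access to the server or can not change permissions on this object, you can use option ad_gpo_ignore_unreadable = True which will skip this GPO.See 'man ad_gpo_ignore_unreadable for details.'
Dec  4 09:08:36 ws01 sssd[be[domain.lan]]: Group Policy Container with DN [cn={00000000-1111-2222-3333-444444444444},cn=policies,cn=system,DC=domain,DC=lan] is unreadable or has unreadable or missing attributes.
Dec  4 09:08:37 ws01 sssd[be[domain.lan]]: Backend is online
"""

# The DN sits between the square brackets that follow "with DN".
UNREADABLE_RE = re.compile(r"Group Policy Container with DN \[(?P<dn>[^\]]+)\] is unreadable")
# GPO containers are named by a braced GUID in their first RDN.
GUID_RE = re.compile(r"cn=\{(?P<guid>[0-9A-Fa-f-]{36})\}", re.IGNORECASE)
# The attribute list ends at the first period; attribute names contain none.
ATTRS_RE = re.compile(r"attributes readable: (?P<attrs>[^.]+)\.")
DC_RE = re.compile(r"DC=([^,]+)", re.IGNORECASE)


def parse_unreadable_gpos(log_text):
    """Return one dict per 'unreadable GPO' line: dn, guid, domain, attrs."""
    events = []
    for line in log_text.splitlines():
        m = UNREADABLE_RE.search(line)
        if not m:
            continue
        dn = m.group("dn")
        g = GUID_RE.search(dn)
        a = ATTRS_RE.search(line)
        events.append({
            "dn": dn,
            "guid": g.group("guid").upper() if g else None,
            # Join the DC components back into the DNS domain name.
            "domain": ".".join(DC_RE.findall(dn)),
            # Attribute list is absent when the message was truncated.
            "attrs": [x.strip() for x in a.group("attrs").split(",")] if a else [],
        })
    return events


def summarize(events):
    """Count how many times each GPO GUID was reported as unreadable."""
    counts = Counter(e["guid"] for e in events)
    return {guid: counts[guid] for guid in sorted(counts, key=str)}


if __name__ == "__main__":
    found = parse_unreadable_gpos(SAMPLE_LOG)
    for guid, n in summarize(found).items():
        print(f"{guid}: reported {n} time(s)")
    for e in found:
        print(e["domain"], e["guid"], "needs readable:", ", ".join(e["attrs"]) or "(not listed)")
```

In practice the input would be the output of `journalctl -u sssd` or the syslog file rather than the embedded sample; the GUIDs reported can then be matched against the GPO links and security filtering in AD to confirm that each one is, as in the case above, simply not applicable to the querying host.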