On (23/02/17 14:23), Max DiOrio wrote:
>So I have some RHEL 7.3 virtual machines that were on Red Hat IDM/IPA
>domain. I cloned them, renamed them, new IPs etc, and uninstalled the IPA
>client successfully.
>
>I then joined them to our AD domain using realm join like I have other
>machines. I matched settings in sssd.conf and nsswitch.conf and I can
>kinit and id users without any issues.
>
>My problem is that nobody can log in using their AD credentials because
>access is based on GPO and for some reason this server isn't able to get
>the GPO:
>
>(Thu Feb 23 14:15:23 2017) [sssd[be[internal.ieeeglobalspec.com]]] [ad_gpo_access_send] (0x0400): service sshd maps to Remote Interactive
>(Thu Feb 23 14:15:23 2017) [sssd[be[internal.ieeeglobalspec.com]]] [ad_gpo_connect_done] (0x4000): server_hostname from uri: la-2pdom02.internal.ieeeglobalspec.com
>(Thu Feb 23 14:15:23 2017) [sssd[be[internal.ieeeglobalspec.com]]] [ad_gpo_connect_done] (0x0400): sam_account_name is LA-1QGLSESGAP01$
>(Thu Feb 23 14:15:23 2017) [sssd[be[internal.ieeeglobalspec.com]]] [ad_gpo_site_name_retrieval_done] (0x0040): Cannot retrieve master domain info
>(Thu Feb 23 14:15:23 2017) [sssd[be[internal.ieeeglobalspec.com]]] [ad_gpo_process_som_done] (0x0040): Unable to get som list: [2](No such file or directory)
>(Thu Feb 23 14:15:23 2017) [sssd[be[internal.ieeeglobalspec.com]]] [ad_gpo_access_done] (0x0040): GPO-based access control failed.
>
>
>Server is in an OU that is covered by my access policy GPO. GP Modeling
>shows that the correct policy would apply.
>

Could you provide log files with a higher debug level (7 should be enough)?
Please provide the domain log file and gpo_child.log.

LS
