Well, it seems that after letting the machines sit all night, I was able to log in fine this morning. On one machine SUDO is working fine, on the other it's not. Had to restart sssd on the non-working one and everything is back to normal.
gpo_child.log absolutely wouldn't populate yesterday after I joined to the domain and the gpo_cache was empty until this morning.

On Fri, Feb 24, 2017 at 6:49 AM, Michal Židek <[email protected]> wrote:

>
> On 02/24/2017 12:44 PM, Lukas Slebodnik wrote:
>
>> On (23/02/17 14:23), Max DiOrio wrote:
>>
>>> So I have some RHEL 7.3 virtual machines that were on Redhat IDM/IPA
>>> domain. I cloned them, renamed them, new IP's etc, and uninstalled the
>>> IPA
>>> client successfully.
>>>
>>> I then joined them to our AD domain using realm join like I have other
>>> machines. I matched settings in sssd.conf and nsswitch.conf and I can
>>> kinit and id users without any issues.
>>>
>>> My problem is that nobody can log into using their AD credentials because
>>> access is based on GPO and for some reason this server isn't able to get
>>> the GPO:
>>>
>>> (Thu Feb 23 14:15:23 2017) [sssd[be[internal.ieeeglobalspec.com]]]
>>> [ad_gpo_access_send] (0x0400): service sshd maps to Remote Interactive
>>> (Thu Feb 23 14:15:23 2017) [sssd[be[internal.ieeeglobalspec.com]]]
>>> [ad_gpo_connect_done] (0x4000): server_hostname from uri:
>>> la-2pdom02.internal.ieeeglobalspec.com
>>> (Thu Feb 23 14:15:23 2017) [sssd[be[internal.ieeeglobalspec.com]]]
>>> [ad_gpo_connect_done] (0x0400): sam_account_name is LA-1QGLSESGAP01$
>>> (Thu Feb 23 14:15:23 2017) [sssd[be[internal.ieeeglobalspec.com]]]
>>> [ad_gpo_site_name_retrieval_done] (0x0040): Cannot retrieve master
>>> domain
>>> info
>>> (Thu Feb 23 14:15:23 2017) [sssd[be[internal.ieeeglobalspec.com]]]
>>> [ad_gpo_process_som_done] (0x0040): Unable to get som list: [2](No such
>>> file or directory)
>>> (Thu Feb 23 14:15:23 2017) [sssd[be[internal.ieeeglobalspec.com]]]
>>> [ad_gpo_access_done] (0x0040): GPO-based access control failed.
>>>
>>>
>>> Server is in an OU that is covered by my access policy GPO. GP Modeling
>>> shows that the correct policy would apply.
>>>
>>> Could you provide log files with higher debug level (7 should be enough)?
>>
>
> Level 9 would be better.
>
> Thanks
>
>
> Please provide domain log file and gpo_child.log
>>
>> LS
>>
> _______________________________________________
> sssd-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
>
