[SSSD-users] Re: ����: Re: The Direct Integration between SSSD and Active Directory , Access Control via GPO, logon to server failed uncertain

Thu, 13 Jul 2017 07:17:53 -0700 

On 07/12/2017 04:36 PM, Jakub Hrozek wrote:

On Tue, Jul 11, 2017 at 07:22:41AM +0000, 程 波 wrote:

程 波 已与你共享 OneDrive 文件。若要查看,请单击下面的链接。


<https://1drv.ms/u/s!AnBXPe2fk7BFjDE6MV_iHeIJ6Xub>
[https://r1.res.office365.com/owa/prem/images/dc-generic_20.png]<https://1drv.ms/u/s!AnBXPe2fk7BFjDE6MV_iHeIJ6Xub>

sssd_mydomain.com.log<https://1drv.ms/u/s!AnBXPe2fk7BFjDE6MV_iHeIJ6Xub>




the debug log attached.


 From the debug logs:
(Tue Jul 11 15:08:25 2017) [sssd[be[mydomain.com]]] [gpo_cse_done] (0x0020): 
ad_gpo_parse_gpo_child_response failed: [22][Invalid argument]


The above means that the GPO child response does not have expected
format. gpo_child.log (in the same directory as domain log) could
provide more info.

Michal


(Tue Jul 11 15:08:25 2017) [sssd[be[mydomain.com]]] [ad_gpo_cse_done] (0x0400): 
gpo_guid: {241B7E35-2AA1-4004-A82B-DA333FE6DC2C}
(Tue Jul 11 15:08:25 2017) [sssd[be[mydomain.com]]] [ad_gpo_cse_done] (0x0040): 
Unable to retrieve policy data: [22](Invalid argument}
(Tue Jul 11 15:08:25 2017) [sssd[be[mydomain.com]]] [ad_gpo_access_done] 
(0x0040): GPO-based access control failed.
(Tue Jul 11 15:08:25 2017) [sssd[be[mydomain.com]]] [dp_req_done] (0x0400): DP 
Request [PAM Account #3]: Request handler finished [0]: Success
(Tue Jul 11 15:08:25 2017) [sssd[be[mydomain.com]]] [_dp_req_recv] (0x0400): DP 
Request [PAM Account #3]: Receiving request data.
(Tue Jul 11 15:08:25 2017) [sssd[be[mydomain.com]]] [dp_req_destructor] 
(0x0400): DP Request [PAM Account #3]: Request removed.
(Tue Jul 11 15:08:25 2017) [sssd[be[mydomain.com]]] [dp_req_destructor] 
(0x0400): Number of active DP request: 0
(Tue Jul 11 15:08:25 2017) [sssd[be[mydomain.com]]] [dp_method_enabled] 
(0x0400): Target selinux is not configured
(Tue Jul 11 15:08:25 2017) [sssd[be[mydomain.com]]] [dp_pam_reply] (0x1000): DP 
Request [PAM Account #3]: Sending result [4][mydomain.com]

So there was some error during access control. If you are not using GPO
access control from your Windows domain, then you can disable the GPO
processing with:
     ad_gpo_access_control = permissive

I don't know specifically what causes the error. Maybe Michal knows?
_______________________________________________
sssd-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]


_______________________________________________
sssd-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]

Reply via email to