the only
GPO-related
bug after the 1.12.3 release was
https://fedorahosted.org/sssd/ticket/2543
Pretty sure it has nothing to do with unresolvable LDAP uri :-)
I don't have a Windows AD, but I can definitely try to set up one
on our test environment.
But that s gonna take some time.
I would advice against enumerate=True in large environments.
We dont have a large environment, and I put it there, on purpose, to see
if it worked :-)
Once I have everything working as it should I will revise the settings
before I deploy it on all our linux machines.
You can drop ldap_schema=ad, it's already the default for id_provider=ad
OK good to know, thanks for that !
Can you confirm that the GUIDs of the GPOs SSSD downloads correspond to
those you defined on the sever side?
[root@pdc Policies]# ls
{31B2F340-016D-11D2-945F-00C04FB984F9} - This is the Default Policy (
empty )
{691A69C9-FEF3-4A42-8129-64E8741F9D2C} - Other Policy, not for this OU
{6AC1786C-016F-11D2-945F-00C04FB984F9} - Same
{D49E3752-2ECB-42F6-A418-2AE1F3092929} - This is the Policy containing
the deny rules for user Testuser (Deny log on locally and Deny log on
through Remote Desktop )
{E55C6360-FBC1-485A-8EFF-A7D9392514D2} - Other Policy, not for this OU
Note that func_versions is 2 and flags is 0, same for the other GPO.
What does that mean? :-)
OK, access was denied but since both the flags and the func_version were
value we expect, I presume the code made it all the way to
ad_gpo_evaluate_ace() where the GPO is really evaluated. Unfortunately
there's not much logging there. I wonder if the GUIDs are correct? If
so, we can proceed with debugging, maybe with some instrumented build..
There is one SID I cant figure out: [ad_gpo_parse_machine_ext_names]
(0x4000): gpo_cse_guids[0] is
{827D319E-6EAC-11D2-A4EA-00C04F79F83A}
btw did you also try the other way around, only allow access?
Yes, same issue
Regards and thanks for the help!, Koen
On Fri, Jan 23, 2015 at 04:10:12PM +0100, Koen de Boeve wrote:
Hi all,
I am having issues getting remote and local GPO restrictions to work
I am using:
- 2 Samba 4.1.16 PDC's on CentOS 6.5 64bit
- 1 CentOS 7 installation with sssd 1.12.3. as testclient.
other GPO's are working fine for windows machines.
Authentication against the Samba4 Domain on the testclient with sssd is
working fine too.
I am now trying to use a Group Policy to deny access for 'testuser' for both
local login as well as remote login ( ssh and xrdp )
This is not working at all.
I created a GPO which I linked to OU=Linux,OU=Servers,DC=mydomain,DC=com
in there, I have one machine, called ITCOPY.
the GPO sets Deny Logon and Deny Remote Desktop access for MYDOMAIN\testuser
The GPO is set to be Enforced and the Security target is Authenticated
Users.
as you can see, I set access_control back to permissive, so I should see
some indication that the GPO is working in the log file.
Any help would be much appreciated!
Regards, Koen
Hi Koen,
I don't have a complete answer, but I'll try to help and maybe we can
work out some details.
First, do you have an actual AD server around to test with? In the past
we've seen bugs with Samba that didn't occur with AD and I'm not sure if
anyone tried the GPO integration with Samba..
The SSSD version you're running is pretty recent, the only GPO-related
bug after the 1.12.3 release was
https://fedorahosted.org/sssd/ticket/2543
My sssd conf:
# =========================================
[sssd]
domains = mydomain.com
config_file_version = 2
services = nss, pam
[domain/mydomain.com]
ad_domain = mydomain.com
ad_server = pdc.mydomain.com
krb5_realm = mydomain.com
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = False
use_fully_qualified_names = False
fallback_homedir = /home/%u
debug_level = 9
enumerate = True
I would advice against enumerate=True in large environments.
access_provider = ad
#ad_access_filter =
(&(memberOf=CN=linuxadmin,CN=Users,DC=mydomain,DC=com)(unixHomeDirectory=*))
id_provider = ad
auth_provider = ad
chpass_provider = ad
ad_gpo_access_control = permissive
ldap_schema = ad
You can drop ldap_schema=ad, it's already the default for id_provider=ad
dyndns_update = true
dyndns_refresh_interval = 43200
dyndns_update_ptr = true
dyndns_ttl = 3600
ad_gpo_map_remote_interactive = +xrdp-sesman
# =====================================
This is part of the sssd log file:
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_access_send]
(0x0400): service sshd maps to Remote Interactive
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_access_send]
(0x4000): server_hostname from uri: pdc.mydomain.com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_connect_done]
(0x0400): sam_account_name is ITCOPY$
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_site_dn_retrieval_done] (0x0400): som_list[0]->som_dn is
OU=Linux,OU=Servers,DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_site_dn_retrieval_done] (0x0400): som_list[1]->som_dn is
OU=Servers,DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_site_dn_retrieval_done] (0x0400): som_list[2]->som_dn is
DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_site_dn_retrieval_done] (0x0400): som_list[3]->som_dn is
cn=Default-First-Site-Name,cn=Sites,CN=Configuration,DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_get_som_attrs_done] (0x4000): gpoptions attr not found or has no
value; defaults to 0
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_populate_gplink_list] (0x0400): som_dn:
OU=Linux,OU=Servers,DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_populate_gplink_list] (0x4000): gplink_list[0]: [cn={D49E3752-2ECB-42F6-A418-2AE1F3092929},cn=policies,cn=system,DC=mydomain,DC=com;
2]
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_get_som_attrs_done] (0x4000): gpoptions attr not found or has no
value; defaults to 0
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_populate_gplink_list] (0x0400): som_dn:
OU=Servers,DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_populate_gplink_list] (0x4000): gplink_list[0]: [cn={691A69C9-FEF3-4A42-8129-64E8741F9D2C},cn=policies,cn=system,DC=mydomain,DC=com;
1]
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_populate_gplink_list] (0x4000): ignored gpo skipped
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_get_som_attrs_done] (0x4000): gpoptions attr not found or has no
value; defaults to 0
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_populate_gplink_list] (0x0400): som_dn: DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_populate_gplink_list] (0x4000): gplink_list[0]: [CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=mydomain,DC=com;
0]
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_get_som_attrs_done] (0x0040): no attrs found for SOM; try next SOM
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_populate_candidate_gpos] (0x0400): candidate_gpos[0]->gpo_dn: CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_populate_candidate_gpos] (0x0400): candidate_gpos[1]->gpo_dn: cn={D49E3752-2ECB-42F6-A418-2AE1F3092929},cn=policies,cn=system,DC=mydomain,DC=com
Can you confirm that the GUIDs of the GPOs SSSD downloads correspond to
those you defined on the sever side?
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_get_gpo_attrs_done] (0x4000): populating attrs for gpo_guid:
{31B2F340-016D-11D2-945F-00C04FB984F9}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_extract_smb_components] (0x4000): input_path: \\mydomain.com\sysvol\mydomain.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_get_gpo_attrs_done] (0x4000): smb_server: smb://pdc.mydomain.com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_get_gpo_attrs_done] (0x4000): smb_share: /sysvol
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_get_gpo_attrs_done] (0x4000): smb_path:
/mydomain.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_get_gpo_attrs_done] (0x4000): gpo_func_version: 2
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_get_gpo_attrs_done] (0x4000): gpo_flags: 0
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_parse_machine_ext_names] (0x4000): num_gpo_cse_guids: 3
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_parse_machine_ext_names] (0x4000): gpo_cse_guids[0] is
{35378EAC-683F-11D2-A89A-00C04FBBCFA2}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_parse_machine_ext_names] (0x4000): gpo_cse_guids[1] is
{827D319E-6EAC-11D2-A4EA-00C04F79F83A}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_parse_machine_ext_names] (0x4000): gpo_cse_guids[2] is
{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_get_gpo_attrs_done] (0x4000): populating attrs for gpo_guid:
{D49E3752-2ECB-42F6-A418-2AE1F3092929}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_extract_smb_components] (0x4000): input_path: \\mydomain.com\SysVol\mydomain.com\Policies\{D49E3752-2ECB-42F6-A418-2AE1F3092929}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_get_gpo_attrs_done] (0x4000): smb_server: smb://pdc.mydomain.com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_get_gpo_attrs_done] (0x4000): smb_share: /SysVol
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_get_gpo_attrs_done] (0x4000): smb_path:
/mydomain.com/Policies/{D49E3752-2ECB-42F6-A418-2AE1F3092929}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_get_gpo_attrs_done] (0x4000): gpo_func_version: 2
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_get_gpo_attrs_done] (0x4000): gpo_flags: 0
Note that func_versions is 2 and flags is 0, same for the other GPO.
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_parse_machine_ext_names] (0x4000): num_gpo_cse_guids: 1
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_parse_machine_ext_names] (0x4000): gpo_cse_guids[0] is
{827D319E-6EAC-11D2-A4EA-00C04F79F83A}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_filter_gpos_by_dacl] (0x4000): examining dacl
candidate_gpo_guid:{31B2F340-016D-11D2-945F-00C04FB984F9}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_filter_gpos_by_dacl] (0x4000): GPO not applicable to target per
security filtering
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_filter_gpos_by_dacl] (0x4000): examining dacl
candidate_gpo_guid:{D49E3752-2ECB-42F6-A418-2AE1F3092929}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_filter_gpos_by_dacl] (0x4000): GPO not applicable to target per
security filtering
OK, access was denied but since both the flags and the func_version were
value we expect, I presume the code made it all the way to
ad_gpo_evaluate_ace() where the GPO is really evaluated. Unfortunately
there's not much logging there. I wonder if the GUIDs are correct? If
so, we can proceed with debugging, maybe with some instrumented build..
btw did you also try the other way around, only allow access?
_______________________________________________
sssd-users mailing list
sssd-users@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
Hi all,
I am having issues getting remote and local GPO restrictions to work
I am using:
- 2 Samba 4.1.16 PDC's on CentOS 6.5 64bit
- 1 CentOS 7 installation with sssd 1.12.3. as testclient.
other GPO's are working fine for windows machines.
Authentication against the Samba4 Domain on the testclient with sssd
is
working fine too.
I am now trying to use a Group Policy to deny access for 'testuser'
for
both local login as well as remote login ( ssh and xrdp )
This is not working at all.
I created a GPO which I linked to
OU=Linux,OU=Servers,DC=mydomain,DC=com
in there, I have one machine, called ITCOPY.
the GPO sets Deny Logon and Deny Remote Desktop access for
MYDOMAIN\testuser
The GPO is set to be Enforced and the Security target is
Authenticated
Users.
as you can see, I set access_control back to permissive, so I should
see
some indication that the GPO is working in the log file.
Any help would be much appreciated!
Regards, Koen
My sssd conf:
# =========================================
[sssd]
domains = mydomain.com
config_file_version = 2
services = nss, pam
[domain/mydomain.com]
ad_domain = mydomain.com
ad_server = pdc.mydomain.com
krb5_realm = mydomain.com
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = False
use_fully_qualified_names = False
fallback_homedir = /home/%u
debug_level = 9
enumerate = True
access_provider = ad
#ad_access_filter =
(&(memberOf=CN=linuxadmin,CN=Users,DC=mydomain,DC=com)(unixHomeDirectory=*))
id_provider = ad
auth_provider = ad
chpass_provider = ad
ad_gpo_access_control = permissive
ldap_schema = ad
dyndns_update = true
dyndns_refresh_interval = 43200
dyndns_update_ptr = true
dyndns_ttl = 3600
ad_gpo_map_remote_interactive = +xrdp-sesman
# =====================================
This is part of the sssd log file:
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_access_send]
(0x0400): service sshd maps to Remote Interactive
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_access_send]
(0x4000): server_hostname from uri: pdc.mydomain.com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_connect_done] (0x0400): sam_account_name is ITCOPY$
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_site_dn_retrieval_done] (0x0400): som_list[0]->som_dn is
OU=Linux,OU=Servers,DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_site_dn_retrieval_done] (0x0400): som_list[1]->som_dn is
OU=Servers,DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_site_dn_retrieval_done] (0x0400): som_list[2]->som_dn is
DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_site_dn_retrieval_done] (0x0400): som_list[3]->som_dn is
cn=Default-First-Site-Name,cn=Sites,CN=Configuration,DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_get_som_attrs_done] (0x4000): gpoptions attr not found or has no
value; defaults to 0
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_populate_gplink_list] (0x0400): som_dn:
OU=Linux,OU=Servers,DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_populate_gplink_list] (0x4000): gplink_list[0]:
[cn={D49E3752-2ECB-42F6-A418-2AE1F3092929},cn=policies,cn=system,DC=mydomain,DC=com;
2]
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_get_som_attrs_done] (0x4000): gpoptions attr not found or has no
value; defaults to 0
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_populate_gplink_list] (0x0400): som_dn:
OU=Servers,DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_populate_gplink_list] (0x4000): gplink_list[0]:
[cn={691A69C9-FEF3-4A42-8129-64E8741F9D2C},cn=policies,cn=system,DC=mydomain,DC=com;
1]
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_populate_gplink_list] (0x4000): ignored gpo skipped
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_get_som_attrs_done] (0x4000): gpoptions attr not found or has no
value; defaults to 0
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_populate_gplink_list] (0x0400): som_dn: DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_populate_gplink_list] (0x4000): gplink_list[0]:
[CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=mydomain,DC=com;
0]
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_get_som_attrs_done] (0x0040): no attrs found for SOM; try next
SOM
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_populate_candidate_gpos] (0x0400): candidate_gpos[0]->gpo_dn:
CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_populate_candidate_gpos] (0x0400): candidate_gpos[1]->gpo_dn:
cn={D49E3752-2ECB-42F6-A418-2AE1F3092929},cn=policies,cn=system,DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_get_gpo_attrs_done] (0x4000): populating attrs for gpo_guid:
{31B2F340-016D-11D2-945F-00C04FB984F9}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_extract_smb_components] (0x4000): input_path:
\\mydomain.com\sysvol\mydomain.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_get_gpo_attrs_done] (0x4000): smb_server:
smb://pdc.mydomain.com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_get_gpo_attrs_done] (0x4000): smb_share: /sysvol
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_get_gpo_attrs_done] (0x4000): smb_path:
/mydomain.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_get_gpo_attrs_done] (0x4000): gpo_func_version: 2
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_get_gpo_attrs_done] (0x4000): gpo_flags: 0
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_parse_machine_ext_names] (0x4000): num_gpo_cse_guids: 3
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_parse_machine_ext_names] (0x4000): gpo_cse_guids[0] is
{35378EAC-683F-11D2-A89A-00C04FBBCFA2}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_parse_machine_ext_names] (0x4000): gpo_cse_guids[1] is
{827D319E-6EAC-11D2-A4EA-00C04F79F83A}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_parse_machine_ext_names] (0x4000): gpo_cse_guids[2] is
{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_get_gpo_attrs_done] (0x4000): populating attrs for gpo_guid:
{D49E3752-2ECB-42F6-A418-2AE1F3092929}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_extract_smb_components] (0x4000): input_path:
\\mydomain.com\SysVol\mydomain.com\Policies\{D49E3752-2ECB-42F6-A418-2AE1F3092929}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_get_gpo_attrs_done] (0x4000): smb_server:
smb://pdc.mydomain.com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_get_gpo_attrs_done] (0x4000): smb_share: /SysVol
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_get_gpo_attrs_done] (0x4000): smb_path:
/mydomain.com/Policies/{D49E3752-2ECB-42F6-A418-2AE1F3092929}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_get_gpo_attrs_done] (0x4000): gpo_func_version: 2
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_get_gpo_attrs_done] (0x4000): gpo_flags: 0
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_parse_machine_ext_names] (0x4000): num_gpo_cse_guids: 1
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_parse_machine_ext_names] (0x4000): gpo_cse_guids[0] is
{827D319E-6EAC-11D2-A4EA-00C04F79F83A}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_filter_gpos_by_dacl] (0x4000): examining dacl
candidate_gpo_guid:{31B2F340-016D-11D2-945F-00C04FB984F9}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_filter_gpos_by_dacl] (0x4000): GPO not applicable to target per
security filtering
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_filter_gpos_by_dacl] (0x4000): examining dacl
candidate_gpo_guid:{D49E3752-2ECB-42F6-A418-2AE1F3092929}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_filter_gpos_by_dacl] (0x4000): GPO not applicable to target per
security filtering
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_process_gpo_done] (0x0400): no applicable gpos found after dacl
filtering
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]]
[ad_gpo_access_done]
(0x0400): GPO-based access control successful.