Hi all,

I am having issues getting remote and local GPO restrictions to work.

I am using:
- 2 Samba 4.1.16 PDCs on CentOS 6.5 64bit
- 1 CentOS 7 installation with sssd 1.12.3 as test client.

Other GPOs are working fine for Windows machines. Authentication against the Samba4 domain on the test client with sssd is working fine too.

I am now trying to use a Group Policy to deny access for 'testuser' for both local login as well as remote login (ssh and xrdp). This is not working at all.

I created a GPO which I linked to OU=Linux,OU=Servers,DC=mydomain,DC=com; in there, I have one machine, called ITCOPY. The GPO sets Deny Logon and Deny Remote Desktop access for MYDOMAIN\testuser. The GPO is set to be Enforced and the Security target is Authenticated Users.

As you can see, I set access_control back to permissive, so I should see some indication that the GPO is working in the log file.

Any help would be much appreciated!

Regards, Koen
My sssd conf:
# =========================================
[sssd]
domains = mydomain.com
config_file_version = 2
services = nss, pam

[domain/mydomain.com]
ad_domain = mydomain.com
ad_server = pdc.mydomain.com
krb5_realm = mydomain.com
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = False
use_fully_qualified_names = False
fallback_homedir = /home/%u
debug_level = 9
enumerate = True
access_provider = ad
#ad_access_filter = (&(memberOf=CN=linuxadmin,CN=Users,DC=mydomain,DC=com)(unixHomeDirectory=*))
id_provider = ad
auth_provider = ad
chpass_provider = ad
ad_gpo_access_control = permissive
ldap_schema = ad
dyndns_update = true
dyndns_refresh_interval = 43200
dyndns_update_ptr = true
dyndns_ttl = 3600
ad_gpo_map_remote_interactive = +xrdp-sesman
# =====================================
This is part of the sssd log file:
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_access_send] (0x0400): service sshd maps to Remote Interactive
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_access_send] (0x4000): server_hostname from uri: pdc.mydomain.com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_connect_done] (0x0400): sam_account_name is ITCOPY$
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_site_dn_retrieval_done] (0x0400): som_list[0]->som_dn is OU=Linux,OU=Servers,DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_site_dn_retrieval_done] (0x0400): som_list[1]->som_dn is OU=Servers,DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_site_dn_retrieval_done] (0x0400): som_list[2]->som_dn is DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_site_dn_retrieval_done] (0x0400): som_list[3]->som_dn is cn=Default-First-Site-Name,cn=Sites,CN=Configuration,DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_som_attrs_done] (0x4000): gpoptions attr not found or has no value; defaults to 0
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_gplink_list] (0x0400): som_dn: OU=Linux,OU=Servers,DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_gplink_list] (0x4000): gplink_list[0]: [cn={D49E3752-2ECB-42F6-A418-2AE1F3092929},cn=policies,cn=system,DC=mydomain,DC=com;2]
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_som_attrs_done] (0x4000): gpoptions attr not found or has no value; defaults to 0
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_gplink_list] (0x0400): som_dn: OU=Servers,DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_gplink_list] (0x4000): gplink_list[0]: [cn={691A69C9-FEF3-4A42-8129-64E8741F9D2C},cn=policies,cn=system,DC=mydomain,DC=com;1]
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_gplink_list] (0x4000): ignored gpo skipped
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_som_attrs_done] (0x4000): gpoptions attr not found or has no value; defaults to 0
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_gplink_list] (0x0400): som_dn: DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_gplink_list] (0x4000): gplink_list[0]: [CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=mydomain,DC=com;0]
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_som_attrs_done] (0x0040): no attrs found for SOM; try next SOM
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_candidate_gpos] (0x0400): candidate_gpos[0]->gpo_dn: CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_candidate_gpos] (0x0400): candidate_gpos[1]->gpo_dn: cn={D49E3752-2ECB-42F6-A418-2AE1F3092929},cn=policies,cn=system,DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): populating attrs for gpo_guid: {31B2F340-016D-11D2-945F-00C04FB984F9}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_extract_smb_components] (0x4000): input_path: \\mydomain.com\sysvol\mydomain.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): smb_server: smb://pdc.mydomain.com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): smb_share: /sysvol
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): smb_path: /mydomain.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): gpo_func_version: 2
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): gpo_flags: 0
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_parse_machine_ext_names] (0x4000): num_gpo_cse_guids: 3
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_parse_machine_ext_names] (0x4000): gpo_cse_guids[0] is {35378EAC-683F-11D2-A89A-00C04FBBCFA2}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_parse_machine_ext_names] (0x4000): gpo_cse_guids[1] is {827D319E-6EAC-11D2-A4EA-00C04F79F83A}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_parse_machine_ext_names] (0x4000): gpo_cse_guids[2] is {B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): populating attrs for gpo_guid: {D49E3752-2ECB-42F6-A418-2AE1F3092929}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_extract_smb_components] (0x4000): input_path: \\mydomain.com\SysVol\mydomain.com\Policies\{D49E3752-2ECB-42F6-A418-2AE1F3092929}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): smb_server: smb://pdc.mydomain.com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): smb_share: /SysVol
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): smb_path: /mydomain.com/Policies/{D49E3752-2ECB-42F6-A418-2AE1F3092929}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): gpo_func_version: 2
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_get_gpo_attrs_done] (0x4000): gpo_flags: 0
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_parse_machine_ext_names] (0x4000): num_gpo_cse_guids: 1
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_parse_machine_ext_names] (0x4000): gpo_cse_guids[0] is {827D319E-6EAC-11D2-A4EA-00C04F79F83A}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_filter_gpos_by_dacl] (0x4000): examining dacl candidate_gpo_guid:{31B2F340-016D-11D2-945F-00C04FB984F9}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_filter_gpos_by_dacl] (0x4000): GPO not applicable to target per security filtering
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_filter_gpos_by_dacl] (0x4000): examining dacl candidate_gpo_guid:{D49E3752-2ECB-42F6-A418-2AE1F3092929}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_filter_gpos_by_dacl] (0x4000): GPO not applicable to target per security filtering
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_process_gpo_done] (0x0400): no applicable gpos found after dacl filtering
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_access_done] (0x0400): GPO-based access control successful.
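Added example (not part of Koen's post and not sssd's own code): a small Python script that reads an sssd debug_level=9 log like the one above and summarises the GPO decision stage by stage. It decodes the gPLink option integer after the ';' in each link (0x1 = link disabled, which sssd reports as "ignored gpo skipped"; 0x2 = enforced), lists the candidate GPOs, and records which candidates were dropped by DACL security filtering. Run on this log it shows the point to look at first: both candidates, including the enforced deny GPO {D49E3752-2ECB-42F6-A418-2AE1F3092929}, fail security filtering, so their Deny Logon settings are never fetched from SYSVOL, and with no applicable GPO the check ends as "successful" whatever ad_gpo_access_control is set to. The sample log embedded in the script is the post's log reduced to the lines the parser uses, joined to one message per line as sssd writes them; the wording of the troubleshooting notes in explain() is the example's own.

```python
"""Summarise sssd's GPO access-control decisions from a debug_level=9 log."""
import re

# gPLink option bits (MS-GPOL): the integer after ';' in each [dn;options] entry.
GPLINK_DISABLED = 0x1   # link disabled: sssd logs "ignored gpo skipped"
GPLINK_ENFORCED = 0x2   # link enforced: cannot be blocked by a lower OU

# Constructed sample: the post's log reduced to the lines this parser uses, one
# message per line as sssd writes them (the mail client wrapped the originals).
SAMPLE_LOG = """\
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_access_send] (0x0400): service sshd maps to Remote Interactive
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_connect_done] (0x0400): sam_account_name is ITCOPY$
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_gplink_list] (0x0400): som_dn: OU=Linux,OU=Servers,DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_gplink_list] (0x4000): gplink_list[0]: [cn={D49E3752-2ECB-42F6-A418-2AE1F3092929},cn=policies,cn=system,DC=mydomain,DC=com;2]
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_gplink_list] (0x0400): som_dn: OU=Servers,DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_gplink_list] (0x4000): gplink_list[0]: [cn={691A69C9-FEF3-4A42-8129-64E8741F9D2C},cn=policies,cn=system,DC=mydomain,DC=com;1]
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_gplink_list] (0x4000): ignored gpo skipped
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_gplink_list] (0x0400): som_dn: DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_gplink_list] (0x4000): gplink_list[0]: [CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=mydomain,DC=com;0]
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_candidate_gpos] (0x0400): candidate_gpos[0]->gpo_dn: CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_populate_candidate_gpos] (0x0400): candidate_gpos[1]->gpo_dn: cn={D49E3752-2ECB-42F6-A418-2AE1F3092929},cn=policies,cn=system,DC=mydomain,DC=com
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_filter_gpos_by_dacl] (0x4000): examining dacl candidate_gpo_guid:{31B2F340-016D-11D2-945F-00C04FB984F9}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_filter_gpos_by_dacl] (0x4000): GPO not applicable to target per security filtering
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_filter_gpos_by_dacl] (0x4000): examining dacl candidate_gpo_guid:{D49E3752-2ECB-42F6-A418-2AE1F3092929}
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_filter_gpos_by_dacl] (0x4000): GPO not applicable to target per security filtering
(Fri Jan 23 14:21:23 2015) [sssd[be[mydomain.com]]] [ad_gpo_access_done] (0x0400): GPO-based access control successful.
"""

MSG_RE = re.compile(r"\[(ad_gpo_\w+)\] \(0x[0-9a-fA-F]+\): (.*)$")
SERVICE_RE = re.compile(r"service (\S+) maps to (.+)")
HOST_RE = re.compile(r"sam_account_name is (.+)")
SOM_RE = re.compile(r"som_dn: (.+)")
LINK_RE = re.compile(r"gplink_list\[\d+\]: \[(.+);(\d+)\]")
CANDIDATE_RE = re.compile(r"candidate_gpos\[\d+\]->gpo_dn: (.+)")
DACL_RE = re.compile(r"examining dacl candidate_gpo_guid:(\{[0-9A-Fa-f-]+\})")
REJECTED = "GPO not applicable to target per security filtering"


def decode_gplink_options(opts: int) -> dict:
    """Decode a gPLink options integer into its two meaningful flags."""
    return {"disabled": bool(opts & GPLINK_DISABLED),
            "enforced": bool(opts & GPLINK_ENFORCED)}


def summarize(log_text: str) -> dict:
    """Walk the log in order and record what sssd decided at each stage."""
    s = {"service": None, "category": None, "host": None, "links": [],
         "candidates": [], "dacl_rejected": [], "applicable": [], "result": None}
    current_som = None      # SOM whose gPLink entries are being listed
    current_guid = None     # GPO whose DACL is being examined
    for line in log_text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue                      # not an ad_gpo_* message
        func, msg = m.groups()
        if x := SERVICE_RE.match(msg):
            s["service"], s["category"] = x.groups()
        elif x := HOST_RE.match(msg):
            s["host"] = x.group(1)
        elif x := SOM_RE.match(msg):
            current_som = x.group(1)
        elif x := LINK_RE.match(msg):
            s["links"].append({"som": current_som, "gpo": x.group(1),
                               "options": decode_gplink_options(int(x.group(2)))})
        elif x := CANDIDATE_RE.match(msg):
            s["candidates"].append(x.group(1))
        elif x := DACL_RE.match(msg):
            current_guid = x.group(1)
            s["applicable"].append(current_guid)   # applicable until rejected
        elif msg.startswith(REJECTED) and current_guid in s["applicable"]:
            s["applicable"].remove(current_guid)
            s["dacl_rejected"].append(current_guid)
        elif func == "ad_gpo_access_done":
            s["result"] = msg
    return s


def explain(s: dict) -> list:
    """Turn the summary into the points a troubleshooter should check first."""
    notes = []
    for link in s["links"]:
        if link["options"]["disabled"]:
            notes.append(f"link on {link['som']} is disabled, so its GPO is never a candidate")
    if s["candidates"] and not s["applicable"]:
        notes.append(
            f"all {len(s['candidates'])} candidate GPOs were dropped by security filtering: "
            f"check that the computer account {s['host']} (or a group sssd resolves it into) "
            "holds Read and Apply Group Policy on each GPO; no GPO settings were fetched, so "
            "the result is 'successful' in any ad_gpo_access_control mode")
    elif s["applicable"]:
        notes.append(f"GPO(s) that passed filtering: {', '.join(s['applicable'])}")
    return notes


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    print(f"{summary['host']}: {summary['service']} -> {summary['category']}")
    for link in summary["links"]:
        print(f"  {link['som']}: {link['gpo'].split(',')[0]} {link['options']}")
    for note in explain(summary):
        print("  *", note)
    print("  result:", summary["result"])
```

To use it on a live system, replace SAMPLE_LOG with the contents of /var/log/sssd/sssd_<domain>.log for one login attempt; the parser only keys on the ad_gpo_* messages, so the surrounding noise at debug_level 9 is ignored.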