On (29/07/16 12:53), Schiller Frank wrote:
Hello,
that was it. I can login now with active-directory user. We don't need the GPO on the
Linux-Workstations.
Thank you very much for your support!
It's not a solution it's just a workaround.
But if you do not want to use GPO for access control then
it is a sufficient workaround.
There seems to be some problem with gpo child.
(Fri Jul 29 14:12:00 2016) [sssd[be[MMDE.LOCAL]]] [gpo_cse_done] (0x0020):
ad_gpo_parse_gpo_child_response failed: [22][Das Argument ist ungültig]
(Fri Jul 29 14:12:00 2016) [sssd[be[MMDE.LOCAL]]] [ad_gpo_cse_done] (0x0400): gpo_guid:
{31B2F340-016D-11D2-945F-00C04FB984F9}
(Fri Jul 29 14:12:00 2016) [sssd[be[MMDE.LOCAL]]] [ad_gpo_cse_done] (0x0040): Unable to
retrieve policy data: [22](Das Argument ist ungültig}
(Fri Jul 29 14:12:00 2016) [sssd[be[MMDE.LOCAL]]] [ad_gpo_access_done] (0x0040): GPO-based
access control failed.
(Fri Jul 29 14:12:00 2016) [sssd[be[MMDE.LOCAL]]] [be_pam_handler_callback] (0x0100):
Backend returned: (3, 4, Das Argument ist ungültig) [Internal Error]
(Fri Jul 29 14:12:00 2016) [sssd[be[MMDE.LOCAL]]] [be_pam_handler_callback] (0x0100):
Sending result [4][MMDE.LOCAL]
(Fri Jul 29 14:12:00 2016) [sssd[be[MMDE.LOCAL]]] [be_pam_handler_callback] (0x0100): Sent
result [4][MMDE.LOCAL]
Could you change ad_gpo_access_control back to enforcing (the default)
and provide doman log file together with *_child.log files?
LS