Attached are the logs. It seems that even after removing the GPOs, it is still being blocked from logging in.
May 29 12:17:24 la-1potpap01 sshd: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.85.144.87 user=a-mdiorio
May 29 12:17:25 la-1potpap01 sshd: pam_sss(sshd:account): Access denied for user a-mdiorio: 4 (System error)
May 29 12:17:25 la-1potpap01 sshd: Failed password for a-mdiorio from 10.85.144.87 port 60267 ssh2
May 29 12:17:25 la-1potpap01 sshd: fatal: Access denied for user a-mdiorio by PAM account configuration [preauth]
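As an added example (not part of the thread), a small Python triage script that reads sshd/pam_sss lines like those above and separates an account-phase denial (credentials accepted, then access refused where SSSD's GPO access check runs) from a plain credential failure; the sample lines are constructed to match the log format in the message, and the second user is invented.

```python
import re

# Constructed sample log, modelled on the sshd/pam_sss lines in the thread.
SAMPLE_LOG = """\
May 29 12:17:24 la-1potpap01 sshd: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.85.144.87 user=a-mdiorio
May 29 12:17:25 la-1potpap01 sshd: pam_sss(sshd:account): Access denied for user a-mdiorio: 4 (System error)
May 29 12:17:25 la-1potpap01 sshd: Failed password for a-mdiorio from 10.85.144.87 port 60267 ssh2
May 29 12:17:25 la-1potpap01 sshd: fatal: Access denied for user a-mdiorio by PAM account configuration [preauth]
May 29 12:20:01 la-1potpap01 sshd: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.85.144.87 user=bob
May 29 12:20:01 la-1potpap01 sshd: Failed password for bob from 10.85.144.87 port 60300 ssh2
"""

# pam_sss auth phase: password/credential result. \buser= avoids matching "ruser=".
AUTH_RE = re.compile(
    r"pam_sss\((?P<service>[^:]+):auth\): authentication (?P<result>success|failure);"
    r".*\buser=(?P<user>\S+)"
)
# pam_sss account phase: this is where SSSD's access control (e.g. GPO checks) answers.
ACCOUNT_RE = re.compile(
    r"pam_sss\((?P<service>[^:]+):account\): Access denied for user "
    r"(?P<user>[^:]+): (?P<code>\d+) \((?P<reason>[^)]+)\)"
)


def triage(log_text):
    """Map each user to (verdict, pam_code, reason).

    'credentials'     - pam_sss auth phase failed (wrong password or similar).
    'account_policy'  - auth succeeded but the account phase denied access;
                        sshd still logs "Failed password", which is misleading.
    'account_unknown' - account denial seen without a preceding auth result.
    """
    last_auth = {}
    findings = {}
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if m:
            last_auth[m["user"]] = m["result"]
            if m["result"] == "failure":
                findings[m["user"]] = ("credentials", None, None)
            continue
        m = ACCOUNT_RE.search(line)
        if m:
            user = m["user"]
            verdict = "account_policy" if last_auth.get(user) == "success" else "account_unknown"
            findings[user] = (verdict, int(m["code"]), m["reason"])
    return findings


if __name__ == "__main__":
    for user, finding in triage(SAMPLE_LOG).items():
        print(user, finding)
```

For the thread's user the verdict is account_policy with PAM code 4 (System error), which points at the account-phase access check rather than at the password.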
On May 28, 2018, at 6:49 AM, Michal Židek <mzidek(a)redhat.com>
From your description the setup should work. Can you send full (sanitized) logs? Mostly
the domain and gpo_child logs are interesting
here, but for simplicity you can send all logs:
- stop sssd
- remove cached files in:
rm -r /var/lib/sss/gpo_cache/*
rm -r /var/lib/sss/db/*
- set debug_level in domain section in /etc/sssd/sssd.conf to 10
- reproduce issue
- send logs from /var/log/sssd/
- if you remove the single computer policy, does the "generic" policy
apply as expected to the affected computer in question?
On 05/25/2018 08:58 PM, Max DiOrio wrote:
> So it seems that I’m having an issue with GPO processing. I have an OU
> (Servers/Infrastructure) that contains a few servers. In this OU, I have a few GPOs.
> One is “generic” that should be applied to every server in this OU - which allows
> Remote Interactive Login and Logon Locally to Domain Admins.
> I also have a GPO that applies to a specific server in this OU that grants access to
> a service account to log on to terminal services and log on as a service. For this GPO, I
> have a security filter to the specific computer object it is supposed to apply to - and I
> think this is the root of my issue.
> The GPOs are listed:
> 1) Infrastructure servers Access Control (that should apply to them all)
> 2) Single Computer policy for service account
> When looking at the sssd_domain logs, I can see that it’s processing both GPOs, but
> only adding the account from policy 2 to the ad_gpo_access_check, meaning domain admins
> can’t log in to either server, only the service account can to both of them.
> So we have multiple issues:
> 1) It’s not combining the GPO access policies, but only taking the last one found
> 2) It’s not abiding by the Security Filtering on the GPO
> So in my case - how would I go about making this work? Would I need a separate GPO
> for each server I want to apply individual rights to and explicitly include the domain
> admins group in it, then using delegation allow the single computer read and deny read of
> every other computer?
> Seems like this also means you can’t do GPO inheritance if it only takes the last
> found GPO and ignores the settings configured in previous GPOs it checked.
> Any ideas?
> sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: