1、SSSD version:
sssd-common-1.16.5-10.el7_9.12.x86_64
sssd-ldap-1.16.5-10.el7_9.12.x86_64
sssd-ad-1.16.5-10.el7_9.12.x86_64
sssd-client-1.16.5-10.el7_9.12.x86_64
python-sssdconfig-1.16.5-10.el7_9.12.noarch
sssd-krb5-common-1.16.5-10.el7_9.12.x86_64
sssd-ipa-1.16.5-10.el7_9.12.x86_64
sssd-krb5-1.16.5-10.el7_9.12.x86_64
sssd-1.16.5-10.el7_9.12.x86_64
sssd-common-pac-1.16.5-10.el7_9.12.x86_64
sssd-proxy-1.16.5-10.el7_9.12.x86_64

2、SSSD configuration
[sssd]
domains = adtest.zly.com
config_file_version = 2
services = nss, pam
[domain/adtest.zly.com]
ad_server = adtest.adtest.zly.com
ad_domain = adtest.zly.com
krb5_realm = ADTEST.ZLY.COM
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = true
use_fully_qualified_names = false
fallback_homedir = /home/%u
access_provider = ad
debug_level=9
ad_gpo_access_control=enforcing
#ad_gpo_access_control=permissive

3、Error log
Error in /var/log/secure:
Apr 12 15:28:15 wxvmlinux sshd[3784]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=njadmin
Apr 12 15:28:15 wxvmlinux sssd[be[adtest.zly.com]]: Warning: user would have been denied GPO-based logon access if the ad_gpo_access_control option were set to enforcing mode.
Apr 12 15:28:15 wxvmlinux sshd[3784]: Accepted password for njadmin from ::1 port 49040 ssh2
Apr 12 15:28:15 wxvmlinux sshd[3784]: pam_unix(sshd:session): session opened for user njadmin by (uid=0)
Apr 12 15:28:24 wxvmlinux sshd[3836]: Received disconnect from ::1 port 49040:11: disconnected by user
Apr 12 15:28:24 wxvmlinux sshd[3836]: Disconnected from ::1 port 49040
Apr 12 15:28:24 wxvmlinux sshd[3784]: pam_unix(sshd:session): session closed for user njadmin
Apr 12 15:28:40 wxvmlinux polkitd[547]: Registered Authentication Agent for unix-process:3889:296012 (system bus name :1.57 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
Apr 12 15:28:41 wxvmlinux polkitd[547]: Unregistered Authentication Agent for unix-process:3889:296012 (system bus name :1.57, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
Apr 12 15:28:46 wxvmlinux sshd[3925]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=njadmin
Apr 12 15:28:46 wxvmlinux sshd[3925]: pam_sss(sshd:account): Access denied for user njadmin: 4 (System error)
Apr 12 15:28:46 wxvmlinux sshd[3925]: Failed password for njadmin from ::1 port 49084 ssh2
Apr 12 15:28:46 wxvmlinux sshd[3925]: fatal: Access denied for user njadmin by PAM account configuration [preauth]
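Reading the /var/log/secure excerpt above: at 15:28:15 pam_sss authenticates njadmin, SSSD only logs the permissive-mode warning, and the session opens; at 15:28:46 the account phase denies njadmin with PAM code 4 (System error) and sshd rejects the login. The code matters for triage. Linux-PAM defines 4 as PAM_SYSTEM_ERR and 6 as PAM_PERM_DENIED, so a 4 means the access check could not be evaluated at all (in this report the gpo_child log shows the GPT.INI parse failing), whereas a 6 would be a policy decision that the user is not allowed to log on. The following Python is an added example, not part of the report or of SSSD, that pulls these two event types out of sample log lines modelled on the excerpt and classifies them; the extra "bob" line with code 6 is constructed for contrast, and the mapping of code 6 to a policy denial comes from the Linux-PAM header, not from this report.

```python
import re
from collections import Counter

# Constructed sample: the first six lines follow the /var/log/secure excerpt in
# this report; the last line (user "bob", code 6) is added to show the contrast.
SAMPLE_SECURE_LOG = """\
Apr 12 15:28:15 wxvmlinux sshd[3784]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=njadmin
Apr 12 15:28:15 wxvmlinux sssd[be[adtest.zly.com]]: Warning: user would have been denied GPO-based logon access if the ad_gpo_access_control option were set to enforcing mode.
Apr 12 15:28:15 wxvmlinux sshd[3784]: Accepted password for njadmin from ::1 port 49040 ssh2
Apr 12 15:28:46 wxvmlinux sshd[3925]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=njadmin
Apr 12 15:28:46 wxvmlinux sshd[3925]: pam_sss(sshd:account): Access denied for user njadmin: 4 (System error)
Apr 12 15:28:46 wxvmlinux sshd[3925]: Failed password for njadmin from ::1 port 49084 ssh2
Apr 12 15:29:02 wxvmlinux sshd[4010]: pam_sss(sshd:account): Access denied for user bob: 6 (Permission denied)
"""

# Linux-PAM return codes (security/_pam_types.h).
PAM_SYSTEM_ERR = 4   # the module could not complete its check
PAM_PERM_DENIED = 6  # the check completed and denied access

SYSLOG_PREFIX = r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
ACCOUNT_DENIED = re.compile(
    SYSLOG_PREFIX
    + r"sshd\[(?P<pid>\d+)\]: pam_sss\(sshd:account\): Access denied for user "
    + r"(?P<user>\S+): (?P<code>\d+) \((?P<reason>[^)]*)\)$"
)
PERMISSIVE_WARNING = re.compile(
    SYSLOG_PREFIX
    + r"sssd\[be\[(?P<domain>[^\]]+)\]\]: Warning: user would have been denied "
    + r"GPO-based logon access"
)


def classify_denial(code: int) -> str:
    """Map the PAM code pam_sss logged to what an operator should act on."""
    if code == PAM_PERM_DENIED:
        return "policy_denial"         # GPO/access rule said no: expected behaviour
    if code == PAM_SYSTEM_ERR:
        return "infrastructure_error"  # access evaluation itself failed: investigate sssd
    return "other"


def analyse_secure_log(text: str) -> list:
    """Extract pam_sss account denials and SSSD permissive-mode GPO warnings."""
    events = []
    for line in text.splitlines():
        m = ACCOUNT_DENIED.match(line)
        if m:
            code = int(m.group("code"))
            events.append({
                "kind": "account_denied",
                "ts": m.group("ts"),
                "user": m.group("user"),
                "code": code,
                "reason": m.group("reason"),
                "category": classify_denial(code),
            })
            continue
        m = PERMISSIVE_WARNING.match(line)
        if m:
            events.append({
                "kind": "gpo_permissive_warning",
                "ts": m.group("ts"),
                "domain": m.group("domain"),
                "category": "would_deny_in_enforcing",
            })
    return events


def summarize(events: list) -> dict:
    """Count events per category. A burst of infrastructure_error across many
    users points at GPO retrieval/parsing on the client, not at the users."""
    return dict(Counter(e["category"] for e in events))


if __name__ == "__main__":
    found = analyse_secure_log(SAMPLE_SECURE_LOG)
    for event in found:
        print(event)
    print(summarize(found))
```

In enforcing mode a broken GPO fetch denies every AD user with code 4, so alerting on infrastructure_error separately from policy_denial keeps a client-side parsing bug from being mistaken for a wave of unauthorized logon attempts; the permissive-mode warning is the signal to watch before flipping ad_gpo_access_control to enforcing.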
/var/log/sssd/gpo_child.log:
(2022-04-12 15:28:54): [gpo_child[3955]] [main] (0x0400): gpo_child started.
(2022-04-12 15:28:54): [gpo_child[3955]] [main] (0x0400): context initialized
(2022-04-12 15:28:54): [gpo_child[3955]] [unpack_buffer] (0x0400): cached_gpt_version: -1
(2022-04-12 15:28:54): [gpo_child[3955]] [unpack_buffer] (0x4000): smb_server length: 27
(2022-04-12 15:28:54): [gpo_child[3955]] [unpack_buffer] (0x4000): smb_server: smb://adtest.adtest.zly.com
(2022-04-12 15:28:54): [gpo_child[3955]] [unpack_buffer] (0x4000): smb_share length: 7
(2022-04-12 15:28:54): [gpo_child[3955]] [unpack_buffer] (0x4000): smb_share: /SysVol
(2022-04-12 15:28:54): [gpo_child[3955]] [unpack_buffer] (0x4000): smb_path length: 63
(2022-04-12 15:28:54): [gpo_child[3955]] [unpack_buffer] (0x4000): smb_path: /adtest.zly.com/Policies/{63899852-E3D6-4975-84B6-1B585DE97319}
(2022-04-12 15:28:54): [gpo_child[3955]] [unpack_buffer] (0x4000): smb_cse_suffix length: 49
(2022-04-12 15:28:54): [gpo_child[3955]] [unpack_buffer] (0x4000): smb_cse_suffix: /Machine/Microsoft/Windows NT/SecEdit/GptTmpl.inf
(2022-04-12 15:28:54): [gpo_child[3955]] [main] (0x0400): performing smb operations
(2022-04-12 15:28:54): [gpo_child[3955]] [copy_smb_file_to_gpo_cache] (0x0400): smb_uri: smb://adtest.adtest.zly.com/SysVol/adtest.zly.com/Policies/{63899852-E3D6-4975-84B6-1B585DE97319}/GPT.INI
(2022-04-12 15:28:54): [gpo_child[3955]] [copy_smb_file_to_gpo_cache] (0x4000): smb_buflen: 50
(2022-04-12 15:28:54): [gpo_child[3955]] [prepare_gpo_cache] (0x4000): smb_path_with_suffix: /adtest.zly.com/Policies/{63899852-E3D6-4975-84B6-1B585DE97319}/GPT.INI
(2022-04-12 15:28:54): [gpo_child[3955]] [prepare_gpo_cache] (0x0400): Storing GPOs in /var/lib/sss/gpo_cache/adtest.zly.com
(2022-04-12 15:28:54): [gpo_child[3955]] [prepare_gpo_cache] (0x0400): Storing GPOs in /var/lib/sss/gpo_cache/adtest.zly.com/Policies
(2022-04-12 15:28:54): [gpo_child[3955]] [prepare_gpo_cache] (0x0400): Storing GPOs in /var/lib/sss/gpo_cache/adtest.zly.com/Policies/{63899852-E3D6-4975-84B6-1B585DE97319}
(2022-04-12 15:28:54): [gpo_child[3955]] [unique_filename_destructor] (0x2000): Unlinking [/var/lib/sss/gpo_cache/adtest.zly.com/Policies/{63899852-E3D6-4975-84B6-1B585DE97319}/GPT.INIPUsDAW]
(2022-04-12 15:28:54): [gpo_child[3955]] [unlink_dbg] (0x2000): File already removed: [/var/lib/sss/gpo_cache/adtest.zly.com/Policies/{63899852-E3D6-4975-84B6-1B585DE97319}/GPT.INIPUsDAW]
(2022-04-12 15:28:54): [gpo_child[3955]] [ad_gpo_parse_ini_file] (0x0400): ini_filename:/var/lib/sss/gpo_cache/adtest.zly.com/Policies/{63899852-E3D6-4975-84B6-1B585DE97319}/GPT.INI
(2022-04-12 15:28:54): [gpo_child[3955]] [ad_gpo_parse_ini_file] (0x0020): ini_config_file_open failed [84][Invalid or incomplete multibyte or wide character]
(2022-04-12 15:28:54): [gpo_child[3955]] [ad_gpo_parse_ini_file] (0x0020): Error encountered: 84.
(2022-04-12 15:28:54): [gpo_child[3955]] [perform_smb_operations] (0x0020): Cannot parse ini file: [84][Invalid or incomplete multibyte or wide character]
(2022-04-12 15:28:54): [gpo_child[3955]] [main] (0x0020): perform_smb_operations failed.[84][Invalid or incomplete multibyte or wide character].
(2022-04-12 15:28:54): [gpo_child[3955]] [main] (0x0020): gpo_child failed!

4、Reproduction method
1) Preparation
AD: Windows Server 2012 Datacenter; configure it as the AD domain server and DNS service; configure the domain adtest.zly.com.
GPO policy: "computer configuration ==> strategy ==> windows setting ==> security setting ==> local strategy ==> Allow local login"; grant local login permission to some user or group.
Linux client: CentOS 7.9 or Red Hat 7.9; realm join adtest.zly.com
2) Reproduction
Linux client:
[root@wxvmlinux sssd]# ssh -l wxadmin localhost
wxadmin@localhost's password:
Authentication failed.
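The gpo_child log above stops at ini_config_file_open returning error 84, which on Linux is EILSEQ ("Invalid or incomplete multibyte or wide character"): the INI reader could not consume the cached GPT.INI as valid text, so the GPO is never evaluated and, in enforcing mode, the logon is denied with a system error. The report does not state how that GPT.INI is encoded; a UTF-16 or BOM-prefixed file is one assumed explanation for EILSEQ from a reader that expects plain UTF-8. The following Python is an added example, not SSSD code and not from the report, that a defender can point at the cached copy under /var/lib/sss/gpo_cache/ before switching ad_gpo_access_control back to enforcing: it detects the encoding from the byte-order mark, shows that a strict UTF-8 reader rejects the UTF-16 and BOM variants while a BOM-aware one succeeds, and splits the Version field into its machine and user halves (low and high 16 bits respectively, per MS-GPOL). The three sample GPT.INI byte strings are constructed, not copied from the report's SYSVOL.

```python
import codecs
import configparser
import sys

# Constructed GPT.INI content, not copied from the report's SYSVOL.
# Version is a 32-bit value: low 16 bits = machine config version,
# high 16 bits = user config version (MS-GPOL). 65537 = 0x00010001.
GPT_INI_TEXT = "[General]\r\nVersion=65537\r\ndisplayName=Test GPO\r\n"

SAMPLE_UTF8 = GPT_INI_TEXT.encode("utf-8")
SAMPLE_UTF8_BOM = codecs.BOM_UTF8 + GPT_INI_TEXT.encode("utf-8")
SAMPLE_UTF16LE_BOM = codecs.BOM_UTF16_LE + GPT_INI_TEXT.encode("utf-16-le")


def detect_encoding(data: bytes) -> str:
    """Pick a Python codec from the byte-order mark (or its absence)."""
    if data.startswith(codecs.BOM_UTF8):
        return "utf-8-sig"          # decoder strips the BOM
    if data.startswith((codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE)):
        return "utf-16"             # decoder honours and strips the BOM
    if len(data) >= 2 and data[0:1] != b"\x00" and data[1:2] == b"\x00":
        return "utf-16-le"          # heuristic: BOM-less UTF-16LE ASCII text
    return "utf-8"


def strict_utf8_parse_ok(data: bytes) -> bool:
    """Behave like a reader that insists on plain UTF-8 INI text (the analogue
    of the EILSEQ failure in the gpo_child log). True only when it succeeds."""
    try:
        text = data.decode("utf-8")   # raises on the UTF-16 BOM bytes FF FE
        cp = configparser.ConfigParser(interpolation=None)
        cp.read_string(text)          # a leading U+FEFF hides the [General] header
        cp.getint("General", "Version")
        return True
    except (UnicodeDecodeError, configparser.Error, ValueError):
        return False


def parse_gpt_ini(data: bytes) -> dict:
    """BOM-aware parse returning the encoding and the split Version fields."""
    enc = detect_encoding(data)
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(data.decode(enc))
    version = cp.getint("General", "Version")
    return {
        "encoding": enc,
        "version": version,
        "machine_version": version & 0xFFFF,
        "user_version": (version >> 16) & 0xFFFF,
        "display_name": cp.get("General", "displayName", fallback=""),
    }


if __name__ == "__main__":
    # Usage: python gpt_ini_check.py /var/lib/sss/gpo_cache/<domain>/Policies/<GUID>/GPT.INI
    # Without an argument the three constructed samples are checked instead.
    blobs = {"utf-8": SAMPLE_UTF8, "utf-8+BOM": SAMPLE_UTF8_BOM, "utf-16le+BOM": SAMPLE_UTF16LE_BOM}
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            blobs = {sys.argv[1]: f.read()}
    for name, blob in blobs.items():
        print(name, "strict utf-8 ok:", strict_utf8_parse_ok(blob), "->", parse_gpt_ini(blob))
```

If the cached file reports anything other than "utf-8" for its encoding while strict_utf8_parse_ok is False, the problem is the file's encoding rather than the GPO's contents, and the machine_version value is what gpo_child compares against cached_gpt_version (-1 in the log above, meaning nothing was cached yet).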