Hi,
What version of SSSD are we talking about and what OS?
Are you sure that the GPOs are linked to the OU or inherited from a parent
OU (this can be checked in the Group Policy Management window on AD,
by clicking on the OU in the tree view and then selecting 'Group Policy
Inheritance')?
Please send the whole domain logs and GPO child logs (both located in
/var/log/sssd/) - sanitize the logs if you have confidential info there.
Michal
On 06/06/2017 11:01 AM, François MUTSHE wrote:
> Hi, I've been searching on many forums to solve my issue but no luck, the
> GPOs "Allow log on through Remote Desktop Services" and "Deny log on
> through Remote Desktop Services" are working well on Windows clients but not on
> Linux.
> I created a test OU where I moved my test computer in, allowed a specific user to log
> on through Remote Desktop Services, results: anybody can login via ssh on my test
> computer.
> In sssd logs we can see that it's not applying GPOs to the computer:
>
> [ad_gpo_process_gpo_done] (0x0400): no applicable gpos found after dacl filtering
> (Fri Jun 2 15:52:06 2017) [sssd[be[domain.tld]]] [sysdb_gpo_get_gpo_result_object] (0x4000): cn=gpos,cn=ad,cn=custom,cn=domain.tld,cn=sysdb
> (Fri Jun 2 15:52:06 2017) [sssd[be[domain.tld]]] [sysdb_gpo_get_gpo_result_object] (0x4000): No GPO Result object.
> (Fri Jun 2 15:52:06 2017) [sssd[be[domain.tld]]] [ad_gpo_access_done] (0x0400): GPO-based access control successful.
> (Fri Jun 2 15:52:06 2017) [sssd[be[domain.tld]]] [ad_gpo_access_send] (0x0400): service systemd-user maps to Permitted
> (Fri Jun 2 15:52:06 2017) [sssd[be[domain.tld]]] [ad_gpo_access_done] (0x0400): GPO-based access control successful.
>
>
> What am I missing here? All GPOs have authenticated user default rights on it.
>
> I attached my sssd.conf here
>
> Any help would be much appreciated
>
> Regards, Mush.
>
>
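Added example, not part of either message and not SSSD project code: a small Python check that scans an SSSD domain log for the pattern in the quoted excerpt, where "no applicable gpos found after dacl filtering" is followed by "GPO-based access control successful", so such grants can be listed per host. The function name `find_unfiltered_grants` and the sample log are constructed here, and the line layout is assumed to match the excerpt above.

```python
import re

# Layout assumed from the excerpt: (timestamp) [sssd[be[domain]]] [function] (level): message
LINE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[be\[(?P<domain>[^\]]+)\]\]\] "
    r"\[(?P<func>\w+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)

# Constructed sample modelled on the excerpt in the thread (not a real capture).
SAMPLE_LOG = """\
(Fri Jun 2 15:52:06 2017) [sssd[be[domain.tld]]] [ad_gpo_process_gpo_done] (0x0400): no applicable gpos found after dacl filtering
(Fri Jun 2 15:52:06 2017) [sssd[be[domain.tld]]] [sysdb_gpo_get_gpo_result_object] (0x4000): No GPO Result object.
(Fri Jun 2 15:52:06 2017) [sssd[be[domain.tld]]] [ad_gpo_access_done] (0x0400): GPO-based access control successful.
(Fri Jun 2 15:52:06 2017) [sssd[be[domain.tld]]] [ad_gpo_access_send] (0x0400): service systemd-user maps to Permitted
(Fri Jun 2 15:52:06 2017) [sssd[be[domain.tld]]] [ad_gpo_access_done] (0x0400): GPO-based access control successful.
"""


def find_unfiltered_grants(log_text):
    """Return (timestamp, domain) for each grant made while no GPO applied."""
    no_gpo = {}    # domain -> True while the current evaluation found no GPO
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # wrapped, truncated or unrelated line
        dom, func, msg = m["domain"], m["func"], m["msg"]
        if func == "ad_gpo_access_send":
            no_gpo[dom] = False  # a new access request starts
        elif func == "ad_gpo_process_gpo_done" and "no applicable gpos found" in msg:
            no_gpo[dom] = True
        elif func == "ad_gpo_access_done" and "access control successful" in msg:
            if no_gpo.get(dom):
                findings.append((m["ts"], dom))
            no_gpo[dom] = False
    return findings


if __name__ == "__main__":
    for ts, dom in find_unfiltered_grants(SAMPLE_LOG):
        print(f"{ts} {dom}: access granted although no GPO applied to this host")
```

In the sample only the first grant is reported; the second follows an `ad_gpo_access_send` line for a service mapped to Permitted, so it is not counted.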