So I have some RHEL 7.3 virtual machines that were on Redhat IDM/IPA domain. I cloned them, renamed them, new IPs etc, and uninstalled the IPA client successfully.
I then joined them to our AD domain using realm join like I have other machines. I matched settings in sssd.conf and nsswitch.conf and I can kinit and id users without any issues.
My problem is that nobody can log in using their AD credentials because access is based on GPO and for some reason this server isn't able to get the GPO:
(Thu Feb 23 14:15:23 2017) [sssd[be[internal.ieeeglobalspec.com]]] [ad_gpo_access_send] (0x0400): service sshd maps to Remote Interactive
(Thu Feb 23 14:15:23 2017) [sssd[be[internal.ieeeglobalspec.com]]] [ad_gpo_connect_done] (0x4000): server_hostname from uri: la-2pdom02.internal.ieeeglobalspec.com
(Thu Feb 23 14:15:23 2017) [sssd[be[internal.ieeeglobalspec.com]]] [ad_gpo_connect_done] (0x0400): sam_account_name is LA-1QGLSESGAP01$
(Thu Feb 23 14:15:23 2017) [sssd[be[internal.ieeeglobalspec.com]]] [ad_gpo_site_name_retrieval_done] (0x0040): Cannot retrieve master domain info
(Thu Feb 23 14:15:23 2017) [sssd[be[internal.ieeeglobalspec.com]]] [ad_gpo_process_som_done] (0x0040): Unable to get som list: [2](No such file or directory)
(Thu Feb 23 14:15:23 2017) [sssd[be[internal.ieeeglobalspec.com]]] [ad_gpo_access_done] (0x0040): GPO-based access control failed.
Server is in an OU that is covered by my access policy GPO. GP Modeling shows that the correct policy would apply.
I'm stumped.
Thanks!
Max
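Added example (not from the thread or from sssd itself): a small parser for the sssd backend log format quoted above that also copes with entries run together on one line, and pulls out the ad_gpo_* failure chain so an admin can see at a glance why the access check denied the login. The interpretation hints are my own assumptions, not sssd messages.

```python
import re
from dataclasses import dataclass

# sssd backend debug entry layout, as in the log quoted above:
#   (Thu Feb 23 14:15:23 2017) [sssd[be[domain]]] [function] (0x0040): message
TS = r"[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}"
SPLIT_RE = re.compile(r"\s*(?=\(" + TS + r"\) \[sssd)")   # entry boundary, even mid-line
ENTRY_RE = re.compile(
    r"\((?P<ts>" + TS + r")\) \[sssd\[be\[(?P<domain>[^\]]+)\]\]\] "
    r"\[(?P<func>[^\]]+)\] \((?P<level>0x[0-9a-fA-F]{4})\): (?P<msg>.*)", re.S)

# Assumed (example-only) readings of the GPO failure messages seen in the post.
GPO_FAILURE_HINTS = {
    "Cannot retrieve master domain info": "AD domain/site discovery failed; check DNS and DC reachability",
    "Unable to get som list": "scope-of-management (OU chain) lookup failed, so no GPO list was built",
    "GPO-based access control failed": "with ad_gpo_access_control = enforcing the login is denied",
}

# Log text copied from the post above (constructed sample input for this example).
SAMPLE_LOG = (
    "(Thu Feb 23 14:15:23 2017) [sssd[be[internal.ieeeglobalspec.com]]] [ad_gpo_access_send] (0x0400): service sshd maps to Remote Interactive "
    "(Thu Feb 23 14:15:23 2017) [sssd[be[internal.ieeeglobalspec.com]]] [ad_gpo_connect_done] (0x4000): server_hostname from uri: la-2pdom02.internal.ieeeglobalspec.com "
    "(Thu Feb 23 14:15:23 2017) [sssd[be[internal.ieeeglobalspec.com]]] [ad_gpo_connect_done] (0x0400): sam_account_name is LA-1QGLSESGAP01$ "
    "(Thu Feb 23 14:15:23 2017) [sssd[be[internal.ieeeglobalspec.com]]] [ad_gpo_site_name_retrieval_done] (0x0040): Cannot retrieve master domain info "
    "(Thu Feb 23 14:15:23 2017) [sssd[be[internal.ieeeglobalspec.com]]] [ad_gpo_process_som_done] (0x0040): Unable to get som list: [2](No such file or directory) "
    "(Thu Feb 23 14:15:23 2017) [sssd[be[internal.ieeeglobalspec.com]]] [ad_gpo_access_done] (0x0040): GPO-based access control failed.")

@dataclass
class Entry:
    ts: str
    domain: str
    func: str
    level: int   # sssd debug bitmask, e.g. 0x0040 = operation failure
    msg: str

def parse_sssd_log(text: str) -> list:
    """Parse sssd_<domain>.log text; entries may be one per line or run together."""
    entries = []
    for chunk in SPLIT_RE.split(text):
        m = ENTRY_RE.match(chunk.strip())
        if m:
            entries.append(Entry(m["ts"], m["domain"], m["func"],
                                 int(m["level"], 16), m["msg"].strip()))
    return entries

def gpo_failures(entries) -> list:
    """(ts, func, msg, hint) for each ad_gpo_* entry that matches a known failure."""
    return [(e.ts, e.func, e.msg, hint) for e in entries if e.func.startswith("ad_gpo_")
            for needle, hint in GPO_FAILURE_HINTS.items() if e.msg.startswith(needle)]

def gpo_denied_login(entries) -> bool:
    """True when the access request ended in ad_gpo_access_done reporting failure."""
    return any(e.func == "ad_gpo_access_done" and "failed" in e.msg for e in entries)

if __name__ == "__main__":
    for ts, func, msg, hint in gpo_failures(parse_sssd_log(SAMPLE_LOG)):
        print(f"{ts} {func}: {msg}\n    -> {hint}")
```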
On (23/02/17 14:23), Max DiOrio wrote:
So I have some RHEL 7.3 virtual machines that were on Redhat IDM/IPA domain. I cloned them, renamed them, new IPs etc, and uninstalled the IPA client successfully.
I then joined them to our AD domain using realm join like I have other machines. I matched settings in sssd.conf and nsswitch.conf and I can kinit and id users without any issues.
My problem is that nobody can log in using their AD credentials because access is based on GPO and for some reason this server isn't able to get the GPO:
(Thu Feb 23 14:15:23 2017) [sssd[be[internal.ieeeglobalspec.com]]] [ad_gpo_access_send] (0x0400): service sshd maps to Remote Interactive
(Thu Feb 23 14:15:23 2017) [sssd[be[internal.ieeeglobalspec.com]]] [ad_gpo_connect_done] (0x4000): server_hostname from uri: la-2pdom02.internal.ieeeglobalspec.com
(Thu Feb 23 14:15:23 2017) [sssd[be[internal.ieeeglobalspec.com]]] [ad_gpo_connect_done] (0x0400): sam_account_name is LA-1QGLSESGAP01$
(Thu Feb 23 14:15:23 2017) [sssd[be[internal.ieeeglobalspec.com]]] [ad_gpo_site_name_retrieval_done] (0x0040): Cannot retrieve master domain info
(Thu Feb 23 14:15:23 2017) [sssd[be[internal.ieeeglobalspec.com]]] [ad_gpo_process_som_done] (0x0040): Unable to get som list: [2](No such file or directory)
(Thu Feb 23 14:15:23 2017) [sssd[be[internal.ieeeglobalspec.com]]] [ad_gpo_access_done] (0x0040): GPO-based access control failed.
Server is in an OU that is covered by my access policy GPO. GP Modeling shows that the correct policy would apply.
Could you provide log files with higher debug level (7 should be enough)? Please provide domain log file and gpo_child.log
LS
On 02/24/2017 12:44 PM, Lukas Slebodnik wrote:
On (23/02/17 14:23), Max DiOrio wrote:
So I have some RHEL 7.3 virtual machines that were on Redhat IDM/IPA domain. I cloned them, renamed them, new IPs etc, and uninstalled the IPA client successfully.
I then joined them to our AD domain using realm join like I have other machines. I matched settings in sssd.conf and nsswitch.conf and I can kinit and id users without any issues.
My problem is that nobody can log in using their AD credentials because access is based on GPO and for some reason this server isn't able to get the GPO:
(Thu Feb 23 14:15:23 2017) [sssd[be[internal.ieeeglobalspec.com]]] [ad_gpo_access_send] (0x0400): service sshd maps to Remote Interactive
(Thu Feb 23 14:15:23 2017) [sssd[be[internal.ieeeglobalspec.com]]] [ad_gpo_connect_done] (0x4000): server_hostname from uri: la-2pdom02.internal.ieeeglobalspec.com
(Thu Feb 23 14:15:23 2017) [sssd[be[internal.ieeeglobalspec.com]]] [ad_gpo_connect_done] (0x0400): sam_account_name is LA-1QGLSESGAP01$
(Thu Feb 23 14:15:23 2017) [sssd[be[internal.ieeeglobalspec.com]]] [ad_gpo_site_name_retrieval_done] (0x0040): Cannot retrieve master domain info
(Thu Feb 23 14:15:23 2017) [sssd[be[internal.ieeeglobalspec.com]]] [ad_gpo_process_som_done] (0x0040): Unable to get som list: [2](No such file or directory)
(Thu Feb 23 14:15:23 2017) [sssd[be[internal.ieeeglobalspec.com]]] [ad_gpo_access_done] (0x0040): GPO-based access control failed.
Server is in an OU that is covered by my access policy GPO. GP Modeling shows that the correct policy would apply.
Could you provide log files with higher debug level (7 should be enough)?
Level 9 would be better.
Thanks
Please provide domain log file and gpo_child.log
LS
Well it seems that after letting the machines sit all night, that I was able to log in fine this morning. On one machine SUDO is working fine, the other it's not. Had to restart sssd on the non-working one and everything is back to normal.
gpo_child.log absolutely wouldn't populate yesterday after I joined to the domain and the gpo_cache was empty until this morning.
On Fri, Feb 24, 2017 at 6:49 AM, Michal Židek mzidek@redhat.com wrote:
On 02/24/2017 12:44 PM, Lukas Slebodnik wrote:
On (23/02/17 14:23), Max DiOrio wrote:
So I have some RHEL 7.3 virtual machines that were on Redhat IDM/IPA domain. I cloned them, renamed them, new IPs etc, and uninstalled the IPA client successfully.
I then joined them to our AD domain using realm join like I have other machines. I matched settings in sssd.conf and nsswitch.conf and I can kinit and id users without any issues.
My problem is that nobody can log in using their AD credentials because access is based on GPO and for some reason this server isn't able to get the GPO:
(Thu Feb 23 14:15:23 2017) [sssd[be[internal.ieeeglobalspec.com]]] [ad_gpo_access_send] (0x0400): service sshd maps to Remote Interactive
(Thu Feb 23 14:15:23 2017) [sssd[be[internal.ieeeglobalspec.com]]] [ad_gpo_connect_done] (0x4000): server_hostname from uri: la-2pdom02.internal.ieeeglobalspec.com
(Thu Feb 23 14:15:23 2017) [sssd[be[internal.ieeeglobalspec.com]]] [ad_gpo_connect_done] (0x0400): sam_account_name is LA-1QGLSESGAP01$
(Thu Feb 23 14:15:23 2017) [sssd[be[internal.ieeeglobalspec.com]]] [ad_gpo_site_name_retrieval_done] (0x0040): Cannot retrieve master domain info
(Thu Feb 23 14:15:23 2017) [sssd[be[internal.ieeeglobalspec.com]]] [ad_gpo_process_som_done] (0x0040): Unable to get som list: [2](No such file or directory)
(Thu Feb 23 14:15:23 2017) [sssd[be[internal.ieeeglobalspec.com]]] [ad_gpo_access_done] (0x0040): GPO-based access control failed.
Server is in an OU that is covered by my access policy GPO. GP Modeling shows that the correct policy would apply.
Could you provide log files with higher debug level (7 should be enough)?
Level 9 would be better.
Thanks
Please provide domain log file and gpo_child.log
LS
sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org