So I have some RHEL 7.3 virtual machines that were on a Red Hat IdM/IPA
domain. I cloned them, renamed them, gave them new IPs, etc., and uninstalled
the IPA client successfully.
I then joined them to our AD domain using realm join like I have other
machines. I matched settings in sssd.conf and nsswitch.conf and I can
kinit and id users without any issues.
My problem is that nobody can log in using their AD credentials because
access is based on GPO and for some reason this server isn't able to get
the GPO:

(Thu Feb 23 14:15:23 2017) [sssd[be[internal.ieeeglobalspec.com]]] [ad_gpo_access_send] (0x0400): service sshd maps to Remote Interactive
(Thu Feb 23 14:15:23 2017) [sssd[be[internal.ieeeglobalspec.com]]] [ad_gpo_connect_done] (0x4000): server_hostname from uri: la-2pdom02.internal.ieeeglobalspec.com
(Thu Feb 23 14:15:23 2017) [sssd[be[internal.ieeeglobalspec.com]]] [ad_gpo_connect_done] (0x0400): sam_account_name is LA-1QGLSESGAP01$
(Thu Feb 23 14:15:23 2017) [sssd[be[internal.ieeeglobalspec.com]]] [ad_gpo_site_name_retrieval_done] (0x0040): Cannot retrieve master domain info
(Thu Feb 23 14:15:23 2017) [sssd[be[internal.ieeeglobalspec.com]]] [ad_gpo_process_som_done] (0x0040): Unable to get som list: [2](No such file or directory)
(Thu Feb 23 14:15:23 2017) [sssd[be[internal.ieeeglobalspec.com]]] [ad_gpo_access_done] (0x0040): GPO-based access control failed.

Server is in an OU that is covered by my access policy GPO. GP Modeling
shows that the correct policy would apply.
I'm stumped.
Thanks!
Max