We've recently started receiving a lot of complaints from users about
broadcast messages of the form:

Message from syslogd@hostname at Dec 4 09:08:35 ...
sssd[be[domain.lan]]:Group Policy Container with DN
[cn={66062A26-FA18-4C56-A7E1-B22209856319},cn=policies,cn=system,DC=domain,DC=lan]
is unreadable or has unreadable or missing attributes. In order to fix
this make sure that this AD object has following attributes readable:
nTSecurityDescriptor, cn, gPCFileSysPath, gPCMachineExtensionNames,
gPCFunctionalityVersion, flags. Alternatively if you do not have access
to the server or can not change permissions on this object, you can use
option ad_gpo_ignore_unreadable = True which will skip this GPO.See 'man
ad_gpo_ignore_unreadable for details.'

We've reviewed the AD object with that DN and determined that they are
scoped to specific sets of workstations using AD groups, such as "Domain
Laptops". As far as we can tell, this is entirely normal, and there's
no reason to log an error, much less broadcast a message to every open
terminal every time GPOs are processed.
I'm aware of the ad_gpo_ignore_unreadable setting, but the default seems
to be the wrong behavior, and I'd like to suggest changing that.