Hello, I noticed some of our users having Linux authentication issues recently. Upon further digging, it happened when a GPO was applied to the same OU these Linux servers belonged to. The debug logs said there was an error due to a missing equal sign. I tracked down the policy and looked at the ini file and instantly noticed it differed from the normal format.

*Many of our GPOs are in the format of:*

[section]
key=value

*But this one was like:*

saltminion",2,"D:AR(A;;CCLCSWLOCRRC;;;AU(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;LA)(A;;CCLCSWL

The result was that access was denied to the user logging into the server.

*Questions:*

1.) Should SSSD be able to parse GPOs using the template of Microsoft's SDDL (Security Descriptor Definition Language) <https://msdn.microsoft.com/en-us/library/windows/desktop/aa379567(v=vs.85).aspx>?

2.) What options are available to restore access besides removing the GPO from the OU, or setting ad_gpo_access_control to disabled or permissive?

Thanks!
--Dan

--
*Daniel Bryan*
DevOps Engineer | Stratus Solutions
dbr...@stratussolutions.com
www.stratussolutions.com
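
An added illustration of the failure described in the message above, not code from the post or from SSSD: a reader that requires key=value on every line rejects a quoted service entry, while a reader limited to the sections it needs skips that entry and still fails closed on malformed lines in those sections. The sample file, its section names, the SIDs and the `parse_inf` helper are constructed assumptions; the post does not show the full policy file.

```python
# Constructed sample of a GPO security template (not the poster's file).
# Section names and SIDs are assumptions chosen for illustration.
SAMPLE = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544
SeDenyInteractiveLogonRight = *S-1-5-32-546
[Service General Setting]
"examplesvc",2,"D:AR(A;;CCLCSWLOCRRC;;;AU)"
"""


def parse_inf(text, wanted=None):
    """Parse an INF-style file into {section: {key: value}}.

    wanted=None : every data line must be key=value (strict everywhere).
    wanted=set  : only those sections are parsed; lines in other sections
                  are recorded in `skipped` and never interpreted.
    A malformed line inside a parsed section always raises, so data that
    drives an access decision is never silently dropped.
    """
    values, skipped, section = {}, [], None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(";"):      # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section is None:
            raise ValueError(f"line {n}: data before first section")
        if wanted is not None and section not in wanted:
            skipped.append((n, section))          # unrelated section
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"line {n}: missing equal sign in [{section}]")
        values.setdefault(section, {})[key.strip()] = value.strip()
    return values, skipped


if __name__ == "__main__":
    try:
        parse_inf(SAMPLE)
    except ValueError as exc:
        print("strict parse failed:", exc)
    values, skipped = parse_inf(SAMPLE, wanted={"Privilege Rights"})
    print(values["Privilege Rights"])
    print("ignored lines:", skipped)
```
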