#2750 Failed to read group policy from second domain in forest (Active Directory)
Closed: Invalid. Opened 8 years ago by puthi.

Compute1_Linux is joined to Active Directory under domain A.DOMAIN.COM, and A.DOMAIN.COM is under the DOMAIN.COM forest.

  • If a user from domain A.DOMAIN.COM, USER_A, tries to log in, SSSD can retrieve the group policy and apply it properly.
  • Domain B.DOMAIN.COM is also under the DOMAIN.COM forest, and a user from B.DOMAIN.COM can authenticate and use resources on computers in A.DOMAIN.COM without any problem in a Windows environment. But when USER_B (under B.DOMAIN.COM) tries to log in to the COMPUTER1_LINUX machine, I can see SSSD try to retrieve the GPO from the server; it can download GPT.INI and GptTmpl.inf fine, but fails at the processing stage.

I can find the GPO downloaded in /var/lib/sss/gpo_cache/a.domain.com/...

Here I can see in the log:
[sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT]
[sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
[ad_gpo_target_dn_retrieval_done] (0x0040): No DN retrieved for policy target.
[sdap_id_op_destroy] (0x4000): releasing operation connection
[ad_gpo_access_done] (0x0040): GPO-based access control failed.
[be_pam_handler_callback] (0x0100): Backend returned: (3, 4, No such file or directory) [Internal Error (System error)
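
As an added illustration (not part of this report or of SSSD's own code), a small Python parser for the sssd_<domain>.log line format that flags the failure chain quoted above, pairing each "GPO-based access control failed" event with the preceding ad_gpo_* operation failure and the PAM backend result that follows it. The debug-level names are SSSD's debug bitmask values; the sample log is constructed from the lines quoted in this report.

```python
import re
from collections import namedtuple

# sssd_<domain>.log line layout: "[function] (0xLEVEL): message"
LOG_LINE = re.compile(r"^\[(?P<func>[^\]]+)\]\s+\((?P<level>0x[0-9a-fA-F]+)\):\s*(?P<msg>.*)$")

# SSSD debug bitmask values relevant to reading this chain.
SSSDBG_OP_FAILURE = 0x0040    # an operation failed
SSSDBG_CONF_SETTINGS = 0x0100 # config / backend result messages
SSSDBG_TRACE_FUNC = 0x0400
SSSDBG_TRACE_ALL = 0x4000

# Constructed sample, modelled on the lines quoted in the report above.
SAMPLE_LOG = """\
[sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT]
[sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
[ad_gpo_target_dn_retrieval_done] (0x0040): No DN retrieved for policy target.
[sdap_id_op_destroy] (0x4000): releasing operation connection
[ad_gpo_access_done] (0x0040): GPO-based access control failed.
[be_pam_handler_callback] (0x0100): Backend returned: (3, 4, No such file or directory) [Internal Error (System error)
"""

Entry = namedtuple("Entry", "func level msg")


def parse_sssd_log(text):
    """Parse log text into Entry tuples; lines that do not match the layout are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            entries.append(Entry(m["func"], int(m["level"], 16), m["msg"]))
    return entries


def find_gpo_failures(entries):
    """Return one dict per 'GPO-based access control failed' event.

    'cause' is the last ad_gpo_* OP_FAILURE message seen before the event
    (here: the policy-target DN lookup that returned nothing), and 'backend'
    is the be_pam_handler_callback result reported to PAM afterwards."""
    findings, cause = [], None
    for i, e in enumerate(entries):
        if e.func.startswith("ad_gpo_") and e.level == SSSDBG_OP_FAILURE and "failed" not in e.msg:
            cause = e.msg
        if e.msg.startswith("GPO-based access control failed"):
            backend = next((x.msg for x in entries[i + 1:] if x.func == "be_pam_handler_callback"), None)
            findings.append({"cause": cause, "backend": backend})
            cause = None
    return findings
```

Running find_gpo_failures over a real domain log at debug_level 0x0040 or higher is enough to see whether a denied login came from GPO processing rather than from the credential check itself.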


This should be addressed by ticket #2645, which is part of release sssd-1.13.0.
The patches are not planned to be back-ported to sssd-1.12 because they are too invasive.

cc: => lslebodn@redhat.com

Oh, I logged this issue so that it can be fixed in the next release. If it was already addressed, you can close this ticket.

I would prefer if you could confirm it works for you with sssd-1.13.0 (then you can close the ticket yourself).

For 1.13.0, I can't confirm it as it always fails to process the GPO no matter which subdomain, logged in ticket #2751.

Please ignore the attachment, as the test was done on version 1.12.2. Sorry about the wrong attachment.

As for the attachment, it's the log from 1.13.1 (master afa6ac7 build), with which I can test the GPO, and that's the error I get.

We should focus on the 1.13 bug.

resolution: => worksforme
status: new => closed

Metadata Update from @puthi:
- Issue set to the milestone: NEEDS_TRIAGE

7 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/3791

If you want to receive further updates on the issue, please navigate to the github issue
and click the subscribe button.

Thank you for understanding. We apologize for any inconvenience.