AD users are unable to log in due to GPO policy

Solution Verified

Environment

  • Red Hat Enterprise Linux
  • sssd
  • Active Directory

Issue

  • AD users are unable to log in to the RHEL system, and the log shows the warning:
    Warning: user would have been denied GPO-based logon access if the ad_gpo_access_control option were set to enforcing mode
  • AD users are unable to log in to the RHEL system, and the log shows the error:
    (Tue Jul 14 20:24:06 2020) [sssd[be[example.com]]] [ad_gpo_perform_hbac_processing] (0x0040): GPO access check failed: [1432158235](Host Access Denied)
  • AD users are unable to log in to the RHEL system, and the log shows the error:
    (Sat Aug 28 01:37:08 2022) [sssd[be[example.com]]] [ad_gpo_access_done] (0x0040): GPO-based access control failed.

Resolution

  • To isolate the issue, add the following option under the [domain/..] section of /etc/sssd/sssd.conf:
    ad_gpo_access_control = disabled
  • Flush the SSSD cache and restart the service:
    systemctl stop sssd ; rm -rf /var/lib/sss/{db,mc}/* ; systemctl start sssd
  • Try to log in. If the login now works, the option above can be used as a workaround.
  • For a permanent solution, evaluate the GPO rules in Active Directory and make the changes needed to allow the user to log in; ad_gpo_access_control = disabled can then be removed from sssd.conf.
  • Note: with disabled, GPO-based access control rules are neither evaluated nor enforced.
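The workaround above is a hand edit of sssd.conf. As an added example (not Red Hat's or the sssd project's code), the script below reports the effective ad_gpo_access_control mode of every [domain/...] section and sets it to the requested value while leaving the rest of the file, including comments, untouched. It assumes the file uses the plain `key = value` INI layout that sssd expects; the embedded SAMPLE_CONF is constructed from the values shown on this page. When a section has no ad_gpo_access_control line, the script reports permissive, which is the default documented in the sssd-ad man page.

```python
import os
import re
import sys
from pathlib import Path

VALID_MODES = ("disabled", "permissive", "enforcing")
SECTION_RE = re.compile(r"^\s*\[([^\]]+)\]\s*$")
# A leading '#' or ';' is not matched, so commented-out lines are left alone.
OPTION_RE = re.compile(r"^\s*ad_gpo_access_control\s*=\s*(\S+)")

# Constructed sample using the settings quoted in this article.
SAMPLE_CONF = """\
[sssd]
domains = example.com
services = nss, pam

[domain/example.com]
id_provider = ad
access_provider = ad
ad_access_filter = memberOf=CN=newusers,OU=it,DC=example,DC=com
"""


def _is_domain(section):
    return section.strip().lower().startswith("domain/")


def get_gpo_access_control(conf_text):
    """Map each [domain/...] section to its effective mode.

    Sections without the option are reported as "permissive" (sssd's default)."""
    modes, current = {}, None
    for line in conf_text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).strip()
            if _is_domain(current):
                modes.setdefault(current, "permissive")
            continue
        if current is not None and _is_domain(current):
            m = OPTION_RE.match(line)
            if m:
                modes[current] = m.group(1).lower()
    return modes


def _append_option(out, mode):
    # Insert before the blank lines that end a section so the file stays tidy.
    i = len(out)
    while i > 0 and out[i - 1].strip() == "":
        i -= 1
    out.insert(i, f"ad_gpo_access_control = {mode}")


def set_gpo_access_control(conf_text, mode="disabled"):
    """Return conf_text with ad_gpo_access_control = <mode> in every domain section.

    An existing line is replaced in place, duplicates are dropped, and a missing
    line is appended at the end of the section."""
    if mode not in VALID_MODES:
        raise ValueError(f"mode must be one of {VALID_MODES}, got {mode!r}")
    out, in_domain, written = [], False, False
    for line in conf_text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            if in_domain and not written:
                _append_option(out, mode)
            in_domain, written = _is_domain(m.group(1)), False
            out.append(line)
        elif in_domain and OPTION_RE.match(line):
            if not written:  # first occurrence is rewritten, later ones dropped
                out.append(f"ad_gpo_access_control = {mode}")
                written = True
        else:
            out.append(line)
    if in_domain and not written:
        _append_option(out, mode)
    return "\n".join(out) + "\n"


def _write_private(path, text):
    # sssd.conf may hold bind credentials, so the backup must not be world-readable.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(text)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: set_gpo_mode.py /etc/sssd/sssd.conf [disabled|permissive|enforcing]
        path = Path(sys.argv[1])
        mode = sys.argv[2] if len(sys.argv) > 2 else "disabled"
        original = path.read_text()
        _write_private(str(path) + ".bak", original)
        _write_private(str(path), set_gpo_access_control(original, mode))
        print(get_gpo_access_control(path.read_text()))
    else:
        print(get_gpo_access_control(SAMPLE_CONF))
        print(set_gpo_access_control(SAMPLE_CONF), end="")
```

Run it with no arguments to see the transformation on the sample; with a path it rewrites the file in place after taking a 0600 backup. The cache flush and service restart from the step above still have to be done afterwards, and the same script with `enforcing` or `permissive` restores the mode once the policy in AD has been corrected.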

Root Cause

  • The AD user login is failing due to the GPO policy.

Diagnostic Steps

  • Check the SSSD configuration:
    $ grep access /etc/sssd/sssd.conf
    access_provider = ad
    ad_access_filter = memberOf=CN=newusers,OU=it,DC=example,DC=com
  • Check the sssd debug logs.

1. sssd_$domain.log:

(Sat Dec 28 01:37:08 2019) [sssd[be[example.com]]] [gpo_cse_done] (0x0020): ad_gpo_parse_gpo_child_response failed: [22][Invalid argument]   <-----
(Sat Dec 28 01:37:08 2019) [sssd[be[example.com]]] [ad_gpo_cse_done] (0x0040): Unable to retrieve policy data: [22](Invalid argument}
(Sat Dec 28 01:37:08 2019) [sssd[be[example.com]]] [ad_gpo_access_done] (0x0040): GPO-based access control failed.
(Sat Dec 28 01:37:08 2019) [sssd[be[example.com]]] [ad_gpo_access_done] (0x0040): Ignoring error: [22](Invalid argument); GPO-based access control failed, but GPO is not in enforcing mode.
(Sat Dec 28 01:37:08 2019) [sssd[be[example.com]]] [child_sig_handler] (0x0020): waitpid did not found a child with changed status.
(Sat Dec 28 01:37:08 2019) [sssd[be[example.com]]] [child_sig_handler] (0x0020): child [39612] failed with status [1].

2. gpo_child.log:

(Sat Dec 28 01:37:08 2019) [[sssd[gpo_child[39612]]]] [copy_smb_file_to_gpo_cache] (0x0020): smbc_getFunctionOpen failed [110][Connection timed out]
(Sat Dec 28 01:37:08 2019) [[sssd[gpo_child[39612]]]] [perform_smb_operations] (0x0020): copy_smb_file_to_gpo_cache failed [110][Connection timed out]
(Sat Dec 28 01:37:08 2019) [[sssd[gpo_child[39612]]]] [main] (0x0020): perform_smb_operations failed.[110][Connection timed out].   <-----
(Sat Dec 28 01:37:08 2019) [[sssd[gpo_child[39612]]]] [main] (0x0020): gpo_child failed!
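The two logs above have to be read together: the backend log only says that GPO processing failed, while gpo_child.log carries the underlying SMB error. As an added example (not part of this article or of sssd), the script below parses sssd debug lines of the form "(timestamp) [process] [function] (level): message", matches the GPO-related messages quoted on this page, and returns a verdict that separates "the policy really denies this user" from "the client could not download the policy from the domain controller". The rule table and category names are my own; the sample lines are the ones shown in this article.

```python
import re

# Shape of an sssd debug line: "(timestamp) [process] [function] (level): message"
LOG_RE = re.compile(
    r"^\((?P<ts>[^)]*)\) \[(?P<proc>.*?)\] \[(?P<func>[^\]]+)\] "
    r"\((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)

# (function, message fragment, category, what it means). Order matters: the
# "Ignoring error" line also contains the generic failure text and must win.
RULES = [
    ("ad_gpo_perform_hbac_processing", "Host Access Denied", "gpo_denies_logon",
     "the GPO logon rights deny this user on this host; review the policy in AD"),
    ("copy_smb_file_to_gpo_cache", "Connection timed out", "sysvol_unreachable",
     "gpo_child could not download the policy files from the DC's SYSVOL share over "
     "SMB; check client-to-DC connectivity and firewalling before changing the policy"),
    ("ad_gpo_access_done", "Ignoring error", "permissive_mode",
     "ad_gpo_access_control is permissive: the failure is logged and the login proceeds"),
    ("ad_gpo_access_done", "GPO-based access control failed", "gpo_processing_failed",
     "GPO evaluation failed; the underlying cause is in gpo_child.log"),
]

# The most specific root cause wins over the generic failure message.
PRIORITY = ["gpo_denies_logon", "sysvol_unreachable", "gpo_processing_failed"]

# Sample lines taken from this article (backend log plus gpo_child log).
SAMPLE_BE_AND_CHILD_LOG = """\
(Sat Dec 28 01:37:08 2019) [sssd[be[example.com]]] [gpo_cse_done] (0x0020): ad_gpo_parse_gpo_child_response failed: [22][Invalid argument]   <-----
(Sat Dec 28 01:37:08 2019) [sssd[be[example.com]]] [ad_gpo_cse_done] (0x0040): Unable to retrieve policy data: [22](Invalid argument}
(Sat Dec 28 01:37:08 2019) [sssd[be[example.com]]] [ad_gpo_access_done] (0x0040): GPO-based access control failed.
(Sat Dec 28 01:37:08 2019) [sssd[be[example.com]]] [ad_gpo_access_done] (0x0040): Ignoring error: [22](Invalid argument); GPO-based access control failed, but GPO is not in enforcing mode.
(Sat Dec 28 01:37:08 2019) [sssd[be[example.com]]] [child_sig_handler] (0x0020): child [39612] failed with status [1].
(Sat Dec 28 01:37:08 2019) [[sssd[gpo_child[39612]]]] [copy_smb_file_to_gpo_cache] (0x0020): smbc_getFunctionOpen failed [110][Connection timed out]
(Sat Dec 28 01:37:08 2019) [[sssd[gpo_child[39612]]]] [main] (0x0020): gpo_child failed!
"""

SAMPLE_DENIED_LOG = """\
(Tue Jul 14 20:24:06 2020) [sssd[be[example.com]]] [ad_gpo_perform_hbac_processing] (0x0040): GPO access check failed: [1432158235](Host Access Denied)
(Sat Aug 28 01:37:08 2022) [sssd[be[example.com]]] [ad_gpo_access_done] (0x0040): GPO-based access control failed.
"""


def parse_line(line):
    """Return the fields of one sssd debug line, or None for any other text."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["msg"] = re.sub(r"\s*<-+\s*$", "", rec["msg"])  # drop "<-----" highlights
    return rec


def classify(rec):
    for func, fragment, category, meaning in RULES:
        if rec["func"] == func and fragment in rec["msg"]:
            return category, meaning
    return None


def triage(lines):
    """Scan log lines and summarise the GPO failure they describe."""
    categories, details = [], []
    for line in lines:
        rec = parse_line(line)
        hit = classify(rec) if rec else None
        if hit is None:
            continue
        category, meaning = hit
        if category not in categories:
            categories.append(category)
            details.append(f"{rec['ts']} [{rec['func']}] {meaning}")
    verdict = next((c for c in PRIORITY if c in categories), "no_gpo_failure")
    # Inferred from the backend log: a failure that was not "ignored" blocked the login.
    login_blocked = "gpo_processing_failed" in categories and "permissive_mode" not in categories
    return {"categories": categories, "verdict": verdict,
            "login_blocked": login_blocked, "details": details}


if __name__ == "__main__":
    for name, text in (("timeout", SAMPLE_BE_AND_CHILD_LOG), ("denied", SAMPLE_DENIED_LOG)):
        result = triage(text.splitlines())
        print(name, result["verdict"], "login_blocked=%s" % result["login_blocked"])
        for d in result["details"]:
            print("   ", d)
```

Feed it `cat /var/log/sssd/sssd_example.com.log /var/log/sssd/gpo_child.log` from a failing host: a sysvol_unreachable verdict points at network or firewall problems between the client and the domain controller rather than at the policy itself, and in that case disabling GPO access control hides a connectivity fault instead of fixing it.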

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
