Warning: the following message is logged when logging in over SSH or when a cron job runs.
sssd[be[boobi.com]]:Group Policy Container with DN [cn={EAAB276F-C6C4-457B-A735-653AEAFF0B49},cn=policies,cn=system,DC=boobi,DC=com] is unreadable or has unreadable or missing attributes. In order to fix this make sure that this AD object has following attributes readable: nTSecurityDescriptor, cn, gPCFileSysPath, gPCMachineExtensionNames, gPCFunctionalityVersion, flags. Alternatively if you do not have access to the server or can not change permissions on this object, you can use option ad_gpo_ignore_unreadable = True which will skip this GPO.See 'man ad_gpo_ignore_unreadable for details.'
Solution:
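The solution was to add "ad_gpo_ignore_unreadable = True" to the domain-specific section ([domain/boobi.com]) of sssd.conf, then clear the cache and restart the service. Note that this option makes SSSD skip the unreadable GPO entirely, so any access-control settings that GPO carries are no longer evaluated on this host (access_provider = ad is in use here). Where you can change permissions in AD, making the listed attributes readable to the machine account, as the message itself suggests, fixes the cause instead of hiding it.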
[root@system1 user]# cat /etc/sssd/sssd.conf | grep ad_gpo_ignore_unread
[root@system1 user]# vi /etc/sssd/sssd.conf
[sssd]
domains = boobi.com
config_file_version = 2
services = nss, pam
[domain/boobi.com]
ad_server = ADserver.boobi.com
ad_domain = boobi.com
krb5_realm = BOOBI.COM
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%u
access_provider = ad
ad_gpo_ignore_unreadable = True
[root@system1 user]# systemctl stop sssd && rm -f /var/lib/sss/db/* && systemctl start sssd
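Now log in again and confirm that the warning no longer appears. Because the command above deletes the SSSD cache databases and cache_credentials = True is set, cached credentials are removed too, so offline logins will not work until each user has authenticated once while the AD server is reachable.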