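I have a 22.04 system joined to Active Directory, with ADsys installed and some group policies created. User authentication works fine, and machine/computer policies are being applied successfully. However, user policy settings do not appear to be cached or applied to the system.
Is there an additional configuration item needed to process user policies? I have gone through the documentation as carefully as I can, but could not find anything that looks applicable here. The logged-in user account is in an AD OU that has a GPO named "Ubuntu User" linked to it, and user settings are enabled.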
$ adsysctl policy update -av
INFO No configuration file: Config File "adsys" Not Found in "[/var/cache/adsys/policies/U-3GTRXJWRUPDOW /home/testuser /etc /usr/sbin]".
We will only use the defaults, env variables or flags.
INFO Downloading "assets"
INFO Apply policy for U-3GTRXJWRUPDOW (machine: true)
$ adsysctl policy applied --details
ERROR Error from server: error while displaying applied policies: failed to dump policies for "[email protected]": no policy applied for "[email protected]": can't get cached policies from /var/cache/adsys/policies/[email protected]: open /var/cache/adsys/policies/[email protected]/policies: no such file or directory
$ ls /var/cache/adsys/policies
U-3GTRXJWRUPDOW
$ cat /var/cache/adsys/policies/U-3GTRXJWRUPDOW/policies
gpos:
- id: '{1F00F6F9-7DDA-400B-96D0-C7CEE5D38A0A}'
  name: Ubuntu-Machine
  rules:
    privilege:
    - key: client-admins
      value: |
        [email protected]
      disabled: false
- id: '{3C3DF920-9466-4FE9-97D0-7CA3AE9E6B75}'
  name: Ubuntu User
  rules: {}
- id: '{31B2F340-016D-11D2-945F-00C04FB984F9}'
  name: Default Domain Policy
  rules: {}
$ realm list
ad.testlab.com
  type: kerberos
  realm-name: AD.TESTLAB.COM
  domain-name: ad.testlab.com
  configured: kerberos-member
  server-software: active-directory
  client-software: winbind
  required-package: libnss-winbind
  required-package: winbind
  required-package: libpam-winbind
  required-package: samba-common-bin
  login-formats: AD\%U
  login-policy: allow-any-login
ad.testlab.com
  type: kerberos
  realm-name: AD.TESTLAB.COM
  domain-name: ad.testlab.com
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: sssd-tools
  required-package: sssd
  required-package: libnss-sss
  required-package: libpam-sss
  required-package: adcli
  required-package: samba-common-bin
  login-formats: %U
  login-policy: allow-realm-logins
$ sudo cat /etc/sssd/sssd.conf
[sssd]
domains = ad.testlab.com
services = nss, pam
default_domain_suffix = ad.testlab.com
full_name_format = %1$s
[domain/ad.testlab.com]
ad_enabled_domains = ad.testlab.com
fallback_homedir = /home/%u
default_shell = /bin/bash
id_provider = ad
auth_provider = ad
access_provider = ad
ad_gpo_map_remote_interactive = +dcv, +dcv-graphical-sso
ad_gpo_ignore_unreadable = true
cache_credentials = true
ignore_group_members = true
subdomain_inherit = ignore_group_members
krb5_store_password_if_offline = true
ad_gpo_access_control = disabled