ADsys 组策略对象 - 用户策略未缓存或处理

tag-icon tag-icon 22.04 active-directory sssd
ADsys 组策略对象 - 用户策略未缓存或处理

我有一个 22.04 系统加入到 Active Directory,安装了 ADsys,创建了一些组策略。用户身份验证工作正常,机器/计算机策略正在成功应用。但是,用户策略设置似乎没有缓存或应用于系统。

是否需要额外的配置项来处理用户策略?我尽可能仔细地查看了文档,但找不到任何看起来适用于此处的内容。登录的用户帐户位于 AD OU 中,其中链接了名为“Ubuntu 用户”的 GPO,并且启用了用户设置。

$ adsysctl policy update -av
INFO No configuration file: Config File "adsys" Not Found in "[/var/cache/adsys/policies/U-3GTRXJWRUPDOW /home/testuser /etc /usr/sbin]".
We will only use the defaults, env variables or flags. 
INFO Downloading "assets"                         
INFO Apply policy for U-3GTRXJWRUPDOW (machine: true) 

$ adsysctl policy applied --details
ERROR Error from server: error while displaying applied policies: failed to dump policies for "[email protected]": no policy applied for "[email protected]": can't get cached policies from /var/cache/adsys/policies/[email protected]: open /var/cache/adsys/policies/[email protected]/policies: no such file or directory

$ ls /var/cache/adsys/policies
U-3GTRXJWRUPDOW

$ cat /var/cache/adsys/policies/U-3GTRXJWRUPDOW/policies
gpos:
    - id: '{1F00F6F9-7DDA-400B-96D0-C7CEE5D38A0A}'
      name: Ubuntu-Machine
      rules:
        privilege:
            - key: client-admins
              value: |
                [email protected]
              disabled: false
    - id: '{3C3DF920-9466-4FE9-97D0-7CA3AE9E6B75}'
      name: Ubuntu User
      rules: {}
    - id: '{31B2F340-016D-11D2-945F-00C04FB984F9}'
      name: Default Domain Policy
      rules: {}

$ realm list
ad.testlab.com
  type: kerberos
  realm-name: AD.TESTLAB.COM
  domain-name: ad.testlab.com
  configured: kerberos-member
  server-software: active-directory
  client-software: winbind
  required-package: libnss-winbind
  required-package: winbind
  required-package: libpam-winbind
  required-package: samba-common-bin
  login-formats: AD\%U
  login-policy: allow-any-login
ad.testlab.com
  type: kerberos
  realm-name: AD.TESTLAB.COM
  domain-name: ad.testlab.com
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: sssd-tools
  required-package: sssd
  required-package: libnss-sss
  required-package: libpam-sss
  required-package: adcli
  required-package: samba-common-bin
  login-formats: %U
  login-policy: allow-realm-logins

$ sudo cat /etc/sssd/sssd.conf
[sssd]
domains = ad.testlab.com
services = nss, pam
default_domain_suffix = ad.testlab.com
full_name_format = %1$s

[domain/ad.testlab.com]
ad_enabled_domains = ad.testlab.com
fallback_homedir = /home/%u
default_shell = /bin/bash
id_provider = ad
auth_provider = ad
access_provider = ad
ad_gpo_map_remote_interactive = +dcv, +dcv-graphical-sso
ad_gpo_ignore_unreadable = true
cache_credentials = true
ignore_group_members = true
subdomain_inherit = ignore_group_members
krb5_store_password_if_offline = true
ad_gpo_access_control = disabled

相关内容