Group Policy Container is unreadable or

NethServer Version: 7.9.2009 (final)
Module: sssd

Greetings

I think this message is from the last samba/sssd update last week.

Is it something serious?
How to fix it (how to make those attributes readable)?

I am out of the office, so tomorrow, Monday, I will start to investigate the problem… in the meantime I will reboot this server in the afternoon, hopefully the old reboot recipe works.

Regards


Server restarted, everything seems to be going well; so I’ll keep an eye on it and leave this thread open for a few days in case there is something additional.
:clock11:

Today after updating my Proxmox servers, in the NethServer’s terminal I see that this warning has been there for a while and yesterday another one popped up.

I tried that command (man ad_gpo_ignore_unreadable) for more help and there is no such entry in the manual.

Any advice or tips to correct this is highly appreciated, thanks in advance.

Regards

And today another one.
I’m not trying to hammer on this post, but I’m already getting worried.

I don’t know if this information can be helpful:

Any thoughts @Andy_Wismer @mrmarkuz :pray:t3:

Maybe a config restore of samba?

My 2 cents
Andy

I could be mistaken, but from PowerShell you can try to identify the GPO you are having the problem with, then manage it with RSAT:

Get-GPO -Guid 4238D218-9575-4AB4-B407-68C71366834F -Domain "avion.lan"

The other option about ignoring the GPO (if it really isn’t applicable):

ad_gpo_ignore_unreadable was added. This option, which defaults to false, can be used to ignore group policy containers in AD with unreadable or missing attributes. This is for the case when server contains GPOs that have very strict permissions on their attributes in AD but are unrelated to access control (#3867)

ad_gpo_ignore_unreadable (boolean)

Normally when some group policy containers (AD object) of applicable group policy objects are not readable by SSSD then users are denied access. This option allows to ignore group policy containers and with them associated policies if their attributes in group policy containers are not readable for SSSD.

Default: False

It is supposed to go in the corresponding domain section of sssd.conf.

https://www.pagure.io/SSSD/sssd/issue/4133#comment-625772
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org/thread/WGM7Q3TGUR7T3XIGDJNKDMMJGBPU23YD/
Info available to RedHat Subscribers: SSSD reports: Group Policy Container is unreadable or has unreadable or missing attributes - Red Hat Customer Portal

2 Likes
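
A quick way to confirm that ad_gpo_ignore_unreadable really sits in a [domain/...] section, as the reply above says it must. This is an added example, not part of the original posts or of SSSD/NethServer; the function names and the sample file contents are constructed for illustration (only the option name and the avion.lan domain come from the thread).

```shell
#!/bin/sh
# Added example: report where ad_gpo_ignore_unreadable is set in an
# sssd.conf-style file. Output is "OK <section> <value>" when the line is in
# a [domain/...] section, "MISPLACED <section> <value>" anywhere else.
# Exit 0 only if a domain section sets it and no occurrence is misplaced.
check_gpo_ignore() {
    awk '
        /^[ \t]*[#;]/ { next }                      # skip commented-out lines
        /^[ \t]*\[.*\][ \t]*$/ {                     # section header
            section = $0
            gsub(/^[ \t]*\[|\][ \t]*$/, "", section)
            next
        }
        /^[ \t]*ad_gpo_ignore_unreadable[ \t]*=/ {
            value = $0
            sub(/^[^=]*=[ \t]*/, "", value)
            sub(/[ \t]+$/, "", value)
            if (section ~ /^domain\//) { print "OK", section, value; ok++ }
            else { print "MISPLACED", (section == "" ? "(none)" : section), value; bad++ }
        }
        END { exit (ok > 0 && bad == 0) ? 0 : 1 }
    ' "$1"
}

# Constructed sample files (hypothetical contents, not a real NethServer config).
write_samples() {
    dir=$1
    cat > "$dir/good.conf" <<'EOF'
[sssd]
domains = avion.lan

[domain/avion.lan]
id_provider = ad
ad_gpo_ignore_unreadable = True
EOF
    cat > "$dir/bad.conf" <<'EOF'
[sssd]
domains = avion.lan
ad_gpo_ignore_unreadable = True

[domain/avion.lan]
id_provider = ad
# ad_gpo_ignore_unreadable = True
EOF
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
check_gpo_ignore "$demo_dir/good.conf" || true
check_gpo_ignore "$demo_dir/bad.conf" || true
rm -rf "$demo_dir"
```

On a live system the same function can be pointed at /etc/sssd/sssd.conf (readable by root only) before restarting sssd.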

Thank you @dnutan @Andy_Wismer

I researched a little more and found…

About that GPO message

  • Every time Proxmox does a backup of the NS/AD server that message occurs (each hour *1)
    Then, running the command in PS, I see this GPO that I don’t remember ever using, Hotspot off:

    The information in the links gives me a little more peace of mind:

…no need to worry, this is a non-critical error and can easily be fixed. Reason that is happening is that your AD contains a GPO which has not been fully configured for SSSD to be able to read.

First, try to resolve the error from within Active Directory by checking the listed GPO contains the following readable attributes: …

Thank you!

Updates:
*1) It seems that it was a coincidence about the backups; checking the schedule, the backups are done every 2 hours and not every hour. :thinking: After the restart, the message did not come out; but it happened before and later resurfaced, it is just a matter of waiting.

2) The message still appears, so I added the configuration option ad_gpo_ignore_unreadable = True in /etc/sssd/sssd.conf after backing it up; I’ll restart the server tonight and I’ll keep an eye on it for a few days. I don’t dare to delete the cache as the post indicates: systemctl stop sssd && rm -f /var/lib/sss/db/* && systemctl start sssd :face_with_peeking_eye:


(Not related, I hope) Another 2 problems that I detected while reviewing the above

I think that this needs to be another post; I leave it here for now just to extract the info later.

A. From a terminal I ran the commands

  • systemctl status
    ● ads.avion.lan
        State: degraded
         Jobs: 1 queued
       Failed: 1 units
        Since: Mon 2023-07-24 08:10:01 MST; 1 weeks 1 days ago
  • systemctl --failed
    And I found an error (degraded) about OpenVPN, which I am not using.

    And it still shows as degraded after a restart.
    I already checked and I don’t have this service installed or activated; I don’t understand why it shows it as Loaded.

B. Zabbix server not running, I started seeing this message about a week ago, which I ignored because of other problems;

I tried to start it manually from the services without success.

For now I disabled “zabbix-agent” and “zabbix-server”; “zabbix-agent2” was disabled

I suspect I inadvertently damaged Zabbix by trying to update it (without understanding the correct process to do it).

Will it be possible to correct Zabbix without losing everything configured?

Maybe it’s time to restore a backup from about 2 or 3 weeks ago to see if the problem persists, I already protected the backups from a month ago in Proxmox Backup Server, to have a chance to restore them.

Regards

3 Likes

Greetings

Just a last update.

I checked all my backups and, as @Andy_Wismer suggests, I made a new one and restored the one from 07/2023/07/23 9:30 p.m.

And to my pleasant surprise Zabbix is working again! (? *1)

Now, I only have to re-join those PCs that were installed in this period of time.

*1) Zabbix is working but does not seem to be receiving information from the equipment.

Regards