Troubleshoot AD Bridge group policy | AD Bridge
Learn how to troubleshoot the AD Bridge Group Policy Objects and the Group Policy agent.
Autoenrollment GPO
First set the log level of autoenrollment to debug:
/opt/pbis/bin/lwsm set-log-level -p autoenroll - debug
Then check the system logs for autoenroll errors. This also generates additional logs in /tmp/pbis-curl.log.
Errors with sending a request to the Certificate Enrollment Service (CES) are stored in the /tmp/pbis-crl.log log file.
| Common Issues | Potential Resolution |
|---|---|
| SSL: Certificate subject name test-DC1-CA does not match target host name dc1.test.com | Correct the IIS certificate to match the URL of the hosting machine. |
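The subject/host mismatch in the table is easiest to confirm from the log itself. The script below is an added example, not code from the AD Bridge documentation: it scans the CES request log (the /tmp/pbis-curl.log path from this page, or a file you pass in) for the mismatch line, prints the certificate subject and the host name that was requested, and offers a separate helper that shows which subject the CES host actually presents so you can compare the two before changing the IIS certificate. The function names and the sample log lines are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the AD Bridge documentation.
# Default log path is the one named on the page for CES request errors.
CES_LOG="${CES_LOG:-/tmp/pbis-curl.log}"

# ces_subject_mismatches [logfile]
# Reads the log (or stdin) and prints "subject=<CA name> host=<host>" for each
# "certificate subject name X does not match target host name Y" line. Handles
# both the unquoted form shown on the page and the quoted form ('name') that
# curl emits. Returns 1 when no mismatch line is present.
ces_subject_mismatches() {
    awk -v q="'" '
    /[Cc]ertificate subject name .* does not match target host name/ {
        s = $0
        sub(/.*[Cc]ertificate subject name /, "", s)    # drop text before the subject
        h = s
        sub(/ does not match target host name.*/, "", s)  # s = certificate subject
        sub(/.*does not match target host name /, "", h)  # h = requested host name
        gsub(q, "", s); gsub(/"/, "", s)                  # strip quotes, if any
        gsub(q, "", h); gsub(/"/, "", h)
        sub(/[[:space:].,;]*$/, "", h)                    # trailing punctuation
        found = 1
        printf "subject=%s host=%s\n", s, h
    }
    END { exit found ? 0 : 1 }' ${1:+"$1"}
}

# ces_cert_subject <host> [port]
# Shows the subject of the certificate the CES host really presents, to compare
# with the name the log complained about. Needs network access to the host, so
# the offline demo below does not call it.
ces_cert_subject() {
    openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject
}

# Constructed sample log (not captured from a real system); the middle line is
# the error text from the troubleshooting table.
sample_ces_log() {
    cat <<'EOF'
autoenroll: sending enrollment request to https://dc1.test.com/
SSL: Certificate subject name test-DC1-CA does not match target host name dc1.test.com
autoenroll: enrollment request failed
EOF
}

# Demo: scan the file given as the first argument, otherwise the sample log.
if [ -n "${1:-}" ]; then
    ces_subject_mismatches "$1"
else
    sample_ces_log | ces_subject_mismatches
fi
```

Run it as `sh ces-check.sh "$CES_LOG"` on the client after setting the autoenroll log level to debug; the exit status is 1 when the log holds no mismatch line, which makes the check usable from a cron job. When it reports a mismatch, `ces_cert_subject dc1.test.com` shows the subject of the certificate IIS is serving, and the fix from the table applies: the certificate subject must match the host name in the enrollment URL.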
Wifi GPO
| Common Issues | Potential Resolution |
|---|---|
| Wifi GPO certificate not downloading | The certificate template field is case sensitive. Verify the template name is correct. Best practice is to copy the certificate name into the certificate template field. |
Force AD Bridge Group Policy objects to update
The AD Bridge Group Policy agent, a component of AD Bridge, connects to Active Directory, retrieves changes to Group Policy Objects (GPOs), and applies the changes once every 30 minutes, when a computer boots or restarts, or when requested by the AD Bridge GPO update tool.
You can run the AD Bridge GPO update tool at any time on a Linux or Unix computer joined to a domain with the AD Bridge agent.
Run the following command at the shell prompt:
/opt/pbis/bin/gpupdate --verbose
The command returns a success or failure result similar to one of the following:
GPO Update succeeded
GPO Update was unsuccessful, error code <code> (<error message>)
On target computers, AD Bridge stores its GPOs in /var/lib/pbis/grouppolicy.
Check the status of the AD Bridge Group Policy daemon
You can check the status of the AD Bridge Group Policy daemon on an AD Bridge client computer that is running Unix or Linux by running the following command as the root user:
/opt/pbis/bin/lwsm status gpagent
Restart the AD Bridge Group Policy daemon
You can restart the AD Bridge Group Policy daemon on a computer that is running Unix or Linux by executing the following command as root:
/opt/pbis/bin/lwsm restart gpagent
Generate an AD Bridge Group Policy agent debug log
You can generate an AD Bridge Group Policy agent debug log on a Unix or Linux computer running the AD Bridge agent.
- Log on as root user.
- Stop the Group Policy daemon by executing the following command at the shell prompt:
/opt/pbis/bin/lwsm stop gpagent
- Start the Group Policy daemon in command-line debug mode and capture the output in a file with these two commands:
/opt/pbis/sbin/lwsmd --loglevel debug --logfile /var/log/gpagentd.log --container gpagent &
/opt/pbis/bin/lwsm start gpagent
- When you are done logging the information and debugging the service, use the kill command to stop the service, which returns the log level to its default setting.
- Start the Group Policy daemon with the AD Bridge service manager:
/opt/pbis/bin/lwsm start gpagent
Modify or inspect GPOs from the gp-admin command
The gp-admin command-line utility lets you modify the settings in a Group Policy Object (GPO) in Active Directory from a Linux or Unix computer. For example, you can use the tool to specify a GPO, download a policy setting in the GPO from Active Directory to a Unix folder, modify it, and then upload it to Active Directory.
You run the tool as root. It is located at /opt/pbis/bin/gp-admin.
To view the tool's arguments, run the following command:
/opt/pbis/bin/gp-admin --help
Here's what the help looks like:
Usage: gp-admin --list --gpolicy <Group Policy setting>
--help | -h Show help
--listgpcses | -lgp List all the Group Policy extensions
--listall | -la List all the enabled policy settings in all the GPOs
--list | -l List the GPOs where the specified policy setting is configured
--download | -d Download the specified Group Policy setting to the specified path
--upload | -u Upload the specified Group Policy setting from the specified path
--gpolicy | -gp Specify the desired Group Policy setting
This should be set with the option '-l' '-d' or '-u'
--gpobject | -gpo Specify the desired Group Policy Object from which policy setting
to be downloaded or uploaded. This should be set only with
the option '-d' or '-u'
--path | -p Specify the desired path to download or upload policy settings
from or to AD. This should be set only with the option '-d' or '-u'.
Please provide the directory path where GPT.INI is present
Example
gp-admin -lgp
gp-admin -la
gp-admin -l -gp <ID>
gp-admin -d -gp <ID> -gpo <gpo name> -p <path>
Here's an example of how you can use gp-admin as root to inspect and modify a GPO:
- List all the GPOs applied to the computer by name and policy identifier:
/opt/pbis/bin/gp-admin -la
Here is an example of an abbreviated list:
[root@rhel5d bin]# ./gp-admin -la
AD Bridge Syslog GP Extension is enabled in the GPO's
GPO name:AD Bridge settings for test PolicyIdentifier: {46c77e22-bb04-4dec-a788-8cf3a30ebeb7}
GPO name:AD Bridge settings for apps PolicyIdentifier: {c2152211-e134-4eb1-a53a-b90378d7f056}
AD Bridge Settings GP Extension is enabled in the GPO's
GPO name:Default Domain Policy PolicyIdentifier: {31B2F340-016D-11D2-945F-00C04FB984F9}
GPO name:Engineering ACL Policy 1.0 PolicyIdentifier: {33E3DE4C-02DF-4CEE-8785-1F43FB750AFB}
...
AD Bridge Automount GP Extension is enabled in the GPO's
GPO name:LinuxServers AutoFS 1.0 PolicyIdentifier: {2A84EEE7-47E9-4C80-9FC9-0F6CBFB36654}
...
- Check the GPO extension's ID, which should be the same across different platforms:
/opt/pbis/bin/gp-admin -lgp
[root@rhel5d bin]# /opt/pbis/bin/gp-admin -lgp
Computer Policy Settings
ID = 1 AD Bridge SeLinux GP Extension {0BCE95E2-5332-49dc-9878-D3F8B678734B}
ID = 2 AD Bridge Syslog GP Extension {0D18828D-E7DA-434c-A537-8AF8122E2602}
ID = 3 AD Bridge Settings GP Extension {0EED766B-2404-46A6-A6B6-F8971164A920}
ID = 4 AD Bridge Sudo GP Extension {20D139DE-D892-419f-96E5-0C3A997CB9C4}
ID = 5 AD Bridge Fstab GP Extension {36C20771-2724-4ee3-B1B0-36A396CDA5E3}
ID = 6 AD Bridge Apparmor GP Extension {5554B0EB-ABE5-4654-A123-3B7818B2A48A}
ID = 7 AD Bridge Computer Network Settings {5FB45FF0-A68C-430b-8C6E-347B14AEB975}
ID = 9 AD Bridge Login Prompt GP Extension {9020E541-F49C-4ab8-88F3-55BE2D95B440}
ID = 10 AD Bridge Automount GP Extension {9994B0EB-ABE5-4654-A123-3B7818B2A999}
ID = 11 AD Bridge Message of the Day GP Extension {9A9F29C0-B1B1-467d-A255-0BD3D7AAAE59}
ID = 12 AD Bridge Files GP Extension {AE472D6F-0615-4d12-BC70-8A381CA67D53}
ID = 13 AD Bridge Computer Gconf GP Extension {B078EE20-01A1-4FEE-8DCC-032B758FA1F8}
ID = 14 AD Bridge LogRotate GP Extension{B1BBA22A-08FF-4826-9B4B-151C8A0BC1CA}
ID = 15 AD Bridge Cron GP Extension {B9CA8919-71D7-4aaa-9567-7225965F4A0E}
ID = 16 AD Bridge Script GP Extension {DDFF8E72-5C29-4987-8FB3-DF7EB7CE8FC2}
User Policy Settings
ID = 8 AD Bridge User Gconf GP Extension {74533AFA-5A94-4fa5-9F88-B78667C1C0B5}
ID = 17 AD Bridge User Files GP Extension {E62C4C67-D187-4b89-8EEC-A8A2570390BF}
- You can then use the ID to locate the GPOs that apply a setting. The following example uses the ID for the automount policy setting (10) to list the GPOs that are applying the automount extension:
[root@rhel5d bin]# ./gp-admin --list -gp 10
AD Bridge Automount GP Extension enabled in the below mentioned GPO's
GPO name:LinuxServers AutoFS 1.0 PolicyIdentifier: {2A84EEE7-47E9-4C80-9FC9-0F6CBFB36654}
- You can use the ID and the GPO name to download the latest version of a GPO that contains the automount setting:
./gp-admin -d -gp 10 -GPO "LinuxServers AutoFS 1.0" -p /var/lib/pbis/grouppolicy
The result of the command is as follows:
[root@rhel5d bin]# ./gp-admin -d -gp 10 -GPO "LinuxServers AutoFS 1.0" -p /var/lib/pbis/grouppolicy
Downloading policy data for setting:
(AD Bridge Automount GP Extension) in GPO: (LinuxServers AutoFS 1.0)
to path: (/var/lib/pbis/grouppolicy)
Copying policy data from location:
\\demo.com\SysVol\demo.com\Policies\{2A84EEE7-47E9-4C80-9FC9-0F6CBFB36654}
Downloaded AD Bridge Automount GP Extension to /var/lib/pbis/grouppolicy/{2A84EEE7-47E9-4C80-9FC9-0F6CBFB36654} folder
- You can now change directories to the folder that contains the GPO and view it:
[root@rhel5d bin]# ls /var/lib/pbis/grouppolicy/
{2A84EEE7-47E9-4C80-9FC9-0F6CBFB36654} GPT.INI krb5cc_gpagentd systemfiles
[root@rhel5d bin]# ls /var/lib/pbis/grouppolicy/\{2A84EEE7-47E9-4C80-9FC9-0F6CBFB36654\}/
{9994B0EB-ABE5-4654-A123-3B7818B2A999}
[root@rhel5d bin]# cd /var/lib/pbis/grouppolicy/\{2A84EEE7-47E9-4C80-9FC9-0F6CBFB36654\}/
[root@rhel5d {2A84EEE7-47E9-4C80-9FC9-0F6CBFB36654}]# cd \{9994B0EB-ABE5-4654-A123-3B7818B2A999\}/
[root@rhel5d {9994B0EB-ABE5-4654-A123-3B7818B2A999}]# ls
auto.home auto_master lwisettings.xml
[root@rhel5d {9994B0EB-ABE5-4654-A123-3B7818B2A999}]# cat lwisettings.xml
<LWIMachinePolicy> <GPItem clientGUID="{9994B0EB-ABE5-4654-A123-3B7818B2A999}"
itemGUID="{12587328-5C0D-46bd-BE9B-BF264F6CA720}" name="AutoMount settings" Version="2.0"> <autoMount>
- You can also view the files referenced by the automount policy setting.
- In the preceding example, the value of the Executable attribute for the auto_master file should be set to no, not yes. You can open the file in an editor, make the change, and then upload the modified file to Active Directory:
/opt/pbis/bin/gp-admin -u -gp 10 -GPO "LinuxServers AutoFS 1.0" -p /var/lib/pbis/grouppolicy/\{2A84EEE7-47E9-4C80-9FC9-0F6CBFB36654\}/\{9994B0EB-ABE5-4654-A123-3B7818B2A999\}/lwisettings.xml
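The walkthrough above reads the extension ID, its GUID and the GPO PolicyIdentifier off the gp-admin listings by eye and then assembles the nested download path by hand. The script below is an added example, not code from the AD Bridge documentation or from gp-admin itself: it parses the `-lgp`, `-la` and `-l` listing formats shown on this page so the same values can be looked up by extension name, and it locates the lwisettings.xml file under the `<path>/{GPO PolicyIdentifier}/{extension GUID}/` layout that `gp-admin -d` produced above. The sample listings are constructed from the format on this page (a few lines of the real output), and the function names are mine.

```shell
#!/bin/sh
# Added example, not part of the AD Bridge documentation.
GPADMIN="${GPADMIN:-/opt/pbis/bin/gp-admin}"   # tool path from the page

# Constructed excerpt in the `gp-admin -lgp` format shown on the page.
sample_lgp() {
    cat <<'EOF'
Computer Policy Settings
ID = 3 AD Bridge Settings GP Extension {0EED766B-2404-46A6-A6B6-F8971164A920}
ID = 10 AD Bridge Automount GP Extension {9994B0EB-ABE5-4654-A123-3B7818B2A999}
ID = 14 AD Bridge LogRotate GP Extension{B1BBA22A-08FF-4826-9B4B-151C8A0BC1CA}
User Policy Settings
ID = 8 AD Bridge User Gconf GP Extension {74533AFA-5A94-4fa5-9F88-B78667C1C0B5}
EOF
}

# Constructed excerpt in the `gp-admin -la` format shown on the page.
sample_la() {
    cat <<'EOF'
AD Bridge Settings GP Extension is enabled in the GPO's
GPO name:Default Domain Policy PolicyIdentifier: {31B2F340-016D-11D2-945F-00C04FB984F9}
AD Bridge Automount GP Extension is enabled in the GPO's
GPO name:LinuxServers AutoFS 1.0 PolicyIdentifier: {2A84EEE7-47E9-4C80-9FC9-0F6CBFB36654}
EOF
}

# gp_ext_field <id|guid> <extension name>    (reads -lgp output on stdin)
# Prints the numeric ID or the {GUID} of the named extension; returns 1 if
# the name is not listed. Tolerates a missing space before the GUID, as in
# the LogRotate line of the real listing.
gp_ext_field() {
    awk -v field="$1" -v want="$2" '
    /^ID = / {
        id = $3
        match($0, /\{[^}]*\}$/)
        guid = substr($0, RSTART, RLENGTH)
        name = $0
        sub(/^ID = [0-9]+ /, "", name)
        sub(/ *\{[^}]*\}$/, "", name)
        if (name == want) {
            out = (field == "id") ? id : guid
            print out; hit = 1; exit
        }
    }
    END { exit hit ? 0 : 1 }'
}

# gpo_ids_for_ext <extension name>    (reads -la or -l output on stdin)
# Prints the PolicyIdentifier of every GPO listed under that extension; both
# "... is enabled in the GPO'"'"'s" and "... enabled in the below mentioned
# GPO'"'"'s" headers are recognised. Returns 1 when none is found.
gpo_ids_for_ext() {
    awk -v want="$1" '
    / (is )?enabled in the / { cur = $0; sub(/ (is )?enabled in the .*/, "", cur); next }
    /^GPO name:/ && cur == want {
        match($0, /\{[^}]*\}/); print substr($0, RSTART, RLENGTH); hit = 1
    }
    END { exit hit ? 0 : 1 }'
}

# gp_settings_file <download path> <GPO PolicyIdentifier> <extension GUID>
# Prints the lwisettings.xml path in the folder layout created by gp-admin -d.
gp_settings_file() {
    f="$1/$2/$3/lwisettings.xml"
    if [ -f "$f" ]; then printf '%s\n' "$f"; else return 1; fi
}

# ext_report <extension name> <-lgp listing> <-la listing>
# Resolves an extension end to end: ID, GUID and the GPOs that apply it.
ext_report() {
    id=$(printf '%s\n' "$2" | gp_ext_field id "$1") || return 1
    guid=$(printf '%s\n' "$2" | gp_ext_field guid "$1") || return 1
    printf 'extension: %s\nid: %s\nguid: %s\n' "$1" "$id" "$guid"
    printf '%s\n' "$3" | gpo_ids_for_ext "$1" | while read -r gpo; do
        printf 'gpo: %s\n' "$gpo"
    done
}

# Demo: use the live tool when it is present (run as root), else the samples.
EXT="AD Bridge Automount GP Extension"
if [ -x "$GPADMIN" ]; then
    ext_report "$EXT" "$("$GPADMIN" -lgp)" "$("$GPADMIN" -la)"
else
    ext_report "$EXT" "$(sample_lgp)" "$(sample_la)"
fi
```

On a joined client the report gives the values the manual steps above need: the ID goes into `-gp`, the GPO name or PolicyIdentifier identifies what to pass to `-gpo`, and after `gp-admin -d` has run, `gp_settings_file /var/lib/pbis/grouppolicy "$gpo" "$guid"` returns the lwisettings.xml path to edit and upload. The ID-to-GUID lookup is worth keeping because, as the page notes, the GUID is the stable identifier across platforms while the listing order can be read wrong.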
For more information, see Troubleshoot user rights with Ldp.exe and Group Policy modeling.