+++ This bug was initially created as a clone of Bug #1203642 +++
This bug is created as a clone of upstream ticket:
The GPO access control code receives the user's domain as input and uses it to look up the computer object. That doesn't work if the user is from a subdomain, because we'd miss the computer object.
We need to look up the computer object in the domain we're enrolled with. We can maybe use the GPO connection here; my initial testing shows that the attributes we're interested in are replicated to the GC.
We also need to test with a computer enrolled with a child domain and log in with a user from the parent domain to make sure the GPOs applied to the parent domain or OU are found correctly. Again, the GC might be helpful here.
This has been verified against sssd-ad-1.12.4-42.el6.x86_64
Last login: Thu Jun 11 08:55:37 2015 from daredevil.lab.runlevelone.lan
Could not chdir to home directory /home/example.com/administrator: No such file or directory
Connection to 192.168.77.99 closed.
Last login: Thu Jun 11 08:52:23 2015 from daredevil.lab.runlevelone.lan
Could not chdir to home directory /home/subdomain.example.com/administrator: No such file or directory
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.