Comment 4 for bug 1934997

I just got hit by this. While 'ad_gpo_access_control = permissive' lets users log in again, it is not ideal.

It appears that Samba AD does not create GptTmpl.inf except for policies which actually set something in "Security Settings". Hence a policy with nothing no security settings will not have the file, which will lead SSSD to get "file not found" when trying to download it and fail PAM auth.

I don't know if Samba is in the wrong here, but anyway treating GptTmpl.inf not found as "no security settings" seems like a reasonable approach.

Anyway, a deb-changelog warning for this kind of change in a minor-minor release would have been most welcome.