We see the following in /var/log/messages every 30 seconds:
"_create_rule_from_local_file: Access control update failed. Cannot resolve access control group INTERNAL.DOMAIN.COM\Linux-host01.internal.domain.com. Error 2. Group lookup will be attempted again in 30 seconds.
Nov 29 12:56:17 host01 vasd: You may want remove group INTERNAL.DOMAIN.COM\Linux-host01.internal.domain.com from your access file, it appears to be missing from the directory."
If you're using the HOSTNAME variable to form a group name in a Group Policy Object (GPO), E.g.: 'host01' is the hostname, 'Linux-host01' is the groupname in Active Directory, we can handle that. If the hostname was entered as the fully qualified, i.e., Linux-host01.internal.domain.com, then the group will appear that way in the users.allow file.
So the issue becomes how to handle the hostname variable depending on how it's entered. Your GPO will need to be edited accordingly or the hostname changed on the hosts you're deploying to.