
wbinfo doesn't show member users of a group any more

Hello, we are facing a really weird problem.

 

Sophos doesn't display a user's group in http.log

2017:08:22-09:31:30 vpn httpproxy[25653]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="172.16.28.25" dstip="216.58.202.194" user="fabio.lima" group="" ad_domain="BY7" statuscode="204" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" 

 

We have already tried a lot of things, like re-joining the domain, excluding the user, re-joining with another user, and updating Sophos to the latest version (9.503-3), but nothing works.

We also have a ticket with Sophos support, open for about 4 weeks, and it has now been escalated to the GES team.

 

We debugged this, and it seems to be a problem with winbind.

 

In user prefetch, Sophos finds the user, but doesn't put them in winbind.

 

2017:08:28-00:00:02 vpn user_prefetch[2124]: <=========================================================================
2017:08:28-00:00:02 vpn user_prefetch[2124]: Retrieving server configuration
2017:08:28-00:00:02 vpn user_prefetch[2124]: -> using internal configuration from Confd
2017:08:28-00:00:03 vpn user_prefetch[2124]: Using contexts from confd object
2017:08:28-00:00:03 vpn user_prefetch[2124]: ldap server:
2017:08:28-00:00:03 vpn user_prefetch[2124]: server: 192.168.25.225
2017:08:28-00:00:03 vpn user_prefetch[2124]: port: 389
2017:08:28-00:00:03 vpn user_prefetch[2124]: ssl: 0
2017:08:28-00:00:03 vpn user_prefetch[2124]: bind_dn: CN=sophos.ad,CN=Users,DC=by7,DC=corp
2017:08:28-00:00:03 vpn user_prefetch[2124]: update: 1
2017:08:28-00:00:03 vpn user_prefetch[2124]: contexts:
2017:08:28-00:00:03 vpn user_prefetch[2124]: CN=internet_moderado,OU=Grupos,OU=Seven IT,DC=by7,DC=corp

2017:08:28-11:56:28 vpn user_prefetch[26198]: Context 'CN=internet_moderado,OU=Grupos,OU=Seven IT,DC=by7,DC=corp' is a group. Adding group members:

2017:08:28-11:56:28 vpn user_prefetch[26198]: searching 'CN=Fabio de Lima,OU=Infraestrutura,OU=Usuarios,OU=Seven IT,DC=by7,DC=corp'

 

And as we can see below, this command doesn't show users.

 

wbinfo --group-info="internet_moderado"

internet_moderado:x:15000:

Expected:

wbinfo --group-info="internet_moderado"

internet_moderado:x:15000:user1,user2,user3,user4
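
Added example, not part of the original post: a small Python script that scans http.log records in the format quoted above and reports authenticated users whose requests were logged with an empty `group` field, plus a parser for the `wbinfo --group-info` line so an empty member list can be checked the same way. The function names and all sample lines except the first are constructed for illustration.

```python
import re
from collections import defaultdict

# key="value" pairs as they appear in the httpproxy line quoted in the post
PAIR = re.compile(r'(\w+)="([^"]*)"')

def parse_http_line(line):
    """Return the fields of one http.log access record, or None for other lines."""
    if "httpproxy[" not in line:
        return None
    fields = dict(PAIR.findall(line))
    return fields if fields.get("name") == "http access" else None

def users_without_group(lines):
    """Map DOMAIN\\user -> (requests with empty group, total requests)."""
    stats = defaultdict(lambda: [0, 0])
    for line in lines:
        f = parse_http_line(line)
        if not f or not f.get("user"):      # skip unauthenticated requests
            continue
        key = f.get("ad_domain", "") + "\\" + f["user"]
        stats[key][1] += 1
        if f.get("group", "") == "":
            stats[key][0] += 1
    # report only users that had at least one request without a group
    return {u: tuple(c) for u, c in stats.items() if c[0]}

def group_members(group_info_line):
    """Parse `wbinfo --group-info` output: name:x:gid:member,member,..."""
    name, _pw, gid, members = group_info_line.strip().split(":", 3)
    return name, int(gid), [m for m in members.split(",") if m]

# First line is taken from the post (shortened); the other two are constructed.
SAMPLE = [
    '2017:08:22-09:31:30 vpn httpproxy[25653]: id="0001" severity="info" '
    'sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" '
    'srcip="172.16.28.25" user="fabio.lima" group="" ad_domain="BY7" '
    'profile="REF_DefaultHTTPProfile (Default Web Filter Profile)"',
    '2017:08:22-09:31:31 vpn httpproxy[25653]: id="0001" name="http access" '
    'action="pass" user="user1" group="internet_moderado" ad_domain="BY7"',
    '2017:08:22-09:31:32 vpn httpproxy[25653]: id="0001" name="http access" '
    'action="pass" user="" group="" ad_domain=""',
]

if __name__ == "__main__":
    for user, (empty, total) in users_without_group(SAMPLE).items():
        print(f"{user}: {empty}/{total} requests logged without a group")
    print(group_members("internet_moderado:x:15000:"))
```
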



  • Hi

    Within AD Users and Computers, does the Authenticated Users group have Read rights on your user objects?

    By default this will be inherited, due to Authenticated Users being a member of Pre-Windows 2000 Compatible Access group (within the Built-In OU)

    Greg

  • Hello Greg, thanks for your answer.

     

    We are currently using Windows Server 2012 R2.

    The user who joins the domain in UTM is a domain admin.

    I think these privileges are right.

  • Do the group memberships display when you test a username and password on the Authentication Server object?

    I note that in my web log, I have never seen group data.

    Are you doing Active Directory membership synchronization, or just doing lookups as needed?  What firmware version?  I don't know how that information will matter, but others might.

  • Yes...

    Look:

     

    I think the problem is clearly winbind group.

    The LDAP search is OK; when we do a prefetch, it's all fine.

    2017:08:30-00:00:04 vpn user_prefetch[21279]: CN=internet_moderado,OU=Grupos,OU=Seven IT,DC=by7,DC=corp
    2017:08:30-00:00:05 vpn user_prefetch[21279]: Context 'CN=internet_moderado,OU=Grupos,OU=Seven IT,DC=by7,DC=corp' is a group. Adding group members:
    2017:08:30-00:00:05 vpn user_prefetch[21279]: CN=Rafael Scoz,OU=Infraestrutura,OU=Usuarios,OU=Seven IT,DC=by7,DC=corp
    2017:08:30-00:00:07 vpn user_prefetch[21279]: searching 'CN=Rafael Scoz,OU=Infraestrutura,OU=Usuarios,OU=Seven IT,DC=by7,DC=corp'

     

    Performing the search, it's also OK.

    vpn:/root # wbinfo --user-domgroups=$(wbinfo --name-to-sid=by7+rafael.scoz)| while read i; do echo $i;wbinfo --sid-to-name $i;done
    S-1-5-21-1686797113-2710922250-770954689-2487
    BY7+rafael.scoz 1
    S-1-5-21-1686797113-2710922250-770954689-513
    BY7+Domain Users 2
    S-1-5-21-1686797113-2710922250-770954689-1108
    BY7+Infra 2
    S-1-5-21-1686797113-2710922250-770954689-2451
    BY7+g-libera acesso Servidores 2
    S-1-5-21-1686797113-2710922250-770954689-2175
    BY7+Acesso VPN 2
    S-1-5-21-1686797113-2710922250-770954689-2408
    BY7+g-libera acesso remoto 2
    S-1-5-21-1686797113-2710922250-770954689-3175
    BY7+gitlab.infra.seg 2
    S-1-5-21-1686797113-2710922250-770954689-2178
    BY7+Sophos SUM Admins 2
    S-1-5-21-1686797113-2710922250-770954689-3170
    BY7+g-libera acesso ts 2
    S-1-5-21-1686797113-2710922250-770954689-2439
    BY7+Sophos SUM Access 2
    S-1-5-21-1686797113-2710922250-770954689-512
    BY7+Domain Admins 2
    S-1-5-21-1686797113-2710922250-770954689-2259
    BY7+Wallpaper - Geral 2
    S-1-5-21-1686797113-2710922250-770954689-2563
    BY7+wiki.infra.seg 2
    S-1-5-21-1686797113-2710922250-770954689-2564
    BY7+wiki.infra.win 2
    S-1-5-21-1686797113-2710922250-770954689-1608
    BY7+internet_moderado 2
    S-1-5-21-1686797113-2710922250-770954689-2545
    BY7+operacao 2
    S-1-5-21-1686797113-2710922250-770954689-1219
    BY7+SophosAdministrator 4
    S-1-5-21-1686797113-2710922250-770954689-572
    BY7+Denied RODC Password Replication Group 4
    S-1-5-21-1686797113-2710922250-770954689-1115
    BY7+Sophos DB Admins 4
    S-1-5-21-1686797113-2710922250-770954689-1116
    BY7+Sophos Full Administrators 4
    S-1-5-21-1686797113-2710922250-770954689-1117
    BY7+Sophos Console Administrators 4
    S-1-5-21-1686797113-2710922250-770954689-1217

     

    In this case, it is necessary to change objectSID= to the AD user's SID.

    vpn:/root # /usr/sbin/net ads --request-timeout 45 search '(&(objectClass=user)(objectSID=S-1-5-21-1686797113-2710922250-770954689-2487))' 'memberOf' -P -p 3268
    Got 1 replies

    memberOf: CN=gitlab.infra.seg,OU=Infraestrutura,OU=Usuarios,OU=Seven IT,DC=by7,DC=corp
    memberOf: CN=g-libera acesso ts,OU=Grupos,OU=Seven IT,DC=by7,DC=corp
    memberOf: CN=wiki.infra.win,OU=Infraestrutura,OU=Usuarios,OU=Seven IT,DC=by7,DC=corp
    memberOf: CN=wiki.infra.seg,OU=Infraestrutura,OU=Usuarios,OU=Seven IT,DC=by7,DC=corp
    memberOf: CN=Lista Caiu,OU=Grupos,OU=Seven IT,DC=by7,DC=corp
    memberOf: CN=operacao,CN=Users,DC=by7,DC=corp
    memberOf: CN=g-libera acesso Servidores,OU=Grupos,OU=Seven IT,DC=by7,DC=corp
    memberOf: CN=Sophos SUM Access,OU=Sophos,OU=Seven IT,DC=by7,DC=corp
    memberOf: CN=g-libera acesso remoto,OU=Grupos,OU=Seven IT,DC=by7,DC=corp
    memberOf: CN=[Grupo] - Operação,OU=Grupos,OU=Seven IT,DC=by7,DC=corp
    memberOf: CN=Wallpaper - Geral,OU=Grupos,OU=Seven IT,DC=by7,DC=corp
    memberOf: CN=Infra Seven,OU=Exchange,OU=Aplicacoes,OU=Seven IT,DC=by7,DC=corp
    memberOf: CN=Sophos SUM Admins,OU=Grupos,OU=Seven IT,DC=by7,DC=corp
    memberOf: CN=Acesso VPN,OU=Grupos,OU=Seven IT,DC=by7,DC=corp
    memberOf: CN=internet_moderado,OU=Grupos,OU=Seven IT,DC=by7,DC=corp
    memberOf: CN=Sophos Full Administrators,CN=Users,DC=by7,DC=corp
    memberOf: CN=Infra,CN=Users,DC=by7,DC=corp
    memberOf: CN=Account Operators,CN=Builtin,DC=by7,DC=corp
    memberOf: CN=Domain Admins,CN=Users,DC=by7,DC=corp

     

    To try to fix this problem, we have tried updating to the latest version: Firmware version: 9.503-3

  • Very interesting, we have exactly the same problem with one user on our UTM.
    Firmware is version 9.411-3

    Cheers Peter