Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 5 replies
  • Subscribers 6 subscribers
  • Views 14526 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

wbinfo doesn't shows member users of a group any more

Rafael Scoz

Hello, we are facing a really weird problem.

 

Sophos dont display group from a user in http.log

2017:08:22-09:31:30 vpn httpproxy[25653]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="172.16.28.25" dstip="216.58.202.194" user="fabio.lima" group="" ad_domain="BY7" statuscode="204" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" 

 

We already do alot of things, like, re-join domain, exclude user, re-join with another user, update sophos to latest version(9.503-3), but nothing work.

We also have an ticket with Sophos support, open for like 4 weaks, and it be escalonate now for GES team.

 

We got debug this, its seens to be a problem with winbind.

 

In user prefetch, sophos find the user, but dont put they on winbind.

 

2017:08:28-00:00:02 vpn user_prefetch[2124]: <=========================================================================
2017:08:28-00:00:02 vpn user_prefetch[2124]: Retrieving server configuration
2017:08:28-00:00:02 vpn user_prefetch[2124]: -> using internal configuration from Confd
2017:08:28-00:00:03 vpn user_prefetch[2124]: Using contexts from confd object
2017:08:28-00:00:03 vpn user_prefetch[2124]: ldap server:
2017:08:28-00:00:03 vpn user_prefetch[2124]: server: 192.168.25.225
2017:08:28-00:00:03 vpn user_prefetch[2124]: port: 389
2017:08:28-00:00:03 vpn user_prefetch[2124]: ssl: 0
2017:08:28-00:00:03 vpn user_prefetch[2124]: bind_dn: CN=sophos.ad,CN=Users,DC=by7,DC=corp
2017:08:28-00:00:03 vpn user_prefetch[2124]: update: 1
2017:08:28-00:00:03 vpn user_prefetch[2124]: contexts:
2017:08:28-00:00:03 vpn user_prefetch[2124]: CN=internet_moderado,OU=Grupos,OU=Seven IT,DC=by7,DC=corp

2017:08:28-11:56:28 vpn user_prefetch[26198]: Context 'CN=internet_moderado,OU=Grupos,OU=Seven IT,DC=by7,DC=corp' is a group. Adding group members:

2017:08:28-11:56:28 vpn user_prefetch[26198]: searching 'CN=Fabio de Lima,OU=Infraestrutura,OU=Usuarios,OU=Seven IT,DC=by7,DC=corp'

 

And as we can see below, this command dont show users.

 

wbinfo --group-info="internet_moderado"

internet_moderado:x:15000:

Expected:

wbinfo --group-info="internet_moderado"

internet_moderado:x:15000:user1,user2,user3,user4



This thread was automatically locked due to age.
Parents
  • 0

    Hi

    Within AD Users and Computers, does the Authenticated Users group have Read rights on your user objects?

    By default this will be inherited, due to Authenticated Users being a member of Pre-Windows 2000 Compatible Access group (within the Built-In OU)

    Greg

  • 0 in reply to GregH

    Hello Greg, thanks for your answer.

     

    We currently using windows server 2012R2

     

    the user who joins the domain  in UTM, is domain admin.

     

    I thinks this privileges is right

  • 0 in reply to Rafael Scoz

    Do the grouo memberships display when you test a username and password on the Authentication Server object?

    I note that in my web log, I have never seen group data.

    Are you doing active directory membership synchronization, or just doing loojups as needed?  What firmware version?  I don't know how that information will matter, but others might.

  • 0 in reply to DouglasFoster

    Yes...

    Look:

     

    I think the problem is clearly winbind group.

    ldap search is ok, when we do a prefetch, its all fine.

    2017:08:30-00:00:04 vpn user_prefetch[21279]: CN=internet_moderado,OU=Grupos,OU=Seven IT,DC=by7,DC=corp
    2017:08:30-00:00:05 vpn user_prefetch[21279]: Context 'CN=internet_moderado,OU=Grupos,OU=Seven IT,DC=by7,DC=corp' is a group. Adding group members:
    2017:08:30-00:00:05 vpn user_prefetch[21279]: CN=Rafael Scoz,OU=Infraestrutura,OU=Usuarios,OU=Seven IT,DC=by7,DC=corp
    2017:08:30-00:00:07 vpn user_prefetch[21279]: searching 'CN=Rafael Scoz,OU=Infraestrutura,OU=Usuarios,OU=Seven IT,DC=by7,DC=corp'

     

    Performing the search, its also ok.

    vpn:/root # wbinfo --user-domgroups=$(wbinfo --name-to-sid=by7+rafael.scoz)| while read i; do echo $i;wbinfo --sid-to-name $i;done
    S-1-5-21-1686797113-2710922250-770954689-2487
    BY7+rafael.scoz 1
    S-1-5-21-1686797113-2710922250-770954689-513
    BY7+Domain Users 2
    S-1-5-21-1686797113-2710922250-770954689-1108
    BY7+Infra 2
    S-1-5-21-1686797113-2710922250-770954689-2451
    BY7+g-libera acesso Servidores 2
    S-1-5-21-1686797113-2710922250-770954689-2175
    BY7+Acesso VPN 2
    S-1-5-21-1686797113-2710922250-770954689-2408
    BY7+g-libera acesso remoto 2
    S-1-5-21-1686797113-2710922250-770954689-3175
    BY7+gitlab.infra.seg 2
    S-1-5-21-1686797113-2710922250-770954689-2178
    BY7+Sophos SUM Admins 2
    S-1-5-21-1686797113-2710922250-770954689-3170
    BY7+g-libera acesso ts 2
    S-1-5-21-1686797113-2710922250-770954689-2439
    BY7+Sophos SUM Access 2
    S-1-5-21-1686797113-2710922250-770954689-512
    BY7+Domain Admins 2
    S-1-5-21-1686797113-2710922250-770954689-2259
    BY7+Wallpaper - Geral 2
    S-1-5-21-1686797113-2710922250-770954689-2563
    BY7+wiki.infra.seg 2
    S-1-5-21-1686797113-2710922250-770954689-2564
    BY7+wiki.infra.win 2
    S-1-5-21-1686797113-2710922250-770954689-1608
    BY7+internet_moderado 2
    S-1-5-21-1686797113-2710922250-770954689-2545
    BY7+operacao 2
    S-1-5-21-1686797113-2710922250-770954689-1219
    BY7+SophosAdministrator 4
    S-1-5-21-1686797113-2710922250-770954689-572
    BY7+Denied RODC Password Replication Group 4
    S-1-5-21-1686797113-2710922250-770954689-1115
    BY7+Sophos DB Admins 4
    S-1-5-21-1686797113-2710922250-770954689-1116
    BY7+Sophos Full Administrators 4
    S-1-5-21-1686797113-2710922250-770954689-1117
    BY7+Sophos Console Administrators 4
    S-1-5-21-1686797113-2710922250-770954689-1217

     

    In this case, necessary change objectSID= to ad user sid.

    vpn:/root # /usr/sbin/net ads --request-timeout 45 search '(&(objectClass=user)(objectSID=S-1-5-21-1686797113-2710922250-770954689-2487))' 'memberOf' -P -p 3268
    Got 1 replies

    memberOf: CN=gitlab.infra.seg,OU=Infraestrutura,OU=Usuarios,OU=Seven IT,DC=by7,DC=corp
    memberOf: CN=g-libera acesso ts,OU=Grupos,OU=Seven IT,DC=by7,DC=corp
    memberOf: CN=wiki.infra.win,OU=Infraestrutura,OU=Usuarios,OU=Seven IT,DC=by7,DC=corp
    memberOf: CN=wiki.infra.seg,OU=Infraestrutura,OU=Usuarios,OU=Seven IT,DC=by7,DC=corp
    memberOf: CN=Lista Caiu,OU=Grupos,OU=Seven IT,DC=by7,DC=corp
    memberOf: CN=operacao,CN=Users,DC=by7,DC=corp
    memberOf: CN=g-libera acesso Servidores,OU=Grupos,OU=Seven IT,DC=by7,DC=corp
    memberOf: CN=Sophos SUM Access,OU=Sophos,OU=Seven IT,DC=by7,DC=corp
    memberOf: CN=g-libera acesso remoto,OU=Grupos,OU=Seven IT,DC=by7,DC=corp
    memberOf: CN=[Grupo] - Operação,OU=Grupos,OU=Seven IT,DC=by7,DC=corp
    memberOf: CN=Wallpaper - Geral,OU=Grupos,OU=Seven IT,DC=by7,DC=corp
    memberOf: CN=Infra Seven,OU=Exchange,OU=Aplicacoes,OU=Seven IT,DC=by7,DC=corp
    memberOf: CN=Sophos SUM Admins,OU=Grupos,OU=Seven IT,DC=by7,DC=corp
    memberOf: CN=Acesso VPN,OU=Grupos,OU=Seven IT,DC=by7,DC=corp
    memberOf: CN=internet_moderado,OU=Grupos,OU=Seven IT,DC=by7,DC=corp
    memberOf: CN=Sophos Full Administrators,CN=Users,DC=by7,DC=corp
    memberOf: CN=Infra,CN=Users,DC=by7,DC=corp
    memberOf: CN=Account Operators,CN=Builtin,DC=by7,DC=corp
    memberOf: CN=Domain Admins,CN=Users,DC=by7,DC=corp

     

    To try fix this problem, we have tried to update to latest version: Firmware version: 9.503-3

  • 0 in reply to Rafael Scoz

    Very interesting, we have exactly the same problem with one user on our UTM.
    Firmware is version 9.411-3

    Cheers Peter

Reply Children
No Data