
astaro 7.500 - Active Directory Prefetch Error

hello,

(first post! after all those years! )

anyway, back to the "problem" i am experiencing.


i have my ASG joined to my domain ( windows 2008 R2 x64 using windows 2008 r2 native domain)

i can successfully pass any test that requires a username / password ( i created a specific username for my ASG , username is astaro-admin)


basically what i want to do is prefetch all my users so that i can create specific access rules based on "user privilege".

when i go to users=>authentication=>advanced

i then select my prefetch server ( ymxdc01.spsm.ca ), then in groups i select my "domain users" group. now onto the "prefetch now" button, everything works fine except that it does not find any users at all!!

2009:10:04-11:07:42 ymxgw01 user_prefetch[7237]: ------------------------------------------------------------ 
2009:10:04-11:07:42 ymxgw01 user_prefetch[7237]: Starting synchronization for adirectory 
2009:10:04-11:07:42 ymxgw01 user_prefetch[7237]: ------------------------------------------------------------ 
2009:10:04-11:07:42 ymxgw01 user_prefetch[7237]: ------------------------------------------------------------ 
2009:10:04-11:07:42 ymxgw01 user_prefetch[7237]: Searching for users 
2009:10:04-11:07:42 ymxgw01 user_prefetch[7237]: ------------------------------------------------------------ 
2009:10:04-11:07:42 ymxgw01 user_prefetch[7237]: Connecting to ldap server 
2009:10:04-11:07:42 ymxgw01 user_prefetch[7237]: ldap server: ldap://172.16.10.11:389 
2009:10:04-11:07:42 ymxgw01 user_prefetch[7237]: No group members found for group 'CN=Domain Users,CN=Users,DC=spsm,DC=ca' 
2009:10:04-11:07:42 ymxgw01 user_prefetch[7237]: ------------------------------------------------------------ 
2009:10:04-11:07:42 ymxgw01 user_prefetch[7237]: Performing ldap search: 
2009:10:04-11:07:42 ymxgw01 user_prefetch[7237]: Ldap search returned 0 users 
2009:10:04-11:07:42 ymxgw01 user_prefetch[7237]: Search time: 0m 0s 
2009:10:04-11:07:43 ymxgw01 user_prefetch[7237]: ------------------------------------------------------------ 
2009:10:04-11:07:43 ymxgw01 user_prefetch[7237]: Adding/updating users 
2009:10:04-11:07:43 ymxgw01 user_prefetch[7237]: ------------------------------------------------------------ 
2009:10:04-11:07:43 ymxgw01 user_prefetch[7237]: 0 user objects were found: 
2009:10:04-11:07:43 ymxgw01 user_prefetch[7237]: 0 users were created 
2009:10:04-11:07:43 ymxgw01 user_prefetch[7237]: 0 users were updated 
2009:10:04-11:07:43 ymxgw01 user_prefetch[7237]: 0 users are authenticated locally. 
2009:10:04-11:07:43 ymxgw01 user_prefetch[7237]: Overall time: 0m 1s 


but, if i put a user, the prefetch will complete successfully and will be listed in my users tab.


any help would be greatly appreciated.

wizardz


  • Yes - wizards is correct. I have never been able to use the default domain user group - just does not work. I ended up creating a new group called Allow Proxy Internet and put the Domain User group in there - that should work just fine for you. Maybe you have done this already....
  • Thanks,

    will create a group containing the group "domain users".

    (just migrated from eDir which doesn't allow nested groups so didn't think of this solution [:$])

    Ed
  • Ohoh, cheered too soon. Doesn't work:

    2009:11:02-08:04:26 RM-HQ-AST user_prefetch[16286]:  using internal configuration from Confd
    
    2009:11:02-08:04:26 RM-HQ-AST user_prefetch[16286]: Using contexts from confd object
    2009:11:02-08:04:26 RM-HQ-AST user_prefetch[16286]: ldap server:
    2009:11:02-08:04:26 RM-HQ-AST user_prefetch[16286]: server: 192.168.10.1
    2009:11:02-08:04:26 RM-HQ-AST user_prefetch[16286]: port: 389
    2009:11:02-08:04:26 RM-HQ-AST user_prefetch[16286]: ssl: 0
    2009:11:02-08:04:26 RM-HQ-AST user_prefetch[16286]: bind_dn: Administrator
    2009:11:02-08:04:26 RM-HQ-AST user_prefetch[16286]: update: 0
    2009:11:02-08:04:26 RM-HQ-AST user_prefetch[16286]: contexts:
    2009:11:02-08:04:26 RM-HQ-AST user_prefetch[16286]: CN=Astaro Prefetch,OU=Groups,DC=RaetsMarine,DC=local
    2009:11:02-08:04:26 RM-HQ-AST user_prefetch[16286]: ------------------------------------------------------------
    2009:11:02-08:04:26 RM-HQ-AST user_prefetch[16286]: Starting synchronization for adirectory
    2009:11:02-08:04:26 RM-HQ-AST user_prefetch[16286]: ------------------------------------------------------------
    2009:11:02-08:04:26 RM-HQ-AST user_prefetch[16286]: ------------------------------------------------------------
    2009:11:02-08:04:26 RM-HQ-AST user_prefetch[16286]: Searching for users
    2009:11:02-08:04:26 RM-HQ-AST user_prefetch[16286]: ------------------------------------------------------------
    2009:11:02-08:04:26 RM-HQ-AST user_prefetch[16286]: Connecting to ldap server
    2009:11:02-08:04:26 RM-HQ-AST user_prefetch[16286]: ldap server: ldap://192.168.10.1:389
    2009:11:02-08:04:27 RM-HQ-AST user_prefetch[16286]: Context 'CN=Astaro Prefetch,OU=Groups,DC=RaetsMarine,DC=local' is a group. Adding group members:
    2009:11:02-08:04:27 RM-HQ-AST user_prefetch[16286]: CN=Domain Users,CN=Users,DC=RaetsMarine,DC=local
    2009:11:02-08:04:27 RM-HQ-AST user_prefetch[16286]: ------------------------------------------------------------
    2009:11:02-08:04:27 RM-HQ-AST user_prefetch[16286]: Performing ldap search:
    2009:11:02-08:04:27 RM-HQ-AST user_prefetch[16286]: searching 'CN=Domain Users,CN=Users,DC=RaetsMarine,DC=local'
    2009:11:02-08:04:27 RM-HQ-AST user_prefetch[16286]: Ldap search returned 0 users
    2009:11:02-08:04:27 RM-HQ-AST user_prefetch[16286]: Search time: 0m 0s
    2009:11:02-08:04:27 RM-HQ-AST user_prefetch[16286]: ------------------------------------------------------------
    2009:11:02-08:04:27 RM-HQ-AST user_prefetch[16286]: Adding/updating users
    2009:11:02-08:04:27 RM-HQ-AST user_prefetch[16286]: ------------------------------------------------------------
    2009:11:02-08:04:27 RM-HQ-AST user_prefetch[16286]: 0 user objects were found:
    2009:11:02-08:04:27 RM-HQ-AST user_prefetch[16286]: 0 users were created
    2009:11:02-08:04:27 RM-HQ-AST user_prefetch[16286]: 0 users were updated
    2009:11:02-08:04:27 RM-HQ-AST user_prefetch[16286]: 0 users are authenticated locally.
    2009:11:02-08:04:27 RM-HQ-AST user_prefetch[16286]: Overall time: 0m 1s 
  • Hey All,

    I was playing around and seem to have found the problem... I have no idea about a fix (maybe the gods upstairs will take care of that?) but there is a simple (if tedious) workaround

    The problem seems to be that astaro will not recognize the group membership of a user (and therefore not fetch said user) if that group is indicated as the "Primary Group" in the AD. This is some sort of POSIX legacy thing with Windows that I don't understand and always left alone (my only AD environment is basically for learning/testing so the structure is small and simple, most users are only members of one group). Regardless, the workaround I've applied is to create a dummy group with no security permissions, add all users to that group and set this group as their primary. Astaro then recognizes all the correct group membership and will pull all the right users.
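
Added example, not part of any post in this thread and not Astaro's code: in Active Directory a user's primary group is recorded on the user as `primaryGroupID` (the RID of the group's SID; 513 for Domain Users) and does not appear in the group's `member` attribute, so a resolver that only follows `member` finds nobody. The sketch below expands a nested group both ways over a constructed in-memory directory; the DNs, the SID and the function names are assumptions made for illustration.

```python
# Constructed sample directory (not from the thread): DN -> attributes.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # placeholder SID
DU = "CN=Domain Users,CN=Users,DC=example,DC=local"
PREFETCH = "CN=Prefetch,OU=Groups,DC=example,DC=local"
HELPDESK = "CN=Helpdesk,OU=Groups,DC=example,DC=local"
ALICE = "CN=alice,CN=Users,DC=example,DC=local"
BOB = "CN=bob,CN=Users,DC=example,DC=local"
DIRECTORY = {
    # Every user has Domain Users as primary group, yet 'member' is empty.
    DU: {"objectClass": "group", "objectSid": DOMAIN_SID + "-513", "member": []},
    # Wrapper group nesting Domain Users, as tried in the thread.
    PREFETCH: {"objectClass": "group", "objectSid": DOMAIN_SID + "-1105",
               "member": [DU]},
    HELPDESK: {"objectClass": "group", "objectSid": DOMAIN_SID + "-1106",
               "member": [ALICE]},
    ALICE: {"objectClass": "user", "primaryGroupID": 513},
    BOB: {"objectClass": "user", "primaryGroupID": 513},
}

def rid(sid):
    """Relative identifier: the last sub-authority of a SID string."""
    return int(sid.rsplit("-", 1)[1])

def primary_group_filter(group_dn, directory):
    """LDAP filter matching users whose primary group is group_dn."""
    group_rid = rid(directory[group_dn]["objectSid"])
    return "(&(objectClass=user)(primaryGroupID=%d))" % group_rid

def resolve_users(group_dn, directory, use_primary=True, _seen=None):
    """Expand a group to user DNs: nested 'member' values, plus
    (optionally) users whose primaryGroupID points at the group."""
    seen = _seen if _seen is not None else set()
    if group_dn in seen:  # guard against circular nesting
        return set()
    seen.add(group_dn)
    users = set()
    for dn in directory[group_dn]["member"]:
        if directory[dn]["objectClass"] == "group":
            users |= resolve_users(dn, directory, use_primary, seen)
        else:
            users.add(dn)
    if use_primary:
        group_rid = rid(directory[group_dn]["objectSid"])
        users |= {dn for dn, e in directory.items()
                  if e["objectClass"] == "user"
                  and e.get("primaryGroupID") == group_rid}
    return users
```

With `use_primary=False` the wrapper group resolves to zero users, matching the "Ldap search returned 0 users" lines in the logs above; the same gap affects any access rule or membership review that relies on `member` alone.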
  • that's interesting,

    i haven't got time to test Whity's solution yet..my box died a few weeks ago, and being in the process of building a new house...well..that sums it up.

    i was able to make it work, even without setting the "primary" group, just a group that i wanted users to be prefetched. and then prefetch that specific group.