Today I have an issue with ONE user who can successfully log in (I use Active Directory authentication and authorization via winbind / Kerberos), but the role mapping does not work. The user is a member of an AD group, but IVE won't map that user (and ONLY that user) to the proper role.
Policy trace shows me:
GetUserGroups: Finding user sid of user failed. user 'smith' does not exist
But if the user does not exist, why can he log in successfully to IVE?
The user account exists in Active Directory, and the user IS in the proper AD group.
Hm? Does anyone have any idea what is wrong with THIS user, while dozens of other users can be authorized without any issue?
New information: it's not only one user, it's all users from one special trusted domain in our big domain forest.
But with all other trusted domains it works great, so it has something to do with this one trusted domain. I created a workaround with a role mapping rule based on "Username"; when I find out what is causing the issue, I will post here.
These users are all able to authenticate; the problem is only AUTHORIZATION based on winbind / Kerberos, and the problem only occurs with users from ONE of these trusted domains. For some reason IVE cannot find the group membership of users from this domain, but it CAN authenticate the users' domain username / domain password.
I use a special service account in AD which has the proper rights to create objects and do the queries in AD.
But that's not an admin account in that trusted domain. Trusted domains are managed by other admins.
It has worked with all other trusted domains so far; the problem only occurs with users from this one trusted domain.
By the way, the Lithium format of this forum sucks a little bit. Why does Juniper not use a "normal, well-known" forum format like the one they use on www.juniperforum.com? It would be easier to handle for the users who want to participate in this forum.
On this Lithium forum, pages take some seconds to open, and each time I want to post something, I have to log in, and then I am not on the thread page where I want to post, but have to click several times and wait some seconds to type my answer.
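The failure described in this thread (Kerberos authentication succeeds, but the winbind group lookup for users of one trusted domain fails with "Finding user sid of user failed") can be reproduced step by step outside the appliance. The script below is an added example, not from the post or from Juniper; it assumes a Samba/winbind domain-member host with `wbinfo` available, and `DOMAIN` / `USER` are placeholders for the affected trusted domain and one of its users.

```shell
#!/bin/sh
# Added diagnostic (not the IVE's own code): walk the winbind lookups that
# AD group-based role mapping depends on, for one user in one trusted domain,
# and stop at the first step that fails. Usage:
#   check_trusted_domain_groups DOMAIN USER

# Extract the SID from a 'wbinfo -n' answer such as
# "S-1-5-21-1-2-3-1001 SID_USER (1)". Pure text helper, no winbind needed.
sid_from_lookup() {
    printf '%s\n' "$1" | awk '{print $1}'
}

# Does the value look like a SID rather than an error message?
is_sid() {
    case "$1" in
        S-1-*) return 0 ;;
        *)     return 1 ;;
    esac
}

check_trusted_domain_groups() {
    dom="$1"; user="$2"

    # 1. Is the trust visible to winbind at all? (one NetBIOS name per line)
    if ! wbinfo -m | grep -qix "$dom"; then
        echo "FAIL: winbind does not list '$dom' as a trusted domain"; return 1
    fi
    # 2. Can winbind reach a domain controller of that trusted domain?
    if ! wbinfo --ping-dc --domain="$dom" >/dev/null 2>&1; then
        echo "FAIL: no DC of '$dom' reachable (DNS, firewall or trust secret)"; return 2
    fi
    # 3. Name -> SID: the step behind "Finding user sid of user failed".
    #    Authentication can still work when this fails, because Kerberos
    #    does not need the SID, but group lookup does.
    lookup=$(wbinfo -n "$dom\\$user") || {
        echo "FAIL: name->SID lookup for $dom\\$user"; return 3; }
    sid=$(sid_from_lookup "$lookup")
    is_sid "$sid" || { echo "FAIL: unexpected answer: $lookup"; return 3; }
    echo "user SID: $sid"
    # 4. SID -> group SIDs, then resolve each back to a name. Groups that
    #    stay unresolvable here will not be usable in a role mapping rule.
    wbinfo --user-sids="$sid" | while read -r gsid; do
        name=$(wbinfo -s "$gsid" 2>/dev/null) || name='(unresolvable)'
        printf '%s -> %s\n' "$gsid" "$name"
    done
}
```

Compare the output for a user from a working trusted domain with one from the failing domain; the first step that differs is where the role mapping breaks.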