cancel
Showing results for 
Search instead for 
Did you mean: 

Winbind Autorization - strange issue with ONE user from Active Directory

Contributor

Winbind Autorization - strange issue with ONE user from Active Directory

Hi

today i have an issue with ONE user who can successfully log in (I use Active Directory Auth. and Autorization via winbind / kerberos) but the Rolemapping does not work. The user is member of a AD-Group, but IVE wont map that user (and ONLY that user) to the proper role.

Policy trace shows me:

GetUserGroups: Finding user sid of user failed. user 'smith' does not exist

But - when user does not exist, why he can log in successfully to IVE?

The user account exists in Active Directory, and the user IS in the proper AD-Group.

Hm? Does anyone have any idea what is wrong with THIS user, while dozend of other users can be autorized without any issue?

4 REPLIES 4
Respected Contributor

Re: Winbind Autorization - strange issue with ONE user from Active Directory

Was this user migrated from another domain? Has this user ever been able to successfully authenticate? Is the user account a member of many more groups than other users? If you create a duplicate of the user, is the duplicate account able to login successfully? If you delete the user account from the IVE, is the user then able to successfully login? (Please note that if you delete the user, any customizations will be lost.)
Contributor

Re: Winbind Autorization - strange issue with ONE user from Active Directory

New information - its not only one user, its all users from one special trusted domain from our big domain forest.

But with all other trusted domains it works great. So it has something with this one trusted domain - i created a workaround with rolemapping rule based on "Username", when i find out what is causing the issue, i will post here.

These users are all able to authenticate - the problem is only AUTORIZATION based on winbind / kerberos, but only problem occurs with users from ONE of these trusted domains. For any reason ive can not find the groupmembership of users from this domain, but it CAN authenticate the users domainusername / domainpassword.

Message Edited by dusannovakovic on 02-28-2008 09:11 PM
Respected Contributor

Re: Winbind Autorization - strange issue with ONE user from Active Directory

Is the admin username on the AD/NT server configuration page an admin on this specific domain as well?
Does the failure happen on all groups from the domain, as it sounds?
Users are logging in as domain\username?
Contributor

Re: Winbind Autorization - strange issue with ONE user from Active Directory

I use a special service account in AD which has the proper rights to create objects and do the queries in AD.

But thats not an adminaccount in that trusted domain. Trusted domains are managed by other admins.

It works with all other trusted domains till now - the problem only occures with users from this one trusted domain.

By the way - the Lithium format of this forum sucks little bit. Why juniper does not use a "normal,well known" forum format like they use it on www.juniperforum.com? Its would be easier to handle for the users who want to participiate on this forum.

On this lithium-forum, pages take some seconds to open, and each time i want to post something, i have to login, and then i am not on that threat-side where i want to post, but i have to click several clicks and wait some seconds to type my answer.

Message Edited by dusannovakovic on 02-28-2008 10:07 PM