topic Re: Clientless User-ID problem in General Topics

Clientless User-ID problem

santonic — Mon, 07 Apr 2014 08:56:58 GMT

Hello.

When debugging clientless User-ID I've noticed a strange entry in useridd.log log file. I'm trying to connect to 2 AD servers.

It says:

2014-04-07 10:44:09.875 +0200 Error: pan_user_id_win_log_query(pan_user_id_win.c:1319): log query for server1.xyz.aa failed: [lib/socket/interface.c:212:load_in

terfaces()] ERROR: Could not determine network interfaces, you must use a interfaces config line

I can't find any info about this entry. Any ideas what does it mean?

For 2nd server I'm getting more usual error message:

2014-04-07 10:51:54.723 +0200 Error: pan_user_id_win_log_query(pan_user_id_win.c:1319): log query for server2.xyz.aa failed: [wmi/wmic.c:200:main()] ERROR: Log

in to remote object.

Both are of course listed as 'access denied'. Both servers are reachable and in same network. I'm pretty certain 2nd error means insufficient rights on user credentials. But 1st error looks strange and I can't find any info about it.

Any ideas?

Re: Clientless User-ID problem

_slv_ — Mon, 07 Apr 2014 10:21:39 GMT

First question, are You able to ping from CLI to your AD servers? if not - You must configure Device>Setup>Services>Service Route Configuration

Re: Clientless User-ID problem

santonic — Mon, 07 Apr 2014 11:57:54 GMT

Yep, i can resolve both names and ping them both. I already checked Service Route Configuration and everything is on default.

Re: Clientless User-ID problem

dpalani — Mon, 07 Apr 2014 13:38:08 GMT

As a test use a domain admin account, the first error message speaks of [lib/socket/interface.c:212:load_interfaces()] ERROR ===> To me it looks like its unable to open a socket for connection, restart the useridd agent should take of it since it would teardown and open new sockets.

Please let me know if that helps.

- Deepak

Re: Clientless User-ID problem

santonic — Thu, 10 Apr 2014 13:57:16 GMT

Hello.

I deleted the servers, discovered them again, re-entered the credentials and didn't get the same error again. Customer has also been changing rights on user account so I'm not sure what solved the issue. However it would be good to get some explanation about what that error message actually means and how to solve it if it happens again.

Right now I am encountering situation, where PA is able to connect to one of 2 AD servers and is getting 'access denied' for the other. The user has domain admin rights, both servers are in same domain and in the same network. So i can only assume that their AD cluster has some issues. Has anyone encountered similar situation?

Best regards,

Simon

Re: Clientless User-ID problem

_slv_ — Thu, 10 Apr 2014 16:55:08 GMT

Hi Simon

Please create dedicated AD user for PAN very carefully according to manual of User-ID, this part is very important, also configuration of domain controllers (rights for this user).

Reagrds

Slawek

Re: Clientless User-ID problem

Retired Member — Thu, 10 Apr 2014 20:12:18 GMT

Check this

https://live.paloaltonetworks.com/docs/DOC-5404

I saw a case even domain admin did not work and we created a user with the above rights.And it worked.

This was because some changes has been done on DC(for admin accoıunt) in the past.Maybe it will work for you too.

Re: Clientless User-ID problem

santonic — Mon, 14 Apr 2014 08:03:01 GMT

Yep, we started with dedicated user with only required permissions according to PA guide. However customer has 2003 AD and 'event reader' groups is not present there. So instead of going through specific procedure for 2003 AD permissions (also described in one of the PA guides), the customer decided to give domain admin rights to the user.