https://live.paloaltonetworks.com/t5/general-topics/4-1-7-problem-with-domain-users-enumeration-persists/m-p/6783#M4977 <HTML><HEAD></HEAD><BODY><P>Support did resolve the issue.&nbsp; Apparently there are multiple ways to setup the domain, and one way works better than the other.&nbsp; Basically, create only one LDAP mapping per domain, and then import all the groups you desire through the single mapping.&nbsp; Do not create a single mapping per LDAP group.</P></BODY></HTML> Mon, 29 Oct 2012 19:51:45 GMT EdwinD 2012-10-29T19:51:45Z https://live.paloaltonetworks.com/t5/general-topics/4-1-7-problem-with-domain-users-enumeration-persists/m-p/6781#M4975 <HTML><HEAD></HEAD><BODY><P>I am running PanOS 4.1.7 on a pair of HA 2050's which use direct LDAP connectivity to multiple AD servers for group membership.&nbsp;&nbsp; I also have the UaInstall-4.1.5-1.MSI 4.1.5 user to IP agents running on my DCs.&nbsp; I do not have the group membership coming from the user to IP agent running on the servers.&nbsp; I have the 2050's enumerating group membership directly from the AD LDAP servers, using the global connection port 5007 from the Firewall to the AD servers.</P><P></P><P>I upgrade from 4.1.5 to 4.1.7 because I am aware of the known issue in 4.1.5 with "Domain Users" not being properly enumerated.&nbsp;&nbsp; However, this problem just re-occurred in 4.1.7 to some extent. The end result is that 90% of my users no longer had Internet access.</P><P></P><P>When I ran the command</P><P>show user user-IDs | match someuser</P><P>I got no results.&nbsp;&nbsp; This problem lasted for over an hour.&nbsp; I have group membership refresh set to 360 seconds.&nbsp; I had to commit the firewall policy multiple times for the group membership to work enumerate correctly.&nbsp; Other groups were enumerating fine.</P><P></P><P>I would like to suggest that there is still a bug in this code in 4.1.7.&nbsp;&nbsp; For the time being I have created a new active directory group that isn't special like "domain users" is, and I have added all my domain users to it.</P></BODY></HTML> Fri, 17 Aug 2012 00:28:08 GMT https://live.paloaltonetworks.com/t5/general-topics/4-1-7-problem-with-domain-users-enumeration-persists/m-p/6781#M4975 EdwinD 2012-08-17T00:28:08Z https://live.paloaltonetworks.com/t5/general-topics/4-1-7-problem-with-domain-users-enumeration-persists/m-p/6782#M4976 <HTML><HEAD></HEAD><BODY><P>Hi EdwinD,</P><P></P><P>We have been able to successfully pull members of the 'Domain Users' using 4.1.7. Perhaps the issue is unique to your environment.</P><P></P><P>In order to force a full group membership refresh(as opposed to incremental), the following command can be run:</P><P>&gt; debug user-id reset group-mapping all</P><P></P><P>Please open a case with support for further investigation if you haven't already done so.</P><P></P><P>- Stefan</P></BODY></HTML> Sat, 27 Oct 2012 00:36:32 GMT https://live.paloaltonetworks.com/t5/general-topics/4-1-7-problem-with-domain-users-enumeration-persists/m-p/6782#M4976 sspringer 2012-10-27T00:36:32Z https://live.paloaltonetworks.com/t5/general-topics/4-1-7-problem-with-domain-users-enumeration-persists/m-p/6783#M4977 <HTML><HEAD></HEAD><BODY><P>Support did resolve the issue.&nbsp; Apparently there are multiple ways to setup the domain, and one way works better than the other.&nbsp; Basically, create only one LDAP mapping per domain, and then import all the groups you desire through the single mapping.&nbsp; Do not create a single mapping per LDAP group.</P></BODY></HTML> Mon, 29 Oct 2012 19:51:45 GMT https://live.paloaltonetworks.com/t5/general-topics/4-1-7-problem-with-domain-users-enumeration-persists/m-p/6783#M4977 EdwinD 2012-10-29T19:51:45Z