04-07-2014 01:56 AM
Hello.
When debugging clientless User-ID I've noticed a strange entry in useridd.log log file. I'm trying to connect to 2 AD servers.
It says:
2014-04-07 10:44:09.875 +0200 Error: pan_user_id_win_log_query(pan_user_id_win.c:1319): log query for server1.xyz.aa failed: [lib/socket/interface.c:212:load_in
terfaces()] ERROR: Could not determine network interfaces, you must use a interfaces config line
I can't find any info about this entry. Any ideas what does it mean?
For 2nd server I'm getting more usual error message:
2014-04-07 10:51:54.723 +0200 Error: pan_user_id_win_log_query(pan_user_id_win.c:1319): log query for server2.xyz.aa failed: [wmi/wmic.c:200:main()] ERROR: Log
in to remote object.
Both are of course listed as 'access denied'. Both servers are reachable and in same network. I'm pretty certain 2nd error means insufficient rights on user credentials. But 1st error looks strange and I can't find any info about it.
Any ideas?
04-07-2014 04:57 AM
Yep, i can resolve both names and ping them both. I already checked Service Route Configuration and everything is on default.
04-07-2014 06:38 AM
As a test use a domain admin account, the first error message speaks of [lib/socket/interface.c:212:load_interfaces()] ERROR ===> To me it looks like its unable to open a socket for connection, restart the useridd agent should take of it since it would teardown and open new sockets.
Please let me know if that helps.
- Deepak
04-10-2014 06:57 AM
Hello.
I deleted the servers, discovered them again, re-entered the credentials and didn't get the same error again. Customer has also been changing rights on user account so I'm not sure what solved the issue. However it would be good to get some explanation about what that error message actually means and how to solve it if it happens again.
Right now I am encountering situation, where PA is able to connect to one of 2 AD servers and is getting 'access denied' for the other. The user has domain admin rights, both servers are in same domain and in the same network. So i can only assume that their AD cluster has some issues. Has anyone encountered similar situation?
Best regards,
Simon
04-10-2014 09:55 AM
Hi Simon
Please create dedicated AD user for PAN very carefully according to manual of User-ID, this part is very important, also configuration of domain controllers (rights for this user).
Reagrds
Slawek
04-10-2014 01:12 PM
Check this
https://live.paloaltonetworks.com/docs/DOC-5404
I saw a case even domain admin did not work and we created a user with the above rights.And it worked.
This was because some changes has been done on DC(for admin accoıunt) in the past.Maybe it will work for you too.
04-14-2014 01:03 AM
Yep, we started with dedicated user with only required permissions according to PA guide. However customer has 2003 AD and 'event reader' groups is not present there. So instead of going through specific procedure for 2003 AD permissions (also described in one of the PA guides), the customer decided to give domain admin rights to the user.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
