problem with group membership display in PAN-OS 5.0


L1 Bithead

I use the command "show user group name domain\domain users", and the response from the firewall is "User group 'domain\domain users' does not exist or does not have members".

"Domain users" is the default group for new users, so I think there may be an error in the group membership display on the PA firewall. The PAN-OS version I use is 5.0.8.

8 REPLIES

L1 Bithead

I also tried "show user group name "cn=domain users,cn=users,dc=xxx,dc=local"" and got the same error: User group 'cn=domain users,cn=users,dc=xxx,dc=local' does not exist or does not have members. I am sure some users are included in this group.

Hello ZongguoWei,

If you don't have many user groups, could you please provide me with the output of

> show user group list

> show user group-mapping state all

Thanks and regards,
Kunal Adak

L4 Transporter

Hello,

Please follow this document and ensure the device is correctly configured to pull groups from the LDAP server.

How to Configure Group Mapping settings?

CLI commands to check the groups retrieved and connection to the LDAP server:

> show user group-mapping state all  // shows the connection to the LDAP server and must show the 'domain users' group as retrieved.


Thanks,

Aditi

Hi, here is the output:

show user group list

cn=administrators,cn=builtin,dc=xxx,dc=local
cn=domain admins,cn=users,dc=xxx,dc=local
cn=users,cn=builtin,dc=xxx,dc=local
cn=webaccess,ou=slls- user groups,dc=xxx,dc=local
cn=fullinternetaccess,ou=xxx- user groups,dc=xxx,dc=local
cn=domain users,cn=users,dc=xxx,dc=local
cn=guests,cn=builtin,dc=xxx,dc=local
cn=domain guests,cn=users,dc=xxx,dc=local
cn=dnsadmins,cn=users,dc=xxx,dc=local

I have masked the real domain information and replaced it with xxx.

Also:

show user group-mapping state all

Group Mapping(vsys1, type: active-directory): xxx
        Bind DN    : xxx@xxx.LOCAL
        Base       : DC=xxx,DC=LOCAL
        Group Filter: (None)
        User Filter: (None)
        Servers    : configured 2 servers
                10.227.1.1(389)
                        Last Action Time: 29 secs ago(took 0 secs)
                        Next Action Time: In 31 secs
                10.227.1.2(389)
        Number of Groups: 7
        cn=users,cn=builtin,dc=xxx,dc=local
        cn=guests,cn=builtin,dc=xxx,dc=local
        cn=domain users,cn=users,dc=xxx,dc=local
        cn=domain admins,cn=users,dc=xxx,dc=local
        cn=domain guests,cn=users,dc=xxx,dc=local
        cn=dnsadmins,cn=users,dc=xxx,dc=local
        cn=administrators,cn=builtin,dc=xxx,dc=local

I want to know what happens when I use the command "debug user-id refresh/reset group-mapping all".
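The state output posted above is the thing to check when "show user group name" reports no members: the profile must list the group DN as retrieved and at least one server must have completed a poll. This is an added example (not PAN-OS code or anything from this thread's posters) that parses that output, assuming the exact layout shown in the post; the sample text is constructed from the post with its xxx placeholders kept.

```python
import re

# Constructed sample: the "show user group-mapping state all" output posted in this thread, xxx kept.
SAMPLE_STATE = """\
Group Mapping(vsys1, type: active-directory): xxx
        Bind DN    : xxx@xxx.LOCAL
        Base       : DC=xxx,DC=LOCAL
        Group Filter: (None)
        User Filter: (None)
        Servers    : configured 2 servers
                10.227.1.1(389)
                        Last Action Time: 29 secs ago(took 0 secs)
                        Next Action Time: In 31 secs
                10.227.1.2(389)
        Number of Groups: 7
        cn=users,cn=builtin,dc=xxx,dc=local
        cn=guests,cn=builtin,dc=xxx,dc=local
        cn=domain users,cn=users,dc=xxx,dc=local
        cn=domain admins,cn=users,dc=xxx,dc=local
        cn=domain guests,cn=users,dc=xxx,dc=local
        cn=dnsadmins,cn=users,dc=xxx,dc=local
        cn=administrators,cn=builtin,dc=xxx,dc=local
"""

def parse_group_mapping_state(text):
    """Parse the profile block: which servers were polled and which group DNs came back."""
    state = {"servers": [], "groups": [], "declared_count": None}
    for line in text.splitlines():
        s = line.strip()
        if re.match(r"^\d{1,3}(\.\d{1,3}){3}\(\d+\)$", s):      # server entry, e.g. 10.227.1.1(389)
            state["servers"].append({"addr": s, "polled": False})
        elif s.startswith("Last Action Time:") and state["servers"]:
            state["servers"][-1]["polled"] = True        # this server has actually been queried
        elif s.startswith("Number of Groups:"):
            state["declared_count"] = int(s.split(":", 1)[1])
        elif s.lower().startswith("cn="):
            state["groups"].append(s.lower())            # DNs are compared case-insensitively
    return state

def check_group(state, group_dn):
    """Return findings explaining why 'show user group name <dn>' might report no members."""
    findings = []
    if state["declared_count"] != len(state["groups"]):
        findings.append("group count mismatch")
    if group_dn.lower() not in state["groups"]:
        findings.append("group not retrieved by group mapping")
    if not any(srv["polled"] for srv in state["servers"]):
        findings.append("no server has completed a poll")
    return findings
```

For the posted output, "cn=domain users,cn=users,dc=xxx,dc=local" yields no findings, which is why the thread moves on to the refresh/reset commands and the 5.0.x release notes rather than the LDAP connection.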

Hello ZongguoWei,

>debug user-id refresh group-mapping all  (non-intrusive command)

This command will only fetch the delta/difference from the Active Directory.


> debug user-id reset group-mapping all  (intrusive command)

This command will query the Active Directory server to re-build the user-group mappings from scratch.


How does the reverse lookup work? I mean, do the groups show up when you do a lookup for a username?


The command you would use to do that would be:

> show user user-IDs match-user jdoe



Thanks and regards,

Kunal Adak

L5 Sessionator

Hello,

Issue the command below:

>show user group name ?

It will show a list of group names.

Issue the above command again, replacing ? with the group name as it is displayed.

Regards,

Hari Yadavalli

Yes, I have tried this command. It displays as below:

    show user group name ?

  <value>  Show group's members

If I type a group name such as xxx\xxx or "cn=xxx, cn=xxx,dc=xxx,dc=xxx", it will display: "User group 'xxx\xxx' does not exist or does not have members"

I have done another test. I unchecked the "enable" option in the group mapping list and committed the configuration, then re-selected the option and clicked the "commit" link. After this, when I use the command "show user group name ?", many user group names are displayed.

If I use the command "debug user-id refresh/reset group-mapping all", the "?" does not display any group name.

I don't know how it works.

From the PAN-OS 5.0.10 fixes log:

57816—Groups were not displayed in the Allow List dropdown selection of an Authentication Profile. This was due to changes made for an issue addressed in PAN-OS 5.0.7 (49237). This issue has been fixed so that groups are displayed in the Allow List dropdown selection of an Authentication Profile for single-vsys devices.

Maybe it will be useful for you.

Regards

SLawek
