4.1.7 Problem with Domain Users enumeration persists.

L3 Networker

I am running PanOS 4.1.7 on a pair of HA 2050s which use direct LDAP connectivity to multiple AD servers for group membership. I also have the UaInstall-4.1.5-1.MSI 4.1.5 user to IP agents running on my DCs. I do not have the group membership coming from the user to IP agent running on the servers. I have the 2050s enumerating group membership directly from the AD LDAP servers, using the global connection port 5007 from the firewall to the AD servers.

I upgraded from 4.1.5 to 4.1.7 because I am aware of the known issue in 4.1.5 with "Domain Users" not being properly enumerated. However, this problem just recurred in 4.1.7 to some extent. The end result is that 90% of my users no longer had Internet access.

When I ran the command

show user user-IDs | match someuser

I got no results. This problem lasted for over an hour. I have group membership refresh set to 360 seconds. I had to commit the firewall policy multiple times for the group membership to enumerate correctly. Other groups were enumerating fine.

I would like to suggest that there is still a bug in this code in 4.1.7. For the time being I have created a new Active Directory group that isn't special like "Domain Users" is, and I have added all my domain users to it.
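The post above calls "Domain Users" a special group without saying why. The following is an added example, not code from the thread, Palo Alto Networks or any product: it models offline the standard Active Directory behaviour (an assumption stated here, not in the thread) that membership in a user's primary group, by default "Domain Users" with RID 513, is recorded only in the user's primaryGroupID attribute, so the group's own `member` attribute and the user's `memberOf` never list it. An enumeration that walks only `member`/`memberOf` therefore sees an empty "Domain Users", which is the kind of gap an administrator would want to check for. All directory entries, DNs and SIDs below are constructed sample data, and the function names are hypothetical.

```python
"""
Added example (not from the forum thread): an offline model of why
"Domain Users" needs primaryGroupID handling to enumerate correctly.

Assumption (standard AD behaviour, not stated in the thread): a user's
membership in the domain's primary group is stored only in the user's
primaryGroupID attribute, as the RID of that group. The group's `member`
attribute and the user's `memberOf` do not list it.
"""

# Constructed sample directory (DN -> attributes). SIDs are illustrative.
DOMAIN_SID = "S-1-5-21-111-222-333"

DIRECTORY = {
    "CN=Domain Users,CN=Users,DC=example,DC=com": {
        "objectClass": "group",
        "objectSid": f"{DOMAIN_SID}-513",
        "member": [],  # empty: primary-group members are not listed here
    },
    "CN=Web Access,OU=Groups,DC=example,DC=com": {
        "objectClass": "group",
        "objectSid": f"{DOMAIN_SID}-1105",
        "member": ["CN=alice,CN=Users,DC=example,DC=com"],
    },
    "CN=alice,CN=Users,DC=example,DC=com": {
        "objectClass": "user",
        "sAMAccountName": "alice",
        "primaryGroupID": 513,
        "memberOf": ["CN=Web Access,OU=Groups,DC=example,DC=com"],
    },
    "CN=bob,CN=Users,DC=example,DC=com": {
        "objectClass": "user",
        "sAMAccountName": "bob",
        "primaryGroupID": 513,
        "memberOf": [],
    },
}


def members_via_member_attribute(directory, group_dn):
    """Naive enumeration: trust only the group's `member` attribute."""
    return sorted(
        directory[dn]["sAMAccountName"]
        for dn in directory[group_dn].get("member", [])
    )


def group_rid(directory, group_dn):
    """The RID is the last dash-separated component of the group's objectSid."""
    return int(directory[group_dn]["objectSid"].rsplit("-", 1)[1])


def members_with_primary_group(directory, group_dn):
    """Complete enumeration: `member` entries plus every user whose
    primaryGroupID equals this group's RID."""
    rid = group_rid(directory, group_dn)
    names = set(members_via_member_attribute(directory, group_dn))
    for attrs in directory.values():
        if attrs.get("objectClass") == "user" and attrs.get("primaryGroupID") == rid:
            names.add(attrs["sAMAccountName"])
    return sorted(names)


def missing_primary_group_members(directory, group_dn):
    """Users that a member-attribute-only enumeration silently drops.
    A non-empty result for a group used in firewall policy is the
    condition worth alerting on."""
    naive = set(members_via_member_attribute(directory, group_dn))
    full = set(members_with_primary_group(directory, group_dn))
    return sorted(full - naive)


if __name__ == "__main__":
    for dn, attrs in DIRECTORY.items():
        if attrs["objectClass"] == "group":
            print(dn)
            print("  member attribute only:", members_via_member_attribute(DIRECTORY, dn))
            print("  with primaryGroupID  :", members_with_primary_group(DIRECTORY, dn))
            print("  dropped by naive walk:", missing_primary_group_members(DIRECTORY, dn))
```

Against real LDAP data the same comparison is a useful sanity check before relying on a built-in group in policy: if the membership an appliance reports for "Domain Users" matches only the `member` attribute, the workaround in the post (a plain group that lists its members explicitly) sidesteps the primaryGroupID dependency entirely.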

Accepted Solutions

Support did resolve the issue. Apparently there are multiple ways to set up the domain, and one way works better than the other. Basically, create only one LDAP mapping per domain, and then import all the groups you desire through the single mapping. Do not create a single mapping per LDAP group.

2 REPLIES

L4 Transporter

Hi EdwinD,

We have been able to successfully pull members of the 'Domain Users' using 4.1.7. Perhaps the issue is unique to your environment.

In order to force a full group membership refresh (as opposed to incremental), the following command can be run:

> debug user-id reset group-mapping all

Please open a case with support for further investigation if you haven't already done so.

- Stefan
