03-20-2012 03:43 AM
I have two AD domains.
I did the two LDAP and two Kerberos configs.
In the authentication sequence, ch-dom is the first one and the second is stebos. They are both Kerberos profiles.
Users in ch-dom can authenticate. Users in stebos immediately get an auth failure.
LDAP is working on both ADs; I can see users and groups.
In Traffic Monitor I don't see Kerberos traffic to the AD server holding stebos. What's wrong??
Mar 20 11:27:40 pan_authd_service_req(pan_authd.c:2563): Authd:Trying to remote authenticate user: testvpn
Mar 20 11:27:40 pan_authd_service_auth_req(pan_authd.c:1104): AUTH Request <'vsys1','auth-sequence','testvpn'>
Mar 20 11:27:40 pan_authd_handle_nonadmin_auths(pan_authd.c:2240): auth-sequence is an auth sequence
Mar 20 11:27:40 pan_authd_handle_nonadmin_auths(pan_authd.c:2304): Trying auth profile #1 kerberos_profile in auth seq
Mar 20 11:27:40 Error: pan_authd_get_sysd_multivsys(pan_authd.c:3409): failed to fetch: NO_MATCHES
Mar 20 11:27:40 panauth:user <ch-dom\testvpn,kerberos_profile,vsys1> is not allowed
Mar 20 11:27:40 User 'ch-dom\testvpn' failed authentication. Reason: User is not in allowlist From: 178.83.248.50.
Mar 20 11:27:40 pan_get_system_cmd_output(pan_cfg_utils.c:3043): executing: /usr/local/bin/sdb -n -r cfg.operational-mode
Mar 20 11:27:40 pan_authd_generate_system_log(pan_authd.c:833): CC Enabled=False
Mar 20 11:27:40 pan_get_system_cmd_output(pan_cfg_utils.c:3043): executing: /usr/local/bin/sdb -n -r cfg.operational-mode
Mar 20 11:27:40 pan_authd_handle_nonadmin_auths(pan_authd.c:2304): Trying auth profile #2 stebos in auth seq
Mar 20 11:27:40 Error: pan_authd_get_sysd_multivsys(pan_authd.c:3409): failed to fetch: NO_MATCHES
Mar 20 11:27:40 pan_authd_common_authenticate(pan_authd.c:1543): Authenticating user using service /etc/pam.d/pan_krb5_vsys1_stebos,username stebos\testvpn
Mar 20 11:27:41 pan_authd_authenticate_service(pan_authd.c:652): authentication failed (6)
Mar 20 11:27:41 authentication failed for user <vsys1,stebos,stebos\testvpn>
Mar 20 11:27:41 User 'stebos\testvpn' failed authentication. Reason: Invalid username/password From: 178.83.248.50.
Mar 20 11:27:41 pan_get_system_cmd_output(pan_cfg_utils.c:3043): executing: /usr/local/bin/sdb -n -r cfg.operational-mode
Mar 20 11:27:41 pan_authd_generate_system_log(pan_authd.c:833): CC Enabled=False
Mar 20 11:27:41 pan_get_system_cmd_output(pan_cfg_utils.c:3043): executing: /usr/local/bin/sdb -n -r cfg.operational-mode
Mar 20 11:27:41 pan_authd_process_authresult(pan_authd.c:1247): pan_authd_process_authresult: testvpn authresult not auth'ed
Mar 20 11:27:41 pan_authd_process_authresult(pan_authd.c:1271): Alarm generation set to: False.
Mar 20 11:27:41 User 'testvpn' failed authentication. Reason: Invalid username/password From: 178.83.248.50.
Mar 20 11:27:41 pan_get_system_cmd_output(pan_cfg_utils.c:3043): executing: /usr/local/bin/sdb -n -r cfg.operational-mode
Mar 20 11:27:41 pan_authd_generate_system_log(pan_authd.c:833): CC Enabled=False
Mar 20 11:27:41 pan_get_system_cmd_output(pan_cfg_utils.c:3043): executing: /usr/local/bin/sdb -n -r cfg.operational-mode
Mar 20 11:27:41 pan_authd_service_req(pan_authd.c:2563): Authd:Trying to remote authenticate user: testvpn
Mar 20 11:27:41 pan_authd_service_auth_req(pan_authd.c:1104): AUTH Request <'vsys1','auth-sequence','testvpn'>
Mar 20 11:27:41 pan_authd_handle_nonadmin_auths(pan_authd.c:2240): auth-sequence is an auth sequence
Mar 20 11:27:41 pan_authd_handle_nonadmin_auths(pan_authd.c:2304): Trying auth profile #1 kerberos_profile in auth seq
Mar 20 11:27:41 Error: pan_authd_get_sysd_multivsys(pan_authd.c:3409): failed to fetch: NO_MATCHES
Mar 20 11:27:41 panauth:user <ch-dom\testvpn,kerberos_profile,vsys1> is not allowed
Mar 20 11:27:41 User 'ch-dom\testvpn' failed authentication. Reason: User is not in allowlist From: 178.83.248.50.
Mar 20 11:27:41 pan_get_system_cmd_output(pan_cfg_utils.c:3043): executing: /usr/local/bin/sdb -n -r cfg.operational-mode
Mar 20 11:27:41 pan_authd_generate_system_log(pan_authd.c:833): CC Enabled=False
Mar 20 11:27:41 pan_get_system_cmd_output(pan_cfg_utils.c:3043): executing: /usr/local/bin/sdb -n -r cfg.operational-mode
Mar 20 11:27:42 pan_authd_handle_nonadmin_auths(pan_authd.c:2304): Trying auth profile #2 stebos in auth seq
Mar 20 11:27:42 Error: pan_authd_get_sysd_multivsys(pan_authd.c:3409): failed to fetch: NO_MATCHES
Mar 20 11:27:42 pan_authd_common_authenticate(pan_authd.c:1543): Authenticating user using service /etc/pam.d/pan_krb5_vsys1_stebos,username stebos\testvpn
Mar 20 11:27:42 pan_authd_authenticate_service(pan_authd.c:652): authentication failed (6)
Mar 20 11:27:42 authentication failed for user <vsys1,stebos,stebos\testvpn>
Mar 20 11:27:42 User 'stebos\testvpn' failed authentication. Reason: Invalid username/password From: 178.83.248.50.
Mar 20 11:27:42 pan_get_system_cmd_output(pan_cfg_utils.c:3043): executing: /usr/local/bin/sdb -n -r cfg.operational-mode
Mar 20 11:27:42 pan_authd_generate_system_log(pan_authd.c:833): CC Enabled=False
Mar 20 11:27:42 pan_get_system_cmd_output(pan_cfg_utils.c:3043): executing: /usr/local/bin/sdb -n -r cfg.operational-mode
Mar 20 11:27:42 pan_authd_process_authresult(pan_authd.c:1247): pan_authd_process_authresult: testvpn authresult not auth'ed
Mar 20 11:27:42 pan_authd_process_authresult(pan_authd.c:1271): Alarm generation set to: True.
Mar 20 11:27:42 User 'testvpn' failed authentication. Reason: Invalid username/password From: 178.83.248.50.
Mar 20 11:27:42 pan_get_system_cmd_output(pan_cfg_utils.c:3043): executing: /usr/local/bin/sdb -n -r cfg.operational-mode
Mar 20 11:27:42 pan_authd_generate_system_log(pan_authd.c:833): CC Enabled=False
Mar 20 11:27:42 pan_get_system_cmd_output(pan_cfg_utils.c:3043): executing: /usr/local/bin/sdb -n -r cfg.operational-mode
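The pan_authd debug output above already separates the two outcomes if you read it per profile: profile #1 never reaches a backend (the user is rejected by the allow list before any Kerberos exchange), while profile #2 hands the user to the PAM krb5 service and gets a non-zero return code. The following parser is an added example, not code from the original post or from Palo Alto Networks; it groups the lines from the post into one record per profile and reports, for each, whether a backend was contacted. The sample input is the poster's own log for one attempt with the sdb/"CC Enabled" noise removed; the regexes and the dict layout are my assumptions about these message formats.

```python
import re

# Constructed sample: the pan_authd lines from the post above for one auth
# attempt, with the unrelated sdb / "CC Enabled" lines stripped.
AUTHD_LOG = r"""
Mar 20 11:27:40 pan_authd_handle_nonadmin_auths(pan_authd.c:2240): auth-sequence is an auth sequence
Mar 20 11:27:40 pan_authd_handle_nonadmin_auths(pan_authd.c:2304): Trying auth profile #1 kerberos_profile in auth seq
Mar 20 11:27:40 Error: pan_authd_get_sysd_multivsys(pan_authd.c:3409): failed to fetch: NO_MATCHES
Mar 20 11:27:40 panauth:user <ch-dom\testvpn,kerberos_profile,vsys1> is not allowed
Mar 20 11:27:40 User 'ch-dom\testvpn' failed authentication. Reason: User is not in allowlist From: 178.83.248.50.
Mar 20 11:27:40 pan_authd_handle_nonadmin_auths(pan_authd.c:2304): Trying auth profile #2 stebos in auth seq
Mar 20 11:27:40 pan_authd_common_authenticate(pan_authd.c:1543): Authenticating user using service /etc/pam.d/pan_krb5_vsys1_stebos,username stebos\testvpn
Mar 20 11:27:41 pan_authd_authenticate_service(pan_authd.c:652): authentication failed (6)
Mar 20 11:27:41 authentication failed for user <vsys1,stebos,stebos\testvpn>
Mar 20 11:27:41 User 'stebos\testvpn' failed authentication. Reason: Invalid username/password From: 178.83.248.50.
Mar 20 11:27:41 pan_authd_process_authresult(pan_authd.c:1247): pan_authd_process_authresult: testvpn authresult not auth'ed
Mar 20 11:27:41 User 'testvpn' failed authentication. Reason: Invalid username/password From: 178.83.248.50.
"""

# Message shapes taken from the lines above (assumed stable, not documented).
PROFILE_RE = re.compile(r"Trying auth profile #(\d+) (\S+) in auth seq")
BACKEND_RE = re.compile(r"Authenticating user using service (\S+),username (\S+)")
RC_RE = re.compile(r"authentication failed \((\d+)\)")
FAIL_RE = re.compile(r"User '([^']+)' failed authentication\. Reason: (.+?) From: ([0-9.]+?)\.$")
RESULT_RE = re.compile(r"authresult not auth'ed")


def parse_auth_sequence(log_text):
    """Group pan_authd debug lines into one record per profile tried.

    Returns (profiles, overall): profiles is a list of dicts in the order the
    sequence tried them; overall is the final verdict line for the sequence
    (or None if the log was cut before it).
    """
    profiles = []
    overall = None
    current = None
    for line in log_text.splitlines():
        m = PROFILE_RE.search(line)
        if m:
            current = {"index": int(m.group(1)), "profile": m.group(2),
                       "backend": None, "user": None, "rc": None,
                       "reason": None, "source": None}
            profiles.append(current)
            continue
        if RESULT_RE.search(line):
            current = None  # what follows is the verdict for the whole sequence
            continue
        m = BACKEND_RE.search(line)
        if m and current:
            current["backend"] = m.group(1)   # PAM service file used
            current["user"] = m.group(2)      # domain\user handed to the backend
            continue
        m = RC_RE.search(line)
        if m and current:
            current["rc"] = int(m.group(1))   # numeric PAM return code
            continue
        m = FAIL_RE.search(line)
        if m:
            rec = {"user": m.group(1), "reason": m.group(2), "source": m.group(3)}
            if current:
                current["reason"] = rec["reason"]
                current["source"] = rec["source"]
                current["user"] = current["user"] or rec["user"]
            else:
                overall = rec
    return profiles, overall


def diagnose(profiles):
    """One finding per profile: rejected locally, or backend contacted and failed."""
    findings = []
    for p in profiles:
        if p["backend"] is None:
            findings.append(
                f"profile #{p['index']} {p['profile']}: rejected locally ({p['reason']}); "
                "no Kerberos request sent, check the profile's allow list")
        else:
            findings.append(
                f"profile #{p['index']} {p['profile']}: backend {p['backend']} contacted "
                f"for {p['user']}, PAM rc={p['rc']} ({p['reason']})")
    return findings


if __name__ == "__main__":
    found, verdict = parse_auth_sequence(AUTHD_LOG)
    for f in diagnose(found):
        print(f)
    print("sequence verdict:", verdict)
```

Run on the posted log this reports that kerberos_profile never contacted a KDC for testvpn (allow-list rejection, which is expected for a stebos user) and that the stebos profile did go through /etc/pam.d/pan_krb5_vsys1_stebos and came back with return code 6. The firewall's "Invalid username/password" text is the generic reason string for any PAM failure; combined with the poster's observation that no Kerberos packets leave towards the stebos domain controller, a non-zero code with no traffic usually means the Kerberos client failed before sending (for example because it could not resolve or reach the KDC for that realm) rather than that the password was wrong, so the KDC/DNS settings for that profile are the place to look before the credentials.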
03-21-2012 12:57 AM
I tried doing this with DNS proxy, since I have two ADs with two independent DNS servers... but that doesn't work. How can I configure that?
03-21-2012 01:14 AM
In Device -> Config (or Config -> Device) you have the service route configuration, where you can select which interface should be used for the DNS queries that the PAN itself will need (among other settings). In the same view (before you click on service route configuration) you can set up which DNS the PAN unit will use for lookups.
03-21-2012 01:29 AM
No, ignore that DNS proxy.
DNS proxy is for when a client sends DNS queries.
"Firewalling DNS queries", if you like to call it that...
When the PAN needs to do queries, you go to the Device tab and choose Setup. Then you select "Services"; here you type in which NTP and DNS servers the PAN unit itself will use.
Then you click on Service Route Configuration to instruct the PAN unit which interface it should use to reach NTP, DNS etc. for its own use (the default is the mgmt interface, I think).
03-21-2012 01:52 AM
Well, and how shall I set up two Kerberos profiles when there are two independent DNS servers, one for each AD?
The only way I see is via DNS Proxy... and why should that not work when I can configure it in Setup?
What else is that DNS Proxy object for, if not exactly this issue?