Clientless User-ID problem

Reply
Highlighted
L5 Sessionator

Clientless User-ID problem

Hello.

When debugging clientless User-ID I've noticed a strange entry in useridd.log log file. I'm trying to connect to 2 AD servers.

It says:

2014-04-07 10:44:09.875 +0200 Error:  pan_user_id_win_log_query(pan_user_id_win.c:1319): log query for server1.xyz.aa failed: [lib/socket/interface.c:212:load_in

terfaces()] ERROR: Could not determine network interfaces, you must use a interfaces config line

I can't find any info about this entry. Any ideas what does it mean?

For 2nd server I'm getting more usual error message:

2014-04-07 10:51:54.723 +0200 Error:  pan_user_id_win_log_query(pan_user_id_win.c:1319): log query for server2.xyz.aa failed: [wmi/wmic.c:200:main()] ERROR: Log

in to remote object.

Both are of course listed as 'access denied'. Both servers are reachable and in same network. I'm pretty certain 2nd error means insufficient rights on user credentials. But 1st error looks strange and I can't find any info about it.

Any ideas?

Highlighted
L4 Transporter

Re: Clientless User-ID problem

First question, are You able to ping from CLI to your AD servers? if not - You must configure Device>Setup>Services>Service Route Configuration

Highlighted
L5 Sessionator

Re: Clientless User-ID problem

Yep, i can resolve both names and ping them both. I already checked Service Route Configuration and everything is on default.

Highlighted
L3 Networker

Re: Clientless User-ID problem

As a test use a domain admin account, the first error message speaks of [lib/socket/interface.c:212:load_interfaces()] ERROR ===> To me it looks like its unable to open a socket for connection, restart the useridd agent should take of it since it would teardown and open new sockets.

Please let me know if that helps.

- Deepak

Highlighted
L5 Sessionator

Re: Clientless User-ID problem

Hello.

I deleted the servers, discovered them again, re-entered the credentials and didn't get the same error again. Customer has also been changing rights on user account so I'm not sure what solved the issue. However it would be good to get some explanation about what that error message actually means and how to solve it if it happens again.

Right now I am encountering situation, where PA is able to connect to one of 2 AD servers and is getting 'access denied' for the other. The user has domain admin rights, both servers are in same domain and in the same network. So i can only assume that their AD cluster has some issues. Has anyone encountered similar situation?

Best regards,

Simon

Highlighted
L4 Transporter

Re: Clientless User-ID problem

Hi Simon

Please create dedicated AD user for PAN very carefully according to manual of User-ID, this part is very important, also configuration of domain controllers (rights for this user).

Reagrds

Slawek

Highlighted
L6 Presenter

Re: Clientless User-ID problem

Check this

https://live.paloaltonetworks.com/docs/DOC-5404

I saw a case even domain admin did not work and we created a user with the above rights.And it worked.

This was because some changes has been done on DC(for admin accoıunt) in the past.Maybe it will work for you too.

Highlighted
L5 Sessionator

Re: Clientless User-ID problem

Yep, we started with dedicated user with only required permissions according to PA guide. However customer has 2003 AD and 'event reader' groups is not present there. So instead of going through specific procedure for 2003 AD permissions (also described in one of the PA guides), the customer decided to give domain admin rights to the user.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!