Domain User Names not showing in Group-Mapping

Not applicable

This is driving me crazy and looking for some input...

I have the User-ID Agent installed on my single domain controller which is running fine and connected to the PAN on version 5. Using an example below (my domain is different), I've duplicated the Group mapping setting, but expanding the Group Include List, I can see all the groups, just not Domain Users. Any ideas on what I need to change or check?

[screenshot: grp.png]

9 replies

L4 Transporter

Hi

You didn't mention which version of PAN you are using, but maybe this will be useful for you.

From PAN 5.0.10 fixes log:

57816—Groups were not displayed in the Allow List dropdown selection of an Authentication Profile. This was due to changes made for an issue addressed in PAN-OS 5.0.7 (49237). This issue has been fixed so that groups are displayed in the Allow List dropdown selection of an Authentication Profile for single-vsys devices.

Regards

SLawek

I upgraded my PA-200 from 5.0.4 to 5.0.10 and have the current version of the User-ID agent running on my DC. The upgrade went fine, I rebooted, and I still do not see user names populated under 'cn=users' in the 'Group Map Settings' when expanding 'Group include list'.

Any others ideas?

L4 Transporter

That's normal; this is the group include list.

You can only see groups here, not users.

If you want to enumerate users, you could do that via a security rule.

Regards

When creating a Security Rule in Policies\Security, under 'user', selecting 'any', 'pre-logon', 'known user', or 'unknown' populates the same list (i.e. <domain>\<group name>). Manually typing in <domain>\guest, it finds it. Using the same format and putting in the name of a user I created in AD in place of 'guest', it's not found; basically it's only listing the group names and not pulling the created user names, which I can see logged in to my domain controller.

The below command displays the list of groups that the PANFW learns from the AD.

> show user group list

You should see one such group in that list with "cn=user, ...."

To check if the PANFW is learning about users belonging to that group, you can use the below command

>show user group name <group name>

You can also refer to the below document:

https://live.paloaltonetworks.com/docs/DOC-4994

'show user group list' works fine; I can see the list of groups, but attempting to query the 'users' group I get the following:

<response status="success"><result>User group '<users>' does not exist or does not have members</result></response>

admin@PA-200> show user group name <guests>

I have followed the link provided and everything matches up. Anything else you can think of to force a sync, or some other configuration item?

Thanks for all the help on this!

Hi Rob,

I am having difficulties following you.

May I know the "group" that you are particularly interested in?

Do you see that "group" under the "show user group list" output?

If so, when you search for users under that group, do you see any users in that group ?

Can you paste the output of the commands that I had requested?

Alternatively, if you type in the below command:

> show user user-IDs match-user <user>

  <value>  Show only the user(s) that match the string

do you see the user belonging to the "group" that you are expecting to see?

You can also verify that it's not just a PANFW issue by installing the Softerra browser (or any other LDAP browser) on your PC, and checking whether you can retrieve the members of that group on your PC.

BR,

Karthik
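Karthik's suggestion to cross-check the directory with an LDAP browser is worth carrying one step further. The Python below is an added example, not code from this thread, from Palo Alto Networks or from the User-ID agent. It resolves Active Directory group membership the way an LDAP client has to: from the group's `member` attribute plus each user's `primaryGroupID`. In AD a user's primary group (Domain Users, RID 513, by default) does not list that user in its `member` attribute, so a client that reads only `member` reports the group as having no members even though an LDAP browser shows the user. The directory entries, the domain example.local and the SIDs are constructed sample data. The thread does not show whether this is the cause of the empty result above, but it is the first thing to check before blaming the firewall.

```python
"""Resolve AD group membership from both `member` and `primaryGroupID`.

Added example with constructed sample data; not a real directory.
"""

# Constructed sample directory: what an LDAP browser would return for one user,
# the Domain Users group, and an ordinary security group. SIDs are in SDDL
# string form for readability (a real DC returns them as binary objectSid).
SAMPLE_ENTRIES = {
    "CN=test,CN=Users,DC=example,DC=local": {
        "objectClass": ["user"],
        "sAMAccountName": "test",
        "primaryGroupID": 513,  # Domain Users
        "memberOf": ["CN=VPN Users,OU=Groups,DC=example,DC=local"],
    },
    "CN=Domain Users,CN=Users,DC=example,DC=local": {
        "objectClass": ["group"],
        "objectSid": "S-1-5-21-1111111111-2222222222-3333333333-513",
        "member": [],  # empty on purpose: primary-group members are not listed here
    },
    "CN=VPN Users,OU=Groups,DC=example,DC=local": {
        "objectClass": ["group"],
        "objectSid": "S-1-5-21-1111111111-2222222222-3333333333-1105",
        "member": ["CN=test,CN=Users,DC=example,DC=local"],
    },
}


def rid_of(sid):
    """Relative identifier: the last dash-separated component of an SDDL SID."""
    return int(sid.rsplit("-", 1)[1])


def explicit_members(entries, group_dn):
    """What a client that reads only the group's `member` attribute sees."""
    return set(entries[group_dn].get("member", []))


def primary_group_members(entries, group_dn):
    """Users whose primaryGroupID equals the RID of this group's objectSid."""
    rid = rid_of(entries[group_dn]["objectSid"])
    return {
        dn for dn, e in entries.items()
        if "user" in e.get("objectClass", []) and e.get("primaryGroupID") == rid
    }


def resolve_members(entries, group_dn):
    """Full membership: explicit `member` entries plus primary-group members."""
    return explicit_members(entries, group_dn) | primary_group_members(entries, group_dn)


def groups_of_user(entries, user_dn):
    """All groups for a user: `memberOf` backlinks plus the primary group by RID."""
    user = entries[user_dn]
    groups = set(user.get("memberOf", []))
    for dn, e in entries.items():
        if "group" in e.get("objectClass", []) and rid_of(e["objectSid"]) == user.get("primaryGroupID"):
            groups.add(dn)
    return groups


def diagnose(entries, group_dn):
    """Explain why a `member`-only reader may report a group as empty."""
    if explicit_members(entries, group_dn):
        return "ok: members are listed in the group's 'member' attribute"
    if primary_group_members(entries, group_dn):
        return "primary-group-only: users belong via primaryGroupID, 'member' is empty"
    return "empty: the group really has no members"


if __name__ == "__main__":
    for dn in SAMPLE_ENTRIES:
        if "group" in SAMPLE_ENTRIES[dn]["objectClass"]:
            print(dn)
            print("  verdict:", diagnose(SAMPLE_ENTRIES, dn))
            print("  members:", sorted(resolve_members(SAMPLE_ENTRIES, dn)))
```

Against a real domain controller the same two attributes can be pulled for comparison with `ldapsearch -x -H ldap://dc.example.local -D 'bind-user@example.local' -W -b 'DC=example,DC=local' '(sAMAccountName=test)' primaryGroupID memberOf` (host and bind account are assumptions); if the user's only tie to a group is `primaryGroupID`, a `member`-based group lookup will come back empty.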

When I build firewall policy rules, say for 'URL Filtering', I should be able to see not only all the groups pulled from AD, but also the user IDs I want to add to that policy. Only group names are listed and not actual user names. Below is a screenshot of when I expand the 'Group Include List' in Group Mapping; I should be able to see the users I've created in AD under CN=Users, CN=Domain Users, or whatever group they're a part of.

I created a user called 'test' in AD, and issuing the below command, it's not found in any group

admin@PA-200> show user user-IDs match-user <test>

User Name                       Vsys    Groups

------------------------------------------------------------------

Total: 6

Using another AD browser and searching for the user 'test', it can be found, but it's not listed or shown in the PAN when expanding group mapping.

Coming from BlueCoat and relatively new to PAN, I found out you have to manually type the domain\userid to apply to an individual. This will be my solution for now and just create policies around groups and not individuals which is probably best and more easily managed.

Thank you all for your input and support!
