06-06-2013 09:53 AM
Hi,
When clients connect to Global Protect they get a warning that the password will expire, and it says 1 day.
I looked at the LDAP profile; it is at the default of 7.
What could this warning be? How can we disable this?
We also checked Active Directory for password expiry, but it is not 1 day.
06-06-2013 12:11 PM
Got the same problem last week, but not on all PCs.
Solved with the latest 1.2.3 GP agent version.
06-26-2013 06:20 AM
We still have the same issue. Any idea?
06-26-2013 11:55 AM
While you have the Global Protect user logging in, you could try and see if the Palo Alto is pulling the correct expiry for the password from the AD.
If the PAN is pulling any cached expiry dates then that could cause this issue.
We can check this by:
> tail follow yes mp-log authd.log
Jun 26 15:41:14 pan_authd_ldap_search_result(pan_authd_passwd.c:357): searching base 'DC=<>,DC=<>,DC=<>,DC=com' for (sAMAccountName=u033770) (userAccountControl)
Jun 26 15:41:14 Error: pan_authd_ldap_search_result(pan_authd_passwd.c:419): search failed 1 (Operations error) (000004DC: LdapErr: DSID-0C0906E8, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1)
Jun 26 15:41:14 pan_get_ad_passwd_expiry(pan_authd_passwd.c:679): failed to search userAccountControl
Jun 26 15:41:14 Error: pan_get_passwd_expiry(pan_authd_passwd.c:810): Failed to get expiry info for u033770
(If you see this last message, that would mean that the PAN is unable to retrieve password expiry info.)
Then that would explain why the agent prompts about password expiry, because the firewall has not fetched that info.
06-26-2013 01:45 PM
I will try that.
If we get the "failed to get expiry info" error, what can we do?
Every user gets the same 1 day expire message.
06-26-2013 02:00 PM
If you get the 'failed to get password expiry' message, it could mean that the LDAP bind DN user does not have enough privileges to fetch that info. If the Bind DN has enough privileges but is still not able to fetch that info, then I think that TAC should have a look at it.
There have been known issues in the past with respect to the password expiry prompts.
You can have the TAC team check it out to determine if you are hitting any bugs.
Regards
07-25-2013 02:36 AM
I'm also experiencing the same issue. All users get a 1 day expire message.
Here is what's in the log:
Jul 23 11:13:22 authd_sysd_localprofile_callback(pan_authd.c:4340): localprofile sync triggered via sysd
Jul 23 11:13:22 authd_sysd_localprofile_callback(pan_authd.c:4360): get local info for vsys1/COP_LDAP
Jul 23 11:33:42 pan_authd_service_req(pan_authd.c:3310): Authd:Trying to remote authenticate user: <username>
Jul 23 11:33:42 pan_authd_service_auth_req(pan_authd.c:1186): AUTH Request <'vsys1','COP_LDAP','<username>'>
Jul 23 11:33:42 pan_authd_common_authenticate(pan_authd.c:1646): Authenticating user using service /etc/pam.d/pan_ldap_vsys1_:c:o:p_:l:d:a:p_0,username <username>
Jul 23 11:33:43 pan_authd_authenticate_service(pan_authd.c:665): authentication succeeded (0)
Jul 23 11:33:43 pan_authd_authenticate_service(pan_authd.c:671): account is valid
Jul 23 11:33:43 pan_get_passwd_expiry(pan_authd_passwd.c:795): Using /etc/openldap/pan_ldap_vsys1_:c:o:p_:l:d:a:p_0 to get password info
Jul 23 11:33:43 pan_get_ldap_ip(pan_authd_passwd.c:120): Reading file /etc/openldap/pan_ldap_vsys1_:c:o:p_:l:d:a:p_0
Jul 23 11:33:43 pan_authd_bind(pan_authd_passwd.c:244): binding with binddn <username>@cop.int
Jul 23 11:33:43 pan_authd_ldap_search_result(pan_authd_passwd.c:357): searching base 'DC=cop,DC=int' for (sAMAccountName=<username>) (userAccountControl)
Jul 23 11:33:43 pan_authd_ldap_search_result(pan_authd_passwd.c:380): DN in entry CN=<username>,OU=Staff Depot,OU=staff Users,DC=cop,DC=int
Jul 23 11:33:43 process_ad_usracct(pan_authd_passwd.c:496): AD :Got value userAccountControl : 512
Jul 23 11:33:43 pan_get_ad_passwd_expiry(pan_authd_passwd.c:687): userAccountControl = 512
Jul 23 11:33:43 pan_authd_ldap_search_result(pan_authd_passwd.c:357): searching base 'DC=cop,DC=int' for (maxPwdAge)
Jul 23 11:33:43 pan_authd_ldap_search_result(pan_authd_passwd.c:380): DN in entry DC=cop,DC=int
Jul 23 11:33:43 process_ad_pwdattr(pan_authd_passwd.c:470): AD :Got value maxPwdAge : -77760000000000
Jul 23 11:33:43 pan_authd_ldap_search_result(pan_authd_passwd.c:357): searching base 'DC=cop,DC=int' for (sAMAccountName=<username>) (pwdLastSet)
Jul 23 11:33:43 pan_authd_ldap_search_result(pan_authd_passwd.c:380): DN in entry CN=<username>,OU=Staff Depot,OU=staff Users,DC=cop,DC=int
Jul 23 11:33:43 process_ad_pwdattr(pan_authd_passwd.c:470): AD :Got value pwdLastSet : 130189625099463765
Jul 23 11:33:43 pan_get_ad_passwd_expiry(pan_authd_passwd.c:760): AD pwd expires in days 1
Jul 23 11:33:43 authentication succeeded for user <vsys1,COP_LDAP,<username>>
Jul 23 11:33:43 pan_authd_process_authresult(pan_authd.c:1366): pan_authd_process_authresult: <username> authresult auth'ed
Jul 23 11:33:43 Request received to unlock vsys1/COP_LDAP/<username>
Jul 23 11:33:43 User '<username>' authenticated. From: 27.96.214.249.
Jul 23 11:33:43 pan_get_system_cmd_output(pan_cfg_utils.c:4275): executing: /usr/local/bin/sdb -n -r cfg.operational-mode
I have replaced the actual user name with <username>.
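The authd.log excerpt above contains everything needed to compute the real expiry yourself: userAccountControl (512 = normal account, no "password never expires" bit), the domain's maxPwdAge (a negative count of 100-nanosecond intervals) and the user's pwdLastSet (a Windows FILETIME, 100-ns intervals since 1601-01-01 UTC). Recomputing from those values is a useful cross-check whenever a client reports a surprising expiry warning, and it also distinguishes this case from the earlier post's "Failed to get expiry info" failure, where the firewall never got the attributes at all. The following script is an added example, not code from this thread or from Palo Alto Networks; it parses the three "AD :Got value" lines and the error line as posted here, assumes the log timestamp is UTC, and applies the standard AD semantics for those attributes (helper names such as `parse_ad_attributes` and `days_until_expiry` are my own).

```python
import re
from datetime import datetime, timedelta, timezone

# AD stores pwdLastSet as a FILETIME: 100-ns intervals since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
DONT_EXPIRE_PASSWD = 0x10000            # userAccountControl bit: password never expires
MAXPWDAGE_NEVER = -0x8000000000000000   # domain maxPwdAge meaning "passwords never expire"

# Attribute lines copied from the authd.log excerpt posted in this thread.
SAMPLE_LOG = """\
Jul 23 11:33:43 process_ad_usracct(pan_authd_passwd.c:496): AD :Got value userAccountControl : 512
Jul 23 11:33:43 process_ad_pwdattr(pan_authd_passwd.c:470): AD :Got value maxPwdAge : -77760000000000
Jul 23 11:33:43 process_ad_pwdattr(pan_authd_passwd.c:470): AD :Got value pwdLastSet : 130189625099463765
"""
# Failure line from the earlier post (bind DN could not read the attributes).
SAMPLE_FAILED_LOG = "Jun 26 15:41:14 Error: pan_get_passwd_expiry(pan_authd_passwd.c:810): Failed to get expiry info for u033770\n"

# Timestamp of the log lines; assumed to be UTC for this illustration.
LOG_TIME = datetime(2013, 7, 23, 11, 33, 43, tzinfo=timezone.utc)

ATTR_RE = re.compile(r"AD :Got value (\w+) : (-?\d+)")
FAIL_RE = re.compile(r"Failed to get expiry info for (\S+)")


def parse_ad_attributes(log_text: str) -> dict:
    """Collect the integer AD attributes that authd logged, keyed by attribute name."""
    return {m.group(1): int(m.group(2)) for m in ATTR_RE.finditer(log_text)}


def expiry_fetch_failures(log_text: str) -> list:
    """Usernames for which authd reported it could not retrieve expiry info at all."""
    return FAIL_RE.findall(log_text)


def filetime_to_datetime(ft: int) -> datetime:
    # Integer division to microseconds avoids float rounding on 18-digit values.
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def max_pwd_age_to_timedelta(max_pwd_age: int):
    """maxPwdAge is a negative 100-ns count; 0 or INT64_MIN means no expiry policy."""
    if max_pwd_age in (0, MAXPWDAGE_NEVER):
        return None
    return timedelta(microseconds=-max_pwd_age // 10)


def password_expiry(user_account_control: int, pwd_last_set: int, max_pwd_age: int):
    """Expiry time of the user's password, or None if it never expires.

    pwdLastSet == 0 means "must change at next logon"; it is returned as the
    FILETIME epoch so that it always compares as already expired.
    """
    if user_account_control & DONT_EXPIRE_PASSWD:
        return None
    age = max_pwd_age_to_timedelta(max_pwd_age)
    if age is None:
        return None
    if pwd_last_set == 0:
        return FILETIME_EPOCH
    return filetime_to_datetime(pwd_last_set) + age


def days_until_expiry(attrs: dict, now: datetime):
    """Whole days left before expiry (negative if already expired), None if never."""
    expiry = password_expiry(attrs["userAccountControl"], attrs["pwdLastSet"], attrs["maxPwdAge"])
    if expiry is None:
        return None
    return (expiry - now).days


if __name__ == "__main__":
    attrs = parse_ad_attributes(SAMPLE_LOG)
    print("maxPwdAge  :", max_pwd_age_to_timedelta(attrs["maxPwdAge"]))
    print("pwdLastSet :", filetime_to_datetime(attrs["pwdLastSet"]))
    print("expires    :", password_expiry(attrs["userAccountControl"],
                                          attrs["pwdLastSet"], attrs["maxPwdAge"]))
    print("days left  :", days_until_expiry(attrs, LOG_TIME))
    print("fetch failed for:", expiry_fetch_failures(SAMPLE_FAILED_LOG))
```

Run against the values in this thread, maxPwdAge decodes to a 90-day policy and pwdLastSet to 2013-07-22 10:28:29 UTC, so the password expires around 2013-10-20 with 88 full days left at the time of the log line, not the "1 day" authd reported. When the computed value and the firewall's value disagree like this, the firewall side is the place to look, which matches the later reply pointing at a PAN-OS fix.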
07-25-2013 02:40 AM
Our issue is resolved after upgrading the PAN-OS version.
07-25-2013 02:41 AM
Ours is 5.0.2 to which version should I upgrade?
07-25-2013 02:47 AM
We upgraded to 5.0.5 and it is fixed.
07-25-2013 02:49 AM
Based on the logs provided by you, it does seem like this is a definite bug that you are hitting.
I have confirmed that the fix was incorporated in 5.0.3 and this will also be available in any version above 5.0.3.
Regards.
07-25-2013 02:51 AM
Thank you for the response. Really appreciate it. I will update the version and let you know.