Global Protect password expire

cancel
Showing results for 
Search instead for 
Did you mean: 

Global Protect password expire

L6 Presenter

Hi,

When clients connect to Global Protect they got a warning password will expire and it says 1 day.

I looked to LDAP profile it is as default 7

What could this warning be ? How can we disable this ?

We also checked Active Directory for password expire but it is not 1 day.

1 ACCEPTED SOLUTION

Accepted Solutions

Based on the logs provided by you.

It does seem like this is a definite Bug that you are hitting.

I have confirmed that the fix was incorporated in 5.0.3 and this will also be available in any version above 5.0.3

Regards.

View solution in original post

11 REPLIES 11

L5 Sessionator

Got same problem last week, but not on all PC.

Solved with the last 1.2.3 GP agent version

we still have same issue.Any idea ?

While you have the Global Protect user logging in you could try and see if the Palo Alto is pulling the correct expiry for password from the AD.

Th PAN is pulling any cached expiry dates then that could cause this issue.

We can check this by :

> tail follow yes mp-log authd.log

Jun 26 15:41:14 pan_authd_ldap_search_result(pan_authd_passwd.c:357): searching base 'DC=<>,DC=<>,DC=<>,DC=com' for (sAMAccountName=u033770) (userAccountControl)

Jun 26 15:41:14 Error: pan_authd_ldap_search_result(pan_authd_passwd.c:419): search failed 1 (Operations error) (000004DC: LdapErr: DSID-0C0906E8, comment: In order to perform this operation a successful bin

d must be completed on the connection., data 0, v1db1)

Jun 26 15:41:14 pan_get_ad_passwd_expiry(pan_authd_passwd.c:679): failed to search userAccountControl

Jun 26 15:41:14 Error: pan_get_passwd_expiry(pan_authd_passwd.c:810): Failed to get expiry info for u033770...............................((((If you see this message, that would mean that the PAN is unable to retrieve Password expiry info)))))).


Then that would explain why the agent prompts about password expiry because the firewall has not fetched that info.

I will try that.

if we get "failed toget expiry info" error what can we do ?

every user get same 1 day expire message

If you get the 'failed to get password expiry' it could either mean that the LDAP bind DN user does not have enough privileges to fetch that info and if the Bind DN has enough privileges but still not able to fetch that info, then I think that TAC should have look at it.

There have been known issues in the past with respect to the password expiry prompts.

You can have the TAC team check it out to determine if you are hitting any bugs

Regards

L1 Bithead

I'm also experiencing the same issue. All users get a 1 day expire message

here is whats in the log,

Jul 23 11:13:22 authd_sysd_localprofile_callback(pan_authd.c:4340): localprofile sync triggered via sysd

Jul 23 11:13:22 authd_sysd_localprofile_callback(pan_authd.c:4360): get local info for vsys1/COP_LDAP

Jul 23 11:33:42 pan_authd_service_req(pan_authd.c:3310): Authd:Trying to remote authenticate user: <username>

Jul 23 11:33:42 pan_authd_service_auth_req(pan_authd.c:1186): AUTH Request <'vsys1','COP_LDAP','<username>'>

Jul 23 11:33:42 pan_authd_common_authenticate(pan_authd.c:1646): Authenticating user using service /etc/pam.d/pan_ldap_vsys1_:c:o:p_:l:d:a:p_0,username <username>

Jul 23 11:33:43 pan_authd_authenticate_service(pan_authd.c:665): authentication succeeded (0)

Jul 23 11:33:43 pan_authd_authenticate_service(pan_authd.c:671): account is valid

Jul 23 11:33:43 pan_get_passwd_expiry(pan_authd_passwd.c:795): Using /etc/openldap/pan_ldap_vsys1_:c:o:p_:l:d:a:p_0 to get password info

Jul 23 11:33:43 pan_get_ldap_ip(pan_authd_passwd.c:120): Reading file /etc/openldap/pan_ldap_vsys1_:c:o:p_:l:d:a:p_0

Jul 23 11:33:43 pan_authd_bind(pan_authd_passwd.c:244): binding with binddn <username>@cop.int

Jul 23 11:33:43 pan_authd_ldap_search_result(pan_authd_passwd.c:357): searching base 'DC=cop,DC=int' for (sAMAccountName=<username>) (userAccountControl)

Jul 23 11:33:43 pan_authd_ldap_search_result(pan_authd_passwd.c:380): DN in entry CN=<username>,OU=Staff Depot,OU=staff Users,DC=cop,DC=int

Jul 23 11:33:43 process_ad_usracct(pan_authd_passwd.c:496): AD :Got value userAccountControl : 512

Jul 23 11:33:43 pan_get_ad_passwd_expiry(pan_authd_passwd.c:687): userAccountControl = 512

Jul 23 11:33:43 pan_authd_ldap_search_result(pan_authd_passwd.c:357): searching base 'DC=cop,DC=int' for  (maxPwdAge)

Jul 23 11:33:43 pan_authd_ldap_search_result(pan_authd_passwd.c:380): DN in entry DC=cop,DC=int

Jul 23 11:33:43 process_ad_pwdattr(pan_authd_passwd.c:470): AD :Got value maxPwdAge : -77760000000000

Jul 23 11:33:43 pan_authd_ldap_search_result(pan_authd_passwd.c:357): searching base 'DC=cop,DC=int' for (sAMAccountName=<username>) (pwdLastSet)

Jul 23 11:33:43 pan_authd_ldap_search_result(pan_authd_passwd.c:380): DN in entry CN=<username>,OU=Staff Depot,OU=staff Users,DC=cop,DC=int

Jul 23 11:33:43 process_ad_pwdattr(pan_authd_passwd.c:470): AD :Got value pwdLastSet : 130189625099463765

Jul 23 11:33:43 pan_get_ad_passwd_expiry(pan_authd_passwd.c:760): AD pwd expires in days 1

Jul 23 11:33:43 authentication succeeded for user <vsys1,COP_LDAP,<username>>

Jul 23 11:33:43 pan_authd_process_authresult(pan_authd.c:1366): pan_authd_process_authresult: <username> authresult auth'ed

Jul 23 11:33:43 Request received to unlock vsys1/COP_LDAP/<username>

Jul 23 11:33:43 User '<username>' authenticated.   From: 27.96.214.249.

Jul 23 11:33:43 pan_get_system_cmd_output(pan_cfg_utils.c:4275): executing: /usr/local/bin/sdb -n -r cfg.operational-mode

I have replaced theactual user name with <username>

our issue is resolved after upgrading panos version

Ours is 5.0.2 to which version should I upgrade?

5.0.5 we made and it is fixed.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!