problem with group membership display in PAOS 5.0

Hello ZongguoWei,

If you don't have many user-groups, could you please provide me the output for

> show user group list

> show user group-mapping state all

Thanks and regards,
Kunal Adak

Hi, The follow message:

show user group list

cn=administrators,cn=builtin,dc=xxx,dc=local

cn=domain admins,cn=users,dc=xxx,dc=local

cn=users,cn=builtin,dc=xxx,dc=local

cn=webaccess,ou=slls- user groups,dc=xxx,dc=local

cn=fullinternetaccess,ou=xxx- user groups,dc=xxx,dc=local

cn=domain users,cn=users,dc=xxx,dc=local

cn=guests,cn=builtin,dc=xxx,dc=local

cn=domain guests,cn=users,dc=xxx,dc=local

cn=dnsadmins,cn=users,dc=xxx,dc=local

I have marked the real domail information and replaced with xxx.

Also：

show user group-mapping state all

Group Mapping(vsys1, type: active-directory): xxx

        Bind DN    : xxx@xxx.LOCAL

        Base       : DC=xxx,DC=LOCAL

        Group Filter: (None)

        User Filter: (None)

        Servers    : configured 2 servers

                10.227.1.1(389)

                        Last Action Time: 29 secs ago(took 0 secs)

                        Next Action Time: In 31 secs

                10.227.1.2(389)

        Number of Groups: 7

        cn=users,cn=builtin,dc=xxx,dc=local

        cn=guests,cn=builtin,dc=xxx,dc=local

        cn=domain users,cn=users,dc=xxx,dc=local

        cn=domain admins,cn=users,dc=xxx,dc=local

        cn=domain guests,cn=users,dc=xxx,dc=local

        cn=dnsadmins,cn=users,dc=xxx,dc=local

        cn=administrators,cn=builtin,dc=xxx,dc=local

I want to know what's the action when I use the command :"debug user-id refresh/reset group-mapping all " ?

Hello ZongguoWei,

>debug user-id refresh group-mapping all  (non-intrusive command)

This command will only fetch the delta/ difference value from the active directory

> debug user-id reset group-mapping all  (intrusive command)

This command will query the active directory server to re-build the user-group mappings from scratch.

How the does the reverse lookup work ? I mean do the groups show up when do a lookup for a username?

The command you would use to do that would be:

> show user user-IDs match-user jdoe

Thanks and regards,

Kunal Adak

Yes, I have tried this command, It display as below:

    show user group name ?

  <value>  Show group's members

If I type a group name as:xxx\xxx or "cn=xxx, cn=xxx,dc=xxx,dc=xxx". It will display:"User group 'xxx\xxx' does not exist or does not have members"

I have done some other test. I unchecked the "enable" option in the group mapping list and commit the configuration, then selected the option and click the "commit" link. At this time, I use the command "show user group name ?", many user group name will display.

If I use the command "debug user-id refresh/reset group-mapping all", the "?" will not display  any group name.

I don't know how to it works ?

From PAN 5.0.10 fixes log:

57816—Groups were not displayed in the Allow List dropdown selection of an

Authentication Profile. This was due to changes made for an issue addressed in PAN-

OS 5.0.7 (49237). This issue has been fixed so that groups are displayed in the Allow

List dropdown selection of an Authentication Profile for single-vsys devices.

Maybe it will be usefull for You

Regards

SLawek