Users and group mapping

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Users and group mapping

L2 Linker
Hello everybody!


Sometimes users' group memberships are not recognized by the firewall integrated user id agent. In the useridd.log we see this message:


2019-03-29 10:12:45.317 +0100 Warning: pan_user_group_user_prime_uid_lookup(pan_user_group_multi_attr.c:1314): For tierkonet\adisfo user, domain tierkonet does not exist in group-mapping

It says that the domain tierkonet does not exist in the group mappi g, but it does exist, that domain was configured.


Thanks in advance for any suggestion
6 REPLIES 6

Cyber Elite
Cyber Elite

hi @Bittereinder 

 

Group memberships are fetched through the ldap server profile, not through the User-ID agent

Did you configure the group mapping (device > User-ID > group mapping) to include a domain?

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Hello, Reaper,

 

I've taken a look with show user group-mapping state all

 and I see: Number of groups: 1570 

A domain is configured, and I see one group mapping of type "active-directory".

 

What else should I look at?

Thanks!

 

Hey @Bittereinder ,

 

Did you solve this one? I saw similar logs on my firewall.

 

2020-11-20 16:08:01.115 +0100 Warning: pan_user_group_user_prime_uid_lookup(pan_user_group_multi_attr.c:1295): For alex user, user-domain is not present in group-mapping
2020-11-20 16:08:01.115 +0100 Warning: pan_user_group_user_prime_uid_lookup(pan_user_group_multi_attr.c:1295): For sash user, user-domain is not present in group-mapping

Did you find the resolution to this? 

I am having the same issue.

for a single domain:

did you add a (netbios!) domain in the server profile under group mapping (device > User Identification > Group Mapping > Server Profile)

 

which User and Group Attributes did you set?

 

for a multidomain forest:

have you tried setting the LDAP profile to use the global catalog port and removed the domain in group mapping or made multipe group mapping profiles to match all the domains?

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

L0 Member

User and Group Attributes did you set?

Below are some blogs that I am interested in:

Name:The best air rifle for the money

 

  • 6607 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!