whitelistCMD 1 Posted October 17, 2019 Share Posted October 17, 2019 (edited) Hello, I'm currently running ESMC 7.0.471.0 and I have two mapped domain security groups that I use in order to apply different permission sets dependent upon the persons role. The current two groups are eset admins and eset users. I have one employee who currently exists in the users group. I'm now trying to give him admin permissions. I have removed him from our eset users group in AD, and then added him to the eset admins group. I then ran users sync task in ESMC, to make sure it had the current groups (I didn't know if this step should be involved or not? since I'm looking for AD Group Membership and not at an OU change). However, when the employee logs into ESMC, they still have the user permission set. I then tried removing the employee from both the eset user and eset admins groups in AD, re-ran the user sync task, and the employee can still login to the console. The only way I can prevent them from logging in is by disabling their account in AD, or removing the eset users mapped security domain group from ESMC. Does anyone have any insight into where to look when diagnosing this issue? I'm kind of at a loss here. My ESMC sync tasks look ok, and they are successful, but it seems like the console is not updating AD group membership status. Any help is appreciated. Thanks! Also, our ESMC console is a virtual appliance running on CentOS 6. My apologies for forgetting to mention that earlier. Edited October 17, 2019 by whitelistCMD Link to comment Share on other sites More sharing options...
ESET Staff MichalJ 434 Posted October 18, 2019 ESET Staff Share Posted October 18, 2019 Hello, If you are using the old ESMC 7.0 VA, it uses the Samba/Winbind to synchronize domain groups. It´s possible that this part is not correctly synced with AD. You can execute a command "wbinfo", if the user is corrently referenced in the domain: wbinfo --user-domgroups <username SID>”. This command will return the SIDs of groups where the user belongs. If it returns the old list, problem will be here. In the upcoming ESMC 7.1 (to be released in mid-November), we have adjusted the way how domain users are authenticated, where Samba/Winbind will no longer be used. That would be the recommended solution. Regards, Michal Link to comment Share on other sites More sharing options...
whitelistCMD 1 Posted October 24, 2019 Author Share Posted October 24, 2019 Thank you for your reply, Michal. I appreciate the info. I'll respond if issue cannot be resolved or if things do not change after the 7.1 update. Link to comment Share on other sites More sharing options...
Recommended Posts