whitelistCMD

Mapped Domain Security Group - Not recognizing user change

Hello,

I'm currently running ESMC 7.0.471.0 and I have two mapped domain security groups that I use in order to apply different permission sets dependent upon the person's role. The current two groups are eset admins and eset users. I have one employee who currently exists in the users group. I'm now trying to give him admin permissions. I have removed him from our eset users group in AD, and then added him to the eset admins group. I then ran the user sync task in ESMC, to make sure it had the current groups (I didn't know if this step should be involved or not, since I'm looking for AD group membership and not at an OU change). However, when the employee logs into ESMC, they still have the user permission set. I then tried removing the employee from both the eset users and eset admins groups in AD, re-ran the user sync task, and the employee can still log in to the console. The only way I can prevent them from logging in is by disabling their account in AD, or removing the eset users mapped security domain group from ESMC. Does anyone have any insight into where to look when diagnosing this issue? I'm kind of at a loss here. My ESMC sync tasks look ok, and they are successful, but it seems like the console is not updating AD group membership status. Any help is appreciated. Thanks!

Also, our ESMC console is a virtual appliance running on CentOS 6. My apologies for forgetting to mention that earlier.

Edited by whitelistCMD


Hello, 

If you are using the old ESMC 7.0 VA, it uses Samba/Winbind to synchronize domain groups. It's possible that this part is not correctly synced with AD. You can execute the "wbinfo" command to check whether the user is correctly referenced in the domain: "wbinfo --user-domgroups <username SID>". This command will return the SIDs of the groups the user belongs to. If it returns the old list, the problem will be here.

In the upcoming ESMC 7.1 (to be released in mid-November), we have adjusted how domain users are authenticated, so Samba/Winbind will no longer be used. That would be the recommended solution.

Regards,
Michal 

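The check described in the reply above, as an added example that is not part of the original thread and is not ESET tooling: it compares the group SIDs winbind reports for a user against the SIDs of the groups mapped in ESMC, so a stale membership shows up directly. The function names and the sample SIDs are constructed for illustration; the live check assumes wbinfo is on the PATH of the appliance.

```shell
#!/usr/bin/env bash
# Added example (hypothetical helper names, constructed SIDs).

# mapped_groups_reported GROUP_SID... < output of "wbinfo --user-domgroups"
# Prints every mapped group SID that winbind still reports for the user.
# Returns 0 if at least one was found, 1 if none.
mapped_groups_reported() {
    local reported sid found=1
    # Keep only SID-shaped tokens, one per line, de-duplicated.
    reported=$(grep -Eo 'S-1-[0-9]+(-[0-9]+)+' | sort -u)
    for sid in "$@"; do
        # -F -x: exact whole-line match, so RID 1105 never matches 11050.
        if printf '%s\n' "$reported" | grep -Fxq -- "$sid"; then
            printf '%s\n' "$sid"
            found=0
        fi
    done
    return "$found"
}

# check_user 'DOMAIN\username' GROUP_SID...
# Live check: resolve the account to its SID, then ask winbind for its
# domain groups and compare them with the mapped group SIDs.
check_user() {
    local user_sid
    user_sid=$(wbinfo --name-to-sid "$1" | awk '{print $1}')
    [ -n "$user_sid" ] || { echo "cannot resolve $1" >&2; return 2; }
    shift
    wbinfo --user-domgroups "$user_sid" | mapped_groups_reported "$@"
}

# Constructed sample of "wbinfo --user-domgroups" output for a user who was
# removed from "eset users" (RID 1105) in AD but is still listed by winbind.
SAMPLE_OUTPUT='S-1-5-21-1111111111-2222222222-3333333333-513
S-1-5-21-1111111111-2222222222-3333333333-1105'
ESET_USERS_SID='S-1-5-21-1111111111-2222222222-3333333333-1105'
ESET_ADMINS_SID='S-1-5-21-1111111111-2222222222-3333333333-1106'
```

If the SID of a group the user was removed from is printed, winbind is still returning the old list, which is the case the reply points to.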

Thank you for your reply, Michal. I appreciate the info. I'll respond if the issue cannot be resolved or if things do not change after the 7.1 update.
