000038367 - When Active Directory is integrated using Winbind, group membership for Active Directory users fails with the RSA Authentication Agent for PAM

Document created by RSA Customer Support Employee on Jan 22, 2020
Version 2
Article Number: 000038367
Applies To: RSA Product Set: SecurID
RSA Product/Service Type: Authentication Agent for PAM
  • The RSA Authentication Agent for PAM is configured to challenge Active Directory users according to their AD group membership on a Linux operating system.
  • The agent is integrated with Active Directory using Winbind.
  • Winbind fails to retrieve the group membership of AD users and thus fails to challenge them for SecurID authentication.

Cause

The RSA Authentication Agent for PAM uses the getgrent() call to return group membership. If Winbind is not configured properly, that call returns an empty member list, so the agent cannot match the user to an AD group. You can test this with the command getent group <group_name>.

A working configuration looks something like the example below:

[root@rhel7 ~]# getent group ad_group

A failed configuration returns the ad_group entry but without its member users, as shown:

[root@rhel7 ~]# getent group ad_group

Resolution

Configuration changes must be made to Winbind for the group membership to be returned correctly. Follow the steps below:
  1. As the root user, open the configuration file /etc/samba/smb.conf in a text editor.
  2. Find the line #--authconfig--end-line--.
  3. Add the line winbind expand groups = 1 above #--authconfig--end-line--:

    winbind expand groups = 1

  4. Check that the smb.conf file is free of any syntax errors by running the command testparm:

    [root@rhel7 ~]# testparm
    Load smb config files from /etc/samba/smb.conf
    Processing section "[homes]"
    Processing section "[printers]"
    Processing section "[tmp]"
    Processing section "[html]"
    Loaded services file OK.

  5. Restart the winbind service:

    [root@rhel7 ~]# service winbind restart

  6. Verify that the change resolved the issue by running getent group <group_name> again; the group entry should now list its member users:

    [root@rhel7 ~]# getent group ad_group
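As an added check that is not part of the RSA article, the POSIX shell helper below tests the two conditions the steps above rely on: whether a getent group line actually carries members, and whether smb.conf already sets winbind expand groups. The sample lines and the group name ad_group are constructed for illustration; only check_ad_group touches the live system.

```shell
#!/bin/sh
# Added diagnostic helper (not RSA's code). Assumes getent(1) output in the
# usual name:password:gid:member1,member2,... format.

# Constructed sample lines: what a working and a failing Winbind setup return.
WORKING_SAMPLE='ad_group:*:10001:alice,bob'
BROKEN_SAMPLE='ad_group:*:10001:'

# Constructed smb.conf fragments, with and without the required setting.
SMB_GOOD='[global]
   security = ads
   winbind expand groups = 1
#--authconfig--end-line--'
SMB_BAD='[global]
   security = ads
#--authconfig--end-line--'

# Return 0 when a getent group line lists at least one member (4th field).
group_has_members() {
    members=$(printf '%s\n' "$1" | cut -d: -f4)
    [ -n "$members" ]
}

# Return 0 when the smb.conf text on stdin sets "winbind expand groups"
# to 1 or higher (Samba treats the parameter name case-insensitively).
smbconf_expands_groups() {
    grep -Ei '^[[:space:]]*winbind[[:space:]]+expand[[:space:]]+groups[[:space:]]*=[[:space:]]*[1-9]' >/dev/null
}

# Live check of one AD group on this host (not exercised offline).
# Exit 0 = members resolved, 1 = group found but empty, 2 = group unknown.
check_ad_group() {
    line=$(getent group "$1") || { echo "group $1 not found"; return 2; }
    if group_has_members "$line"; then
        echo "OK: $1 resolves with members"
        return 0
    fi
    echo "FAIL: $1 resolves without members; set 'winbind expand groups = 1' in /etc/samba/smb.conf"
    return 1
}
```

Run check_ad_group ad_group before and after restarting winbind to confirm the change took effect.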