Skip navigation

Log in to create and rate content, and to follow, bookmark, and share content with other members.

000038367 - When Active Directory is integrated using Winbind, group membership for Active Directory users fails with the RSA Authentication Agent for PAM

Document created by RSA Customer Support

on Jan 22, 2020•Last modified by RSA Customer Support

on Jan 22, 2020

Version 2Show Document

Like • Show 0 Likes0
Comment • 0
View in full screen mode

Article Content

Article Number	000038367
Applies To	RSA Product Set: SecurID RSA Product/Service Type: Authentication Agent for PAM
Issue	The RSA Authentication Agent for PAM is configured to challenge Active Directory users according to their AD group membership on a Linux operating system. The agent is integrated with Active Directory using Winbind. Winbind fails to retrieve the group membership of AD users and thus, fails to challenge them for SecurID authentication.
Cause	The RSA Authentication Agent for PAM uses the getgrent() system call to return the group membership. If Winbind is not configured properly, the system call returns an empty list. You can test this using the command getent group <group_name>. A working configuration looks something like the example below: [root@rhel7 ~]# getent group ad_group ad_group:x:16777224:user1,user2,user3,user4 A failed configuration returns the ad_group value but not the users, as shown: [root@rhel7 ~]# getent group ad_group ad_group:x:16777224:
Resolution	Configuration changes must be made to Winbind for the group membership to return correctly. Follow the steps below: As the root user, open the config file /etc/samba/smb.conf using a text editor. Find the section #--authconfig--end-line--. Add the line winbind expand groups = 1 above #--authconfig--end-line--: ... winbind expand groups = 1 #--authconfig--end-line-- Check that the smb.conf file is free of any syntax errors by running the command testparm: [root@rhel7 ~]# testparm Load smb config files from /etc/samba/smb.conf Processing section "[homes]" Processing section "[printers]" Processing section "[tmp]" Processing section "[html]" Loaded services file OK. Restart the winbind service: [root@rhel7 ~]# service winbind restart Test that the change resolved the issue by running getent group <group_name>: [root@rhel7 ~]# getent group ad_group ad_group:x:16777224:user1,user2,user3,user4

Attachments

Outcomes

0 Comments

Recommended Content