When Active Directory is integrated using Winbind, group membership for Active Directory users fails with the RSA Authentication Agent for PAM
Originally Published: 2020-01-21
Applies To
RSA Product/Service Type: Authentication Agent for PAM
Issue
- The RSA Authentication Agent for PAM is configured to challenge Active Directory users according to their AD group membership on a Linux operating system.
- The agent is integrated with Active Directory using Winbind.
- Winbind fails to retrieve the group membership of AD users, so they are not challenged for SecurID authentication.
Cause
In a working configuration, getent group returns the group together with its members, as in the example below:
[root@rhel7 ~]# getent group ad_group
ad_group:x:16777224:user1,user2,user3,user4
A failed configuration returns the ad_group value but not the users, as shown:
[root@rhel7 ~]# getent group ad_group
ad_group:x:16777224:
Resolution
- As the root user, open the config file /etc/samba/smb.conf using a text editor.
- Find the section #--authconfig--end-line--.
- Add the line winbind expand groups = 1 above #--authconfig--end-line--:
...
winbind expand groups = 1
#--authconfig--end-line--
- Check that the smb.conf file is free of any syntax errors by running the command testparm:
[root@rhel7 ~]# testparm
Load smb config files from /etc/samba/smb.conf
Processing section "[homes]"
Processing section "[printers]"
Processing section "[tmp]"
Processing section "[html]"
Loaded services file OK.
- Restart the winbind service:
[root@rhel7 ~]# service winbind restart
- Test that the change resolved the issue by running getent group <group_name>:
[root@rhel7 ~]# getent group ad_group
ad_group:x:16777224:user1,user2,user3,user4
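The check in the last step can be scripted so that an empty member list on a challenge group is caught before users silently stop being challenged. The following is an added example, not RSA code: the function names member_count, expand_groups_value and diagnose are hypothetical, and the smb.conf parsing is a simplification that ignores section boundaries and include files.

```bash
#!/usr/bin/env bash
# Added example (not from the original article). Function names are hypothetical.

# Print how many members one `getent group` line lists.
# Line format: name:passwd:gid:member1,member2,...
member_count() {
    printf '%s\n' "$1" | awk -F: '{ n = ($4 == "") ? 0 : split($4, m, ","); print n }'
}

# Print the value assigned to "winbind expand groups" in an smb.conf file,
# or "unset" when no such line exists. Comment lines (# or ;) are skipped,
# the name is matched case-insensitively, and the last assignment wins.
# Simplification: sections and include files are not evaluated.
expand_groups_value() {
    awk -F= '
        /^[ \t]*[#;]/ { next }
        {
            key = tolower($1); gsub(/[ \t]/, "", key)
            if (key == "winbindexpandgroups") {
                val = $2; gsub(/[ \t\r]/, "", val)
                found = val; seen = 1
            }
        }
        END { print (seen ? found : "unset") }
    ' "$1"
}

# Diagnose one challenge group from its getent line and the smb.conf path.
# Returns 0 when members are listed, 1 when the member list is empty.
diagnose() {
    dg_name=${1%%:*}
    if [ "$(member_count "$1")" -gt 0 ]; then
        echo "OK: $dg_name lists $(member_count "$1") member(s)"
        return 0
    fi
    echo "WARN: $dg_name lists no members;" \
         "winbind expand groups is $(expand_groups_value "$2")"
    return 1
}

# Usage on a live host, as root:
#   diagnose "$(getent group ad_group)" /etc/samba/smb.conf
```

A non-zero return from diagnose on the group used for SecurID challenges is the failed state described under Cause.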