When Active Directory is integrated using Winbind, group membership for Active Directory users fails with the RSA Authentication Agent for PAM
Originally Published: 2020-01-21
Article Number
Applies To
RSA Product/Service Type: Authentication Agent for PAM
Issue
- The RSA Authentication Agent for PAM is configured to challenge Active Directory users according to their AD group membership on a Linux operating system.
- The agent is integrated with Active Directory using Winbind.
- Winbind fails to retrieve the group membership of AD users and thus, fails to challenge them for SecurID authentication.
Cause
A working configuration looks something like the example below:
[root@rhel7 ~]# getent group ad_group ad_group:x:16777224:user1,user2,user3,user4
A failed configuration returns the ad_group value but not the users, as shown:
[root@rhel7 ~]# getent group ad_group ad_group:x:16777224:
Resolution
- As the root user, open the config file /etc/samba/smb.conf using a text editor.
- Find the section #--authconfig--end-line--.
- Add the line winbind expand groups = 1 above #--authconfig--end-line--:
... winbind expand groups = 1 #--authconfig--end-line--
- Check that the smb.conf file is free of any syntax errors by running the command testparm:
[root@rhel7 ~]# testparm Load smb config files from /etc/samba/smb.conf Processing section "[homes]" Processing section "[printers]" Processing section "[tmp]" Processing section "[html]" Loaded services file OK.
- Restart the winbind service:
[root@rhel7 ~]# service winbind restart
- Test that the change resolved the issue by running getent group <group_name>:
[root@rhel7 ~]# getent group ad_group ad_group:x:16777224:user1,user2,user3,user4
Related Articles
RSA PAM Authentication Agent cannot challenge users in Active Directory groups Number of Views View User Group Memberships for a User in the User Dashboard Number of Views Is there a tool to test your SID800 PIN with RSA Middleware? Number of Views Is there a list of KCA error messages and their definitions? Number of Views Integrate Citrix NetScaler with RSA Authentication Manager 8.x Number of Views
Trending Articles
RSA SecurID Software Token 5.0.2 for Windows Desktop displays message after reboot due to roaming profile: No token stor… RSA MFA Agent 2.3.6 for Microsoft Windows Installation and Administration Guide Troubleshooting RSA SecurID Access Application Portal unsuccessful logon message due to a bad identity source bind RSA Release Notes: Cloud Access Service and RSA Authenticators RSA Authentication Manager Upgrade Process
Don't see what you're looking for?
