Using the gateway to add users to local groups


Sandy

Mar 8, 2013, 10:02:16 AM3/8/13
to pgina-...@googlegroups.com
I'm trying to add users from the LDAP group pGina to the local Administrators group, but I'm getting failures after successful LDAP authentication. Also, it looks from the log like it's trying to mirror LDAP groups even though I have that unchecked in the config.
 
Here's the log; any help would be appreciated.
 
****
**** Simulated login starting: Friday, March 08, 2013 7:26:45 AM
**** pGina Version:  3.1.7.1
**** Enabled plugins:
****     Authentication: LDAP, Local Machine
****     Authorization: LDAP, Local Machine
****     Gateway: LDAP, Local Machine
****     Notification:
****
2013-03-08 07:26:45,846 [1|DEBUG] PluginDriver:a896c2b1-98da-42dd-90d8-dc7476809013: New PluginDriver created
2013-03-08 07:26:45,862 [1|DEBUG] PluginDriver:a896c2b1-98da-42dd-90d8-dc7476809013: Begin login chain, 1 stateful plugin(s).
2013-03-08 07:26:45,862 [1|DEBUG] LdapPlugin: BeginChain
2013-03-08 07:26:45,862 [1|DEBUG] LdapServer: Initializing LdapServer host(s): [ldap.server.com], port: 636, useSSL = True, verifyCert = False
2013-03-08 07:26:45,862 [1|DEBUG] LdapServer: Timeout set to 10 seconds.
2013-03-08 07:26:45,862 [1|DEBUG] PluginDriver:a896c2b1-98da-42dd-90d8-dc7476809013: Performing login process
2013-03-08 07:26:45,877 [1|DEBUG] PluginDriver:a896c2b1-98da-42dd-90d8-dc7476809013: Authenticating user username, 2 plugins available
2013-03-08 07:26:45,877 [1|DEBUG] PluginDriver:a896c2b1-98da-42dd-90d8-dc7476809013: Calling 0f52390b-c781-43ae-bd62-553c77fa4cf7
2013-03-08 07:26:45,877 [1|DEBUG] LdapPlugin: AuthenticateUser(a896c2b1-98da-42dd-90d8-dc7476809013)
2013-03-08 07:26:45,877 [1|DEBUG] LdapPlugin: Received username: username
2013-03-08 07:26:45,877 [1|DEBUG] LdapPlugin: Attempting authentication for username
2013-03-08 07:26:45,877 [1|DEBUG] LdapServer: Attempting bind as domain\ServicepGina
2013-03-08 07:26:47,049 [1|DEBUG] LdapServer: VerifyCert(...)
2013-03-08 07:26:47,049 [1|DEBUG] LdapServer: Verifying certificate from host: ldap.server.com
2013-03-08 07:26:47,049 [1|DEBUG] LdapServer: Server certificate accepted without verification.
2013-03-08 07:26:47,237 [1|DEBUG] LdapServer: Successful bind to ldap.server.com as domain\ServicepGina
2013-03-08 07:26:47,237 [1|DEBUG] LdapServer: Searching for DN using filter (&(objectClass=user)(sAMAccountName=username))
2013-03-08 07:26:47,237 [1|DEBUG] LdapServer: Searching context OU=Administrative Accounts,DC=domain,DC=com
2013-03-08 07:26:47,440 [1|DEBUG] LdapServer: Searching context OU=Users and Groups,DC=domain,DC=com
2013-03-08 07:26:47,627 [1|DEBUG] LdapServer: Searching context OU=Users and Groups Exceptions,DC=domain,DC=com
2013-03-08 07:26:48,034 [1|DEBUG] LdapServer: Found DN: CN=Last\, First,OU=Site,OU=Test Group,OU=Group One,OU=Users and Groups Exceptions,DC=domain,DC=com
2013-03-08 07:26:48,034 [1|DEBUG] LdapServer: Attempting to bind with DN CN=Last\, First,OU=Site,OU=Test Group,OU=Group One,OU=Users and Groups Exceptions,DC=domain,DC=com
2013-03-08 07:26:48,034 [1|DEBUG] LdapServer: Attempting bind as CN=Last\, First,OU=Site,OU=Test Group,OU=Group One,OU=Users and Groups Exceptions,DC=domain,DC=com
2013-03-08 07:26:48,252 [1|DEBUG] LdapServer: Successful bind to ldap.server.com as CN=Last\, First,OU=Site,OU=Test Group,OU=Group One,OU=Users and Groups Exceptions,DC=domain,DC=com
2013-03-08 07:26:48,252 [1|DEBUG] LdapServer: LDAP DN CN=Last\, First,OU=Site,OU=Test Group,OU=Group One,OU=Users and Groups Exceptions,DC=domain,DC=com successfully bound to server, return success
2013-03-08 07:26:48,252 [1|DEBUG] PluginDriver:a896c2b1-98da-42dd-90d8-dc7476809013: 0f52390b-c781-43ae-bd62-553c77fa4cf7 Succeeded
2013-03-08 07:26:48,252 [1|DEBUG] PluginDriver:a896c2b1-98da-42dd-90d8-dc7476809013: Calling 12fa152d-a2e3-4c8d-9535-5dcd49dfcb6d
2013-03-08 07:26:48,252 [1|DEBUG] LocalMachine: AuthenticateUser(a896c2b1-98da-42dd-90d8-dc7476809013)
2013-03-08 07:26:48,252 [1|DEBUG] LocalMachine: Found username: username
2013-03-08 07:26:48,268 [1|INFO ] LocalMachine: Authenticated user: username
2013-03-08 07:26:48,268 [1|DEBUG] LocalMachine: AuthenticateUser: Mirroring group membership from SAM
2013-03-08 07:26:52,909 [1|ERROR] LocalAccount.SyncLocalGroupsToUserInfo: Unexpected error while syncing local groups, skipping rest: System.Runtime.InteropServices.COMException (0x80070035): The network path was not found.
   at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
   at System.DirectoryServices.DirectoryEntry.Bind()
   at System.DirectoryServices.DirectoryEntry.get_AdsObject()
   at System.DirectoryServices.PropertyValueCollection.PopulateList()
   at System.DirectoryServices.PropertyValueCollection..ctor(DirectoryEntry entry, String propertyName)
   at System.DirectoryServices.PropertyCollection.get_Item(String propertyName)
   at System.DirectoryServices.AccountManagement.SAMStoreCtx.ResolveCrossStoreRefToPrincipal(Object o)
   at System.DirectoryServices.AccountManagement.SAMMembersSet.MoveNextForeign()
   at System.DirectoryServices.AccountManagement.SAMMembersSet.MoveNext()
   at System.DirectoryServices.AccountManagement.PrincipalCollectionEnumerator.MoveNext()
   at System.DirectoryServices.AccountManagement.PrincipalCollectionEnumerator.System.Collections.IEnumerator.MoveNext()
   at pGina.Plugin.LocalMachine.LocalAccount.IsUserInGroup(UserPrincipal user, GroupPrincipal group)
   at pGina.Plugin.LocalMachine.LocalAccount.GetGroups(UserPrincipal user)
   at pGina.Plugin.LocalMachine.LocalAccount.SyncLocalGroupsToUserInfo(UserInformation userInfo)
2013-03-08 07:26:52,909 [1|DEBUG] PluginDriver:a896c2b1-98da-42dd-90d8-dc7476809013: 12fa152d-a2e3-4c8d-9535-5dcd49dfcb6d Succeeded
2013-03-08 07:26:52,909 [1|INFO ] PluginDriver:a896c2b1-98da-42dd-90d8-dc7476809013: Successfully authenticated username
2013-03-08 07:26:52,909 [1|DEBUG] PluginDriver:a896c2b1-98da-42dd-90d8-dc7476809013: Authorizing user username, 2 plugins available
2013-03-08 07:26:52,909 [1|DEBUG] PluginDriver:a896c2b1-98da-42dd-90d8-dc7476809013: Calling 0f52390b-c781-43ae-bd62-553c77fa4cf7
2013-03-08 07:26:52,909 [1|DEBUG] LdapPlugin: LDAP Plugin Authorization
2013-03-08 07:26:52,909 [1|DEBUG] LdapServer: Attempting bind as domain\ServicepGina
2013-03-08 07:26:53,112 [1|DEBUG] LdapServer: Successful bind to ldap.server.com as domain\ServicepGina
2013-03-08 07:26:53,112 [1|DEBUG] LdapServer: Attempting to generate DN for user username
2013-03-08 07:26:53,112 [1|DEBUG] LdapServer: Attempting bind as domain\ServicepGina
2013-03-08 07:26:53,299 [1|DEBUG] LdapServer: Successful bind to ldap.server.com as domain\ServicepGina
2013-03-08 07:26:53,299 [1|DEBUG] LdapServer: Searching for DN using filter (&(objectClass=user)(sAMAccountName=username))
2013-03-08 07:26:53,299 [1|DEBUG] LdapServer: Searching context OU=Administrative Accounts,DC=domain,DC=com
2013-03-08 07:26:53,502 [1|DEBUG] LdapServer: Searching context OU=Users and Groups,DC=domain,DC=com
2013-03-08 07:26:53,690 [1|DEBUG] LdapServer: Searching context OU=Users and Groups Exceptions,DC=domain,DC=com
2013-03-08 07:26:53,893 [1|DEBUG] LdapServer: Found DN: CN=Last\, First,OU=Site,OU=Test Group,OU=Group One,OU=Users and Groups Exceptions,DC=domain,DC=com
2013-03-08 07:26:53,909 [1|DEBUG] LdapServer: Searching for group membership, DN: cn=pGina,ou=Test Group,ou=Group One,ou=Users and Groups Exceptions,dc=domain,dc=com  Filter: (member=CN=Last\, First,OU=Site,OU=Test Group,OU=Group One,OU=Users and Groups Exceptions,DC=domain,DC=com)
2013-03-08 07:26:54,096 [1|DEBUG] LdapPlugin: User username is member of group pGina
2013-03-08 07:26:54,096 [1|DEBUG] PluginDriver:a896c2b1-98da-42dd-90d8-dc7476809013: Calling 12fa152d-a2e3-4c8d-9535-5dcd49dfcb6d
2013-03-08 07:26:54,096 [1|INFO ] PluginDriver:a896c2b1-98da-42dd-90d8-dc7476809013: Successfully authorized username
2013-03-08 07:26:54,096 [1|DEBUG] PluginDriver:a896c2b1-98da-42dd-90d8-dc7476809013: Processing gateways for user username, 2 plugins available
2013-03-08 07:26:54,096 [1|DEBUG] PluginDriver:a896c2b1-98da-42dd-90d8-dc7476809013: Calling 0f52390b-c781-43ae-bd62-553c77fa4cf7
2013-03-08 07:26:54,096 [1|DEBUG] LdapPlugin: LDAP Plugin Gateway
2013-03-08 07:26:54,112 [1|DEBUG] LdapServer: Attempting bind as domain\ServicepGina
2013-03-08 07:26:54,299 [1|DEBUG] LdapServer: Successful bind to ldap.server.com as domain\ServicepGina
2013-03-08 07:26:54,299 [1|DEBUG] LdapServer: Attempting to generate DN for user username
2013-03-08 07:26:54,299 [1|DEBUG] LdapServer: Attempting bind as domain\ServicepGina
2013-03-08 07:26:54,502 [1|DEBUG] LdapServer: Successful bind to ldap.server.com as domain\ServicepGina
2013-03-08 07:26:54,502 [1|DEBUG] LdapServer: Searching for DN using filter (&(objectClass=user)(sAMAccountName=username))
2013-03-08 07:26:54,502 [1|DEBUG] LdapServer: Searching context OU=Administrative Accounts,DC=domain,DC=com
2013-03-08 07:26:54,690 [1|DEBUG] LdapServer: Searching context OU=Users and Groups,DC=domain,DC=com
2013-03-08 07:26:54,877 [1|DEBUG] LdapServer: Searching context OU=Users and Groups Exceptions,DC=domain,DC=com
2013-03-08 07:26:55,096 [1|DEBUG] LdapServer: Found DN: CN=Last\, First,OU=Site,OU=Test Group,OU=Group One,OU=Users and Groups Exceptions,DC=domain,DC=com
2013-03-08 07:26:55,096 [1|DEBUG] LdapServer: Searching for group membership, DN: cn=pGina,ou=Test Group,ou=Group One,ou=Users and Groups Exceptions,dc=domain,dc=com  Filter: (member=CN=Last\, First,OU=Site,OU=Test Group,OU=Group One,OU=Users and Groups Exceptions,DC=domain,DC=com)
2013-03-08 07:26:55,284 [1|DEBUG] LdapPlugin: User username is member of group pGina
2013-03-08 07:26:55,284 [1|INFO ] LdapPlugin: Adding user username to local group Administrators, due to rule "If member of LDAP group "pGina" add to local group "Administrators""
2013-03-08 07:26:55,284 [1|DEBUG] PluginDriver:a896c2b1-98da-42dd-90d8-dc7476809013: Calling 12fa152d-a2e3-4c8d-9535-5dcd49dfcb6d
2013-03-08 07:26:55,315 [1|DEBUG] LocalMachine: AuthenticatedUserGateway(a896c2b1-98da-42dd-90d8-dc7476809013) for user: username
2013-03-08 07:26:55,315 [1|DEBUG] LocalAccount[username]: SyncToLocalUser()
2013-03-08 07:26:55,565 [1|DEBUG] LocalAccount[username]: Checking for groups to remove.
2013-03-08 07:26:55,596 [1|ERROR] PluginDriver:a896c2b1-98da-42dd-90d8-dc7476809013: 12fa152d-a2e3-4c8d-9535-5dcd49dfcb6d Failed to process gateway for username message: Unable to sync users local group membership: System.Runtime.InteropServices.COMException (0x80070035): The network path was not found.
   at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
   at System.DirectoryServices.DirectoryEntry.Bind()
   at System.DirectoryServices.DirectoryEntry.get_AdsObject()
   at System.DirectoryServices.PropertyValueCollection.PopulateList()
   at System.DirectoryServices.PropertyValueCollection..ctor(DirectoryEntry entry, String propertyName)
   at System.DirectoryServices.PropertyCollection.get_Item(String propertyName)
   at System.DirectoryServices.AccountManagement.SAMStoreCtx.ResolveCrossStoreRefToPrincipal(Object o)
   at System.DirectoryServices.AccountManagement.SAMMembersSet.MoveNextForeign()
   at System.DirectoryServices.AccountManagement.SAMMembersSet.MoveNext()
   at System.DirectoryServices.AccountManagement.PrincipalCollectionEnumerator.MoveNext()
   at System.DirectoryServices.AccountManagement.PrincipalCollectionEnumerator.System.Collections.IEnumerator.MoveNext()
   at pGina.Plugin.LocalMachine.LocalAccount.IsUserInGroup(UserPrincipal user, GroupPrincipal group)
   at pGina.Plugin.LocalMachine.LocalAccount.GetGroups(UserPrincipal user)
   at pGina.Plugin.LocalMachine.LocalAccount.SyncToLocalUser()
2013-03-08 07:26:55,612 [1|DEBUG] PluginDriver:a896c2b1-98da-42dd-90d8-dc7476809013: End login chain, 1 stateful plugin(s).
2013-03-08 07:26:55,612 [1|DEBUG] LdapPlugin: EndChain
2013-03-08 07:26:55,612 [1|DEBUG] LdapServer: Closing LDAP connection to ldap.server.com.

Sandy

Mar 12, 2013, 9:58:53 AM3/12/13
to pgina-general
Anybody have any ideas? I'm stumped by why it's only failing when trying to add the newly created local user account to the local Administrators group.

thanks

David Wolff

Mar 13, 2013, 1:46:32 AM3/13/13
to pgina-...@googlegroups.com
Was the computer ever on a domain? If so, are there any unresolved SIDs for group members?

David
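The stack trace in the first post fails inside SAMMembersSet.MoveNextForeign and SAMStoreCtx.ResolveCrossStoreRefToPrincipal, which is the path System.DirectoryServices.AccountManagement takes when a local group contains a member that is not a local SAM account and it has to bind to that member's home store; 0x80070035 ("The network path was not found") at that point means the store could not be reached. The following PowerShell is an added example, not pGina project code, that answers the question above by listing, for the local groups the rules target, every member that is either a bare, unresolvable SID or a cross-store (domain) reference. The group names, the use of the WinNT ADSI provider, and the assumption that a local member's AdsPath contains a "/<COMPUTERNAME>/" segment are mine; adjust them for your environment.

```powershell
# Added example, not pGina project code. Lists members of the local groups that
# pGina's rules target and reports two things the stack trace points at:
# members that are bare SIDs (the machine can no longer resolve them) and
# members that live outside the local SAM (domain accounts or groups), which
# AccountManagement resolves by binding to their home store.
# Group names and the computer name are assumptions; adjust as needed.
function Get-ForeignLocalGroupMembers {
    param(
        [string[]]$GroupNames = @('Administrators', 'Users'),
        [string]$ComputerName = $env:COMPUTERNAME
    )

    $sidPattern = '^S-1-\d+(-\d+)+$'
    $results = @()

    foreach ($groupName in $GroupNames) {
        # The WinNT provider lists members without resolving them, so this
        # enumeration itself does not need the domain to be reachable.
        $group = [ADSI]"WinNT://$ComputerName/$groupName,group"
        foreach ($member in @($group.Invoke('Members'))) {
            $name    = $member.GetType().InvokeMember('Name',    'GetProperty', $null, $member, $null)
            $adsPath = $member.GetType().InvokeMember('AdsPath', 'GetProperty', $null, $member, $null)

            # Assumption: a local SAM member's AdsPath contains "/<COMPUTERNAME>/";
            # anything else is a cross-store (domain) reference.
            $isLocal     = $adsPath -match "/$([regex]::Escape($ComputerName))/"
            $isOrphanSid = $name -match $sidPattern

            if ($isLocal -and -not $isOrphanSid) { continue }

            $resolvedTo = $null
            if ($isOrphanSid) {
                # Try to translate the SID; failure confirms it is truly unresolved.
                try {
                    $sid = New-Object System.Security.Principal.SecurityIdentifier($name)
                    $resolvedTo = $sid.Translate([System.Security.Principal.NTAccount]).Value
                } catch {
                    $resolvedTo = $null
                }
            }

            $results += [pscustomobject]@{
                Group      = $groupName
                Member     = $name
                AdsPath    = $adsPath
                Kind       = $(if ($isOrphanSid) { 'unresolved SID' } else { 'domain/foreign member' })
                ResolvedTo = $resolvedTo
            }
        }
    }
    return $results
}

# Usage: run from an elevated PowerShell prompt on the affected workstation.
Get-ForeignLocalGroupMembers | Format-Table -AutoSize
```

An empty result means every member of those groups is a plain local account, and the failure has to be explained some other way. Any row of kind "domain/foreign member" on a machine that can no longer reach that domain is enough to reproduce the bind error in the trace, even when no SID is orphaned.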


You received this message because you are subscribed to the Google Groups "pgina-general" group.

Sandy

Mar 13, 2013, 3:56:21 PM3/13/13
to pgina-general
I don't think I replied properly earlier.

It was on a domain but there are no orphaned SIDs.

It creates the local user; it just doesn't add the user to the local groups.

Looks like I'm missing the following lines from an unsuccessful attempt.

2013-03-12 16:43:56,859 [1|DEBUG] LocalAccount[first.last]: Checking for groups to add
2013-03-12 16:43:56,875 [1|DEBUG] LocalAccount[first.last]: Add Administrators?
2013-03-12 16:43:57,484 [1|DEBUG] LocalAccount[first.last]: Adding user first.last to group Administrators
2013-03-12 16:43:58,063 [1|DEBUG] LocalAccount[first.last]: End SyncToLocalUser()


Successful attempt:
2013-03-12 16:43:55,250 [1|DEBUG] LdapPlugin: User first.last is member of group pgina
2013-03-12 16:43:55,266 [1|INFO ] LdapPlugin: Adding user first.last to local group Administrators, due to rule "If member of LDAP group "pgina" add to local group "Administrators""
2013-03-12 16:43:55,281 [1|DEBUG] PluginDriver:0b4bff4a-9eb6-40e0-9324-fd4c7796511d: Calling 12fa152d-a2e3-4c8d-9535-5dcd49dfcb6d
2013-03-12 16:43:55,297 [1|DEBUG] LocalMachine: Marking for deletion: first.last
2013-03-12 16:43:55,312 [1|DEBUG] LocalMachine: AuthenticatedUserGateway(0b4bff4a-9eb6-40e0-9324-fd4c7796511d) for user: first.last
2013-03-12 16:43:55,328 [1|DEBUG] LocalAccount[first.last]: SyncToLocalUser()
2013-03-12 16:43:55,453 [1|DEBUG] LocalAccount[first.last]: Checking for groups to remove.
2013-03-12 16:43:56,859 [1|DEBUG] LocalAccount[first.last]: Checking for groups to add
2013-03-12 16:43:56,875 [1|DEBUG] LocalAccount[first.last]: Add Administrators?
2013-03-12 16:43:57,484 [1|DEBUG] LocalAccount[first.last]: Adding user first.last to group Administrators
2013-03-12 16:43:58,063 [1|DEBUG] LocalAccount[first.last]: End SyncToLocalUser()
2013-03-12 16:43:58,078 [1|INFO ] PluginDriver:0b4bff4a-9eb6-40e0-9324-fd4c7796511d: Successfully processed gateways for first.last
2013-03-12 16:43:58,109 [1|DEBUG] PluginDriver:0b4bff4a-9eb6-40e0-9324-fd4c7796511d: End login chain, 1 stateful plugin(s).
2013-03-12 16:43:58,125 [1|DEBUG] LdapPlugin: EndChain
2013-03-12 16:43:58,125 [1|DEBUG] LdapServer: Closing LDAP connection to ldap.server.com.

Unsuccessful attempt:
2013-03-13 07:27:49,883 [1|DEBUG] LdapPlugin: User first.last is member of group pGina
2013-03-13 07:27:49,883 [1|INFO ] LdapPlugin: Adding user first.last to local group Users, due to rule "If member of LDAP group "pGina" add to local group "Users""
2013-03-13 07:27:49,883 [1|DEBUG] PluginDriver:a9d6e9ea-90be-494e-9a1b-d13dbe9f354f: Calling 12fa152d-a2e3-4c8d-9535-5dcd49dfcb6d
2013-03-13 07:27:49,899 [1|DEBUG] LocalMachine: Marking for deletion: first.last
2013-03-13 07:27:49,914 [1|DEBUG] LocalMachine: AuthenticatedUserGateway(a9d6e9ea-90be-494e-9a1b-d13dbe9f354f) for user: first.last
2013-03-13 07:27:49,930 [1|DEBUG] LocalAccount[first.last]: SyncToLocalUser()
2013-03-13 07:27:50,727 [1|DEBUG] LocalAccount[first.last]: Checking for groups to remove.
2013-03-13 07:27:55,258 [1|INFO ] PluginDriver:a9d6e9ea-90be-494e-9a1b-d13dbe9f354f: Successfully processed gateways for first.last
2013-03-13 07:27:55,258 [1|DEBUG] PluginDriver:a9d6e9ea-90be-494e-9a1b-d13dbe9f354f: End login chain, 1 stateful plugin(s).
2013-03-13 07:27:55,258 [1|DEBUG] LdapPlugin: EndChain
2013-03-13 07:27:55,258 [1|DEBUG] LdapServer: Closing LDAP connection
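The two runs quoted in this post differ in one detail worth automating a check for: in the failing run, SyncToLocalUser() logs "Checking for groups to remove." and then the gateway is reported as successfully processed without "Checking for groups to add" or "End SyncToLocalUser()" ever appearing, so the group add phase is skipped with no error. The PowerShell below is an added example, not pGina code, that scans pGina log text for exactly that pattern (and for the explicit "Unable to sync users local group membership" error from the first post). The sample log lines are constructed from the ones quoted in this thread, and the log file path at the end is a placeholder.

```powershell
# Added example, not pGina code: scan pGina log text for gateway passes in which
# LocalAccount.SyncToLocalUser() started, checked for groups to remove, and then
# the gateway was reported successful without ever reaching "Checking for groups
# to add" / "End SyncToLocalUser()". Also reports explicit sync errors.
function Find-IncompleteGroupSync {
    param([Parameter(Mandatory)][string[]]$Lines)

    $open     = @{}   # account name -> line number where SyncToLocalUser() began
    $findings = @()
    $lineNo   = 0

    foreach ($line in $Lines) {
        $lineNo++

        if ($line -match 'LocalAccount\[(?<acct>[^\]]+)\]: SyncToLocalUser\(\)\s*$') {
            $open[$Matches.acct] = $lineNo
            continue
        }
        if ($line -match 'LocalAccount\[(?<acct>[^\]]+)\]: End SyncToLocalUser\(\)') {
            $open.Remove($Matches.acct)   # the add phase completed normally
            continue
        }
        if ($line -match '\[1\|ERROR\].*Unable to sync users local group membership') {
            $findings += [pscustomobject]@{
                Line   = $lineNo
                Reason = 'LocalMachine gateway threw while enumerating local group members'
                Detail = $line
            }
            continue
        }
        # Gateway success while a sync is still open: the add phase was skipped
        # silently, which is the shape of the unsuccessful run above.
        if ($line -match 'Successfully processed gateways for (?<acct>\S+)') {
            $acct = $Matches.acct
            if ($open.ContainsKey($acct)) {
                $findings += [pscustomobject]@{
                    Line   = $lineNo
                    Reason = "SyncToLocalUser() for $acct (started at line $($open[$acct])) never reached the group add phase"
                    Detail = $line
                }
                $open.Remove($acct)
            }
        }
    }
    return $findings
}

# Constructed sample: the successful and the unsuccessful run quoted in this thread.
$sampleLog = @'
2013-03-12 16:43:55,328 [1|DEBUG] LocalAccount[first.last]: SyncToLocalUser()
2013-03-12 16:43:55,453 [1|DEBUG] LocalAccount[first.last]: Checking for groups to remove.
2013-03-12 16:43:56,859 [1|DEBUG] LocalAccount[first.last]: Checking for groups to add
2013-03-12 16:43:57,484 [1|DEBUG] LocalAccount[first.last]: Adding user first.last to group Administrators
2013-03-12 16:43:58,063 [1|DEBUG] LocalAccount[first.last]: End SyncToLocalUser()
2013-03-12 16:43:58,078 [1|INFO ] PluginDriver:0b4bff4a-9eb6-40e0-9324-fd4c7796511d: Successfully processed gateways for first.last
2013-03-13 07:27:49,930 [1|DEBUG] LocalAccount[first.last]: SyncToLocalUser()
2013-03-13 07:27:50,727 [1|DEBUG] LocalAccount[first.last]: Checking for groups to remove.
2013-03-13 07:27:55,258 [1|INFO ] PluginDriver:a9d6e9ea-90be-494e-9a1b-d13dbe9f354f: Successfully processed gateways for first.last
'@ -split "`r?`n"

# Only the second run (line 7 onwards) is reported.
Find-IncompleteGroupSync -Lines $sampleLog | Format-List

# To scan a real log instead (the path is a placeholder):
# Find-IncompleteGroupSync -Lines (Get-Content 'C:\path\to\pGina.log') | Format-List
```

Running this against the log of a machine where "it works on some boxes but not others" turns a silent skip into a reportable finding, which is easier to correlate with group membership or network state on that box than the absence of a line.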

dope...@gmail.com

Mar 26, 2013, 7:55:08 PM3/26/13
to pgina-...@googlegroups.com
I just played around with this too. I had to put the LDAP module in front of the Local Machine module for the Gateway function.

Sandy

Apr 11, 2013, 7:04:39 AM4/11/13
to pgina-general
Yeah, I have LDAP first as well in the plugin order. It works on some boxes but not all; it seems to fail on about 3 out of 10 boxes I install it on, no idea why.

Jy Tan

Aug 22, 2017, 1:48:23 AM8/22/17
to pgina-general
I also happen to encounter the same; somehow it appears to be some hardening policy (not sure which one) that prevents pGina from creating the local user, local groups, and adding the user into the group.