BeyondTrust/pbis-open

PBIS cache not populating with group membership changes.

tfm217 opened this issue · 11 comments

Version: 9.1.551.2
OS/Distro: CentOS Linux release 7.7.1908 (Core)
Issue/Impact:

PBIS cache not populating with group membership changes. Similar to:

#11
#8

Logon is restricted via AllowGroups in sshd_config. Therefore, a user trying to authenticate via SSH needs to be in one of those groups. Sometimes, PBIS can't resolve a user's group membership completely. I've checked this via "list-groups-for-user". Occasionally, the groups returned will be an incomplete list. If the group necessary for SSH login is not detected, that user cannot SSH to the server.

Groups are not nested.

@server1:/opt/pbis/bin$ ./list-groups-for-user userid1
Number of groups found for user 'userid1' : 1
Group[1 of 1] name = domain^users (gid = 709362177)

^ The above user has an additional group which is not showing up. Clearing the adcache followed by performing this command will refresh the newest group listing:

./lsa authenticate-user --user <userid1>

1. systemctl status lwsmd.service

```
● lwsmd.service - BeyondTrust AD Bridge Service Manager
Loaded: loaded (/lib/systemd/system/lwsmd.service; enabled; vendor preset: enabled)
Active: active (running) since Sat 2020-01-18 15:24:15 CST; 1 weeks 1 days ago
Process: 1346 ExecStart=/opt/pbis/sbin/lwsmd --start-as-daemon (code=exited, status=0/SUCCESS)
Main PID: 1444 (lwsmd)
Tasks: 319
Memory: 57.6M
CPU: 5min 22.473s
CGroup: /system.slice/lwsmd.service
├─1444 /opt/pbis/sbin/lwsmd --start-as-daemon
├─1492 lw-container lwreg
├─1574 lw-container eventlog
├─1623 lw-container netlogon
├─1684 lw-container lwio
├─1735 lw-container lsass
└─1794 lw-container reapsysl
```

2. /opt/pbis/bin/lwsm list

```
lwreg        running (container: 1492)
dcerpc       stopped
eventlog     running (container: 1574)
lsass        running (container: 1735)
lwio         running (container: 1684)
netlogon     running (container: 1623)
rdr          running (io: 1684)
reapsysl     running (container: 1794)
usermonitor  stopped
```
3. /opt/pbis/domainjoin-cli query

Name = <Expected Server Hostname>
Domain = <DOMAIN>.LOCAL
Distinguished Name = <Expected Server full DN> 
4. pbis status
LSA Server Status:

Compiled daemon version: 9.1.0.551
Packaged product version: 9.1.551.2
Uptime:        8 days 21 hours 27 minutes 29 seconds

[Authentication provider: lsa-activedirectory-provider]

        Status:        Online
        Mode:          Un-provisioned
        Domain:        DOMAIN.LOCAL
        Domain SID:    S-1-5-21-2969903720-942575579-1557940661
        Forest:        DOMAIN.local
        Site:          <correct site name>
        Online check interval:  300 seconds
        [Trusted Domains: 1]


        [Domain: <valid DOMAIN>]

                DNS Domain:       <DOMAIN>.local
                Netbios name:     <DOMAIN>
                Forest name:      <DOMAIN>.local
                Trustee DNS name:
                Client site name: <valid site name>
                Domain SID:       S-1-5-21-2969903720-942575579-1557940661
                Domain GUID:      1fff25be-6837-4bf7-bfc6-4c0f778311a2
                Trust Flags:      [0x001d]
                                  [0x0001 - In forest]
                                  [0x0004 - Tree root]
                                  [0x0008 - Primary]
                                  [0x0010 - Native]
                Trust type:       Up Level
                Trust Attributes: [0x0000]
                Trust Direction:  Primary Domain
                Trust Mode:       In my forest Trust (MFT)
                Domain flags:     [0x0001]
                                  [0x0001 - Primary]

                [Domain Controller (DC) Information]

                        DC Name:              <Valid DC>.DOMAIN.local
                        DC Address:           <Valid IP>
                        DC Site:              <correct site>
                        DC Flags:             [0x0000f1fd]
                        DC Is PDC:            yes
                        DC is time server:    yes
                        DC has writeable DS:  yes
                        DC is Global Catalog: yes
                        DC is running KDC:    yes

                [Global Catalog (GC) Information]

                        GC Name:              <Server>.<domain>.local
                        GC Address:           10.2.12.6
                        GC Site:              <correct site>
                        GC Flags:             [0x0000f1fc]
                        GC Is PDC:            no
                        GC is time server:    yes
                        GC has writeable DS:  yes
                        GC is running KDC:    yes
5. /opt/pbis/bin/enum-users

(Full output too long)
TotalNumUsersFound: 16063

6. attach logs
  • /opt/pbis/bin/lwsm set-log-target -p lsass - file /tmp/lsass.log
  • /opt/pbis/bin/lwsm set-log-level -p lsass - debug
  • attach log

Output/Error:

Steps to Reproduce:

  1. install command:

wget -O - http://repo.pbis.beyondtrust.com/apt/RPM-GPG-KEY-pbis|sudo apt-key add -
sudo wget -O /etc/apt/sources.list.d/pbiso.list http://repo.pbis.beyondtrust.com/apt/pbiso.list
sudo apt-get update
sudo apt-get install pbis-open

2. Domainjoin command

domainjoin-cli join --ou "" DOMAIN.local <domain.user>

3. Command that returns issue:

list-groups-for-user userid1
^ Occasionally returns less than the full list of groups

Login fails for the user if the groups are not reflected by the above commands but are necessary for authentication (logon is restricted by group via AllowGroups in sshd_config).

Updated some further details around the Output / Error / Steps to Reproduce.
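The failure mode described in this issue is that sshd decides AllowGroups from whatever NSS (and therefore the PBIS cache) returns at login time, so a stale or partial group list silently locks the user out. The following is an added example (not code from the pbis-open project or from the issue author) of a small pre-flight check: it pulls the AllowGroups patterns out of sshd_config text and compares them against the NSS-visible group list from `id -nG`, matching the way sshd does (each AllowGroups entry is a glob pattern). The group names and config fragment used in the comments are constructed for illustration; `/etc/ssh/sshd_config` is assumed as the default path.

```shell
#!/bin/sh
# Added example, not part of pbis-open: verify that a user's NSS-visible group
# list would satisfy sshd's AllowGroups before they attempt an SSH login.

# Print every group pattern listed on AllowGroups lines of the sshd_config
# text read from stdin, one per line. Comment and blank lines are skipped
# because their first field is never "allowgroups".
allow_groups_from_config() {
    awk 'tolower($1) == "allowgroups" { for (i = 2; i <= NF; i++) print $i }'
}

# user_allowed "<groups>" "<patterns>"
# $1: space-separated group names as returned by `id -nG user`
# $2: space-separated AllowGroups patterns
# Returns 0 if any group matches any pattern. sshd matches AllowGroups
# entries as glob patterns (e.g. "linux*"), so `case` is used rather than
# a plain string comparison.
user_allowed() {
    _groups=$1
    _patterns=$2
    for g in $_groups; do
        for p in $_patterns; do
            case "$g" in
                $p) return 0 ;;
            esac
        done
    done
    return 1
}

# Live check on the host: compare what NSS currently returns for the user
# (the cached view sshd will see) against the sshd_config on disk.
# Exit status: 0 allowed, 1 not in any AllowGroups, 2 user not resolvable.
check_user() {
    user=$1
    cfg=${2:-/etc/ssh/sshd_config}   # assumed default path
    patterns=$(allow_groups_from_config < "$cfg" | tr '\n' ' ')
    groups=$(id -nG "$user" 2>/dev/null) || {
        echo "$user: cannot be resolved via NSS"
        return 2
    }
    if user_allowed "$groups" "$patterns"; then
        echo "$user: OK, NSS groups: $groups"
        return 0
    fi
    echo "$user: NOT in any AllowGroups ($patterns); NSS returned only: $groups"
    return 1
}

# Usage on a live box:   check_user userid1
# A non-zero exit while `enum-groups` still shows the user's group is the
# symptom from this issue: the NSS/PBIS cache is what sshd consults, so the
# cache, not the directory, is what has to be right at login time.
```

Running `check_user` for an affected account before and after clearing the cache (or after `lsa authenticate-user`) shows directly whether the missing group is a cache problem rather than an sshd configuration problem.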

Same here also for Zorin/Ubuntu:

➜  ~ lsb_release -a
No LSB modules are available.
Distributor ID:	Zorin
Description:	Zorin OS 15.2
Release:	15
Codename:	bionic

Are the groups returned with the id command? Does enum-groups return the groups in question?

Hi,
When I use the id command in this format:

id user1

I receive a list of only two groups. The user has 20+ groups.

If I use the enum-groups command, and use grep to filter out the group I need (a group assigned to user1) I can see that group in the output. However that group does not appear when I run 'id user1'.

Please let me know if any further information can be helpful in identifying the issue. Appreciate any help!

tfm217

I am having the same issues in Ubuntu 16.04 LTS. Hope this can be rechecked and fixed soon.

Same issue on Debian 10.
In the meantime we have disabled the cache: NssGroupMembersQueryCacheOnly false

Still continuing to have this issue.

Basically unless id returns the full list of groups, I can't get authentication to work correctly because it requires this information to either permit or allow SSH login (SSHD).

If I use this command, the server temporarily allows results with the 'id' command, and allows SSH authentication:

/opt/pbis/bin/enum-groups --level 1

But this data does not last and soon after, the issue returns. (also if I restart lwsmd.service, or reboot the box)

We have had a few instances where disabling NssGroupMembersQueryCacheOnly resolves most of their issues.

/opt/pbis/bin/config NssGroupMembersQueryCacheOnly false

tkrah commented

Got the same problem but with a slightly different environment. Most groups are missing from the "id" output because they are only enumerated when in online mode.
While in the home office I need to set up VPN first to get back to online mode, and after that a new "login" shell will return all groups. But in offline mode they are all missing; groups should be cached too if this is possible.