Directory Services synchronization (SSO & AD)

Some people have been having issues with SSO and AD synchronization.  I'm just reporting my issue and to document.

2 x UTM525's in HA.  We're using SSO for users, all the goodies, web filtering, email, VPN, user portal.

After upgrading to 9.313-3 on Tuesday I started getting the alerts below.  Our UTM service account keeps getting locked out about every 2 hours on the dot.

Error message:
---------------------
[WARN-531] Directory Services synchronization
There was an error synchronizing subscribed groups. The Sophos UTM will continue to operate with a locally cached copy of the data but will be unable to update from Directory Services until the issue is resolved.

Error was:
failed to run samba command on domain.com, exiting now
--------------------

Tried un-joining and re-joining the UTM to our domain, still having issues.  Tests on server settings come back fine.  User authentication tests come back fine.

So is anyone else having this issue as well?  Waiting for Sophos support to call back to help troubleshoot.  A little off-topic/rant, but Sophos support REALLY needs some improvement.  It takes like 20-30 minutes just to put a ticket in, and I've been waiting for over 90 minutes for an engineer call back (after being told I would get a call back in 30 minutes).
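The lockout pattern reported in this post (a service account locked at a fixed interval while the appliance's scheduled group sync keeps failing) is cheap to confirm on the domain side before blaming the firewall: Security event 4740 ("A user account was locked out") on the PDC emulator records both the account and the CallerComputerName that sent the bad password. The script below is an added example, not code from this thread or from Sophos. It assumes a CSV-style export of 4740 events (timestamp, event ID, account, caller computer); the hostnames, account name and timestamps in the sample are constructed for the example.

```python
"""Attribute Windows 4740 lockouts of a service account to a caller host and
check whether they recur on a fixed schedule (e.g. every two hours)."""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample: a CSV-style export of Security-log event 4740 from the
# PDC emulator. Field order: TimeCreated (UTC), EventID, TargetUserName,
# CallerComputerName. Account and hostnames are invented for this example.
SAMPLE_4740 = """\
2017-05-14T04:39:02Z,4740,svc-utm-sso,UTM-HA-MASTER
2017-05-14T06:39:05Z,4740,svc-utm-sso,UTM-HA-MASTER
2017-05-14T08:39:01Z,4740,svc-utm-sso,UTM-HA-MASTER
2017-05-14T09:12:44Z,4740,jdoe,WS-0042
2017-05-14T10:39:03Z,4740,svc-utm-sso,UTM-HA-MASTER
2017-05-14T12:39:00Z,4740,svc-utm-sso,UTM-HA-MASTER
"""


@dataclass(frozen=True)
class Lockout:
    when: datetime
    account: str
    caller: str


def parse_4740(text: str) -> list[Lockout]:
    """Parse the export, keeping only well-formed 4740 rows, sorted by time."""
    events: list[Lockout] = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 4 or parts[1] != "4740":
            continue  # other event IDs or malformed rows are ignored
        when = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(Lockout(when, parts[2].lower(), parts[3].upper()))
    return sorted(events, key=lambda e: e.when)


def lockout_callers(events: list[Lockout], account: str) -> Counter:
    """Which hosts triggered the lockouts of this account, and how often."""
    return Counter(e.caller for e in events if e.account == account.lower())


def lockout_intervals(events: list[Lockout], account: str) -> list[timedelta]:
    """Gaps between consecutive lockouts of the account."""
    times = [e.when for e in events if e.account == account.lower()]
    return [later - earlier for earlier, later in zip(times, times[1:])]


def is_periodic(events: list[Lockout], account: str,
                period: timedelta = timedelta(hours=2),
                tolerance: timedelta = timedelta(minutes=5),
                min_events: int = 3) -> bool:
    """True when there are at least min_events lockouts and every gap between
    consecutive lockouts lies within tolerance of the expected period."""
    gaps = lockout_intervals(events, account)
    if len(gaps) < min_events - 1:
        return False
    return all(abs(gap - period) <= tolerance for gap in gaps)


def classify(events: list[Lockout], account: str) -> str:
    """Triage verdict for the account's lockouts (hypothetical labels)."""
    callers = lockout_callers(events, account)
    if not callers:
        return "no lockouts"
    if len(callers) == 1 and is_periodic(events, account):
        host = next(iter(callers))
        return f"scheduled job on {host} is retrying with stale credentials"
    if len(callers) > 1:
        return "lockouts from multiple hosts: treat as possible password spraying"
    return "non-periodic lockouts from one host: inspect that host"


if __name__ == "__main__":
    evts = parse_4740(SAMPLE_4740)
    for acct in ("svc-utm-sso", "jdoe"):
        print(acct, dict(lockout_callers(evts, acct)), classify(evts, acct))
```

A service account locked at a fixed interval from a single caller that turns out to be the UTM is the signature of a job retrying bad or mis-synced credentials, which matches what the posters in this thread report; the same events spread across many caller computers would instead point at password spraying against the account and deserve an incident response rather than a rejoin.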


  • Did you un-join by trying to join with incorrect credentials from within WebAdmin?

    I think we're getting near the end of the issues that began last year, but you might try a restore of the config backup created before the Up2Date.  If that doesn't resolve the issue, you might try rebooting the Slave, waiting until it has synced and then rebooting the Master.

    There was supposed to be a fix in 9.313 for a false alarm of this notification.  Did you check to see if the groups are updated?  If so, and none of the above helped, maybe the fix didn't get into 9.313.  You could try Up2Dating to 9.315 or just disabling the 531 notification until you're ready.

    Cheers - Bob
    PS The fastest way to get help if you have Premium Support is to submit a case in MyUTM.  Next fastest is email.  Slowest is calling.  Using Standard Support and working with a knowledgeable Sophos Solution Partner is the fastest as many issues can be addressed in a quick conversation or email.
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  •  Did you un-join by trying to join with incorrect credentials from within WebAdmin? 

    Yeah, I did try unjoining with incorrect credentials and then re-joining using the correct credentials.  This works for a while, and then on the dot every 2 hours the service account locks out.

    So after talking with Support, it appears that there is still an issue.  Sophos said they have a patch and they tried installing it, but it's still not working.  Prior to 9.313 I was not having a problem.  We updated to 9.313 and then they had me update to 9.314, and still the same issue.  I'm also told 9.315 will not fix the issue either.

    I think we're getting near the end of the issues that began last year, but you might try a restore of the config backup created before the Up2Date.  If that doesn't resolve the issue, you might try rebooting the Slave, waiting until it has synced and then rebooting the Master.

    There was supposed to be a fix in 9.313 for a false alarm of this notification.  Did you check to see if the groups are updated?  If so, and none of the above helped, maybe the fix didn't get into 9.313.  You could try Up2Dating to 9.315 or just disabling the 531 notification until you're ready.


    I've gone through several reboots in addition to also trying firmware updates.  My issue does not seem to be false alarms because the service account does indeed get locked out and Support confirms there is indeed an issue.  They have the "DEV" team working on this for us.


    Thanks Bob, I agree 100% Premium support we usually get decent response although I think they can improve.  I also wanted to document this issue for the group in case it helps anyone else.
    -H
  • I'm having the same issue. Every 2 hours it reports this fault. Nothing has changed on AD and we simply use a read-only service account.

    It's only started happening in the last few weeks, possibly after we updated to the latest version. (using 2x SG310's)

  • Hi Henry,

    I request you to open a case with our support team and point them to the bug ID "NUTM-2131". As there was no duplicate instance reported by other customers, the ID was rejected without a solution.

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support

  • I am having this same problem since this weekend, 5/14/17

     

    Firmware version: 9.413-4
    Pattern version: 125899

  • I think in this version there is a bug with transparent mode and SSO (NUTM-7960).

    Change to standard mode and check again.

    Br McWolle

    Sophos Certified Engineer (SCE)
    Sophos Certified Architect (SCA)

  • After updating to firmware 9.413-4 and 9.501-5 last night, I have started seeing this message every two hours starting at 4:39 AM. I applied the last firmware update at 8:45 PM on 6/13/2017.
    Pattern Version: 127636.
     
    Regards,
  • I received the same messages after Up2Dating to 9.414.  The Fallback log indicated failed to run samba command on our AD server.  The fix was to unjoin/rejoin on the 'Single Sign-On' tab.  Break the join by using incorrect credentials and then use valid credentials to rejoin.  Did that resolve your issue?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I entered in my credentials and the error went away. I would have seen the error at 10:39 AM and there were no more errors. By the way I did not have to enter incorrect credentials. I just had to re-enter them.

    Thanks.

  • This solution worked for me too. I ran the update to 9.501-5 and after 6 hours got the first error, then every two hours.

    Thank you!

     

    Best Regards - Alberto