This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

AD membership sync - particular group - syncs also account outside that group

Hello,

as the subject says, I have an issue with AD group sync. There is one user account that have been a member of the group I am syncing from AD in the past but now it is not - it's been verified by at least 2 pairs of eyes.

When I trigger manual sync from AD, sophos writes to log which accounts have been synced. Obviously, the account in question is not in the list (i.e. Sophos did not write a single line into log about it while syncing).

My question would be - why is that user still in my Sophos and how come Sophos boldly shows that it is still member of said group? See attached image.

Manual sync has been triggered like 15times already and automatic runs every day. Also, the user is not a member of the group since months if not years.

Thank you for any hint in advance, take care.



This thread was automatically locked due to age.
Parents
  • Ahoj,

    A user object is not deleted from the UTM if the user is deleted in AD.  How do you know that the UTM still considers this user to be a member of the AD Backend Group - what do you see that leads you to that conclusion?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hello BAlfson,

    your feedback is much appreciated. To prove my statements, shortly about the problem being solved:

    There is a clerk in the shopfloor who certainly shouldn't be able to access the internet. Yet, he is and I am twisting my head around why. There is a transparent proxy that ALLOWS the users or REJECTS them in terms of internet access based on AD group membership.

    The group used for internet access is called GLB_U_S_InternetAccess

    When I list the "MemberOf" in ActiveDirectory, the user is member of 6 groups, yet none of them is GLB_U_S_InternetAccess. This change has been done ages ago (user has been removed). From AD side, all clear then.

    When I ask Sophos, whether this user does have internet access, the user does have access indeed:

    Internet access test

    Let's take a look into the policy: 

    And also at the user group:

    And let's take a look at the user details:

    If you want, I can also share the screenshot of the "Member Of" attribute of the user from AD, I however hope I am not that goofy to not see GLB_U_S_InternetUsers among 6 other groups.

    My presumption was: I have an AD group and with that group, I can manage who can and cannot access the internet. It worked till I met this peculiar account.

    Thank you in advance BAlfson for your expert-insight, take care.

  • FormerMember
    0 FormerMember in reply to szcz7977

    Hi ,

    If you take tcpdump -s0 for 389(LDAP) and the IP of the AD server authenticating that user, you should see the memberOf response from the server to confirm which group that AD server is telling the UTM the user is part of. The packet capture and Wireshark should show all of that as long as you are not using LDAP over SSL(636). Or you could also maybe do a manual synchronization of AD group membership from Definition & Users > Authentication Services > Advanced
    and check the logs; maybe that will show some information. 

    Thanks,

Reply
  • FormerMember
    0 FormerMember in reply to szcz7977

    Hi ,

    If you take tcpdump -s0 for 389(LDAP) and the IP of the AD server authenticating that user, you should see the memberOf response from the server to confirm which group that AD server is telling the UTM the user is part of. The packet capture and Wireshark should show all of that as long as you are not using LDAP over SSL(636). Or you could also maybe do a manual synchronization of AD group membership from Definition & Users > Authentication Services > Advanced
    and check the logs; maybe that will show some information. 

    Thanks,

Children
No Data