AD sync failing

Dear community,

 

For a couple of days now we have been experiencing issues with our AD sync and I'm looking for advice on troubleshooting this. Please bear with me, but I'm anything but good at using Sophos.

 

I can only start off with the error message which is:

 

Subject: [server name][WARN-531] Directory Services synchronization

There was an error synchronizing subscribed groups. The Sophos UTM will continue to operate with a locally cached copy of the data but will be unable to update from Directory Services until the issue is resolved.

 

Error was:

failed to run samba command on <ad-domain>, exiting now

       

--

System Uptime      : 2 days 15 hours 25 minutes

System Load        : 1.56

System Version     : Sophos UTM 9.413-4

 

Please refer to the manual for detailed instructions.

 

I would highly appreciate it if someone could take me by the hand and guide me through.

 

Thanks in advance,

 

Ben



  • Update:

     

    Running /var/storage/chroot-http/usr/bin/ad-sync.plx -v failed twice with errors pointing to a user account. Interestingly enough, that's the user account which joined UTM to AD, not the one configured for sync.

     

    Running it a third time results in a successful sync.

    Any ideas?

     

    Out of curiosity: Any reason for the password being displayed in plain text?

  • Manual sync failed again, please find complete run result below:

     

     

    /var/storage/chroot-http/usr/bin/ad-sync.plx -v
    started
    running: /usr/sbin/net ads --request-timeout 45 -w '<AD-Domain>' -U '<user>'%'<pass>' dn '' 'defaultNamingContext' -p 3268
    kerberos_kinit_password <user>@<AD-Domain> failed: Clients credentials have been revoked
    kerberos_kinit_password <user>@<AD-Domain> failed: Clients credentials have been revoked
    error returned from samba command on <AD-Domain>
    running: /usr/sbin/net ads --request-timeout 45 -w '<AD-Domain>' -U '<user>%'<pass>' dn '' 'defaultNamingContext' -p 389
    kerberos_kinit_password <user>@<AD-Domain> failed: Clients credentials have been revoked
    kerberos_kinit_password <user>@<AD-Domain> failed: Clients credentials have been revoked
    error returned from samba command on <AD-Domain>
    failed to run samba command on <AD-Domain>, exiting now

     

     
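The run above is useful evidence, but it contains the sync account's password on the `-U 'user'%'pass'` line, and the cause has to be read out of the Kerberos error text. Below is an added triage helper, written here for this thread and not part of Sophos UTM or ad-sync.plx: it parses a `-v` run, redacts the credential before the output is shared, maps the krb5 error string to a likely account state, and checks whether the principal that failed is actually the bind user configured under 'Authentication Services' (the mismatch Ben noticed). The sample log, the realm `EXAMPLE.LOCAL`, the account names and the error-to-cause table are constructed assumptions based on standard MIT/Heimdal error messages.

```python
"""Triage helper for Sophos UTM 'ad-sync.plx -v' output (added example, not UTM code)."""
import re
from collections import Counter

# Constructed sample modelled on the redacted run posted in the thread;
# realm, account and password are made up.
SAMPLE_LOG = """\
started
running: /usr/sbin/net ads --request-timeout 45 -w 'EXAMPLE.LOCAL' -U 'svc-utm-join'%'S3cret!' dn '' 'defaultNamingContext' -p 3268
kerberos_kinit_password svc-utm-join@EXAMPLE.LOCAL failed: Clients credentials have been revoked
kerberos_kinit_password svc-utm-join@EXAMPLE.LOCAL failed: Clients credentials have been revoked
error returned from samba command on EXAMPLE.LOCAL
running: /usr/sbin/net ads --request-timeout 45 -w 'EXAMPLE.LOCAL' -U 'svc-utm-join'%'S3cret!' dn '' 'defaultNamingContext' -p 389
kerberos_kinit_password svc-utm-join@EXAMPLE.LOCAL failed: Clients credentials have been revoked
kerberos_kinit_password svc-utm-join@EXAMPLE.LOCAL failed: Clients credentials have been revoked
error returned from samba command on EXAMPLE.LOCAL
failed to run samba command on EXAMPLE.LOCAL, exiting now
"""

# krb5 error text -> likely account state. This mapping is an assumption drawn
# from the standard MIT/Heimdal error strings; the UTM does not document it.
KINIT_CAUSES = {
    "Clients credentials have been revoked": "account locked out or disabled (KDC_ERR_CLIENT_REVOKED)",
    "Password has expired": "password expired (KDC_ERR_KEY_EXP)",
    "Preauthentication failed": "stored password does not match the account",
    "Client not found in Kerberos database": "account or realm name wrong, or account deleted",
    "Clock skew too great": "UTM clock out of sync with the domain controllers",
}

RUN_RE = re.compile(r"^running: (?P<cmd>.*)$")
KINIT_RE = re.compile(r"^kerberos_kinit_password (?P<principal>\S+) failed: (?P<reason>.*)$")
# Tolerates the missing quote seen in the second 'running:' line of the posted log.
CRED_RE = re.compile(r"-U\s+'([^']*)'?%'?([^']*)'")
PORT_RE = re.compile(r"-p\s+(\d+)")


def redact(cmd):
    """Replace the %password part of -U 'user'%'pass' so the run can be pasted safely."""
    return CRED_RE.sub(lambda m: f"-U '{m.group(1)}'%'<redacted>'", cmd)


def triage(log_text):
    """Group kinit failures per 'net ads' attempt and summarise the likely cause."""
    attempts, current, fatal = [], None, False
    for line in log_text.splitlines():
        m = RUN_RE.match(line)
        if m:
            cmd = m.group("cmd")
            port = PORT_RE.search(cmd)
            current = {"port": int(port.group(1)) if port else None,
                       "command": redact(cmd), "failures": []}
            attempts.append(current)
            continue
        m = KINIT_RE.match(line)
        if m and current is not None:
            current["failures"].append((m.group("principal"), m.group("reason")))
            continue
        if line.startswith("failed to run samba command"):
            fatal = True  # the line that ends up in the WARN-531 notification
    reasons = Counter(r for a in attempts for _, r in a["failures"])
    principals = sorted({p for a in attempts for p, _ in a["failures"]})
    diagnosis = [f"{reason}: {KINIT_CAUSES.get(reason, 'unrecognised Kerberos error')} ({n}x)"
                 for reason, n in reasons.most_common()]
    return {"attempts": attempts, "fatal": fatal,
            "principals": principals, "diagnosis": diagnosis}


def mismatched_principals(result, bind_user):
    """Principals that failed but are NOT the bind user configured on the UTM.

    A non-empty list means the sync is authenticating as some other account
    (in this thread: the account that performed the domain join)."""
    return [p for p in result["principals"]
            if p.split("@", 1)[0].lower() != bind_user.lower()]


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for a in report["attempts"]:
        print(f"port {a['port']}: {len(a['failures'])} kinit failure(s)  {a['command']}")
    for d in report["diagnosis"]:
        print("cause:", d)
    # 'svc-utm-bind' stands in for the Bind DN user configured in WebAdmin (assumption).
    print("not the configured bind user:", mismatched_principals(report, "svc-utm-bind"))
```

Run against a real `-v` capture, the redacted `command` values are what you would paste into a support case; `mismatched_principals` returning a non-empty list is the signal that the join account, not the bind user, is the one being rejected.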

  • So, it looks like the sync failed because the Password changed in AD for the Bind DN in your AD server definition in 'Authentication Services'.  Try changing the 'Bind DN' definition to a new user, uniquely used for the UTM, with administrative privileges that has "password never expires" selected.  Any better luck now?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thanks Bob for your suggestion. However, I fear that isn't our issue. The account being complained about is not the one used for syncing in the server definition but the account which was used to join UTM to AD.

    If it was the used sync account being complained about I'd be with you. Any other hint?

    Cheers,

    Ben

  • Then I'd un-join the UTM by using incorrect credentials on the 'Single Sign On' tab, and then rejoin with the correct credentials of the new user as suggested.

    Cheers - Bob

  • Would you expect any (user) impact while doing so? What would you suggest to do with the computer account in AD? Leave it where it is or delete at some point when re-joining?

  • We used to think that you had to delete the UTM account in AD, but that's no longer the case.

    The only impact would be on AD-SSO user authentication.  A user's IP is cached for 5 minutes.  If it takes you 12 seconds to unjoin and rejoin, users have a 4% chance of a rejection for not authenticating.

    Cheers - Bob

  • Could you maybe provide me with step-by-step instructions, including where to navigate? What kind of administrative permissions would you expect when saying the joining account would need those?

  • Also, what I still don't get: In the authentication configuration you have to enter a user. This was done and this is not the user which was used for domain join. We found that a failing sync is down to the account used for joining being locked out. But why is that user important when it's joined? What's the other user for then?

  • Although it's not practical, it's possible to join to do AD-SSO and not configure an AD server. Likewise, it's possible to configure an authentication server for AD without joining. My conclusion is not that the failing sync was caused by the join account not authenticating; I think there's something else going on, but it would take a look through your system. If my suggestion below doesn't resolve your issue, you will want to get Sophos Support involved. Please come back and tell us what they found.

    I would both change the Server definition on the 'Servers' tab and unjoin/rejoin on the 'Single Sign-On' tab using the new user with Administrative Privileges in AD.

    Cheers - Bob
