Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.
Overview
This article describes the troubleshooting steps and possible solutions for when you receive a notification email with the error code "[WARN-531] Directory services Synchronization" from a Sophos UTM device.
Scenario
This issue occurs in particular when Sophos UTM is integrated with an AD server via the SSO mechanism.
Sophos UTM can join the AD domain, but it constantly generates notification emails with error code [WARN-531], and SSO misbehaves with respect to group membership.
Please find the sample notification email alert as below:
What To Do
Step 1:
Verify that the prerequisites in the following KBAs for UTM and the AD server are met:
Sophos UTM: Join to an Active Directory SSO domain
Sophos UTM: Troubleshoot issues when joining the UTM to an Active Directory domain
Step 2:
Check the logs listed below:
tail -f /log/notifier.log
Sample logs
2021:04:20-00:40:02 fw-ger notifier[21002]: processing notification request for WARN-531
2021:04:20-02:40:02 fw-ger notifier[24990]: processing notification request for WARN-531
2021:04:20-04:40:02 fw-ger notifier[28999]: processing notification request for WARN-531
tail -f /log/aua.log
Sample logs
2021:04:20-04:40:02 fw-ger aua[3735]: id="3007" severity="debug" sys="System" sub="auth" name="handle_client: http,test_umlaut,366366366366,10.128.140.46"
2021:04:20-04:40:02 fw-ger aua[3735]: id="3007" severity="debug" sys="System" sub="auth" name="handle_client: f:http u:test_umlaut c:10.128.140.46 t:- h:"
2021:04:20-04:40:02 fw-ger aua[3735]: Malformed UTF-8 character (unexpected non-continuation byte 0xf6, immediately after start byte 0xf6) in split at aua.pl line 283, <DATA> line 275.
tail -f /log/fallback.log
Sample logs
2021:04:20-04:40:02 fw-ger [daemon:notice] ad-sync.plx[19941]: [ad-sync] started
2021:04:20-04:40:02 fw-ger [daemon:err] ad-sync.plx[19941]: [ad-sync] error returned from samba command on xyz.DE
2021:04:20-04:40:02 fw-ger [daemon:err] ad-sync.plx[19941]: [ad-sync] error returned from samba command on xyz.DE
2021:04:20-04:40:02 fw-ger [daemon:err] ad-sync.plx[19941]: [ad-sync] failed to run samba command on xyz.DE, exiting now
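The following is an added example, not part of the original article and not Sophos code. It correlates the three logs above: it reports each minute in which a WARN-531 notification coincides with both an ad-sync samba failure and a "Malformed UTF-8 character" error in aua.log, and lists the byte values that error names. The function names are hypothetical, the sample lines are constructed from the excerpts above, and the script assumes the log layout shown there.

```shell
#!/bin/sh
# Added example, not Sophos code. Assumes the log layout shown in the Step 2
# samples; all function names are hypothetical.

# Minute-resolution timestamps (e.g. 2021:04:20-04:40) of lines in $1 matching $2.
stamps() { grep -- "$2" "$1" 2>/dev/null | cut -c1-16 | sort -u; }

# Usage: warn531_umlaut_hits NOTIFIER_LOG AUA_LOG FALLBACK_LOG
# Prints each minute in which a WARN-531 notification coincides with both an
# ad-sync samba failure and a "Malformed UTF-8" error logged by aua.
warn531_umlaut_hits() {
    for ts in $(stamps "$1" 'notification request for WARN-531'); do
        grep -- "^$ts" "$3" | grep -q 'ad-sync.*samba command' || continue
        grep -- "^$ts" "$2" | grep -q 'Malformed UTF-8 character' || continue
        echo "$ts"
    done
}

# Usage: malformed_bytes AUA_LOG
# Prints the distinct byte values aua complained about (0xf6 is Latin-1 "ö").
malformed_bytes() {
    grep 'Malformed UTF-8 character' "$1" | grep -o '0x[0-9a-fA-F]\{2\}' | sort -u
}

# Constructed sample input, trimmed from the log excerpts on this page.
write_samples() {
    cat > "$1/notifier.log" <<'EOF'
2021:04:20-02:40:02 fw-ger notifier[24990]: processing notification request for WARN-531
2021:04:20-04:40:02 fw-ger notifier[28999]: processing notification request for WARN-531
EOF
    cat > "$1/aua.log" <<'EOF'
2021:04:20-04:40:02 fw-ger aua[3735]: Malformed UTF-8 character (unexpected non-continuation byte 0xf6, immediately after start byte 0xf6) in split at aua.pl line 283, <DATA> line 275.
EOF
    cat > "$1/fallback.log" <<'EOF'
2021:04:20-04:40:02 fw-ger [daemon:err] ad-sync.plx[19941]: [ad-sync] failed to run samba command on xyz.DE, exiting now
EOF
}

d=$(mktemp -d)
write_samples "$d"
warn531_umlaut_hits "$d/notifier.log" "$d/aua.log" "$d/fallback.log"   # 2021:04:20-04:40
malformed_bytes "$d/aua.log"                                            # 0xf6
rm -rf "$d"
```

On the appliance, pass /log/notifier.log, /log/aua.log and /log/fallback.log instead of the sample files.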
Step 3:
Sophos UTM raises these alerts because, by default, it does not support “umlaut” special characters. To allow these special characters, we need to enable certain UTF-8 related configurations using the commands below:
<M> fw-ger :/root # cc
Confd command-line client. Maintainer: <xyz@sophos.com>
Connected to 127.0.0.1:4472, SID = qZiBSqoTyIGQVRDCfszF.
Available modes: MAIN OBJS RAW WIZARD.
Type mode name to switch mode.
Typing 'help' will always give some help.
127.0.0.1 MAIN > auth
ad_sso
api_tokens%
auto_add_to_facility@
auto_add_users$
block
cache_lifetime$
delayed_ipset_expansion$
edir_sso
otp
servers@
update_backend_group_members
127.0.0.1 MAIN auth > ad_sso
force_utf8_sync$
joinresult$
loadbalancer_fqdn$
ntlmv2_auth$
secrets$
smbconf$
sso_domain$
sso_netbios_domain$
sso_netbios_host$
sso_password$
sso_server$
sso_status$
sso_sync$
sso_username$
127.0.0.1 MAIN auth/ad_sso > force_utf8_sync$
0
127.0.0.1 MAIN auth/ad_sso/force_utf8_sync (BOOL) >
Press Enter to apply the above changes.
Then go to the path below and verify that the value is “1”.
cc -> auth -> ad_sso -> force_utf8_sync$ -> 1
Edited Format
[edited by: Arkita Thakkar at 2:30 AM (GMT -7) on 18 Sep 2023]