Local AD Security User Groups don't work

Post by olsaf » Wed Jan 06, 2016 6:53 pm

Windows Server 2008 R2 (version 6.1 build 7601, sp1)
Cerberus Version 8.0.0.4

In "AD Users", Domain was specified as "." to designate usage of Local users and groups. It then was verified positively:
- Local Database Verified.
- Local user accounts accessible.

ISSUE #1
Constraint ‘Require Security Group Membership’ was enabled to allow any local AD users from user group ‘TestFtpUsers’ only.

From the Log tab, the security group check failed to see that the user ‘ftpusr’ was a member of the security group.
"2016/01/06 18:01:35 [48] Could not authenticate AD user 'ftpusr' on domain '.' : AD user 'ftpusr' is not a direct member of required security group 'TestFtpUsers'".

When the constraint ‘Require Security Group Membership’ is off, the user can log in without issues.


ISSUE #2
Security group mapping could not be done because none of the local user groups appeared in the list. (Instead a 'none' entry was in the Groups list).

ISSUES #3-#N
It seems there is a larger issue of how AD (or Local) user Groups are retrieved which may hit every place in the application where AD Security User Groups are used.

Here is a link to see the screenshots: https://drive.google.com/file/d/0B8nWYd ... sp=sharing

Serin
Site Administrator
Re: Local AD Security User Groups don't work

Post by Serin » Thu Jan 07, 2016 12:04 pm

The Require Security Group Membership only works for Global Security groups. We don't check against local groups, or enumerate local groups for creating mappings.

You can try enabling the "Try Alternate AD Group Check Method" on the Advanced page of the Server Manager if not all groups are seen, but we honestly don't test against local SAM account access on a regular basis.

Our AD authentication capability is designed to be used against an AD domain, not the local SAM account database on the machine. We've tried to make it so you can use it against the SAM, but it doesn't get a lot of attention and testing since it's a very rarely used capability.

Re: Local AD Security User Groups don't work

Post by olsaf » Thu Jan 07, 2016 3:40 pm

Thank you for clarifying that local user groups are not supported.

The UI of "AD Users" allowed one to assume that local domain users and groups are fully supported when "." was specified for the domain, by reporting that
- "Local Database Verified"
- "Local user accounts accessible"

and by allowing interaction with the "Require Security Group Membership" user control to specify the name of a restricted user group. On top of that, the Log tab clearly said that "AD user 'ftpusr' is not a direct member of required security group 'TestFtpUsers'" instead of saying that local user groups are not supported.

Also, the documentation that popped up from the "Help" link did not mention any restrictions on utilizing local groups when "." is specified for the domain (as of Jan 6, 2016). http://www.cerberusftp.com/support/help ... arios.html

After researching this forum a bit more, I found that some users previously stumbled upon the same issue of wanting to use local user groups but not being able to.

This issue "Support for local user groups when "." is specified for domain" could be on the feature request list.

In the meantime, the UI could be fixed to prevent any confusion: https://drive.google.com/open?id=0B8nWY ... 1FpLU9xNFU

P.S.
Some time later, while examining the same AD Users dialog, I accidentally called out the yellow pop-up hint saying "NOTE: The group cannot be a local group". But hey, this is not how UI works! haha :D

P.S.2
Enabling the option "Alternate AD Group Check Method" did not help, and authentication failed with the same error:
Could not authenticate AD user 'ftpusr' on domain '.' : AD user 'ftpusr' is not a direct member of required security group 'TestFtpUsers'