Palo Alto Networks Knowledgebase: Incorrect Domain mapped when Kerberos Authentication is used for LDAP users causing users to not be Authenticated

Created On 02/08/19 00:04 AM - Last Updated 02/08/19 00:04 AM
Issue

Users do not get authenticated using Kerberos authentication in conjunction with LDAP server profile.

The authd logs show the user coming from the incorrect domain (accad); the actual domain is accad.local:

mp\authd.log 07-03 15:50:18  pan_authd_service_req(pan_authd.c:2563): Authd:Trying to remote authenticate user: btest

mp\authd.log 07-03 15:50:18  pan_authd_service_auth_req(pan_authd.c:1104): AUTH Request <'vsys1','AuthProfile-LDAP','btest'>

mp\authd.log 07-03 15:50:18  panauth:user <accad\\btest,AuthProfile-LDAP,vsys1> is not allowed

mp\authd.log 07-03 15:50:18  pan_authd_process_authresult(pan_authd.c:1247): pan_authd_process_authresult: accad\\btest authresult not auth'ed

mp\authd.log 07-03 15:50:18  pan_authd_process_authresult(pan_authd.c:1271): Alarm generation set to: False.

mp\authd.log 07-03 15:50:18  User 'accad\\btest' failed authentication. Reason: User is not in allowlist From: 173.182.189.230.

Resolution

The domain must be the same as the realm configured in the Kerberos Server Profile.

An LDAP server profile used for user-group mapping requires Kerberos to use the fully qualified domain (accad.local). If LDAP were not used, domain = accad would have sufficed.

Note: Make sure that an appropriate group is included in the Allow List of the Kerberos Authentication Profile.

The authd logs after making the change:

mp\authd.log 07-03 16:18:23 pan_authd_service_req(pan_authd.c:2563): Authd:Trying to remote authenticate user: btest

mp\authd.log 07-03 16:18:23 pan_authd_service_auth_req(pan_authd.c:1104): AUTH Request <'vsys1','kerberos','btest'>

mp\authd.log 07-03 16:18:23 pan_authd_common_authenticate(pan_authd.c:1543): Authenticating user using service /etc/pam.d/pan_krb5_vsys1_kerberos,username accad.local\\btest

mp\authd.log 07-03 16:18:40 pan_authd_authenticate_service(pan_authd.c:652): authentication succeeded (0)

mp\authd.log 07-03 16:18:40 pan_authd_authenticate_service(pan_authd.c:658): account is valid

mp\authd.log 07-03 16:18:40 authentication succeeded for user <vsys1,kerberos,accad.local\\btest>

mp\authd.log 07-03 16:18:40 pan_authd_process_authresult(pan_authd.c:1247): pan_authd_process_authresult: accad.local\\btest authresult auth'ed
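An added example, not from the article or from Palo Alto Networks, that turns the check above into a script over authd.log lines: it pulls the DOMAIN\user principal out of each line and flags any whose domain part differs from the Kerberos realm, plus any allow-list rejection. The sample lines and the realm value accad.local are taken from the excerpts above; the prefix and principal regexes are assumptions about the log format.

```python
import re
from typing import Dict, List, Optional

# Constructed sample lines modelled on the authd.log excerpts in this article (not a real capture).
SAMPLE_LOG = [
    r"mp\authd.log 07-03 15:50:18  panauth:user <accad\\btest,AuthProfile-LDAP,vsys1> is not allowed",
    r"mp\authd.log 07-03 15:50:18  User 'accad\\btest' failed authentication. Reason: User is not in allowlist From: 173.182.189.230.",
    r"mp\authd.log 07-03 16:18:23 pan_authd_common_authenticate(pan_authd.c:1543): Authenticating user using service /etc/pam.d/pan_krb5_vsys1_kerberos,username accad.local\\btest",
    r"mp\authd.log 07-03 16:18:40 authentication succeeded for user <vsys1,kerberos,accad.local\\btest>",
]

# Assumed log layout: "mp\authd.log MM-DD HH:MM:SS <message>"; strip the prefix so its own
# backslash is not mistaken for a DOMAIN\user separator.
PREFIX_RE = re.compile(r"^mp\\authd\.log\s+(\d\d-\d\d \d\d:\d\d:\d\d)\s+")
# authd prints the principal as DOMAIN\\user (backslash doubled); accept one or more backslashes.
PRINCIPAL_RE = re.compile(r"([A-Za-z0-9.-]+)\\+([A-Za-z0-9._-]+)")

def parse_authd_line(line: str) -> Optional[Dict[str, str]]:
    """Extract timestamp, domain, user and outcome; None when the line carries no DOMAIN\\user."""
    t = PREFIX_RE.match(line)
    body = line[t.end():] if t else line
    m = PRINCIPAL_RE.search(body)
    if not m:
        return None
    if "not auth'ed" in body or "failed authentication" in body or "is not allowed" in body:
        status = "failed"
    elif "authentication succeeded" in body or "authresult auth'ed" in body:
        status = "succeeded"
    else:
        status = "info"
    return {"time": t.group(1) if t else "", "domain": m.group(1), "user": m.group(2), "status": status}

def check_realm(lines: List[str], realm: str) -> List[str]:
    """Flag principals whose domain part is not the Kerberos realm, and allow-list rejections."""
    findings = []
    for line in lines:
        rec = parse_authd_line(line)
        if rec is None:
            continue
        who = f"{rec['time']} {rec['domain']}\\{rec['user']}"
        if rec["domain"].lower() != realm.lower():
            findings.append(f"{who}: domain '{rec['domain']}' != realm '{realm}'")
        if "User is not in allowlist" in line:
            findings.append(f"{who}: rejected by allow list")
    return findings

if __name__ == "__main__":
    for finding in check_realm(SAMPLE_LOG, "accad.local"):
        print(finding)
```

Run against the pre-change lines it reports the short-domain mismatch and the allow-list rejection; the post-change lines, which carry accad.local, produce no findings.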

owner: kadak

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClgTCAS&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail