Domain-map information is blank

Created On 10/08/21 16:26 PM - Last Modified 08/18/22 02:42 AM


Symptom


Background:
  • The Palo Alto Networks firewall uses the domain map to store the fully qualified Active Directory domain name (FQDN) and its equivalent NetBIOS domain name.
  • The map is used to normalize (convert) user and group names from Distinguished Name format to short-name format (netbios\username).

Issue:
  • In a multi-domain environment, the firewall is not able to pull domain-map information.


Environment


  • Palo Alto Firewall
  • Supported PAN-OS
  • User-ID with Group mapping configured


Cause


When the firewall sends an LDAP query with the Base DN pointing to a sub-domain, the domain controller may respond without the NetBIOS name.
 



Resolution


  1. The firewall sends a query to fetch NetBIOS information from a specific path on the domain controller.
  2. The query path is derived from the Base DN configured under the LDAP server profile, but Active Directory stores NetBIOS information only under the root domain.
  3. To fix this issue, configure an additional (dummy) LDAP server profile and a group mapping profile with the Base DN pointing to the root domain.

GUI: Device > Server Profile > LDAP

  4. Now, running "debug user-id dump domain-map" displays the domain-map information.
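The mechanism described in Background, Cause and Resolution, modelled in Python as an added example (this is not the article's code and not a PAN-OS component): it runs an LDAP-style subtree search over constructed crossRef objects, which in Active Directory live under CN=Partitions,CN=Configuration in the forest root and carry nCName and nETBIOSName, and shows the domain map coming back empty for a sub-domain Base DN but populated for the root Base DN. Function names and the sample entries are assumptions, and the user's CN stands in for the account name.

```python
# Added example, not from the Palo Alto article. Models how the domain map is
# built from Active Directory crossRef objects and why a sub-domain Base DN
# yields an empty map. All names below are hypothetical; the crossRef entries
# are constructed sample data, not real directory output.

# In AD, one crossRef per domain lives under CN=Partitions,CN=Configuration
# in the forest root partition, carrying nCName (domain DN) and nETBIOSName.
CONSTRUCTED_CROSSREFS = [
    {"dn": "CN=EXAMPLE,CN=Partitions,CN=Configuration,DC=example,DC=com",
     "nCName": "DC=example,DC=com", "nETBIOSName": "EXAMPLE"},
    {"dn": "CN=EMEA,CN=Partitions,CN=Configuration,DC=example,DC=com",
     "nCName": "DC=emea,DC=example,DC=com", "nETBIOSName": "EMEA"},
]

def _norm(dn):
    """Lower-case a DN and drop spaces after commas so DNs compare equal."""
    return ",".join(p.strip() for p in dn.split(",")).lower()

def subtree_search(base_dn, entries):
    """Model an LDAP subtree search: only entries at or below base_dn match."""
    base = _norm(base_dn)
    return [e for e in entries
            if _norm(e["dn"]) == base or _norm(e["dn"]).endswith("," + base)]

def fqdn_from_dn(dn):
    """Join the DC= components of a DN into a dotted, lower-cased FQDN."""
    return ".".join(p.split("=", 1)[1] for p in _norm(dn).split(",")
                    if p.startswith("dc="))

def build_domain_map(base_dn):
    """fqdn -> NETBIOS, as 'debug user-id dump domain-map' would list it.
    Empty when base_dn is a sub-domain: the crossRef objects sit under the
    forest root and fall outside that subtree (the article's Cause)."""
    return {fqdn_from_dn(e["nCName"]): e["nETBIOSName"]
            for e in subtree_search(base_dn, CONSTRUCTED_CROSSREFS)}

def normalize_dn(user_dn, domain_map):
    """Convert a user DN to netbios\\shortname; None if the domain is unmapped.
    Assumption: the leading RDN value (CN) stands in for the account name."""
    netbios = domain_map.get(fqdn_from_dn(user_dn))
    if netbios is None:
        return None
    return netbios + "\\" + user_dn.split(",", 1)[0].split("=", 1)[1]

if __name__ == "__main__":
    for base in ("DC=emea,DC=example,DC=com", "DC=example,DC=com"):
        print(base, "->", build_domain_map(base))
```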