patrick2
Explorer

SMB integrate AD issue

Hi there,

I am currently encountering an AD issue at a client’s site. I would like to know if anyone else has experienced the following:

  1. I integrated SMB with AD and added a user account in AD with domain admin and schema admin permissions.
  2. I created a new group in AD.
  3. I added a remote access user in SMB, but the newly created group in AD cannot be found. Interestingly, existing groups can be found.

It seems like an AD issue. Are there any additional settings required in AD?

7 Replies
AkosBakos
Advisor

Hi @patrick2 

To get closer to the issue:

  • Do you use Identity Collector, or how do you connect the SMB to the AD?

If you browse the whole tree in the Access Role object, can you find all of the groups except the newly created one?

Here:

[Screenshot: 2024-08-15 09_40_13-Cloud Demo Server [ID_531263718]-R81.20-SmartConsole.png]

AD Query is not a supported way as it was earlier. Check Point recommends using Identity Collector as the Identity Source instead of AD Query.

There is an SK that may help to start the investigation: https://support.checkpoint.com/results/sk/sk106133

Akos

----------------
\m/_(>_<)_\m/
patrick2
Explorer

Hi Akos

1. I use Active Directory Queries in SMB to integrate AD and do not use the Identity Collector function.

2. Yes, I can find all the groups except for the newly created ones.

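The AD side of what patrick2 describes (AD Query in use, every group visible except the newly created ones) can be checked independently of the appliance before a TAC case is opened. The PowerShell below is an added example written for this page, not code from the thread or from Check Point; it assumes a domain-joined workstation with the RSAT ActiveDirectory module, a hypothetical new group named FW-RemoteAccess-New and a hypothetical AD Query service account named svc-cpadquery. It confirms that the group exists and what kind of group it is, that it has replicated to every domain controller (an appliance that happens to query a DC the object has not reached yet will not see it, even though the console it was created on does), that the query account itself can read it, and, as a least-privilege check, which groups that account is a member of.

```powershell
# Added diagnostic example for this thread (not from Check Point or the original poster).
# Hypothetical values: adjust the group name and the AD Query account to your environment.
Import-Module ActiveDirectory

$GroupName = 'FW-RemoteAccess-New'   # assumed name of the newly created AD group
$QueryUser = 'svc-cpadquery'         # assumed name of the account the SMB binds with for AD Query

# 1. Does the group exist, and what kind of group is it? Category, scope and creation time
#    are the first things to compare against what the appliance is expected to enumerate.
$group = Get-ADGroup -Identity $GroupName -Properties whenCreated, groupCategory, groupScope
"Group {0}: category={1} scope={2} created={3} DN={4}" -f `
    $group.Name, $group.GroupCategory, $group.GroupScope, $group.WhenCreated, $group.DistinguishedName

# 2. Has the group replicated to every domain controller? Ask each DC directly instead of
#    relying on whichever one the workstation happens to be talking to.
foreach ($dc in (Get-ADDomainController -Filter *)) {
    try {
        $g = Get-ADGroup -Identity $GroupName -Server $dc.HostName -ErrorAction Stop
        "{0}: present ({1})" -f $dc.HostName, $g.DistinguishedName
    } catch {
        "{0}: NOT found - replication has not reached this DC yet" -f $dc.HostName
    }
}

# 3. Can the AD Query account itself read the group? Bind with its credentials and repeat
#    the lookup; a permission or OU-visibility problem shows up here rather than in step 1.
$cred = Get-Credential -UserName $QueryUser -Message 'Password of the AD Query account'
try {
    $seen = Get-ADGroup -Identity $GroupName -Credential $cred -ErrorAction Stop
    "Query account {0} can read the group: {1}" -f $QueryUser, $seen.DistinguishedName
} catch {
    "Query account {0} cannot read the group: {1}" -f $QueryUser, $_.Exception.Message
}

# 4. Least-privilege review: list what the query account is actually a member of, so the
#    Domain Admin / Schema Admin membership mentioned in the thread can be compared against
#    the minimum your AD Query setup really needs.
"Group memberships of {0}:" -f $QueryUser
Get-ADPrincipalGroupMembership -Identity $QueryUser | Sort-Object Name | ForEach-Object { "  " + $_.Name }
```

Run it from an account allowed to read the directory; step 3 prompts for the service account's password so the read is performed as that account and not as the administrator running the script. If every DC reports the group and the query account can read it, the remaining suspect is the appliance's own cache of AD groups rather than the directory.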
PhoneBoy
Admin

What firmware version?
Sounds like a caching issue. 
This may require a TAC case.

patrick2
Explorer

Hi PhoneBoy

R81.10.10 (996002993)

Dafna
Employee

Hi,

Do you use centrally or locally managed SMB?

Please note that, by default, AD groups are automatically synced every 24 hours.

Thanks,
Dafna
PhoneBoy
Admin

Is there a way to force the sync with AD to occur?
Because it seems like that's the issue here...that a new group was created and it is not available on the appliance.

AkosBakos
Advisor

Hi @PhoneBoy 

The pdp update all command may help.

Command: root->update

Available options:
  all              - recalculate all users and machines group membership
  specific         - recalculate group membership for a user/machine
  refetch_interval - LDAP user info refetch interval
  update_rate      - the max number of sessions updated within a minute

Akos

----------------
\m/_(>_<)_\m/