This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
patrick2
Explorer
‎2024-08-14 08:20 PM

SMB integrate AD issue

Hi there,

I am currently encountering an AD issue at a client’s site. I would like to know if anyone else has experienced the following:

  1. I integrated SMB with AD and added a user account in AD with domain admin and schema admin permissions.
  2. I created a new group in AD.
  3. I added a remote access user in SMB, but the newly created group in AD cannot be found. Interestingly, existing groups can be found.

It seems like an AD issue. Are there any additional settings required in AD?

0 Kudos
7 Replies
AkosBakos
Leader Leader
Leader
‎2024-08-15 12:50 AM

Hi @patrick2 

To get closer to the issue:

  • Do you use Identity Collecor, or how do you connect the SMB to the AD?

If you want to browse the whole tree in the Access Role object, you can find all ot the groups, except the newly created one?

Here:

2024-08-15 09_40_13-Cloud Demo Server [ID_531263718]-R81.20-SmartConsole.png

 

Ad Query is not a supported way as earlier was. Check Point recommends to use Identity Collector as the Identity Source instead of AD Query

There is an sk: https://support.checkpoint.com/results/sk/sk106133 maybe it can help to start the investigation way.

 

Akos

----------------
\m/_(>_<)_\m/
0 Kudos
patrick2
Explorer
‎2024-08-15 10:14 PM
In response to AkosBakos

Hi Akos

1.I use Active Directory Queries in SMB to integrate AD and do not use the Identity Collector function.

2.Yes, I can find all the groups except for the newly created ones.

0 Kudos
PhoneBoy
Admin
Admin
‎2024-08-15 10:27 AM

What firmware version?
Sounds like a caching issue. 
This may require a TAC case.

0 Kudos
patrick2
Explorer
‎2024-08-15 10:14 PM
In response to PhoneBoy

Hi PhoneBoy

R81.10.10 (996002993)

0 Kudos
Dafna
Employee
Employee
‎2024-08-15 10:13 PM

Hi,

Do you use centrally or locally managed SMB?

Please note that, by default, AD groups are automatically synced every 24 hours.

Thanks,   

   Dafna

 

0 Kudos
PhoneBoy
Admin
Admin
‎2024-08-16 11:07 AM
In response to Dafna

Is there a way to force the sync with AD to occur?
Because it seems like that's the issue here...that a new group was created and it is not available on the appliance.

0 Kudos
AkosBakos
Leader Leader
Leader
‎2024-08-17 02:30 AM
In response to PhoneBoy

Hi @PhoneBoy 

The #pdp update all command maybe helps

Command: root->update

Available options:
all - recalculate all users and machines group membership
specific - recalculate group membership for a user/machine
refetch_interval - LDAP user info refetch interval
update_rate - the max number of sessions updated within a minute

Akos

----------------
\m/_(>_<)_\m/
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    li.common.scroll-to.top