MutonUfoAI / pgina

pGina fork: Open Source Windows Authentication
http://mutonufoai.github.io/pgina
BSD 3-Clause "New" or "Revised" License

Cannot login when user is added to a group #138

Closed MysteryWoMan closed 5 years ago

MysteryWoMan commented 5 years ago

Setup

pGina 3.9.9.12
Windows 10 (Pro / 64-bit / build 17134)
Enabled plugins:
Local Machine (Authentication & Gateway)
RADIUS Plugin (Authentication & Notification)

Situation

When a user is authenticated for the first time, pGina creates a local user that is not part of any group (not even the Users group). In my case the users are authenticated by a RADIUS server through the RADIUS plugin, but I doubt that this feature is unique to this plugin.

Problem

When I make a user member of a group ("Administrators" for example), it can no longer login. pGina displays the following output at logon-screen:

Unable to sync users local group membership: System.DirectoryServices.AccountManagement.PrincipalOperationException: An error occurred (1332) while making an inventory of the group membership. The SID of the member is not derived.
 at System.DirectoryServices.AccountManagement.SAMMembersSet.isLocalMember(Byte[] sid)
 at System.DirectoryServices.AccountManagement.SAMMembersSet.MoveNextLocal()
 at System.DirectoryServices.AccountManagement.SAMMembersSet.MoveNext()
 at System.DirectoryServices.AccountManagement.PrincipalCollectionEnumerator.MoveNext()
 at System.DirectoryServices.AccountManagement.PrincipalCollection.ContainsEnumTest(Principal principal)
 at System.DirectoryServices.AccountManagement.PrincipalCollection.Remove(Principal principal)
 at pGina.Plugin.LocalMachine.LocalAccount.SyncToLocalUser()

(I translated some parts because it is displayed in my local language)

Wished solution

A descriptive way on how I can add a user to a group (without disabling it to login.) OR (even better) A descriptive way on how I can configure pGina or its RADIUS plugin to give each user Administrator privileges.

Log and configuration

pGina.Service.ServiceHost_log.txt pGina.Configuration_log.txt

Generally standard configuration. Plugin order: 1. RADIUS Plugin, 2. Local Machine

Thanks already!

MutonUfoAI commented 5 years ago

Did you read http://mutonufoai.github.io/pgina/documentation/plugins/local_machine.html? Have you used the sid S-1-5-32-544 for the administrators group?

MysteryWoMan commented 5 years ago

2x Yes. But I removed the S-1-5-32-544 group (Administrators) from 'mandatory groups' because of the error.

I added it again now, after manually making all (pGina) users members of Administrators, and it works! So the problem is solved. But a new user (first login) will encounter the problem again.

I now discovered that everything works on first login when the 'Users' group (S-1-5-32-545) is used as Mandatory Groups instead of the Administrators group. Could it be that pGina has insufficient permissions to add members to the Administrators group, but enough to add them to the Users group?

'Always Authenticate Users' seems a temporary fix to let both new users and existing Admin-users login.

MutonUfoAI commented 5 years ago

Could it be that pGina has insufficient permissions

No, running as system

The default group is the local Users group, and any user should be part of this group.

Your error:

2019-02-19 23:20:05,951 [4344|28|ERROR] LocalAccount[chantal]: PrincipalOperationException when checking group membership for user chantal in group Administrators. This usually means that you have an unresolvable SID as a group member. I strongly recommend that you fix this problem as soon as possible by removing the SID from the group. Ignoring the exception and continuing.

is triggered here https://github.com/MutonUfoAI/pgina/blob/master/Plugins/LocalMachine/LocalAccount.cs#L282

An error (1332) occurred while inventorying the group membership. The SID of the member could not be resolved.

ERROR_NONE_MAPPED 1332 (0x534) No mapping between account names and security IDs was done

Are you sure you've used the correct SID?

MysteryWoMan commented 5 years ago

That was it!

This usually means that you have an unresolvable SID as a group member.

--> There was indeed an old SID in the Administrators group (of a user that doesn't exist anymore). By removing it, everything works. The error messages literally said it! Should've paid more attention to it.

Thank you very much for the support!! You should add a donation link to your website.
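The root cause established in this thread (an unresolvable SID left in BUILTIN\Administrators makes pGina's group sync throw ERROR_NONE_MAPPED / 1332 when it enumerates the group) is easy to check for ahead of time. The following PowerShell is an added example and is not part of pGina or its documentation. It assumes it is run elevated on the affected Windows 10 machine, that the Microsoft.PowerShell.LocalAccounts module shipped with Windows 10 is available (for Remove-LocalGroupMember), and the function names Resolve-Sid, Get-LocalGroupMemberSid and Remove-OrphanedGroupMember are mine. It covers both the check MutonUfoAI asked for (does the SID you put in "Mandatory Groups" actually map to a group?) and the fix MysteryWoMan applied (find and remove the stale SID from the group).

```powershell
# Added example, not pGina project code. Run in an elevated PowerShell on the machine
# where pGina reports "PrincipalOperationException when checking group membership".

function Resolve-Sid {
    # Returns the account name for a SID (e.g. 'BUILTIN\Administrators' for S-1-5-32-544),
    # or $null when LsaLookupSids reports ERROR_NONE_MAPPED (1332) for it.
    param([Parameter(Mandatory)][string]$Sid)
    $id = New-Object System.Security.Principal.SecurityIdentifier($Sid)
    try {
        $id.Translate([System.Security.Principal.NTAccount]).Value
    } catch [System.Security.Principal.IdentityNotMappedException] {
        $null
    }
}

function Get-LocalGroupMemberSid {
    # Lists every member of a local group with its SID and whether that SID still resolves.
    # The WinNT ADSI provider enumerates members even when their SID cannot be mapped,
    # which is exactly the case in which the AccountManagement API used by pGina throws.
    param([string]$GroupName = 'Administrators')
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/$GroupName,group"
    foreach ($m in @($group.Invoke('Members'))) {
        $bytes = $m.GetType().InvokeMember('objectSid', 'GetProperty', $null, $m, $null)
        $sid   = New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)
        $name  = $m.GetType().InvokeMember('Name', 'GetProperty', $null, $m, $null)
        $acct  = Resolve-Sid $sid.Value
        [pscustomobject]@{
            Group    = $GroupName
            Sid      = $sid.Value
            Name     = $name          # for an orphaned entry this is just the raw SID string
            Resolved = $acct
            Orphaned = ($null -eq $acct)
        }
    }
}

function Remove-OrphanedGroupMember {
    # Removes the members of a local group whose SID no longer maps to any account.
    # Supports -WhatIf so you can review the list before changing the group.
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$GroupName = 'Administrators')
    foreach ($entry in (Get-LocalGroupMemberSid -GroupName $GroupName | Where-Object Orphaned)) {
        if ($PSCmdlet.ShouldProcess($GroupName, "remove unresolvable member $($entry.Sid)")) {
            # Remove-LocalGroupMember accepts a SID string as -Member, which is what you need
            # once no account name exists for the entry any more.
            Remove-LocalGroupMember -Group $GroupName -Member $entry.Sid
        }
    }
}

# 1. Confirm the SIDs you intend to configure as pGina Mandatory Groups resolve.
Resolve-Sid 'S-1-5-32-544'   # BUILTIN\Administrators
Resolve-Sid 'S-1-5-32-545'   # BUILTIN\Users

# 2. Inspect the group pGina is syncing; any row with Orphaned = True will break the sync.
Get-LocalGroupMemberSid -GroupName 'Administrators' | Format-Table Sid, Name, Resolved, Orphaned

# 3. Preview, then perform, the clean-up.
Remove-OrphanedGroupMember -GroupName 'Administrators' -WhatIf
# Remove-OrphanedGroupMember -GroupName 'Administrators'
```

After the orphaned SID is gone, re-run step 2 and retry a first-time logon with S-1-5-32-544 back in Mandatory Groups; the "PrincipalOperationException when checking group membership" line should no longer appear in pGina.Service.ServiceHost_log.txt.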

martimarkov commented 5 years ago

I second this. Definitely add a donate option. :) — MM.
