User states within CSA 5.1.0.108

Mar 14th, 2008

I have been trying for the life of me to figure out why CSA will not allow a group, that I create in AD, to have write access to a wwwroot directory. I can make user accounts work, I can make the built-in accounts in AD (Domain Admins) work. However if I make a group called Domain Admins2, I get no lovin from the MC.


The rule is as follows:

Deny All apps, but not "www services", read/write/create dir.

The user state var is as follows : user <all>, <none>; groups <all>, "Domain Admins2"


I have also tried reversing the rule and doing an allow with the "Domain Admins2" in the first box of the user state.


Other than updating to 5.2, has anyone run into this issue?????

jan.nielsen Sun, 03/16/2008 - 06:22

You should run the CSA diagnostics from the CSA MC; this will tell you exactly what groups CSA is seeing on your machine. Also remember that it is the credential used to execute a certain function that is used in user states, not the logged-in user, so you might see some things not getting hit with a user state if it is executed by, e.g., SYSTEM.

pestilence.ath.cx Sun, 03/16/2008 - 08:40

I don't see any options for a diagnostics on the MC. Is it called something else?


In the Event Log on the deny that is logged, I can click on details and see that it is being seen as Domain Admins2.


Also I have read that CSA should allow you on if you are a part of any group, not just one that has to be set primary in Active Directory. I can see this being a Windows AD issue though.

tsteger1 Mon, 03/17/2008 - 13:40

It's on the host detail page under Host Status > Detailed status and diagnostics.


That takes you to another screen where you can run the diags.


Tom

jan.nielsen Mon, 03/17/2008 - 15:46

Could it be that you have created the Deny rule as a Priority Deny, which overrides Priority Allow rules? Maybe post the actual event here on the forum?

pestilence.ath.cx Tue, 03/18/2008 - 06:50

The rule will be a priority deny, that allows the specified group.


I did get this to work, thanks to the host diagnostic link, which gave me the info I needed. Granted, I still can't get the name to work; however, the SID for the group works just fine, and meets the needs of the web admin.
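
Added example, not part of the thread and not Cisco tooling: a PowerShell function that resolves a group name to the SID that ended up working in the user state, and reports whether that SID is present in the token of the account actually running the process (the credential point raised above). The domain prefix `EXAMPLE` and the function name `Get-GroupTokenStatus` are placeholders.

```powershell
# Added example. 'EXAMPLE' is a placeholder domain; Get-GroupTokenStatus is a hypothetical helper name.
function Get-GroupTokenStatus {
    param(
        [Parameter(Mandatory = $true)]
        [string]$GroupName      # e.g. 'EXAMPLE\Domain Admins2'
    )

    # Identity of the process running this script. Run it from the same
    # context as the application being checked (a service may run as SYSTEM).
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()

    try {
        # Translate the account name into its SID
        $account = New-Object System.Security.Principal.NTAccount($GroupName)
        $sid = $account.Translate([System.Security.Principal.SecurityIdentifier])
    }
    catch {
        # Name does not resolve (typo, wrong domain prefix, no DC reachable)
        Write-Warning "Could not resolve '$GroupName' to a SID: $($_.Exception.Message)"
        return
    }

    # The token carries group SIDs, not names, so compare on the SID value.
    # This covers membership through any group, not only the primary group.
    $inToken = @($identity.Groups | Where-Object { $_.Value -eq $sid.Value }).Count -gt 0

    New-Object PSObject -Property @{
        RunningAs = $identity.Name
        Group     = $GroupName
        GroupSid  = $sid.Value
        InToken   = $inToken
    }
}

Get-GroupTokenStatus -GroupName 'EXAMPLE\Domain Admins2'
```

Group membership is evaluated at logon, so a user added to the group after logging on will show `InToken` as false until a new session is started.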
