OPNsense Forum

English Forums => 25.1, 25.4 Series => Topic started by: Evert on August 13, 2025, 09:09:48 AM

Title: 25.4.1 -> 25.4.2 : AD login no longer works
Post by: Evert on August 13, 2025, 09:09:48 AM
Hi all,

After upgrading from 25.4.1 to 25.4.2, AD login no longer works. When I log in as a local user I see that the AD user does get authenticated successfully, but then logs out right away.

The output of System: Access: Tester is different as well:

25.4.1:
User: evertm authenticated successfully.
This user is a member of these groups:
admins

Attributes received from server:
[more stuff]

25.4.2:
User: evertm authenticated successfully.

This user is a member of these groups:


May access the following locations, depending on source address:
Uri   Networks


Attributes received from server:
[more stuff]

How do I fix this? Any pointers?
Title: Re: 25.4.1 -> 25.4.2 : AD login no longer works
Post by: franco on August 13, 2025, 09:38:15 AM
Hi Evert,

I'm not aware of a bug, but there have been bug-related patches. Are you using a group sync? It may remove the admin group from your user which means you don't have any privileges to view any GUI page.


Cheers,
Franco
Title: Re: 25.4.1 -> 25.4.2 : AD login no longer works
Post by: Evert on August 13, 2025, 10:00:28 AM
Quote from: franco on August 13, 2025, 09:38:15 AM
I'm not aware of a bug, but there have been bug-related patches. Are you using a group sync? It may remove the admin group from your user which means you don't have any privileges to view any GUI page.


Hi Franco,
No, group sync is not enabled, as far as I can tell.

I did spot this in the Audit log just now. Don't know whether it's relevant:
2025-08-13T09:54:44    Notice    audit    User: policy change for evertm unlink group admins
Hmm, I do see on System: Access: Users that user evertm is no longer a member of group admins. When I add it back to the group admins, and try to log in as evertm, the group membership gets stripped again.
Title: Re: 25.4.1 -> 25.4.2 : AD login no longer works
Post by: franco on August 13, 2025, 10:36:14 AM
I'm still thinking "Synchronize groups" is enabled under System: Access: Servers: [Your AD server configuration] which removes groups because either memberOf is not returned by the AD or the group is not set in AD for the user.


Cheers,
Franco
Title: Re: 25.4.1 -> 25.4.2 : AD login no longer works
Post by: Evert on August 13, 2025, 11:33:18 AM
Nope, no 'Synchronize groups'...

Title: Re: 25.4.1 -> 25.4.2 : AD login no longer works
Post by: franco on August 13, 2025, 12:47:43 PM
Ok, let's try to narrow down the issue by reverting the core package to the previous version:

# opnsense-revert -r 25.4.1 opnsense-business

If it's still not working, it wasn't 25.4.2, but if it works again we can go through the commits.


Cheers,
Franco
Title: Re: 25.4.1 -> 25.4.2 : AD login no longer works
Post by: Evert on August 13, 2025, 01:38:21 PM
Quote from: franco on August 13, 2025, 12:47:43 PM
Ok, let's try to narrow down the issue by reverting the core package to the previous version:

# opnsense-revert -r 25.4.1 opnsense-business

If it's still not working, it wasn't 25.4.2, but if it works again we can go through the commits.


Applied:
Fetching opnsense-business.pkg: ... done
Verifying signature with trusted certificate pkg.opnsense.org.20241217... done
opnsense-business-25.4.2: already unlocked
Installing opnsense-business-25.4.1...
package opnsense-business is already installed, forced install
Extracting opnsense-business-25.4.1: 100%
Updating /etc/shells
Registering root shell
Hooking into /etc/rc
Hooking into /etc/rc.shutdown
configd already running?  (pid=84996).
>>> Invoking update script 'refresh.sh'
Writing firmware settings: FreeBSD OPNsense
Writing trust files...done.
Scanning /usr/share/certs/untrusted for certificates...
Scanning /usr/share/certs/trusted for certificates...
Scanning /usr/local/share/certs for certificates...
certctl: No changes to trust store were made.
Writing trust bundles...done.
Configuring login behaviour...done.
Configuring cron...done.
Configuring system logging...done.
=====
Message from opnsense-business-25.4.1:

--
What are you looking at?

After the revert I have done a reboot. Now I can log in again with the AD user evertm.

(I had to add evertm to the admins group again, but now he remains in the group when I log in with the AD user)
Title: Re: 25.4.1 -> 25.4.2 : AD login no longer works
Post by: franco on August 13, 2025, 02:38:03 PM
What happens during authentication when you apply this patch on top of the good 25.4.1?

# opnsense-patch https://github.com/opnsense/core/commit/5d4317ee21be31


Cheers,
Franco
Title: Re: 25.4.1 -> 25.4.2 : AD login no longer works
Post by: Evert on August 13, 2025, 02:46:39 PM
opnsense-patch https://github.com/opnsense/core/commit/5d4317ee21be31
Fetched 5d4317ee21be31 via https://github.com/opnsense/core
Hmm...  Looks like a unified diff to me...
The text leading up to this was:
--------------------------
|From 5d4317ee21be317700ebef5eff9fdd395aa71863 Mon Sep 17 00:00:00 2001
|From: Ad Schellevis <ad@opnsense.org>
|Date: Mon, 9 Jun 2025 18:52:02 +0200
|Subject: [PATCH] Auth: regression in setGroupMembership() introduced with
| https://github.com/opnsense/core/pull/8046
|
|As members are comma separated now, we should split them before processing. To keep old and new formats (arrays/csv) compatible as we now do in the rest of the codebase, we normalize arrays with cvs strings into a single list of members.
|---
| src/opnsense/mvc/app/library/OPNsense/Auth/Base.php | 3 ++-
| 1 file changed, 2 insertions(+), 1 deletion(-)
|
|diff --git a/src/opnsense/mvc/app/library/OPNsense/Auth/Base.php b/src/opnsense/mvc/app/library/OPNsense/Auth/Base.php
|index a9e545a9a6f..fe3c52d4070 100644
|--- a/src/opnsense/mvc/app/library/OPNsense/Auth/Base.php
|+++ b/src/opnsense/mvc/app/library/OPNsense/Auth/Base.php
--------------------------
Patching file opnsense/mvc/app/library/OPNsense/Auth/Base.php using Plan A...
Hunk #1 succeeded at 156.
done
All patches have been applied successfully.  Have a nice day.

Patch applied. Rebooted.

Yup, that's the one!  Now I can't log in with evertm anymore. If I add evertm back to Admins, and then try to log in again, he gets removed from Admins.
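The commit header in the opnsense-patch output above describes the fix: group members may now arrive as a comma-separated string instead of an array, so they have to be split and normalized into one flat list before being compared against the local groups. The following PHP is an added illustration written for this thread, not OPNsense's own Base.php code; the group table and the sample inputs are constructed, and it shows why an unsplit "admins,vpnusers" entry never matches a local group (which is what an auth flow would then read as "member of no groups").

```php
<?php
// Added example (not OPNsense code): normalize a membership value that may be
// a plain array of names, a single comma-separated string, or an array whose
// elements are themselves comma-separated, into one de-duplicated flat list.
function normalizeMembers($members): array
{
    if (!is_array($members)) {
        $members = [$members];
    }
    $result = [];
    foreach ($members as $entry) {
        if ($entry === null) {
            continue;
        }
        foreach (explode(',', (string)$entry) as $name) {
            $name = trim($name);
            if ($name !== '' && !in_array($name, $result, true)) {
                $result[] = $name;
            }
        }
    }
    return $result;
}

// Count how many of the given names exist in the local group table.
function countMatchedGroups(array $names, array $localGroups): int
{
    return count(array_filter($names, fn($g) => isset($localGroups[$g])));
}

// Hypothetical local group table keyed by group name (constructed for the example).
$localGroups = ['admins' => ['evertm'], 'vpnusers' => []];

// Constructed inputs covering the formats the commit message mentions.
$samples = [
    'legacy array'      => ['admins', 'vpnusers'],
    'csv string'        => 'admins,vpnusers',
    'array with csv'    => ['admins,vpnusers', 'staff'],
    'unsplit csv (bug)' => ['admins,vpnusers'],
];

foreach ($samples as $label => $value) {
    printf("%-18s -> %s\n", $label, json_encode(normalizeMembers($value)));
}

// The regression in one line: compared unsplit, the csv entry matches nothing,
// so the caller sees zero groups; split first and both groups are found.
$unsplit = ['admins,vpnusers'];
printf("matched without split: %d, with split: %d\n",
    countMatchedGroups($unsplit, $localGroups),
    countMatchedGroups(normalizeMembers($unsplit), $localGroups));
```

Run it with `php example.php`; the last line prints 0 matches for the unsplit value and 2 after normalization, which is the difference between the "member of these groups: admins" and the empty group list shown in the two Access Tester outputs at the top of the thread.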
Title: Re: 25.4.1 -> 25.4.2 : AD login no longer works
Post by: franco on August 13, 2025, 02:49:42 PM
Ok, progress :)

You can update back to 25.4.2 now and apply the patch again on your end to avoid the bad behaviour for now and we'll have a closer look internally.


Cheers,
Franco
Title: Re: 25.4.1 -> 25.4.2 : AD login no longer works
Post by: Evert on August 13, 2025, 02:58:30 PM
Quote from: franco on August 13, 2025, 02:49:42 PM
Ok, progress :)

You can update back to 25.4.2 now and apply the patch again on your end to avoid the bad behaviour for now and we'll have a closer look internally.


Thanks  :)

I created a snapshot before updating to 25.4.2, so I think I'll revert to 25.4.1 for now, to keep our OPNsense units on the same version.
Title: Re: 25.4.1 -> 25.4.2 : AD login no longer works
Post by: franco on August 13, 2025, 03:29:11 PM
Hi Evert,

Would you mind sharing the following output with us privately? Either forum PM or via mail franco@opnsense.org

# pluginctl -g system.group


Thanks,
Franco
Title: Re: 25.4.1 -> 25.4.2 : AD login no longer works
Post by: Evert on August 14, 2025, 08:05:08 AM
Quote from: franco on August 13, 2025, 03:29:11 PM
Hi Evert,

Would you mind sharing the following output with us privately? Either forum PM or via mail franco@opnsense.org

# pluginctl -g system.group



Sure, no problem. Does it matter that I reverted to 25.4.1? I can update to 25.4.2 again temporarily, if that gives you the proper output.
Title: Re: 25.4.1 -> 25.4.2 : AD login no longer works
Post by: franco on August 14, 2025, 08:17:22 AM
Whatever version you're on is fine. This is output from the current config.xml.


Cheers,
Franco
Title: Re: 25.4.1 -> 25.4.2 : AD login no longer works
Post by: Evert on August 14, 2025, 08:55:59 AM
Quote from: franco on August 14, 2025, 08:17:22 AM
Whatever version you're on is fine. This is output from the current config.xml.


You got email  :)
Title: Re: 25.4.1 -> 25.4.2 : AD login no longer works
Post by: franco on August 14, 2025, 10:35:33 AM
Thanks, we tracked this down to an ambiguity in the setGroupMembership() function called by LDAP authentication and are discussing options.

Without the commit the membership is simply missed, but the commit fixes that, and then the sync kicks in even though you don't have group sync enabled, because the create user flag is set too and that's being misinterpreted.


Cheers,
Franco