25.4.1 -> 25.4.2 : AD login no longer works

Started by Evert, August 13, 2025, 09:09:48 AM

Hi all,

After upgrading from 25.4.1 to 25.4.2 AD login no longer works. When I log in as local user I see that the AD user does get authenticated successfully, but then logs out right away.

The output of System: Access: Tester is different as well:

25.4.1:
User: evertm authenticated successfully.
This user is a member of these groups:
admins

Attributes received from server:
[more stuff]

25.4.2:
User: evertm authenticated successfully.

This user is a member of these groups:

May access the following locations, depending on source address:
Uri   Networks

Attributes received from server:
[more stuff]

How do I fix this? Any pointers?
--
Regards,
   Evert

Hi Evert,

I'm not aware of a bug, but there have been bug-related patches. Are you using a group sync? It may remove the admin group from your user which means you don't have any privileges to view any GUI page.


Cheers,
Franco

August 13, 2025, 10:00:28 AM #2 Last Edit: August 13, 2025, 10:11:47 AM by Evert
Quote from: franco on August 13, 2025, 09:38:15 AM
I'm not aware of a bug, but there have been bug-related patches. Are you using a group sync? It may remove the admin group from your user which means you don't have any privileges to view any GUI page.


Hi Franco,
No, group sync is not enabled, as far as I can tell.

I did spot this in the Audit log just now. Don't know whether it's relevant:
2025-08-13T09:54:44    Notice    audit    User: policy change for evertm unlink group admins
Hmm, I do see on System: Access: Users that user evertm is no longer a member of group admins. When I add it back to the group admins, and try to log in as evertm, the group membership gets stripped again.
--
Regards,
   Evert

I'm still thinking "Synchronize groups" is enabled under System: Access: Servers: [Your AD server configuration] which removes groups because either memberOf is not returned by the AD or the group is not set in AD for the user.


Cheers,
Franco

Nope, no 'Synchronize groups'...

--
Regards,
   Evert

Ok, let's try to narrow down the issue by reverting the core package to the previous version:

# opnsense-revert -r 25.4.1 opnsense-business

If it's still not working it wasn't 25.4.2 but if it works again we can go through the commits.


Cheers,
Franco

Quote from: franco on August 13, 2025, 12:47:43 PM
Ok, let's try to narrow down the issue by reverting the core package to the previous version:

# opnsense-revert -r 25.4.1 opnsense-business

If it's still not working it wasn't 25.4.2 but if it works again we can go through the commits.


Applied:
Fetching opnsense-business.pkg: ... done
Verifying signature with trusted certificate pkg.opnsense.org.20241217... done
opnsense-business-25.4.2: already unlocked
Installing opnsense-business-25.4.1...
package opnsense-business is already installed, forced install
Extracting opnsense-business-25.4.1: 100%
Updating /etc/shells
Registering root shell
Hooking into /etc/rc
Hooking into /etc/rc.shutdown
configd already running?  (pid=84996).
>>> Invoking update script 'refresh.sh'
Writing firmware settings: FreeBSD OPNsense
Writing trust files...done.
Scanning /usr/share/certs/untrusted for certificates...
Scanning /usr/share/certs/trusted for certificates...
Scanning /usr/local/share/certs for certificates...
certctl: No changes to trust store were made.
Writing trust bundles...done.
Configuring login behaviour...done.
Configuring cron...done.
Configuring system logging...done.
=====
Message from opnsense-business-25.4.1:

--
What are you looking at?

After the revert I have done a reboot. Now I can log in again with the AD user evertm.

(I had to add evertm to the admins group again, but now he remains in the group when I log in with the AD user)
--
Regards,
   Evert

What happens during authentication when you apply this patch on top of the good 25.4.1?

# opnsense-patch https://github.com/opnsense/core/commit/5d4317ee21be31


Cheers,
Franco

opnsense-patch https://github.com/opnsense/core/commit/5d4317ee21be31
Fetched 5d4317ee21be31 via https://github.com/opnsense/core
Hmm...  Looks like a unified diff to me...
The text leading up to this was:
--------------------------
|From 5d4317ee21be317700ebef5eff9fdd395aa71863 Mon Sep 17 00:00:00 2001
|From: Ad Schellevis <ad@opnsense.org>
|Date: Mon, 9 Jun 2025 18:52:02 +0200
|Subject: [PATCH] Auth: regression in setGroupMembership() introduced with
| https://github.com/opnsense/core/pull/8046
|
|As members are comma separated now, we should split them before processing. To keep old and new formats (arrays/csv) compatible as we now do in the rest of the codebase, we normalize arrays with cvs strings into a single list of members.
|---
| src/opnsense/mvc/app/library/OPNsense/Auth/Base.php | 3 ++-
| 1 file changed, 2 insertions(+), 1 deletion(-)
|
|diff --git a/src/opnsense/mvc/app/library/OPNsense/Auth/Base.php b/src/opnsense/mvc/app/library/OPNsense/Auth/Base.php
|index a9e545a9a6f..fe3c52d4070 100644
|--- a/src/opnsense/mvc/app/library/OPNsense/Auth/Base.php
|+++ b/src/opnsense/mvc/app/library/OPNsense/Auth/Base.php
--------------------------
Patching file opnsense/mvc/app/library/OPNsense/Auth/Base.php using Plan A...
Hunk #1 succeeded at 156.
done
All patches have been applied successfully.  Have a nice day.

Patch applied. Rebooted.

Yup, that's the one! Now I can't log in with evertm anymore. If I add evertm back to Admins, and then try to log in again, he gets removed from Admins.
--
Regards,
   Evert
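The commit message quoted in the patch output above describes the point at issue: group members now arrive comma separated, and arrays of CSV strings have to be normalised into one flat list before membership is compared, otherwise a group like "admins" is never matched and gets unlinked. The following is an added illustration of that normalisation and of the mismatch it prevents; it is not OPNsense's own code, and the function names, the hypothetical sync logic and the sample group values are assumptions constructed for the example.

```php
<?php
// Added illustration (not OPNsense's code): normalise a membership list that may
// arrive as an array of names, a single CSV string, or an array of CSV strings
// into one flat, de-duplicated list of group names.
function normalizeMembers($members): array
{
    if (!is_array($members)) {
        $members = [$members];
    }
    $result = [];
    foreach ($members as $entry) {
        foreach (explode(',', (string)$entry) as $name) {
            $name = trim($name);
            if ($name !== '' && !in_array($name, $result, true)) {
                $result[] = $name;
            }
        }
    }
    return $result;
}

// Hypothetical group sync step: decide which local groups to link and unlink
// for a user, given the groups reported by the server and the groups the user
// is currently linked to. $normalize toggles the CSV splitting described above.
function diffGroupMembership(array $serverGroups, array $currentGroups, bool $normalize = true): array
{
    $wanted = $normalize ? normalizeMembers($serverGroups) : $serverGroups;
    return [
        'link'   => array_values(array_diff($wanted, $currentGroups)),
        'unlink' => array_values(array_diff($currentGroups, $wanted)),
    ];
}

// Constructed sample input: the server reports the user in "admins" and "users",
// but delivers both names in a single comma-separated string.
$serverGroups  = ['admins,users'];
$currentGroups = ['admins'];

// Comparing the raw string: "admins" does not equal "admins,users", so the
// existing admins link is reported for removal.
print_r(diffGroupMembership($serverGroups, $currentGroups, false));

// Comparing the normalised list: "admins" is kept, only "users" is new.
print_r(diffGroupMembership($serverGroups, $currentGroups, true));
```

Run with `php example.php`. The first call reports the admins group under `unlink`, which is the same effect as the "unlink group admins" audit entry seen earlier in the thread; the second call keeps admins and only lists users under `link`. When diagnosing a case like this one, comparing the raw value the server returns for the group attribute against what the local group list expects (one name per entry or a CSV string) is the quickest way to tell which side of the normalisation is off.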

Ok, progress :)

You can update back to 25.4.2 now and apply the patch again on your end to avoid the bad behaviour for now and we'll have a closer look internally.


Cheers,
Franco

Quote from: franco on August 13, 2025, 02:49:42 PM
Ok, progress :)

You can update back to 25.4.2 now and apply the patch again on your end to avoid the bad behaviour for now and we'll have a closer look internally.


Thanks  :)

I created a snapshot before updating to 25.4.2, so I think I'll revert to 25.4.1 for now, to keep our OPNsense units on the same version.
--
Regards,
   Evert

Hi Evert,

Would you mind sharing the following output with us privately? Either forum PM or via mail franco@opnsense.org

# pluginctl -g system.group


Thanks,
Franco

Quote from: franco on August 13, 2025, 03:29:11 PM
Hi Evert,

Would you mind sharing the following output with us privately? Either forum PM or via mail franco@opnsense.org

# pluginctl -g system.group



Sure, no problem. Does it matter that I reverted to 25.4.1? I can update to 25.4.2 again temporarily, if that gives you the proper output.
--
Regards,
   Evert