Opened 4 years ago
Closed 4 years ago
#1383 closed Bug / Defect (worksforme)
OpenVPN 2.5 Not recognizing nested groups
| Reported by: | wade.griffith | Owned by: | |
|---|---|---|---|
| Priority: | critical | Milestone: | release 2.5.3 |
| Component: | Generic / unclassified | Version: | OpenVPN 2.5.0 (Community Ed) |
| Severity: | Not set (select this one, unless you're an OpenVPN developer) | Keywords: | Nested groups |
| Cc: | | | |
Description
I believe I have found a bug in the OpenVPN 2.5 software. We are replacing our Azure Point-to-Site connection software with the OpenVPN 2.5 connection software.
We are pushing out the security Identifier of the Azure AD Dynamic group we wanted added to the OpenVPN Administrators group via a Configuration Profile on Microsoft Intune, but OpenVPN is not recognizing the nested group in the OpenVPN Administrators and prompting users to be added to the group individually when they want to connect to OpenVPN.
Any idea why OpenVPN is not recognizing our nested group?
Attachments (5)
Change History (12)
Changed 4 years ago by
Attachment: | OpenVPN message.JPG added |
---|
comment:1 Changed 4 years ago by
Nested groups in on-premise AD have been tested in the past and do work: e.g. a user is in a domain local group named "Developers" which in turn is a member of the local "OpenVPN Administrators" group. This could be managed using GPO. I haven't personally tested this with Azure, but see #810 https://community.openvpn.net/openvpn/ticket/810#comment25 (comment 25 onwards) for a related discussion where others have reported success with Azure AD.
Does "whoami /groups /fo list" show "machine-name\OpenVPN Administrators" in the list of groups? Note that the user may have to re-login to the domain after any change in group membership for the process token to reflect it.
comment:2 follow-up: 3 Changed 4 years ago by
I don't see the machine-name\OpenVPN Administrators group when I run that command. I even logged off the domain user account and logged back in. I did however check out that link you provided. Do I just need to insert the interactive.c, validate.c, and validate.h into my OpenVPN?
comment:3 Changed 4 years ago by
Replying to wade.griffith:
I don't see the machine-name\OpenVPN Administrators group when I run that command. I even logged off the domain user account and logged back in.
Does "net localgroup "OpenVPN Administrators"" list the relevant Azure group as a member?
I can only say you have to somehow ensure the group membership is recognized on the machine. Generally whoami /groups should show it.
That is, if you have "OpenVPN Administrators" group on the local machine, and the relevant AD group containing the user has been added to it, "whoami /groups" will list "OpenVPN Administrators" as one of the groups the user belongs to. If it does not, the GUI also may not be able to recognise that the user is in that group. Maybe something is wrong with the Azure setup?
That said, I do not know how Azure dynamic groups work. We only look for the group SID in the process token.
I did however checkout that link you provided. Do I just need to insert the interactive.c,validate.c, and validate.h into my OpenVPN?
No need to build/change openvpn, just use the latest 2.5.0 release. The patch mentioned in #810 has been merged to master a long time ago. I linked to that discussion only to indicate that nested groups with Azure AD had been tested by some users.
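A script form of the two checks this comment describes (is the Azure group actually nested in the local group, and does the user's process token carry the group SID), added here as an example; it is not part of the ticket or of OpenVPN. It assumes the group name "OpenVPN Administrators" and uses the built-in LocalAccounts cmdlets, falling back to net localgroup if they fail on an unresolvable member:

```powershell
# Added diagnostic, not from the ticket or the OpenVPN project.
# Run in the session of the user who cannot connect, after a fresh logon.
function Test-OpenVpnAdminMembership {
    param([string]$GroupName = 'OpenVPN Administrators')  # group the GUI looks for

    # 1. Does the local group exist, and what is nested in it?
    $group = Get-LocalGroup -Name $GroupName -ErrorAction SilentlyContinue
    if (-not $group) {
        Write-Warning "Local group '$GroupName' does not exist on this machine."
        return $false
    }
    Write-Host "Local group '$GroupName' has SID $($group.SID.Value)"
    try {
        # PrincipalSource shows whether each member is Local, ActiveDirectory or AzureAD.
        Get-LocalGroupMember -Group $GroupName |
            Select-Object Name, SID, ObjectClass, PrincipalSource |
            Format-Table -AutoSize | Out-String | Write-Host
    } catch {
        # Get-LocalGroupMember can throw on members it cannot resolve; use the classic tool.
        Write-Warning "Get-LocalGroupMember failed ($($_.Exception.Message)); using net localgroup."
        net localgroup $GroupName | Write-Host
    }

    # 2. Is the group's SID in the current process token?
    # This is the same thing OpenVPN checks: nested membership only counts if Windows
    # expanded it into the token at logon.
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    Write-Host "Groups in the token of $($identity.Name):"
    foreach ($g in $identity.Groups) {
        try { $name = $g.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = '(unresolved)' }
        Write-Host ("  {0,-50} {1}" -f $name, $g.Value)
    }
    $present = [bool]($identity.Groups | Where-Object { $_.Value -eq $group.SID.Value })
    if ($present) {
        Write-Host "OK: '$GroupName' is present in the process token."
    } else {
        Write-Warning "'$GroupName' is NOT in the process token. Log off and on again after any membership change; if it still does not appear, Windows is not resolving the nesting and OpenVPN cannot see it either."
    }
    return $present
}

Test-OpenVpnAdminMembership
```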
comment:4 Changed 4 years ago by
I am using the latest version of OpenVPN 2.5. When I run the command net localgroup "OpenVPN Administrators" it only recognizes the user that we had to manually set up and not the group SID at all, and the whoami /groups command doesn't recognize the OpenVPN Administrators group at all. I believe this is where the bug is, because Windows isn't detecting the "OpenVPN Administrators" group with the whoami /group command. We do have the OpenVPN Administrators group on the local machine as well.
We also have nested dynamic groups in the Administrators group in Windows and those are working appropriately with permissions and show up with the whoami /group commands. So we believe the bug is with OpenVPN.
comment:5 Changed 4 years ago by
Milestone: | release 2.5 → release 2.5.3 |
---|
comment:6 Changed 4 years ago by
Based on previous reports (e.g., Trac #810) Azure AD nested groups should work. Here the user reports that "net localgroup "OpenVPN Administrators"" does not show the nested group membership. "whoami /groups" also doesn't show it.
If Windows native tools do not recognize the group membership, we can't do anything in OpenVPN to fix it. Sounds like a user/admin error in setting up the group membership.
comment:7 Changed 4 years ago by
Resolution: | → worksforme |
---|---|
Status: | new → closed |
The message that users get when they try and connect and are already part of the Azure AD Dynamic group.