Opened 3 years ago

Closed 3 years ago

#1383 closed Bug / Defect (worksforme)

OpenVPN 2.5 Not recognizing nested groups

Reported by: wade.griffith Owned by:
Priority: critical Milestone: release 2.5.3
Component: Generic / unclassified Version: OpenVPN 2.5.0 (Community Ed)
Severity: Not set (select this one, unless you're an OpenVPN developer) Keywords: Nested groups
Cc:

Description

I believe I have found a bug in the OpenVPN 2.5 software. We are replacing our Azure Point-to-Site connection software with the OpenVPN 2.5 connection software.

We are pushing out the security Identifier of the Azure AD Dynamic group we wanted added to the OpenVPN Administrators group via a Configuration Profile on Microsoft Intune, but OpenVPN is not recognizing the nested group in the OpenVPN Administrators and prompting users to be added to the group individually when they want to connect to OpenVPN.

Any idea why OpenVPN is not recognizing our nested group?

Attachments (5)

OpenVPN message.JPG (24.8 KB) - added by wade.griffith 3 years ago.
The message that users get when they try and connect and are already part of the Azure AD Dynamic group.
OpenVPN files.JPG (50.0 KB) - added by wade.griffith 3 years ago.
Files I need to add to OpenVPN
OpenVPN Powershell.JPG (97.1 KB) - added by wade.griffith 3 years ago.
Group command
OpenVPN Group permissions.JPG (46.9 KB) - added by wade.griffith 3 years ago.
OpenVPN properties tab
OpenVPN groups.JPG (99.4 KB) - added by wade.griffith 3 years ago.
Group commands


Change History (12)

Changed 3 years ago by wade.griffith

Attachment: OpenVPN message.JPG added

The message that users get when they try and connect and are already part of the Azure AD Dynamic group.

comment:1 Changed 3 years ago by Selva Nair

Nested groups in on-premises AD have been tested in the past and do work: e.g. a user is in a Domain local group named "Developers" which in turn is a member of the local "OpenVPN Administrators" group. This could be managed using GPO. I haven't personally tested this with Azure, but see #810 https://community.openvpn.net/openvpn/ticket/810#comment25 (comment 25 onwards) for a related discussion where others have reported success with Azure AD.

Does whoami /groups /fo list show the "machine-name\OpenVPN Administrators" in the list of groups? Note that the user may have to re-login to the domain after any change in group membership for the process token to reflect it.


Changed 3 years ago by wade.griffith

Attachment: OpenVPN files.JPG added

Files I need to add to OpenVPN

Changed 3 years ago by wade.griffith

Attachment: OpenVPN Powershell.JPG added

Group command

comment:2 Changed 3 years ago by wade.griffith

I don't see the machine-name\OpenVPN Administrators group when I run that command. I even logged off the domain user account and logged back in. I did however checkout that link you provided. Do I just need to insert the interactive.c,validate.c, and validate.h into my OpenVPN?

comment:3 in reply to: 2 Changed 3 years ago by Selva Nair

Replying to wade.griffith:

I don't see the machine-name\OpenVPN Administrators group when I run that command. I even logged off the domain user account and logged back in.

Does net localgroup "OpenVPN Administrators" list the relevant Azure group as a member?

I can only say you have to somehow ensure the group membership is recognized on the machine. Generally whoami /groups should show it.

That is, if you have the "OpenVPN Administrators" group on the local machine, and the relevant AD group containing the user has been added to it, "whoami /groups" will list "OpenVPN Administrators" as one of the groups the user belongs to. If it does not, the GUI also may not be able to recognise that the user is in that group. Maybe something is wrong with the Azure setup?

That said, I do not know how Azure dynamic groups work. We only look for the group SID in the process token.

I did however checkout that link you provided. Do I just need to insert the interactive.c,validate.c, and validate.h into my OpenVPN?

No need to build/change openvpn, just use the latest 2.5.0 release. The patch mentioned in #810 has been merged to master a long time ago. I linked to that discussion only to indicate that nested groups with Azure AD had been tested by some users.

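The check Selva Nair describes above, written out as an added PowerShell diagnostic that is not part of this ticket or of OpenVPN itself: it resolves the local group's SID and looks for that SID in the current logon token, which is what OpenVPN inspects, and then lists the group's members with their SIDs so an unresolved Azure AD entry is visible. It assumes the default group name "OpenVPN Administrators" and Windows PowerShell 5.1 with the built-in LocalAccounts module.

```powershell
# Added diagnostic (not OpenVPN's code). Assumed group name: "OpenVPN Administrators".
$GroupName = 'OpenVPN Administrators'

# 1. Resolve the local group's SID. OpenVPN compares this SID, not the name,
#    against the SIDs present in the user's process token.
try {
    $account  = New-Object System.Security.Principal.NTAccount("$env:COMPUTERNAME\$GroupName")
    $groupSid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
    Write-Host "Local group '$GroupName' has SID $groupSid"
} catch {
    Write-Host "Local group '$GroupName' does not exist on this machine: $_"
    return
}

# 2. Enumerate the SIDs in the current process token. Windows expands nested
#    group membership at logon, so a correctly nested group appears here even
#    though only the parent group was added to the local group.
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$tokenSids = $identity.Groups | ForEach-Object { $_.Value }
$inToken   = $tokenSids -contains $groupSid

# 3. Show what the local group actually contains, with SIDs. Get-LocalGroupMember
#    can throw when a member SID cannot be resolved, so fall back to net.exe.
Write-Host "`nMembers of '$GroupName' (local SAM):"
try {
    Get-LocalGroupMember -Group $GroupName -ErrorAction Stop |
        Select-Object Name, ObjectClass, PrincipalSource, SID | Format-Table -AutoSize
} catch {
    Write-Host "Get-LocalGroupMember failed ($($_.Exception.Message)); using net localgroup:"
    net localgroup $GroupName
}

# 4. Verdict, following the reasoning in the ticket.
if ($inToken) {
    Write-Host "OK: $groupSid is in the logon token; OpenVPN will treat $($identity.Name) as an OpenVPN administrator."
} else {
    Write-Host "NOT in token: $groupSid is absent from the logon token of $($identity.Name)."
    Write-Host "Either the nested group is not actually a member of '$GroupName', or the user has not"
    Write-Host "logged on since the membership changed. OpenVPN cannot see a group Windows did not expand."
}
```

Run it in the user's own (non-elevated) session, since that is the token the OpenVPN GUI sees; an elevated prompt may carry a different token.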

comment:4 Changed 3 years ago by wade.griffith

I am using the latest version of OpenVPN 2.5. When I run the command net localgroup "OpenVPN Administrators" it only recognizes the User that we had to manually setup and not the Group SID at all, and the whoami /groups command doesn't recognize the OpenVPN Administrators group at all. I believe this is where the bug is, because Windows isn't detecting the "OpenVPN Administrators" group with the whoami /group command. We do have the OpenVPN Administrators group on the local machine as well.

We also have nested dynamic groups in the Administrators group in Windows and those are working appropriately with permissions and show up with the whoami /group commands. So we believe the bug is with OpenVPN.


Changed 3 years ago by wade.griffith

Attachment: OpenVPN Group permissions.JPG added

OpenVPN properties tab

Changed 3 years ago by wade.griffith

Attachment: OpenVPN groups.JPG added

Group commands

comment:5 Changed 3 years ago by Gert Döring

Milestone: release 2.5 → release 2.5.3

comment:6 Changed 3 years ago by Selva Nair

Based on previous reports (e.g., Trac #810) azure AD nested groups should work. Here the user reports that net localgroup "OpenVPN Administrators" does not show the nested group membership. whoami /groups also doesn't show it.

If Windows native tools do not recognize the group membership, we can't do anything in OpenVPN to fix it. Sounds like a user/admin error in setting up the group membership.

comment:7 Changed 3 years ago by Gert Döring

Resolution: worksforme
Status: new → closed