Hi Nicolas,

I think I figured it out. I changed the filter from "member of" to "nested 
group" and now it's working.

Thank you very much for your help,


Helen
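
Added example, not part of the thread and not PacketFence's own code: a sketch of why a plain memberOf equality condition can miss a sponsor whom Active Directory's in-chain matching rule (OID 1.2.840.113556.1.4.1941) matches. That a "nested group" condition maps to this rule, and the shape of the search filter, are assumptions. The directory entries, account names and intermediate groups are constructed; only the sponsor group DN and sAMAccountName come from the configuration quoted in the thread.

```python
"""Direct vs. nested (in-chain) AD group matching, on a constructed directory."""

# Group DN taken from the Sponsorship rule quoted in the thread.
SPONSOR_GROUP = ("CN=WirelessSponsorGlobal,OU=Special Security Group,"
                 "OU=Special Account,DC=X,DC=X,DC=com")
IN_CHAIN_OID = "1.2.840.113556.1.4.1941"  # AD LDAP_MATCHING_RULE_IN_CHAIN

# Constructed sample entries (hypothetical): DN -> direct memberOf values.
DIRECTORY = {
    "CN=direct_user,DC=X,DC=X,DC=com": [SPONSOR_GROUP],
    "CN=nested_user,DC=X,DC=X,DC=com": ["CN=US Managers,DC=X,DC=X,DC=com"],
    "CN=US Managers,DC=X,DC=X,DC=com": [SPONSOR_GROUP.lower()],
    "CN=outsider,DC=X,DC=X,DC=com": ["CN=Loop A,DC=X,DC=X,DC=com"],
    "CN=Loop A,DC=X,DC=X,DC=com": ["CN=Loop B,DC=X,DC=X,DC=com"],
    "CN=Loop B,DC=X,DC=X,DC=com": ["CN=Loop A,DC=X,DC=X,DC=com"],
}

def escape_filter_value(value):
    """Escape RFC 4515 special characters in an LDAP filter assertion value."""
    specials = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(specials.get(ch, ch) for ch in value)

def build_filter(username, group_dn, nested):
    """Search filter for one user and one group condition (assumed shape)."""
    attr = f"memberOf:{IN_CHAIN_OID}:" if nested else "memberOf"
    return (f"(&(sAMAccountName={escape_filter_value(username)})"
            f"({attr}={escape_filter_value(group_dn)}))")

def direct_member(dn, group_dn):
    """memberOf equality: only groups listed on the entry itself count."""
    return any(g.lower() == group_dn.lower() for g in DIRECTORY.get(dn, []))

def in_chain_member(dn, group_dn):
    """In-chain semantics: follow memberOf transitively, tolerating cycles."""
    seen, stack = set(), [dn]
    while stack:
        for group in DIRECTORY.get(stack.pop(), []):
            key = group.lower()  # DN comparison is case-insensitive
            if key == group_dn.lower():
                return True
            if key not in seen:
                seen.add(key)
                stack.append(group)
    return False

if __name__ == "__main__":
    for dn in list(DIRECTORY)[:2] + ["CN=outsider,DC=X,DC=X,DC=com"]:
        print(dn, direct_member(dn, SPONSOR_GROUP), in_chain_member(dn, SPONSOR_GROUP))
    print(build_filter("nested_user", SPONSOR_GROUP, nested=True))
```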
-----Original Message-----
From: Helen Power via PacketFence-users 
<packetfence-users@lists.sourceforge.net>
Sent: Tuesday, July 23, 2019 1:35 PM
To: packetfence-users@lists.sourceforge.net
Cc: Helen Power <helen_po...@resourcepro.com>
Subject: Re: [PacketFence-users] Help! email is not allowed to sponsor guest 
access

Hi Nicolas,

I did /usr/local/pf/bin/pftest authentication helen_power 'password' 
Admin_Sponsor and get a reply like this:

#
Testing authentication for "Helen_Power"

Authenticating against 'Admin_Sponsor' in context 'admin'
  Authentication SUCCEEDED against Admin_Sponsor (Authentication successful.)
  Did not match against Admin_Sponsor for 'authentication' rules
  Did not match against Admin_Sponsor for 'administration' rules

Authenticating against 'Admin_Sponsor' in context 'portal'
  Authentication SUCCEEDED against Admin_Sponsor (Authentication successful.)
  Did not match against Admin_Sponsor for 'authentication' rules
  Did not match against Admin_Sponsor for 'administration' rules
#

Related info in Authentication.conf:
[Admin_Sponsor]
cache_match=0
read_timeout=10
realms=
basedn=DC=x,DC=x,DC=com
monitor=1
password=password
shuffle=0
searchattributes=
scope=sub
email_attribute=mail
usernameattribute=sAMAccountName
connection_timeout=5
binddn=CN=wirelessauth,OU=System Function Account,OU=Special Account,DC=X,DC=X,DC=com
encryption=none
description=Group for sponsorship for guests
port=389
host=172.16.100.X
write_timeout=5
type=AD

[Admin_Sponsor rule Sponsorship]
action0=mark_as_sponsor=1
condition0=memberOf,equals,CN=WirelessSponsorGlobal,OU=Special Security Group,OU=Special Account,DC=X,DC=X,DC=com
match=all
class=administration
description=Global Tech, US_Cooperate and SDU manager

I'm totally sure that my sponsor user belongs to the group 
(WirelessSponsorGlobal) defined in the condition above. Like I mentioned in the 
previous email, do you think my PF box not being able to re-join the Active 
Directory domain has anything to do with this issue? Or what do you suggest I 
do next?

#
[root@packetfence PFdomain]# chroot /chroots/PFdomain wbinfo -u
could not obtain winbind interface details: WBC_ERR_WINBIND_NOT_AVAILABLE
could not obtain winbind domain name!
Error looking up domain users

[root@packetfence PFdomain]# wbinfo -t
could not obtain winbind interface details: WBC_ERR_WINBIND_NOT_AVAILABLE
could not obtain winbind domain name!
checking the trust secret for domain (null) via RPC calls failed
failed to call wbcCheckTrustCredentials: WBC_ERR_WINBIND_NOT_AVAILABLE
Could not check secret

[root@pfence bin]# net ads info
ads_connect: No logon servers are currently available to service the logon request.
ads_connect: No logon servers are currently available to service the logon request.
Didn't find the ldap server!
#

Domain.conf:
[Test]
ntlm_cache_filter=(&(samAccountName=*)(!(|(lockoutTime=>0)(userAccountControl:1.2.840.113556.1.4.803:=2))))
registration=0
ntlm_cache_expiry=3600
dns_name=x.x.com
dns_servers=172.16.100.X
ou=Computers
ntlm_cache_on_connection=disabled
workgroup=abc0
ntlm_cache_batch_one_at_a_time=disabled
sticky_dc=*
ad_server=172.16.100.X
ntlm_cache_batch=disabled
server_name=%h


Thank you very much for your help.




-----Original Message-----
From: Nicolas Quiniou-Briand via PacketFence-users 
<packetfence-users@lists.sourceforge.net>
Sent: Tuesday, July 23, 2019 6:57 AM
To: packetfence-users@lists.sourceforge.net
Cc: Nicolas Quiniou-Briand <n...@inverse.ca>
Subject: Re: [PacketFence-users] Help! email is not allowed to sponsor guest 
access

Hello,

On 2019-07-22 9:53 p.m., Helen Power via PacketFence-users wrote:
> We want to achieve guest self-registration feature via sponsor email.
> I defined one authentication source type to AD with action "Mark as
> sponsor". However, when I use guest signup and put the sponsor email
> in then it says "Email XX is not allowed to sponsor guest access",
> which I'm sure the email address should be able to sponsor the guest access.

Make a test with your sponsor user to see if the "Admin_Sponsor" rule matches:

#v+
pftest authentication YOUR_SPONSOR_USER_ID '' Admin_Sponsor
#v-

In the output, you should see if your sponsor user matches the rule and is able 
to sponsor.
--
Nicolas Quiniou-Briand
n...@inverse.ca  ::  +1.514.447.4918 *140  ::  https://inverse.ca
Inverse inc. :: Leaders behind SOGo (https://sogo.nu), PacketFence 
(https://packetfence.org) and Fingerbank (http://fingerbank.org)


_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
This email (including any attachments) contains confidential information 
intended for a specific individual and purpose. If you have received this email 
in error please notify the sender immediately and delete this e-mail. If you 
are not the intended recipient any disclosing, distributing, copying, or taking 
any action based on this e-mail is strictly prohibited. ReSource Pro, LLC. 60 E 
42nd Street, Suite 1500 New York, NY 10165 www.resourcepro.com

