Can Authentication Services work with Active Directory Distribution Groups? Users lose group membership after logging in.
No. Distribution Groups are not security enabled, so they do not appear in the user's TokenGroups/PAC (Privilege Attribute Certificate) membership. However, because of the way a vastool flush works, distribution groups may initially be cached. This group membership is removed when the user logs on, or after an incremental cache update.
[root]# /opt/quest/bin/vastool flush ; id karl
Caching Schema... OK
Caching Users... OK
Mapping mapped users ... OK
Processing user overrides... OK
Caching Groups... OK
Processing group overrides... OK
Caching Srvinfo... OK
Caching Netgroups... OK
uid=2080835909(karl) gid=1000(defaultgroup) groups=1000(defaultgroup),1111111(distributiongroup),222222(securitygroup)
sh-3.00$ su karl
sh-3.00$ id karl
uid=2080835909(karl) gid=1000(defaultgroup) groups=1000(defaultgroup),222222(securitygroup)
Note that this also applies to Authentication Services access control groups. The groups listed in the users allow / deny lists have to be Security Groups for the same reason: Distribution Groups are not security enabled, so they do not appear in the user's TokenGroups/PAC membership.
Authentication Services uses the membership information in the user's PAC for access control; if the group is not in the PAC, Authentication Services will very likely not see it and will deny the user.
Change the distribution group into a security group.
You can check the type of a group by inspecting its groupType attribute. The values are:
2 = Global scope - Distribution Group
2147483646 = Global Scope - Security Group
4 = Domain Local Scope - Distribution Group
2147483644 = Domain Local Scope - Security Group
8 = Universal Scope - Distribution group
2147483640 = Universal Scope - Security Group
# /opt/quest/bin/vastool -u host/ attrs -g
[root]# /opt/quest/bin/vastool -u host/ attrs -g distributiongroup groupType
[root]# /opt/quest/bin/vastool -u host/ attrs -g securitygroup groupType
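As an added example (not part of this article or of Quest's tooling), the following Python decodes a groupType value into its scope and security/distribution kind, and diffs the two `id` outputs from the transcript above to show which groups drop out at logon. The sample `id` lines are copied from the transcript; the groupType values assigned to those groups are constructed for the example. Note that LDAP stores groupType as a signed 32-bit integer, so tools commonly print the security-group values above as negative numbers (e.g. -2147483646), which the decoder accepts as well.

```python
import re

# Scope bits of the AD groupType attribute, and the security-enabled flag.
SCOPE_BITS = {0x2: "Global", 0x4: "Domain Local", 0x8: "Universal"}
SECURITY_ENABLED = 0x80000000

def decode_group_type(value):
    """Return (scope, kind) for a groupType value, signed or unsigned.
    groupType is a signed 32-bit LDAP integer, so -2147483646 and
    0x80000002 both denote a global security group."""
    flags = int(value) & 0xFFFFFFFF
    scope = SCOPE_BITS.get(flags & 0xE)
    if scope is None:
        raise ValueError(f"unrecognised groupType scope in {value!r}")
    kind = "Security" if flags & SECURITY_ENABLED else "Distribution"
    return scope, kind

def parse_id_groups(id_output):
    """Map group name -> gid from the groups= field of `id` output."""
    match = re.search(r"groups=(\S+)", id_output)
    if not match:
        raise ValueError("no groups= field in id output")
    return {name: int(gid)
            for gid, name in re.findall(r"(\d+)\(([^)]+)\)", match.group(1))}

def lost_groups(before, after):
    """Group names present in `before` but missing from `after`."""
    return sorted(set(parse_id_groups(before)) - set(parse_id_groups(after)))

def pac_visible_groups(id_output, group_types):
    """Keep only security-enabled groups, i.e. those that can appear
    in the user's TokenGroups/PAC and survive the logon refresh."""
    return sorted(name for name in parse_id_groups(id_output)
                  if decode_group_type(group_types[name])[1] == "Security")

# Sample `id` lines copied from the transcript in the article.
ID_AFTER_FLUSH = ("uid=2080835909(karl) gid=1000(defaultgroup) "
                  "groups=1000(defaultgroup),1111111(distributiongroup),222222(securitygroup)")
ID_AFTER_LOGON = ("uid=2080835909(karl) gid=1000(defaultgroup) "
                  "groups=1000(defaultgroup),222222(securitygroup)")
# Assumed groupType values for those groups (constructed, not real vastool output).
GROUP_TYPES = {"defaultgroup": -2147483646, "distributiongroup": 2,
               "securitygroup": -2147483646}

if __name__ == "__main__":
    print("lost after logon:", lost_groups(ID_AFTER_FLUSH, ID_AFTER_LOGON))
    print("PAC-visible:", pac_visible_groups(ID_AFTER_FLUSH, GROUP_TYPES))
```

Feeding it the groupType values returned by the vastool attrs commands above tells you, before the user logs on, which cached groups will disappear.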