• Type: Bug
    • Resolution: Unresolved
    • Priority: Major
    • None
    • Ubuntu 10.04, installed from apt-get

      Fresh install of Jenkins through apt-get. Installed and configured the Active Directory plugin. If I add a user directly into the security matrix they can log in fine. If I add a group then when that user logs in they get a 404 error and in the jenkins.log file we see ...

      May 11, 2012 8:48:05 AM hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider resolveGroups
      WARNING: Failed to retrieve tokenGroups for CN=John Smith,OU=Department,OU=Company Users,DC=DomainName,DC=local

          [JENKINS-13750] Failed to retrieve tokenGroups

          Giacomo Boccardo added a comment - Still happening on Jenkins 1.580.1 using Active Directory Plugin 1.39.

          Helder Magalhães added a comment - - edited

          Jenkins: 1.644
          Active Directory plugin: 1.41

          I got here while investigating a few occurrences of these weird Failed to retrieve tokenGroups for ... warning messages.

          By comparing two users (myself and a user which triggers this message), it seems that the errors are caused by:

          • The user who triggers the warning doesn't belong to any groups (which would then be considered a false warning and therefore, in this case, should be silenced IMHO)
          • Domain is configured in a way that neither I nor Jenkins have permissions to list the tokenGroups (somehow unlikely given other attributes are being correctly retrieved)

          Unfortunately my Active Directory knowledge doesn't allow me to go much further. If a set of simple checks can be made, though, please provide a set of commands and I (and maybe other users seeing this "issue") will try to run and provide their output.

          I've seen the code pointing at JENKINS-11644 but that issue has been fixed for a long time... Maybe the comment in the code should be updated (for this issue or removed?).


          James Nord added a comment -
          ldapsearch -LLL -H ldap://your_ad_server:3268 -b "YOUR_ROOT_DC" -D _yourbinduser_ -y ./pass.txt "(&(userPrincipalName=_yourupn_)(objectCategory=user))"
          

          then from the CN that is returned...

          ldapsearch -LLL -H ldap://10.0.70.10:3268 -b "_DN_FROM_ABOVE_SEARCH_" -D binduser -W -s base tokenGroups memberOf CN
          

          Your root dc will be something like DC=example,DC=com if your domain was example.com
          yourbinduser will be specific to your env - but you can just try with your username.
          yourupn will be something like loginname@example.com if your username was loginname and domain was example.com

          The second command should return the tokenGroups that the user is a member of as a base64 encoded SID. It's not important what the contents are here, but more that you do or do not get any.


          James Nord added a comment -

          > Domain is configured in a way that neither I nor Jenkins have permissions to list the tokenGroups (somehow unlikely given other attributes are being correctly retrieved)

          If you are using a server that is not using the global catalogue then you will see this error (i.e. if you specify a server like server:389).

          The log is suppressed in https://github.com/jenkinsci/active-directory-plugin/pull/38
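
          Added example, not part of the original thread and not the plugin's code: a small Python helper that reads the LDIF output of the second ldapsearch command above, decodes the base64 tokenGroups values into SID strings, and reports whether any came back. The sample LDIF, the group DN and the verdict wording are constructed for illustration; the two "missing" verdicts only restate the hypotheses raised in the comments.

```python
import base64
import struct

def decode_sid(raw: bytes) -> str:
    """Binary SID -> S-<revision>-<authority>-<sub-authorities> string."""
    if len(raw) < 8 or len(raw) != 8 + 4 * raw[1]:
        raise ValueError("malformed SID")
    authority = int.from_bytes(raw[2:8], "big")      # 48-bit, big-endian
    subs = struct.unpack("<%dI" % raw[1], raw[8:])   # 32-bit, little-endian
    return "-".join(["S", str(raw[0]), str(authority), *map(str, subs)])

def parse_ldif_entry(ldif: str) -> dict:
    """Attributes of one LDIF entry; unfolds continuation lines."""
    lines = []
    for line in ldif.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]                    # folded line: drop one space
        elif line.strip() and not line.startswith("#"):
            lines.append(line)
    attrs = {}
    for line in lines:
        name, _, rest = line.partition(":")
        # "attr:: value" is base64, "attr: value" is plain text
        value = base64.b64decode(rest[1:]) if rest.startswith(":") else rest.strip().encode()
        attrs.setdefault(name.lower(), []).append(value)
    return attrs

def check_token_groups(ldif: str):
    """Return (verdict, decoded tokenGroups SIDs, memberOf DNs)."""
    attrs = parse_ldif_entry(ldif)
    sids = [decode_sid(v) for v in attrs.get("tokengroups", [])]
    member_of = [v.decode() for v in attrs.get("memberof", [])]
    if sids:
        verdict = "tokenGroups returned"
    elif member_of:   # hypotheses from the thread, not a definitive diagnosis
        verdict = "memberOf but no tokenGroups: check server/port and permissions"
    else:
        verdict = "no tokenGroups, no memberOf: user may be in no groups"
    return verdict, sids, member_of

# Constructed sample output; the value is the well-known SID S-1-5-32-545
# (BUILTIN\Users), folded across two lines as ldapsearch does for long values.
SAMPLE_OK = """\
dn: CN=John Smith,OU=Department,OU=Company Users,DC=DomainName,DC=local
tokenGroups:: AQIAAAAAAAUgAAAA
 IQIAAA==
memberOf: CN=Builders,OU=Groups,DC=DomainName,DC=local
"""
SAMPLE_MISSING = SAMPLE_OK.replace("tokenGroups:: AQIAAAAAAAUgAAAA\n IQIAAA==\n", "")

if __name__ == "__main__":
    print(check_token_groups(SAMPLE_OK), check_token_groups(SAMPLE_MISSING), sep="\n")
```

          Note that memberOf does not list a user's primary group, so an empty memberOf alone does not prove the account has no group memberships.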


            Assignee: Unassigned
            Reporter: Corey Davoll (cdavoll)
            Votes: 1
            Watchers: 4