Hi Michael.
Thanks for getting back to me with your very informative reply. Hope it's OK to reply to the list, seeing as though we're already going.
I've tried the logoff process without success; my AD account is still not listed as a sysop.
I did however find "PAC not found in Kerberos ticket" in the plexcel.log file but am unsure of how I can correct this problem.
Hope you can help.
Regards,
Sam
On Tue, Oct 14, 2008 at 5:11 PM, Michael B Allen <ioplex@gmail.com> wrote:
On Mon, Oct 13, 2008 at 10:48 PM, Sam Ami <persip@gmail.com> wrote:
Hi all,
I'm having an issue with Plexcel or MediaWiki, not sure which of the two.
I've successfully set up Plexcel to perform SSO and all is working well, no issues at all; all our domain users can SSO perfectly.
The only issue I've found is with the below groupMap statement I've added to LocalSettings.php:
$wgAuth->groupMap = array( 'OURDOMAIN\wiki-admin' => 'sysop', );
Regardless of whether or not I place myself in the "OURDOMAIN\wiki-admin" group, I still do not get sysop status on the wiki.
Is there any way I can check this or force MediaWiki to do a gpupdate equivalent?
Hi Sam,
First, since the Plexcel PHP extension is a commercial product you should contact IOPLEX Software support directly in the future. Even if you're just using the < 25 users for free we're happy to help. However, I will reply here for this message.
ANSWER: Log off of the workstation and back on. That'll fix it.
Whenever you add (or remove) someone from a Windows group, that someone must log off and back on to reinitialize their security token (although in the case of Plexcel, technically you can achieve the same effect by purging your Kerberos tickets using kerbtray.exe). If SSO is used, there is no communication with the domain controller. Groups are extracted directly from the Kerberos ticket. So you must refresh that ticket whenever you make changes to group memberships. Windows has always been that way and it's actually very important for performance reasons. This is why Plexcel access checks are so fast.
Also, because the MW groups are only updated when the user's HTTP session is initialized, you will also need to log off and back on to MW. Of course, if the user logs out of their workstation they will have also restarted their browser, which will have reinitialized their HTTP session, but I'm adding this bit for the benefit of *nix users who might be using kinit with Firefox and such.
Finally, make sure the groups you are entering into LocalSettings.php are resolving properly. Whenever you make changes to LocalSettings.php regarding Plexcel you should always tail -f plexcel.log for a while. If a group name is not found you will see an error to that effect in the log file.
See the Plexcel MediaWiki Plugin Manual for details.
Mike
--
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/
MediaWiki-l mailing list MediaWiki-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-l