
KB-1330: Unable to login via ssh when a user account exists on the local machine and in Active Directory

Centrify DirectControl

12 April,16 at 10:57 AM

Applies to: All versions of Centrify DirectControl on AIX with stock OpenSSH or Centrify-enabled OpenSSH
 
Problem:
 
When a user account exists both locally and in Active Directory (AD), authentication via ssh fails, with error messages in the sshd debug log similar to this:
 
debug3: AIX/setauthdb set registry 'CENTRIFYDC' 
debug1: Writing Uid 100114 successfully 
debug3: aix_restoreauthdb: restoring old registry '' 
debug1: permanently_set_uid: 1035/1 
setuid 1035: Operation not permitted. 
 
Cause:
 
For AIX systems running stock OpenSSH:
 
This is a problem with OpenSSH on AIX. The registry setting is set to root's registry most of the time, so some of the NSS-type operations inside sshd are confused when an AD user also exists locally with mismatching UIDs/GIDs. 
 
 
For AIX systems running Centrify-enabled OpenSSH:
 
Centrify-enabled OpenSSH is not impacted by the same problem as stock OpenSSH; however, if the UID or GID of the local account does not match the AD account, login will still fail.
 
 
Solution:
 
For AIX systems running stock OpenSSH:
 
1) Match the AD user's UID and GID with the local account or vice versa

2) Start the stock OpenSSH sshd with the registry set to CENTRIFYDC. For non-AD accounts, authentication will fall back to compat or files. Copy the attached script to the machine in question and run "sh mk_sshd_wrapper.sh".
 
This script does the following:
 
a) moves the /usr/sbin/sshd to /usr/sbin/sshd.bin 

b) creates /usr/sbin/sshd with the following contents: 
 
#!/bin/sh 
export AUTHSTATE=CENTRIFYDC 
/usr/sbin/sshd.bin 
 
i.e., it starts up sshd with the CENTRIFYDC registry.
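The attachment itself is not reproduced on this page, so the following is an added reconstruction of what the article describes, not Centrify's own mk_sshd_wrapper.sh. It takes the sshd path as an optional argument (so it can be exercised against a copy), refuses to wrap an already-wrapped sshd (running the original steps twice would overwrite sshd.bin with the wrapper, which then re-execs itself forever), and writes the wrapper atomically; the `exec` and `"$@"` in the generated wrapper are additions so that sshd's own arguments and PID are preserved.

```shell
#!/bin/sh
# Reconstruction of the wrapper installer described in KB-1330 (not the attached script).
# Usage on the AIX host, as root:  sh mk_sshd_wrapper.sh --install [/usr/sbin/sshd]

install_sshd_wrapper() {
    sshd="${1:-/usr/sbin/sshd}"
    real="${sshd}.bin"

    # Idempotency check: if sshd already exports AUTHSTATE=CENTRIFYDC it is our
    # wrapper; moving it again would clobber the real binary in sshd.bin.
    if [ -f "$real" ] && grep -q 'AUTHSTATE=CENTRIFYDC' "$sshd" 2>/dev/null; then
        echo "wrapper already installed at $sshd" >&2
        return 0
    fi
    [ -f "$sshd" ] || { echo "no sshd found at $sshd" >&2; return 1; }

    # Step a) from the article: keep the real daemon as sshd.bin
    mv "$sshd" "$real" || return 1

    # Step b): write the wrapper to a temp file, then rename it into place so an
    # interrupted write never leaves an empty, non-executable /usr/sbin/sshd.
    tmp="${sshd}.tmp.$$"
    cat > "$tmp" <<EOF
#!/bin/sh
# Start the real sshd with the CENTRIFYDC registry; non-AD users fall back to compat/files.
export AUTHSTATE=CENTRIFYDC
exec "$real" "\$@"
EOF
    chmod 755 "$tmp" && mv "$tmp" "$sshd"
}

# Returns 0 when the wrapper is in place and the real binary is still beside it.
sshd_wrapper_installed() {
    sshd="${1:-/usr/sbin/sshd}"
    [ -x "${sshd}.bin" ] && grep -q 'AUTHSTATE=CENTRIFYDC' "$sshd" 2>/dev/null
}

if [ "${1-}" = "--install" ]; then
    install_sshd_wrapper "${2:-/usr/sbin/sshd}"
fi
```

After installing, restart sshd (for example via the SRC: `stopsrc -s sshd; startsrc -s sshd`) so the running daemon inherits AUTHSTATE.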
 
 
For AIX systems running Centrify-enabled OpenSSH:
 
Although Centrify-enabled OpenSSH is not impacted by the same problem as stock OpenSSH, you still need to do one of the following to ensure the AD user can log in when a matching local account exists:
 
1) Match the AD user's UID and GID with the local account or vice versa
 
or 
 
2) Remove the local account
 
Attachments:

