Centrify

Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >
article

KB-2370: "Account cannot be accessed at this time"

Authentication Service ,  

12 April,16 at 11:07 AM

Applies to: All versions of Centrify DirectControl.

 
Question:
 
SSH closes connection for just one user. All other users can SSH fine. 
 
adinfo shows that the agent is connected. 
adquery user -A [username] shows the user is zone enabled. 
dzinfo shows the user has the correct roles/rights.
 
Example:
 
emcappd07% ssh -K emcappd02.us.yourdomain.com 
Account cannot be accessed at this time. 
 
Please contact your system administrator. 
Connection closed by 10.1.2.3
 
# dzinfo vnxt3180 
Zone Status: DirectAuthorize is enabled 
User: vnxt3180 
Forced into restricted environment: No 
 
Role Name Avail Restricted Env 
--------------- ----- -------------- 
runas_plmadm Yes None 
 
 
PAM Application Avail Source Roles 
--------------- ----- -------------------- 
(vnxt3180 can use any pam application) 
 
 
Privileged commands: 
Name Avail Command Source Roles 
--------------- ----- -------------------- -------------------- 
runas_plmadm Yes * runas_plmadm 
 
emcappd02# su vnxt3180 
emcappd02% exit 
emcappd02% emcappd02# su - vnxt3180 
Sun Microsystems Inc. SunOS 5.10 Generic January 2005 
emcappd02% 
 
 
Is there any reason for this?

 
Answer:
 
The error message is generic and can mean many things. 
The best way to troubleshoot is to run Centrify debug or a SSH trace. 
 
In this example, the debug logs show that the user could not SSH because his AD account was not allowed to login to the workstation in question: 
 
Apr 5 15:42:30 emcappd02 adclient[11570]: [ID 702911 auth.debug] DEBUG <fd:25 PAMIsUserAllowedAccess> adclient.pam.util allowed workstations: 'Emcappd04,Emcappd07,us194dc00,usy90dc01,gbrv3dc01,jpd91dc00,cne33dc00,us194dc01,usy90dc02,gbd04dc02,jpdc91dc01,cne33dc01,ded89dc02,cng83dc00' host: 'EMCAPPD02' 
 
Apr 5 15:42:30 emcappd02 adclient[11570]: [ID 702911 auth.debug] DEBUG <fd:25 PAMIsUserAllowedAccess> base.osutil Module=Base : User 'vnxt3180' denied access to workstation. (reference ipcclient2.cpp:1564 rc: 0) 
 
Apr 5 15:42:30 emcappd02 adclient[11570]: [ID 702911 auth.debug] DEBUG <fd:20 sshd(14834)> Error message to user: 'Account cannot be accessed at this time. 
 
Once this user's access was enabled (as shown in the screenshot below) SSH worked fine.

logon on settings in properties of a AD user in Active directory users and computers
 

Still have questions? Click here to log a technical support case, or collaborate with your peers in Centrify's Online Community.

Related Articles

 articleKB-11752: sudo Command Generates Validation Failure With Message "Account cannot be accessed at this time" articleKB-1983: Is it possible to customize the message "Account cannot be accessed at this time" articleKB-11086: What does 'userWorkstations' mean in adquery user -A output? articleKB-1689: Cannot 'su -' when using DirectAuthorize article[Labs] Using Centrify+AD+YubiKey to secure UNIX/Linux access with Strong Authentication articleKB-3376: How to limit a user to access to only one particular machine in Classic Zone