Applies to: All versions of Centrify DirectControl.
Question:
SSH closes connection for just one user. All other users can SSH fine.
adinfo shows that the agent is connected.
adquery user -A [username] shows the user is zone enabled.
dzinfo shows the user has the correct roles/rights.
Example:
emcappd07% ssh -K emcappd02.us.yourdomain.com
Account cannot be accessed at this time.
Please contact your system administrator.
Connection closed by 10.1.2.3
# dzinfo vnxt3180
Zone Status: DirectAuthorize is enabled
User: vnxt3180
Forced into restricted environment: No
Role Name        Avail  Restricted Env
---------------  -----  --------------
runas_plmadm     Yes    None
PAM Application  Avail  Source Roles
---------------  -----  --------------------
(vnxt3180 can use any pam application)
Privileged commands:
Name             Avail  Command               Source Roles
---------------  -----  --------------------  --------------------
runas_plmadm     Yes    *                     runas_plmadm
emcappd02# su vnxt3180
emcappd02% exit
emcappd02% emcappd02# su - vnxt3180
Sun Microsystems Inc. SunOS 5.10 Generic January 2005
emcappd02%
Is there any reason for this?
Answer:
The error message is generic and can have many causes.
The best way to troubleshoot is to run Centrify debug or an SSH trace.
In this example, the debug logs show that the user could not SSH in because his AD account was not allowed to log in to the workstation in question:
Apr 5 15:42:30 emcappd02 adclient[11570]: [ID 702911 auth.debug] DEBUG <fd:25 PAMIsUserAllowedAccess> adclient.pam.util allowed workstations: 'Emcappd04,Emcappd07,us194dc00,usy90dc01,gbrv3dc01,jpd91dc00,cne33dc00,us194dc01,usy90dc02,gbd04dc02,jpdc91dc01,cne33dc01,ded89dc02,cng83dc00' host: 'EMCAPPD02'
Apr 5 15:42:30 emcappd02 adclient[11570]: [ID 702911 auth.debug] DEBUG <fd:25 PAMIsUserAllowedAccess> base.osutil Module=Base : User 'vnxt3180' denied access to workstation. (reference ipcclient2.cpp:1564 rc: 0)
Apr 5 15:42:30 emcappd02 adclient[11570]: [ID 702911 auth.debug] DEBUG <fd:20 sshd(14834)> Error message to user: 'Account cannot be accessed at this time.
Once this user's access was enabled (as shown in the screenshot below), SSH worked fine.
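To find this condition in a large debug log without reading it line by line, the following added example (not Centrify code) pairs each "denied access to workstation" line with the preceding "allowed workstations" line from the same adclient pid and fd, and reports whether the host is in the list. The function name, the sample log (shortened from the lines above) and the case-insensitive comparison are assumptions of this example.

```python
import re

# Constructed sample, shortened from the debug lines quoted above.
SAMPLE_LOG = """\
Apr 5 15:42:30 emcappd02 adclient[11570]: [ID 702911 auth.debug] DEBUG <fd:25 PAMIsUserAllowedAccess> adclient.pam.util allowed workstations: 'Emcappd04,Emcappd07,us194dc00' host: 'EMCAPPD02'
Apr 5 15:42:30 emcappd02 adclient[11570]: [ID 702911 auth.debug] DEBUG <fd:25 PAMIsUserAllowedAccess> base.osutil Module=Base : User 'vnxt3180' denied access to workstation. (reference ipcclient2.cpp:1564 rc: 0)
"""

ALLOWED_RE = re.compile(
    r"adclient\[(?P<pid>\d+)\]:.*<fd:(?P<fd>\d+) PAMIsUserAllowedAccess>.*"
    r"allowed workstations: '(?P<allowed>[^']*)' host: '(?P<host>[^']*)'")
DENIED_RE = re.compile(
    r"adclient\[(?P<pid>\d+)\]:.*<fd:(?P<fd>\d+) PAMIsUserAllowedAccess>.*"
    r"User '(?P<user>[^']+)' denied access to workstation")


def find_workstation_denials(log_text):
    """Return one dict per 'denied access to workstation' line, paired with
    the allowed-workstations line last seen on the same adclient pid and fd."""
    pending = {}   # (pid, fd) -> (allowed list, host)
    denials = []
    for line in log_text.splitlines():
        m = ALLOWED_RE.search(line)
        if m:
            allowed = [w.strip() for w in m.group("allowed").split(",") if w.strip()]
            pending[(m.group("pid"), m.group("fd"))] = (allowed, m.group("host"))
            continue
        m = DENIED_RE.search(line)
        if m:
            allowed, host = pending.pop((m.group("pid"), m.group("fd")), ([], None))
            # Assumption: names are compared case-insensitively, since the log
            # mixes case between the list ('Emcappd04') and host ('EMCAPPD02').
            in_list = host is not None and host.lower() in {w.lower() for w in allowed}
            denials.append({"user": m.group("user"), "host": host,
                            "allowed": allowed, "host_in_list": in_list})
    return denials


if __name__ == "__main__":
    for d in find_workstation_denials(SAMPLE_LOG):
        print(f"{d['user']} denied on {d['host']}; allowed list has "
              f"{len(d['allowed'])} entries, host listed: {d['host_in_list']}")
```

A denial where the host is reported as not listed points to the per-account workstation restriction described above rather than to zone or role configuration.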