12 April,16 at 11:10 AM
Applies to: All versions of Centrify DirectControl and stock OpenSSH 3.9p1 (or earlier) on Red Hat platforms.
Problem:
Logging in over ssh with an AD user account fails: the login is rejected as an invalid password even when the correct password is supplied.
Local user accounts work fine.
Is there any reason for this?
Snippets from the logs:
Mar 5 10:00:30 host adclient[7888]: DEBUG <fd:24 PAMVerifyPassword> dns.findkdc KDC locator for Yourcompany.com
Mar 5 10:00:30 host adclient[7888]: DEBUG <fd:24 PAMVerifyPassword> base.aduser Error: get creds: Preauthentication failed for user user@Yourcompany.com (enctype: ArcFour with HMAC/md5)
... ...
Mar 5 10:00:30 host adclient[7888]: DEBUG <fd:24 PAMVerifyPassword> base.osutil Module=Base : bad password (reference base/aduser.cpp:830 rc: 1030)
Mar 5 10:00:30 host adclient[7888]: DEBUG <fd:24 PAMVerifyPassword> daemon.ipcclient validate password caught exception: bad password
Mar 5 10:00:30 host adclient[7888]: WARN <fd:24 PAMVerifyPassword> audit User 'user' not authenticated: bad password
Mar 5 10:00:30 host adclient[7888]: DEBUG <fd:24 PAMVerifyPassword> daemon.ipcclient doPAMVerifyPassword: user 'user' not OK: 1030 (Base)
Mar 5 10:00:30 host adclient[7888]: DEBUG <fd:24 PAMVerifyPassword> daemon.ipcclient Invalid password
However, adinfo -A user Yourcompany.com -S host.Yourcompany.com shows that the password is correct.
In the network trace, both ArcFour and UPN authentications were tried, and both went to the domain controller host.Yourcompany.com (10.160.12.13).
Cause:
The AllowGroups directive in sshd_config. Stock OpenSSH 3.9p1 handles the "AllowGroups" directive differently from later releases, so the AD user is refused by sshd's group check. The adclient "bad password" messages above are misleading in this case: adinfo -A validates the same credentials successfully, so the rejection comes from sshd rather than from Active Directory.
Refer to the sshd_config man page for more details on this directive.
Workaround:
Add the AD user to a group listed in the "AllowGroups" directive and restart sshd on the Linux server.
OR
Upgrade the OpenSSH package to the latest version.
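The check below is an added example and not part of the Centrify article: it reads the AllowGroups patterns from an sshd_config and tests whether a user's group names satisfy them, so the workaround can be verified before sshd is restarted. The sshd_config fragment and the user and group names in the demo are constructed for the example; check_live_user assumes the AD user's groups resolve through NSS (id -Gn) on the affected host.

```shell
#!/bin/sh
# Added example (not from the Centrify KB article): reproduce sshd's
# AllowGroups decision for a set of group names. Handles the '*' and '?'
# wildcards of sshd patterns; negated ('!') patterns and the later Match
# blocks (not present in OpenSSH 3.9p1) are not modelled.

# Print every pattern given on AllowGroups lines, one per line. Directive
# names are case-insensitive in sshd_config; indentation and comment lines
# are tolerated.
allowgroups_patterns() {
    awk 'tolower($1) == "allowgroups" { for (i = 2; i <= NF; i++) print $i }' "$1"
}

# allowgroups_match CONFIG GROUP...
# Exit 0 if CONFIG has no AllowGroups directive (everyone passes) or if any
# GROUP matches one of its patterns; exit 1 if the user would be refused.
allowgroups_match() {
    config=$1
    shift
    patterns=$(allowgroups_patterns "$config")
    [ -n "$patterns" ] || return 0
    # Read patterns line by line through a here-document rather than word
    # splitting, so a pattern such as '*' is never expanded against filenames.
    while read -r pat; do
        for grp in "$@"; do
            # $pat is deliberately unquoted so the shell treats it as a glob
            case $grp in
                $pat) return 0 ;;
            esac
        done
    done <<EOF
$patterns
EOF
    return 1
}

# allowgroups_explain CONFIG USER GROUP...
# Human-readable verdict for a user whose resolved group names are given.
allowgroups_explain() {
    config=$1
    user=$2
    shift 2
    if allowgroups_match "$config" "$@"; then
        echo "$user: allowed by AllowGroups (groups: $*)"
        return 0
    fi
    echo "$user: refused by AllowGroups; groups [$*] match none of:" \
        "$(allowgroups_patterns "$config" | tr '\n' ' ')"
    return 1
}

# On a live host, resolve the user's groups through NSS (Centrify included)
# and check them against the real sshd_config. Not exercised by the demo.
check_live_user() {
    # shellcheck disable=SC2046  -- group names are meant to split into words
    allowgroups_explain "${2:-/etc/ssh/sshd_config}" "$1" $(id -Gn "$1")
}

# Demo on a constructed sshd_config fragment and made-up user 'jdoe'.
demo() {
    cfg=$(mktemp) || return 1
    printf '%s\n' \
        '# constructed for the example' \
        'Port 22' \
        'AllowGroups sshusers wheel' \
        'UsePAM yes' > "$cfg"
    # First run: not in any listed group (refused); second: after the
    # workaround added the user to sshusers (allowed).
    for groups in "users domain_users" "users domain_users sshusers"; do
        # shellcheck disable=SC2086
        allowgroups_explain "$cfg" jdoe $groups || :
    done
    rm -f "$cfg"
}

demo
```

On the affected host, `check_live_user user` compares the groups Centrify resolves for the account with the live sshd_config: a "refused" verdict before adding the user to a listed group and "allowed" afterwards confirms the workaround, while "allowed" from the start means the rejection lies elsewhere and the group change will not help.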
Resolution:
None. This issue is specific to the stock OpenSSH 3.9p1-8 distributed with Red Hat Enterprise Linux 4.