Applies to: All versions of Centrify DirectControl and stock OpenSSH 3.9p1 (or earlier) on RedHat platforms.

Problem:

It is not possible to run ssh using an AD user account. An invalid password is returned even when a correct password is supplied. 
Local user accounts work fine. 

Is there any reason for this?

Snippets from logs.

Mar  5 10:00:30 host adclient[7888]: DEBUG <fd:24 PAMVerifyPassword> dns.findkdc KDC locator for Yourcompany.com

Mar  5 10:00:30 host adclient[7888]: DEBUG <fd:24 PAMVerifyPassword> base.aduser Error: get creds: Preauthentication failed for user user@Yourcompany.com (enctype: ArcFour with HMAC/md5)
... ...

Mar  5 10:00:30 host adclient[7888]: DEBUG <fd:24 PAMVerifyPassword> base.osutil Module=Base : bad password (reference base/aduser.cpp:830 rc: 1030)

Mar  5 10:00:30 host adclient[7888]: DEBUG <fd:24 PAMVerifyPassword> daemon.ipcclient validate password caught exception: bad password

Mar  5 10:00:30 host adclient[7888]: WARN  <fd:24 PAMVerifyPassword> audit User 'user' not authenticated: bad password

Mar  5 10:00:30 host adclient[7888]: DEBUG <fd:24 PAMVerifyPassword> daemon.ipcclient doPAMVerifyPassword: user 'user' not OK: 1030 (Base)

Mar  5 10:00:30 host adclient[7888]: DEBUG <fd:24 PAMVerifyPassword> daemon.ipcclient Invalid password

However, adinfo -A user Yourcompany.com -S host.Yourcompany.com shows that the password is correct.
In the network trace, both ArcFour and UPN authentications were tried and both authentications went through host.Yourcompany.com 10.160.12.13.

Cause:

It is the AllowGroups directive in SSHd_config. Stock OpenSSH 3.9p1 uses a different way to handle the “AllowGroups” directive. 
Please refer to the man pages of SSHd_config for more details on this directive.

Workaround:

Add the AD user to the group defined in the “AllowGroups” directive and restart SSHd on the Linux server.

OR

Upgrade the OpenSSH package to the latest version.

Resolution:

None. This issue is specific to the stock OpenSSH 3.9p1-8 distributed with Red Hat Enterprise Linux 4.