Centrify

Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >
article

KB-2472: AD user unable to attempt ssh to stock openssh 3.9p1 as it returns invalid password.

Centrify DirectControl ,  

12 April,16 at 11:10 AM

Applies to: All versions of Centrify DirectControl and stock OpenSSH 3.9p1 (or earlier) on RedHat platforms.

Problem:

It is not possible to run ssh using an AD user account. An invalid password is returned even when a correct password is supplied. 
Local user accounts work fine. 

Is there any reason for this?

Snippets from logs.

Mar  5 10:00:30 host adclient[7888]: DEBUG <fd:24 PAMVerifyPassword> dns.findkdc KDC locator for Yourcompany.com

Mar  5 10:00:30 host adclient[7888]: DEBUG <fd:24 PAMVerifyPassword> base.aduser Error: get creds: Preauthentication failed for user user@Yourcompany.com (enctype: ArcFour with HMAC/md5)
... ...

Mar  5 10:00:30 host adclient[7888]: DEBUG <fd:24 PAMVerifyPassword> base.osutil Module=Base : bad password (reference base/aduser.cpp:830 rc: 1030)

Mar  5 10:00:30 host adclient[7888]: DEBUG <fd:24 PAMVerifyPassword> daemon.ipcclient validate password caught exception: bad password

Mar  5 10:00:30 host adclient[7888]: WARN  <fd:24 PAMVerifyPassword> audit User 'user' not authenticated: bad password

Mar  5 10:00:30 host adclient[7888]: DEBUG <fd:24 PAMVerifyPassword> daemon.ipcclient doPAMVerifyPassword: user 'user' not OK: 1030 (Base)

Mar  5 10:00:30 host adclient[7888]: DEBUG <fd:24 PAMVerifyPassword> daemon.ipcclient Invalid password

However, adinfo -A user Yourcompany.com -S host.Yourcompany.com shows that the password is correct.
In the network trace, both ArcFour and UPN authentications were tried and both authentications went through host.Yourcompany.com 10.160.12.13.


Cause:

It is the AllowGroups directive in SSHd_config. Stock OpenSSH 3.9p1 uses a different way to handle the “AllowGroups” directive. 
Please refer to the man pages of SSHd_config for more details on this directive.

Workaround:

Add the AD user to the group defined in the “AllowGroups” directive and restart SSHd on the Linux server.

OR

Upgrade the OpenSSH package to the latest version.

Resolution:

None. This issue is specific to the stock OpenSSH 3.9p1-8 distributed with Red Hat Enterprise Linux 4.

Still have questions? Click here to log a technical support case, or collaborate with your peers in Centrify's Online Community.

Related Articles

 articleKB-7555: Unable to login as root after upgrade to Centrify Suite 2016 (CDC 5.3.0) articleKB-6040: How to change the license type in use after adclient successful joined to the AD? articleKB-3925: How to add Centrify parameter to a group policy articleKB-6073: How to join the Linux/Unix Centrify Server to Active Directory with specific Computer Role? articleKB-6041: How to show current license type in use by adclient? articleKB-6038: How to specify the license type to use when joining the server to AD using adjoin? articleKB-6056: How to report the group policy settings that are in effect for the local computer? articleKB-6044: How to configure users for automatic Kerberos Credentials for infinite renewal even after users have logged out? articleKB-6050: How to configure a group for automatic Kerberos Credentials for infinite renewal?