KB-3316: Tectia SSH is not authenticating AD users

Centrify DirectControl

12 April,16 at 11:43 AM

Applies to: All versions of Centrify DirectControl
 
Question:
 
AD users are continually challenged for a password when logging in through the Tectia SSH server. 
 
Even su to an AD user fails. 
 
Is there any reason for this?
 
Answer:
 
The adclient debug log showed that the failure was caused by a duplicate SPN in Active Directory, not by Tectia SSH itself; ldapsearch was then used to confirm the cause.
 
(1) The debug log shows adclient failing to obtain a service ticket for the host's own principal while verifying the user's password:
Jul  8 16:13:20 osei5005 auth|security:debug adclient[512222]: DEBUG <fd:10 ssh-pam-proxy(569596)> client.ssh-pam-proxy Received PAM_AUTHTOK: PAM_SUCCESS(0)
Jul  8 16:13:20 osei5005 auth|security:debug adclient[512222]: DEBUG <fd:41 PAMVerifyPassword > dns.findkdc KDC locator for HOMEOFFICE.yourcompany.COM
...
Jul  8 16:13:20 osei5005 auth|security:warn|warning adclient[512222]: WARN  <fd:41 PAMVerifyPassword > base.aduser Can't find service host/osei5005.secure.yourcompany.com.  Run adinfo --diag to check for multiple computer accounts with the same SPN. Check that the local computer's Active Directory object's servicePrincipalName value has not been deleted.  Check for replication errors.
...
Jul  8 16:13:20 osei5005 auth|security:warn|warning adclient[512222]: WARN  <fd:41 PAMVerifyPassword > audit User 'pschnau' not authenticated: while getting service credentials: Server not found in Kerberos database
 
 
But the local krb5.keytab (listed on July 9) does hold keys for exactly that principal:
 
 
07/03/13 13:17:47 host/osei5005.secure.yourcompany.com@HOMEOFFICE.yourcompany.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC) 
07/03/13 13:17:47 host/osei5005.secure.yourcompany.com@HOMEOFFICE.yourcompany.COM (AES-128 CTS mode with 96-bit SHA-1 HMAC) 
07/03/13 13:17:47 host/osei5005.secure.yourcompany.com@HOMEOFFICE.yourcompany.COM (ArcFour with HMAC/md5) 
07/03/13 13:17:47 host/osei5005.secure.yourcompany.com@HOMEOFFICE.yourcompany.COM (DES cbc mode with RSA-MD5) 
07/03/13 13:17:47 host/osei5005.secure.yourcompany.com@HOMEOFFICE.yourcompany.COM (DES cbc mode with CRC-32) 
 
 
The key is present locally, so the problem is on the KDC side: the domain controller answers "Server not found in Kerberos database" for host/osei5005.secure.yourcompany.com because it cannot map that SPN to a single account, which is exactly what happens when more than one computer object carries the same SPN. The WARN line above points at this directly (check for multiple computer accounts with the same SPN).
 
(2) The debug log also shows adclient dropping into disconnected mode and then failing cached authentication for the same user:
 
Jul  8 16:13:38 osei5005 auth|security:debug adclient[512222]: DEBUG <fd:41 PAMVerifyPassword > daemon.ipcclient cacheAuthFirst: System is not healthy
Jul  8 16:13:38 osei5005 auth|security:info adclient[512222]: INFO  <fd:41 PAMVerifyPassword > daemon.ipcclient System is in disconnected mode, user option PREFER_AD_LOGIN is ignored and try cache auth first.
...
Jul  8 16:13:38 osei5005 auth|security:debug adclient[512222]: DEBUG <fd:41 PAMVerifyPassword > util.except (NotFound) : No user hash in cache for pschnau (reference ipcclient.cpp:566 rc: 0)
...
 
Because adclient could not obtain a service ticket for its own host principal, it judged the system unhealthy and dropped into disconnected mode. In that mode it tries cached credentials first, and since there was no cached password hash for pschnau on this host, every attempt failed regardless of the password typed. That is why users are prompted again and again, and why su to an AD user fails too: both paths end in the same PAMVerifyPassword call.
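The two observations above, written out as a small triage script. This is an added example, not Centrify's code; the log lines and keytab listing embedded in it are constructed from the excerpts in this article. It parses adclient's syslog line format, compares the SPN the KDC rejected with the principals actually present in the keytab, and reports the chain: KDC cannot resolve the host SPN although the key exists locally, the user fails with "Server not found in Kerberos database", adclient drops into disconnected mode, and the user has no cached hash to fall back on.

```python
"""Triage an adclient debug log for the 'duplicate SPN' failure chain.

Added example, not Centrify code. SAMPLE_LOG and SAMPLE_KEYTAB are constructed
here, modelled on the excerpts in the KB article.
"""
import re

# Constructed sample: adclient syslog lines (modelled on the article's excerpt).
SAMPLE_LOG = """\
Jul  8 16:13:20 osei5005 auth|security:debug adclient[512222]: DEBUG <fd:10 ssh-pam-proxy(569596)> client.ssh-pam-proxy Received PAM_AUTHTOK: PAM_SUCCESS(0)
Jul  8 16:13:20 osei5005 auth|security:warn|warning adclient[512222]: WARN  <fd:41 PAMVerifyPassword > base.aduser Can't find service host/osei5005.secure.yourcompany.com.  Run adinfo --diag to check for multiple computer accounts with the same SPN.
Jul  8 16:13:20 osei5005 auth|security:warn|warning adclient[512222]: WARN  <fd:41 PAMVerifyPassword > audit User 'pschnau' not authenticated: while getting service credentials: Server not found in Kerberos database
Jul  8 16:13:38 osei5005 auth|security:info adclient[512222]: INFO  <fd:41 PAMVerifyPassword > daemon.ipcclient System is in disconnected mode, user option PREFER_AD_LOGIN is ignored and try cache auth first.
Jul  8 16:13:38 osei5005 auth|security:debug adclient[512222]: DEBUG <fd:41 PAMVerifyPassword > util.except (NotFound) : No user hash in cache for pschnau (reference ipcclient.cpp:566 rc: 0)
"""

# Constructed sample: keytab listing in the klist-style layout shown in the article.
SAMPLE_KEYTAB = """\
07/03/13 13:17:47 host/osei5005.secure.yourcompany.com@HOMEOFFICE.yourcompany.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC)
07/03/13 13:17:47 host/osei5005.secure.yourcompany.com@HOMEOFFICE.yourcompany.COM (ArcFour with HMAC/md5)
"""

# One adclient syslog line: timestamp, host, facility, pid, level, <fd:N context>, message.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) \S+ adclient\[(?P<pid>\d+)\]: "
    r"(?P<level>[A-Z]+)\s+<fd:(?P<fd>\d+) (?P<ctx>[^>]*?)\s*> (?P<msg>.*)$"
)
SPN_MISSING_RE = re.compile(r"Can't find service (?P<spn>\S+)\.")
USER_FAIL_RE = re.compile(r"User '(?P<user>[^']+)' not authenticated: (?P<reason>.*)$")
NO_HASH_RE = re.compile(r"No user hash in cache for (?P<user>\S+)")
KEYTAB_RE = re.compile(r"^\S+ \S+ (?P<principal>[^@\s]+)@(?P<realm>\S+) \(")


class Triage:
    """Facts collected from the log, to be turned into conclusions by verdict()."""

    def __init__(self, keytab_principals):
        self.keytab_principals = keytab_principals
        self.missing_spns = set()   # SPNs the KDC could not find
        self.failed_users = {}      # user -> reason from the audit line
        self.disconnected = False   # adclient reported disconnected mode
        self.cache_misses = set()   # users with no cached password hash


def parse_keytab(text):
    """Collect the principal names (without realm) from a klist-style listing."""
    principals = set()
    for line in text.splitlines():
        m = KEYTAB_RE.match(line)
        if m:
            principals.add(m.group("principal"))
    return principals


def triage(log_text, keytab_text):
    """Walk the adclient log once and record every fact relevant to the chain."""
    t = Triage(parse_keytab(keytab_text))
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # not an adclient line; ignore
        msg = m.group("msg")
        spn = SPN_MISSING_RE.search(msg)
        user = USER_FAIL_RE.search(msg)
        nohash = NO_HASH_RE.search(msg)
        if spn:
            t.missing_spns.add(spn.group("spn"))
        elif user:
            t.failed_users[user.group("user")] = user.group("reason")
        elif "disconnected mode" in msg:
            t.disconnected = True
        elif nohash:
            t.cache_misses.add(nohash.group("user"))
    return t


def verdict(t):
    """Turn the collected facts into the conclusions a human would draw."""
    findings = []
    for spn in sorted(t.missing_spns):
        if spn in t.keytab_principals:
            findings.append(f"{spn}: key present in krb5.keytab but the KDC cannot resolve the SPN; "
                            "look for more than one AD computer object carrying this servicePrincipalName")
        else:
            findings.append(f"{spn}: absent from both the KDC and krb5.keytab; check the local keytab first")
    for user, reason in sorted(t.failed_users.items()):
        if "Server not found in Kerberos database" in reason:
            findings.append(f"{user}: KDC returned S_PRINCIPAL_UNKNOWN while fetching service credentials")
    if t.disconnected:
        who = ", ".join(sorted(t.cache_misses)) or "nobody"
        findings.append(f"adclient is in disconnected mode; users with no cached hash cannot log in: {who}")
    return findings


if __name__ == "__main__":
    for finding in verdict(triage(SAMPLE_LOG, SAMPLE_KEYTAB)):
        print("-", finding)
```

The distinction drawn in verdict() is the one that matters in practice: a host principal missing from the keytab is a local (re)join problem, whereas a principal present in the keytab but unknown to the KDC points at the directory, and the next step is the ldapsearch in the fix section.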
 
Steps to fix:
 
Run the following check on another machine that is joined to the domain (the affected host is in disconnected mode and cannot query AD reliably).
 
As root, run:
 
  /usr/share/centrifydc/bin/ldapsearch -m -r "(serviceprincipalname=host/osei5005.secure.yourcompany.com*)" 
 
where osei5005.secure.yourcompany.com is the DNS name of the Centrify-managed server in question. The search returns every AD object whose servicePrincipalName starts with that host SPN; a healthy host returns exactly one entry.
 
The output in this case was:
 
root@tstl5087:/u/data/cfg $ /usr/share/centrifydc/bin/ldapsearch -m -r "(serviceprincipalname=host/osei5005.secure.yourcompany.com*)"
SASL/GSSAPI authentication started
SASL SSF: 56
SASL installing layers
# extended LDIF
#
# LDAPv3
# base <> with scope sub
# filter: (serviceprincipalname=host/osei5005.secure.yourcompany.com*)
# requesting: ALL
# with pagedResults control: size=100
#
 
# osei5005, UNIX Servers, Unix, homeoffice.yourcompany.com
dn: CN=osei5005,OU=UNIX Servers,OU=Unix,DC=homeoffice,DC=yourcompany,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
cn: osei5005
distinguishedName: CN=osei5005,OU=UNIX Servers,OU=Unix,DC=homeoffice,DC=yourcompany,DC=com
instanceType: 4
whenCreated: 20130702141711.0Z
whenChanged: 20130712142035.0Z
uSNCreated: 268457713
uSNChanged: 279701430
name: osei5005
objectGUID:: nPV7w2tPOkqCPU/H/rfSoA==
userAccountControl: 4096
codePage: 0
countryCode: 0
lastLogon: 130179862980566516
localPolicyFlags: 0
pwdLastSet: 130179682721133826
primaryGroupID: 515
objectSid:: AQUAAAAAAAUVAAAA3UnnXncfWH/cFu4SGoEIAA==
accountExpires: 9223372036854775807
logonCount: 8
sAMAccountName: osei5005$
sAMAccountType: 805306369
operatingSystem: AIX
operatingSystemVersion: 5.3
operatingSystemServicePack: CentrifyDC 5.1.0-497:Z:CDC
dNSHostName: osei5005.secure.yourcompany.com
servicePrincipalName: nfs/osei5005.secure.yourcompany.com
servicePrincipalName: nfs/osei5005
servicePrincipalName: http/osei5005.secure.yourcompany.com
servicePrincipalName: http/osei5005
servicePrincipalName: host/osei5005.secure.yourcompany.com
servicePrincipalName: host/osei5005
servicePrincipalName: ftp/osei5005.secure.yourcompany.com
servicePrincipalName: ftp/osei5005
servicePrincipalName: cifs/osei5005.secure.yourcompany.com
servicePrincipalName: cifs/osei5005
objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=yourcompany,DC=com
isCriticalSystemObject: FALSE
dSCorePropagationData: 16010101000000.0Z
lastLogonTimestamp: 130181123509692580
 
# osei5005
CNF:1567331e-1ba4-4f10-94ce-5340dce878e2, UNIX Servers, Unix, homeoffice.yourcompany.com
dn: CN=osei5005\0ACNF:1567331e-1ba4-4f10-94ce-5340dce878e2,OU=UNIX Servers,OU=Unix,DC=homeoffice,DC=yourcompany,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
cn:: b3NlaTUwMDUKQ05GOjE1NjczMzFlLTFiYTQtNGYxMC05NGNlLTUzNDBkY2U4NzhlMg==
distinguishedName: CN=osei5005\0ACNF:1567331e-1ba4-4f10-94ce-5340dce878e2,OU=UNIX Servers,OU=Unix,DC=homeoffice,DC=yourcompany,DC=com
instanceType: 4
whenCreated: 20130702141559.0Z
whenChanged: 20130702142536.0Z
uSNCreated: 268460161
uSNChanged: 268465981
name:: b3NlaTUwMDUKQ05GOjE1NjczMzFlLTFiYTQtNGYxMC05NGNlLTUzNDBkY2U4NzhlMg==
objectGUID:: HjNnFaQbEE+UzlNA3Oh44g==
userAccountControl: 4096
codePage: 0
countryCode: 0
localPolicyFlags: 0
pwdLastSet: 130172481699742466
primaryGroupID: 515
objectSid:: AQUAAAAAAAUVAAAA3UnnXncfWH/cFu4StIsIAA==
accountExpires: 9223372036854775807
sAMAccountName: $DUPLICATE-88bb4
sAMAccountType: 805306369
operatingSystem: AIX
operatingSystemVersion: 5.3
dNSHostName: osei5005.secure.yourcompany.com
servicePrincipalName: cifs/$DUPLICATE-88bb4
servicePrincipalName: ftp/$DUPLICATE-88bb4
servicePrincipalName: host/$DUPLICATE-88bb4
servicePrincipalName: http/$DUPLICATE-88bb4
servicePrincipalName: nfs/$DUPLICATE-88bb4
servicePrincipalName: nfs/osei5005.secure.yourcompany.com
servicePrincipalName: http/osei5005.secure.yourcompany.com
servicePrincipalName: host/osei5005.secure.yourcompany.com
servicePrincipalName: ftp/osei5005.secure.yourcompany.com
servicePrincipalName: cifs/osei5005.secure.yourcompany.com
objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=yourcompany,DC=com
isCriticalSystemObject: FALSE
dSCorePropagationData: 16010101000000.0Z
lastLogonTimestamp: 130172481686482211
 
# search result
search: 5
result: 0 Success
control: 1.2.840.113556.1.4.319 false MIQAAAAFAgEABAA=
 
# numResponses: 3
# numEntries: 2
 
 
The result contains two entries (numEntries: 2), i.e. two computer objects both carry servicePrincipalName: host/osei5005.secure.yourcompany.com. The second one is the duplicate:
 
dn: CN=osei5005\0ACNF:1567331e-1ba4-4f10-94ce-5340dce878e2,OU=UNIX Servers,OU=Unix,DC=homeoffice,DC=yourcompany,DC=com
 
Its name tells the story. "\0ACNF:<GUID>" is the suffix Active Directory appends when it resolves a replication conflict: the same object was created on two domain controllers before they replicated, and the losing copy is renamed with its own objectGUID (the GUID in the suffix here is this object's objectGUID). The sAMAccountName $DUPLICATE-88bb4 is the matching conflict rename of the account name. The whenCreated values (14:15:59Z and 14:17:11Z on 2 July 2013) show the two objects were created just over a minute apart, which fits a computer joined twice, or against two different DCs, before replication converged. The conflict object has no lastLogon and has not changed since the day it was created, while the real object (sAMAccountName: osei5005$) has a logonCount and a recent lastLogon, so the CNF object is the stale copy to remove.
 
A) Remove the duplicate SPN by deleting the conflict object (CN=osei5005\0ACNF:...) with Microsoft's ADSI Edit, after confirming as above that it is the stale copy. Then re-run the ldapsearch from the healthy machine until it returns a single entry (allow for replication), and run adinfo --diag on the affected host, which the WARN message itself recommends for checking multiple computer accounts with the same SPN.
 
B) For the Tectia SSH "double prompt for password" symptom, change the Tectia server configuration so that it does not use keyboard-interactive authentication and goes straight to PAM instead of LAM (AIX's Loadable Authentication Module; the host here is AIX 5.3).
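The interpretation above, as an added example in Python (not part of the article or of Centrify's tooling): it parses ldapsearch LDIF output, reports every SPN that is registered on more than one object, and identifies replication-conflict objects by the "\0ACNF:<GUID>" marker in the CN, confirming that the GUID in the marker is the object's own objectGUID and that the sAMAccountName was renamed to "$DUPLICATE-...". The LDIF embedded in it is a constructed, abridged version of the result shown above, with one DN deliberately folded across two lines to show that LDIF continuation lines are handled.

```python
"""Find SPNs registered on more than one AD object in ldapsearch LDIF output
and flag replication-conflict (CNF:) objects.

Added example, not Centrify tooling. SAMPLE_LDIF is a constructed, abridged
version of the ldapsearch result in the KB article.
"""
import base64
import re
import uuid
from collections import defaultdict

# Constructed sample (abridged from the article). The second dn is folded the
# way ldapsearch folds long lines: continuation lines start with one space.
SAMPLE_LDIF = r"""# extended LDIF
#
# LDAPv3
# filter: (serviceprincipalname=host/osei5005.secure.yourcompany.com*)

dn: CN=osei5005,OU=UNIX Servers,OU=Unix,DC=homeoffice,DC=yourcompany,DC=com
cn: osei5005
whenCreated: 20130702141711.0Z
objectGUID:: nPV7w2tPOkqCPU/H/rfSoA==
sAMAccountName: osei5005$
dNSHostName: osei5005.secure.yourcompany.com
servicePrincipalName: host/osei5005.secure.yourcompany.com
servicePrincipalName: host/osei5005
servicePrincipalName: cifs/osei5005.secure.yourcompany.com
lastLogon: 130179862980566516

dn: CN=osei5005\0ACNF:1567331e-1ba4-4f10-94ce-5340dce878e2,OU=UNIX Servers,OU=U
 nix,DC=homeoffice,DC=yourcompany,DC=com
cn:: b3NlaTUwMDUKQ05GOjE1NjczMzFlLTFiYTQtNGYxMC05NGNlLTUzNDBkY2U4NzhlMg==
whenCreated: 20130702141559.0Z
objectGUID:: HjNnFaQbEE+UzlNA3Oh44g==
sAMAccountName: $DUPLICATE-88bb4
dNSHostName: osei5005.secure.yourcompany.com
servicePrincipalName: host/$DUPLICATE-88bb4
servicePrincipalName: host/osei5005.secure.yourcompany.com
servicePrincipalName: cifs/osei5005.secure.yourcompany.com

# search result
search: 5
result: 0 Success
"""

BINARY_ATTRS = {"objectguid", "objectsid"}          # keep these as bytes
# Conflict marker as it appears in a decoded cn (real newline) or in a DN (\0A escape).
CNF_RE = re.compile(r"(?:\n|\\0A)CNF:([0-9a-fA-F-]{36})")


def unfold(text):
    """Join LDIF continuation lines (leading space) onto the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Return one dict (attribute -> list of values) per entry that has a dn.
    '#' lines are comments, 'attr:: v' is base64, blank lines end an entry."""
    entries, entry = [], None
    for line in unfold(text) + [""]:
        if line.startswith("#"):
            continue
        if not line.strip():
            if entry is not None and "dn" in entry:
                entries.append(entry)
            entry = None
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):                       # attr:: base64 value
            raw = base64.b64decode(value[1:].strip())
            value = raw if name.lower() in BINARY_ATTRS else raw.decode("utf-8")
        else:
            value = value.strip()
        if entry is None:
            entry = defaultdict(list)
        entry[name].append(value)
    return entries


def guid_str(raw):
    """AD stores objectGUID with the first three fields little-endian."""
    return str(uuid.UUID(bytes_le=raw))


def duplicate_spns(entries):
    """Map each SPN that is held by more than one object to the owning DNs."""
    owners = defaultdict(list)
    for e in entries:
        for spn in e.get("servicePrincipalName", []):
            owners[spn.lower()].append(e["dn"][0])
    return {spn: dns for spn, dns in owners.items() if len(dns) > 1}


def conflict_guid(entry):
    """GUID from a 'CNF:' conflict marker in cn or dn, or None for a live object."""
    for value in entry.get("cn", []) + entry.get("dn", []):
        m = CNF_RE.search(value)
        if m:
            return m.group(1).lower()
    return None


def classify(entries):
    """Split entries into live objects and replication-conflict objects, and
    check that the CNF marker really is the object's own objectGUID."""
    live, conflicts = [], []
    for e in entries:
        marker = conflict_guid(e)
        if marker is None:
            live.append(e)
            continue
        sam = e.get("sAMAccountName", [""])[0]
        conflicts.append({
            "dn": e["dn"][0],
            "marker": marker,
            "marker_is_objectguid": guid_str(e["objectGUID"][0]) == marker,
            "sam_renamed": sam.startswith("$DUPLICATE-"),
        })
    return live, conflicts


if __name__ == "__main__":
    found = parse_ldif(SAMPLE_LDIF)
    for spn, dns in sorted(duplicate_spns(found).items()):
        print(f"duplicate SPN {spn} on {len(dns)} objects")
    live, conflicts = classify(found)
    for c in conflicts:
        print("conflict object:", c["dn"], "marker matches objectGUID:", c["marker_is_objectguid"])
```

Feed it the real ldapsearch output (saved to a file and read into parse_ldif) instead of SAMPLE_LDIF; a host with no problem yields no duplicate SPNs and no conflict objects, and a duplicate created by something other than a replication conflict (for example a stale object under a different CN) shows up in duplicate_spns() but not in the conflicts list, which is the case where you must decide by hand which object is stale.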
 
 
