All versions of Centrify DirectControl

Problem:
Users are denied access when trying to log in via SSH. The following message is seen in the SSH debug logs:
User <user_name> not allowed because none of user's groups are listed in AllowGroups
OpenSSH’s configuration file is sshd_config. If using Centrify-Enabled OpenSSH, the path is /etc/centrifydc/ssh/sshd_config.
By default, the AllowGroups parameter does not exist in sshd_config, but it is a valid parameter.
If it is added to sshd_config with a space-delimited list of groups, SSH login access is restricted to users who are members of the listed group(s).
AllowGroups <unix_group_1> <unix_group_2> … <unix_group_n>
Not having the AllowGroups parameter in the sshd_config file will allow all users to log in.

Resolution:
Either remove or comment out (remark) the AllowGroups parameter in the sshd_config file, or add the necessary groups that the AD users are members of to the AllowGroups parameter to allow them to log in.
After making the changes and saving the sshd_config file, restart the sshd agent for those settings to take effect:
/etc/init.d/centrify-sshd restart

Note:
See “man sshd_config” for all known parameters.
See also the following KBs:
KB-5452: How to enable debug for PuTTy / SSH clients?
KB-1698: Troubleshooting Single Sign On (SSO) issues
KB-4303: How to troubleshoot SSH Single-Sign-On (SSO) and nested SSO?
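
To confirm this cause before editing sshd_config, the following added example (not part of the original KB and not a Centrify or OpenSSH tool) compares the groups that `id -Gn` reports for a user with the global AllowGroups entries. The script and its function names are hypothetical; it assumes entries are plain names or `*`/`?` patterns and it does not evaluate Match blocks.

```shell
#!/bin/sh
# Added example (hypothetical helper, not a Centrify or OpenSSH tool).
# Usage: sh check_allowgroups.sh <user> [path to sshd_config]

# Print each group pattern from the global AllowGroups lines, one per line.
# The keyword is matched case-insensitively and commented-out lines are skipped.
# Parsing stops at the first Match block, which this example does not evaluate.
allowgroups_patterns() {
    awk 'tolower($1) == "match"       { exit }
         tolower($1) == "allowgroups" { for (i = 2; i <= NF; i++) print $i }' "$1"
}

# Return 0 if any group in $1 matches any pattern in $2 (whitespace-separated).
# Entries are compared as shell patterns, so * and ? wildcards are honoured.
groups_match() {
    set -f    # stop * and ? in the patterns from expanding to file names
    for g in $1; do
        for p in $2; do
            case "$g" in $p) set +f; return 0 ;; esac
        done
    done
    set +f
    return 1
}

# Explain the AllowGroups decision for user $1 against config file $2.
check_user() {
    patterns=$(allowgroups_patterns "$2")
    if [ -z "$patterns" ]; then
        echo "AllowGroups not set in $2: logins are not restricted by group"
        return 0
    fi
    user_groups=$(id -Gn "$1") || return 2
    if groups_match "$user_groups" "$patterns"; then
        echo "$1 allowed: at least one group is listed in AllowGroups"
    else
        echo "$1 denied: groups [$user_groups] match none of:"
        echo "$patterns"
        return 1
    fi
}

# Run only when a user name is given; the default path is the Centrify one.
if [ $# -ge 1 ]; then
    check_user "$1" "${2:-/etc/centrifydc/ssh/sshd_config}"
fi
```

Run it on the affected host so that `id -Gn` resolves the same group memberships the SSH server sees.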