Centrify

Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >
article

KB-3705: Cannot login AD user via SSH (not listed in AllowGroups)

Authentication Service ,  

3 March,17 at 09:01 PM

Applies To:

All versions of Centrify DirectControl


Problem:

Users are denied access when trying to login via SSH. The following message is seen in the ssh debug logs:
 
User <user_name> not allowed because none of user's groups are listed in AllowGroups


Cause:

OpenSSH’s configuration file is sshd_config. If using Centrify-Enabled OpenSSH, the path is /etc/centrifydc/ssh/sshd_config.

By default, the AllowGroups parameter does not exist in sshd_config, but is a valid parameter.

If added in sshd_config with a space-delimited list of groups, SSH login access is restricted to users who are members of the group(s).
 
AllowGroups <unix_group_1> <unix_group_2> … <unix_group_n>

Not having AllowGroups parameter in the sshd_config file will allow all users to log in.


Resolution:
 
Either remove or remark the AllowGroups parameter in the sshd_config file or add the necessary groups that the AD users are a member to the AllowGroups parameter of to allow them to login.

After making the changes and saving the sshd_config file, restart the sshd agent for those settings to take affect.

/etc/init.d/centrify-sshd restart


Note:
See “man sshd_config” for all known parameters.

See also the following KBs:
KB-5452: How to enable debug for PuTTy / SSH clients?
KB-1698: Troubleshooting Single Sign On (SSO) issues
KB-4303: How to troubleshoot SSH Single-Sign-On (SSO) and nested SSO?
 

Related Articles

 articleKB-6040: How to change the license type in use after adclient successful joined to the AD? articleHOWTO: Perform a manual migration of local groups (/etc/group) to Active Directory articleKB-6041: How to show current license type in use by adclient articleKB-20210: Common Questions Regarding Centrify DirectControl and CoreOS articleKB-7555: Unable to login as root after upgrade to Centrify Suite 2016 (CDC 5.3.0) article[TIPS] A Centrify Server Suite Cheat Sheet article[How To] Enable Symantec VIP MFA for Centrify Server Suite on Linux Part III articleKB-6038: How to specify the license type to use when joining the server to AD using adjoin? article[How To] Enable Symantec VIP MFA for Centrify Server Suite on Linux Part I