Centrify

Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >
article

KB-6349: Some Versions of AIX 7.1 (TL0-SP0) SSHD Willl Not Allow Login When Direct Audit Is Enabled

10 March,17 at 05:26 PM

Applies to: Direct Audit Suite 2015.1 and 2016 on some AIX 7.1(TL0-SP0)

Problem: 
Local users are unable to login via ssh on some AIX 7.1 (TL0-SP0) hosts when stock ssh is installed and Direct Audit is enabled.

Example:
#ssh myaixmachine -l localuser localuser@myaixmachine's password: Connection to myaixmachine closed by remote host. Connection to myaixmachine closed.

In the Centrify sshd debug trace messages such as these appear:
debug3: AIX SYSTEM attribute CENTRIFYDC OR (CENTRIFYDC[NOTFOUND] AND ((CENTRIFYDALOCAL AND (compat)) OR (CENTRIFYDALOCAL[NOTFOUND] AND (compat)))) 
debug3: do_getpwnam_aix: unable to getauthdb as no setauthdb called previously, ignoring ...... 
debug2: aix_getauthmethods: Return auth methods 'CENTRIFYDC' for getpwuid/getpwnam 
debug2: aix_getauthmethods: Return auth methods 'CENTRIFYDALOCAL' for getpwuid/getpwnam 
debug3: do_getpwnam_aix: AIX/setauthdb set registry 'CENTRIFYDC' 
debug3: do_getpwnam_aix: AIX/found user locutus with registry 'CENTRIFYDC' 
debug3: aix_registry: AIX/getuserattr get user registry 'CENTRIFYDC' 
debug3: AIX/setauthdb set registry 'CENTRIFYDC'

In the stock sshd debug trace message such as these appear:
debug3: AIX SYSTEM attribute CENTRIFYDC OR (CENTRIFYDC[NOTFOUND] AND ((CENTRIFYDALOCAL AND (compat)) OR (CENTRIFYDALOCAL[NOTFOUND] AND (compat)))) 
debug3: AIX/setauthdb set registry 'CENTRIFYDALOCAL' Centrify modifies sshd to run through the auth methods and correctly picked CENTRIFYDC. Note CENTRIFYDALOCAL does not perform authentication. Thus, the authentication fails.
 
Cause:
The root cause is that the stock sshd does not set authdb correctly.
 
Resolution:
This is a known issue.  AIX O/S (TL0-SP0) sshd does not work with Centrify.  The recommendation from Centrify is to use Centrify sshd.
 
Notes:
1. This issue does not exist for Active Directory users and “root”.
2. This issue does not exist when Direct Audit auditing is disabled
3. This issue does not exist on AIX 6.1(TL2-SP1) and AIX 7.1(TL3-SP3)​

Related Articles

 article[How To] Enable Symantec VIP MFA for Centrify Server Suite on Linux Part I article[How To] Enable Symantec VIP MFA for Centrify Server Suite on Linux Part II article[How To] Enable Symantec VIP MFA for Centrify Server Suite on Linux Part III articleKB-7555: Unable to login as root after upgrade to Centrify Suite 2016 (CDC 5.3.0) articleKB-6041: How to show current license type in use by adclient articleKB-20210: Common Questions Regarding Centrify DirectControl and CoreOS articleKB-6040: How to change the license type in use after adclient successful joined to the AD? articleKB-6073: How to join the Linux/Unix Centrify Server to Active Directory with specific Computer Role? articleKB-6056: How to report the group policy settings that are in effect for the local computer?