A new AD user is granted UNIX login rights and provisioned into Centrify. The account is flagged “Change Password on First Login”, but if that first login is to a UNIX machine, the user is not prompted to change the password; the login session simply closes.
Applies to: All supported versions of SSH on DirectControl in a one-way cross-forest environment.
Problem: A newly provisioned user opens PuTTY and connects over SSH to a UNIX server that is joined to Active Directory with Centrify. The user logs in with the credentials they were given but is immediately disconnected from the UNIX server with no error message.
Cause: The Kerberos ports on the user's domain controller are closed, so authentication falls back to NTLM. When NTLM authentication is used in this type of network (a one-way cross-forest trust), Centrify does not support the expired-password change sequence.
Resolution: Open the Kerberos ports 88 and 464 (port 88 for Kerberos authentication, port 464 for the kpasswd password-change service) on the user's domain controller so that the Centrify-joined UNIX host can reach them.
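The following script is an added diagnostic, not part of the Centrify KB text, for confirming from the Centrify-joined UNIX host that both Kerberos ports on the user's home-domain controller are reachable before and after the firewall change. It assumes a bash-capable host (it uses nc when installed and otherwise bash's /dev/tcp pseudo-device), checks TCP only, and takes a placeholder DC name such as dc01.users.example as its argument; the DC to test is the one serving the user's own domain in the trusted forest, which is not necessarily the DC the machine is joined to.

```shell
#!/usr/bin/env bash
# Added diagnostic (not part of the Centrify KB article): from the
# Centrify-joined UNIX host, confirm that the Kerberos ports on the user's
# home-domain DC accept connections. If TCP 88 or 464 is blocked, DirectControl
# falls back to NTLM and the change-password-on-first-login sequence cannot
# complete, which matches the symptom described above.

# tcp_open HOST PORT -> returns 0 when a TCP connection can be established.
# Prefers nc; otherwise uses bash's /dev/tcp (wrapped in coreutils' timeout
# when available so a silently filtered port does not hang the check).
tcp_open() {
    local host=$1 port=$2
    if command -v nc >/dev/null 2>&1; then
        nc -z -w 3 "$host" "$port" >/dev/null 2>&1
    elif command -v timeout >/dev/null 2>&1; then
        timeout 3 bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null
    else
        # No timeout available: a dropped SYN may take the kernel's full
        # connect timeout before this reports BLOCKED.
        bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null
    fi
}

# kerberos_ports_ok DC -> prints one line per port and returns 0 only when
# both the KDC port (88) and the kpasswd port (464) accept connections.
kerberos_ports_ok() {
    local dc=$1 rc=0 spec port label
    for spec in "88:Kerberos KDC" "464:kpasswd (password change)"; do
        port=${spec%%:*}
        label=${spec#*:}
        if tcp_open "$dc" "$port"; then
            printf '%s tcp/%s %s: open\n' "$dc" "$port" "$label"
        else
            printf '%s tcp/%s %s: BLOCKED\n' "$dc" "$port" "$label"
            rc=1
        fi
    done
    return $rc
}

# Usage: ./kerberos_ports.sh dc01.users.example   (placeholder DC name)
# With no argument the script only defines the functions above.
if [ -n "$1" ]; then
    kerberos_ports_ok "$1"
fi
```

Run it once before the firewall change to confirm the BLOCKED lines correspond to the ports named in the resolution, and again afterwards; a non-zero exit status means at least one of the two ports is still unreachable from this host. Because the check is TCP-only, a DC that answers on both ports here but still fails a login is worth checking for UDP 88 filtering as well.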