Centrify Express 5.4.3-887 can't SSH. Only on 1 out of 45 servers.
09-17-2018 09:01 AM
CentrifyDC mode: connected
Licensed Features: Enabled
If I do:
ID cnoyes (my user) it returns correct AD information.
Invalid user DOMAIN\\cnoyes from vpn-ip
input_userauth_request: invalid user DOMAIN\\cnoyes
pam_unix(sshd:auth): check pass; user unknown
pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=vpn-ip
pam_succeed_if(sshd:auth): error retrieving information about user domain\cnoyes
Failed password for invalid user DOMAIN\\cnoyes from vpn-ip port 58498 ssh2
Connection closed by vpn-ip
The weird thing is I have another server that was cloned from this server that works fine.
The difference I see if I compare adinfo -diag information with the cloned system is this:
Init context: system_u:system_r:init_t:s0
Init context: system_u:system_r:init_t:s0
Can anyone help me troubleshoot SSHD?
09-18-2018 09:53 PM
Welcome to Centrify Community!
We will need to collect more debugging information for troubleshooting.
09-19-2018 09:09 AM
Amy had replied yesterday via the email of this registered account. Could you help to check if you received it? The sender should be Centrify Technical Support. Please let us know in case you did not receive it. If you did receive it, you can simply reply to the email and it will trigger an update for us. Thank you!
09-19-2018 10:30 AM
This is a proof of concept for us. I'm using Centrify Express, I'm not a registered account (yet).
I believe I posted this in the community support forum?
Anyway I don't think I have access to see that ticket
And since I'm not a registered account, I don't get those emails.
09-20-2018 01:29 AM
The provided log snippet indicates the user name is invalid. Could you please check if this is the same username format you used on other working servers? Is this server joined to the same AD domain and Centrify zone like other servers?
To further investigate this issue, please find the debugging steps below and collect the required log files.
Please send the files to our DL address email@example.com.
Please check the debugging steps below and collect the log files from the problematic server.
========== On SSH server ===========
1, Based on the adinfo --diag output this server is running with stock OpenSSH.
If it's stock SSH, it should look like this when running command '#ps -ef | grep sshd':
root 12427 1 0 Feb15 00:00:04 /usr/sbin/sshd
2, Enable debug 3 for SSH issue on SSH server and enable Centrify Debug mode
a) Modify the sshd_config file to uncomment and change the values from:
b) Save the changes
c) Restart OpenSSHd from the /etc/init.d script
d) Enable Centrify debug mode by running
Make sure /var/log/centrifydc.log is growing in size.
e) Please run the following commands to get basic information for user
# adquery user AD_User_Name -A > /tmp/adquery_user.txt
# dzinfo AD_User_Name -A > /tmp/dzinfo.txt
3, Start sshd in debug mode, using full path, specifying a different port number like say 2022, and the following options:
#/usr/sbin/sshd -ddde -p 2022 > sshd.log 2>&1
========== Please go to SSH client ===========
4, Please reproduce the ssh issue from client side by running:
$ ssh -vvv -p 2022 AD_User_Name@Server_Name
Please save the output into a file, e.g. ssh_output.txt
========== Please go back to SSH server ===========
5, Please disable debug mode
#adinfo -t [AD_domain_name]
(Depending on how large the AD environment is, this may take a long time to return to prompt and so please stop with Ctrl+C once it is felt the issue has been captured.)
6, Please reverse the changes related to Debug3 in step 2.
We need the following files:
a) /tmp/dzinfo.txt and /tmp/adquery_user.txt from ssh server in step 2
b) /tmp/sshd.log from the ssh server in step 3
c) ssh_output.txt from ssh client in step 4
d) sshd_config from ssh server
e) /var/centrify/tmp/adinfo_support.tar.gz from ssh server
09-20-2018 11:21 AM
I emailed the requested logs.
Since running sshd manually on port 2022 worked, I ran it again on port 22. And it worked.
I included sshd logs and the verbose ssh connection output from both.
If I start the sshd service again it fails. I included the verbose ssh connection output for that as well.
So Centrify is working fine, this must be an SSHD issue.
How is the normal operation of SSHD different from the manual process you had me run?
10-17-2018 09:51 PM
We have not heard from you since the last sync-up.
As discussed with Fel, this issue is weird, as it was verified during the debugging steps that it only occurs when you start sshd through initd. If you start sshd manually then logon works. Our recommendation is to re-install SSHD.
Please let us know if issue persists after re-installation.
10-18-2018 06:33 AM
We are going to clone another system and reconfigure.
Thanks for all your help.
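The auth log lines in the opening post show sshd and PAM reporting the name as invalid or unknown, which is a different failure from a rejected password. The following is an added example, not part of the thread or any Centrify tooling: a small triage script that separates the two cases per user. The function names, verdict strings and the `localadmin` line are assumptions made for the illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the sshd/PAM lines quoted in the opening post, plus one
# constructed line (localadmin) showing a wrong password for a known account.
SAMPLE_LOG = r"""
Invalid user DOMAIN\\cnoyes from vpn-ip
input_userauth_request: invalid user DOMAIN\\cnoyes
pam_unix(sshd:auth): check pass; user unknown
pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=vpn-ip
pam_succeed_if(sshd:auth): error retrieving information about user domain\cnoyes
Failed password for invalid user DOMAIN\\cnoyes from vpn-ip port 58498 ssh2
Failed password for localadmin from vpn-ip port 58510 ssh2
"""

# sshd or PAM reported the name itself as invalid or unknown.
LOOKUP_FAIL = re.compile(
    r"(?:invalid user|error retrieving information about user) (\S+)", re.I)
# The account was accepted as valid, but the credential was rejected.
BAD_PASSWORD = re.compile(r"Failed password for (?!invalid user )(\S+) from ")


def normalize(user):
    # The log shows the name with one or two backslashes and mixed case; fold them.
    return "\\".join(part for part in user.split("\\") if part).lower()


def triage(log_text):
    """Return {user: {'lookup_failed': n, 'bad_password': n, 'verdict': str}}."""
    stats = defaultdict(lambda: {"lookup_failed": 0, "bad_password": 0})
    for line in log_text.splitlines():
        m, kind = LOOKUP_FAIL.search(line), "lookup_failed"
        if not m:
            m, kind = BAD_PASSWORD.search(line), "bad_password"
        if m:
            stats[normalize(m.group(1))][kind] += 1
    for counts in stats.values():
        # Any lookup failure wins: the password was never tested against a
        # real account, so resetting or retyping it cannot help.
        counts["verdict"] = ("name not resolved by sshd" if counts["lookup_failed"]
                             else "password rejected for known account")
    return dict(stats)


if __name__ == "__main__":
    for user, result in triage(SAMPLE_LOG).items():
        print(user, result)
```

A "name not resolved by sshd" verdict for a user that `id` resolves from a shell points at how the sshd service sees name lookups, which matches the manual-start versus init-start difference found later in the thread.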