Centrify Express 5.4.3-887 can't SSH. Only on 1 out of 45 servers.

Participant II
Posts: 4
Registered: ‎09-17-2018
#1 of 9 1,592

Centrify Express 5.4.3-887 can't SSH. Only on 1 out of 45 servers.

adinfo shows:

CentrifyDC mode: connected
Licensed Features: Enabled

 

If I do:

id cnoyes (my user), it returns correct AD information.

 

/var/log/secure shows:

Invalid user DOMAIN\\cnoyes from vpn-ip
input_userauth_request: invalid user DOMAIN\\cnoyes
pam_unix(sshd:auth): check pass; user unknown
pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=vpn-ip
pam_succeed_if(sshd:auth): error retrieving information about user domain\cnoyes
Failed password for invalid user DOMAIN\\cnoyes from vpn-ip port 58498 ssh2
Connection closed by vpn-ip

 

The weird thing is I have another server that was cloned from this server that works fine.

The difference I see if I compare adinfo --diag information with the cloned system is this:

 

BAD SYSTEM

Init context: system_u:system_r:init_t:s0
/sbin/mingetty system_u:system_r:getty_t:s0
/usr/sbin/sshd unconfined_u:system_r:sshd_t:s0-s0:c0.c1023

 

GOOD SYSTEM

Init context: system_u:system_r:init_t:s0
/sbin/mingetty system_u:system_r:getty_t:s0
/usr/sbin/sshd system_u:system_r:sshd_t:s0-s0:c0.c1023

 

Can anyone help me troubleshoot SSHD?
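The comparison of the two adinfo --diag excerpts in the post above, done field by field. This is an added example, not part of the original post and not Centrify tooling; the helper name diff_contexts and the CTX_BAD/CTX_GOOD variable names are made up here.

```bash
#!/usr/bin/env bash
# Added example: field-by-field comparison of SELinux process contexts taken
# from two "adinfo --diag" excerpts. Line format: "<label> user:role:type:level".

# Excerpts copied from the post above.
BAD='Init context: system_u:system_r:init_t:s0
/sbin/mingetty system_u:system_r:getty_t:s0
/usr/sbin/sshd unconfined_u:system_r:sshd_t:s0-s0:c0.c1023'
GOOD='Init context: system_u:system_r:init_t:s0
/sbin/mingetty system_u:system_r:getty_t:s0
/usr/sbin/sshd system_u:system_r:sshd_t:s0-s0:c0.c1023'

# diff_contexts BAD_TEXT GOOD_TEXT (hypothetical helper name)
# Prints "<label> <field>: <bad> != <good>" for every field that differs.
diff_contexts() {
  CTX_BAD="$1" CTX_GOOD="$2" awk '
    function load(text, table,    n, i, lines, ctx, key) {
      n = split(text, lines, "\n")
      for (i = 1; i <= n; i++) {
        if (lines[i] == "") continue
        ctx = lines[i]; sub(/^.* /, "", ctx)      # last word is the context
        key = lines[i]; sub(/ [^ ]*$/, "", key)   # the rest is the label
        table[key] = ctx
      }
    }
    function fields(ctx, out,    n, p, i) {
      n = split(ctx, p, ":")
      for (i = 1; i <= 4; i++) out[i] = p[i]
      # The MLS level can contain ":" itself (s0-s0:c0.c1023); rejoin it.
      for (i = 5; i <= n; i++) out[4] = out[4] ":" p[i]
    }
    BEGIN {
      split("user role type level", name, " ")
      split("", b); split("", g)
      load(ENVIRON["CTX_BAD"], b); load(ENVIRON["CTX_GOOD"], g)
      for (key in b) {
        if (!(key in g) || b[key] == g[key]) continue
        fields(b[key], fb); fields(g[key], fg)
        for (i = 1; i <= 4; i++)
          if (fb[i] != fg[i])
            printf "%s %s: %s != %s\n", key, name[i], fb[i], fg[i]
      }
    }' | sort
}

diff_contexts "$BAD" "$GOOD"
```

Only the SELinux user field of /usr/sbin/sshd differs between the two hosts; the role, the sshd_t type and the level are identical. The thread does not establish whether that difference is related to the login failure.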

Centrify Contributor II
Posts: 22
Registered: ‎11-18-2013
#2 of 9 1,573

Re: Centrify Express 5.4.3-887 can't SSH. Only on 1 out of 45 servers.


Hi @ChuckNo,

 

Welcome to Centrify Community!

 

 

We will need to collect more debugging information for troubleshooting. 

 

Thank you!

Amy

Participant II
Posts: 4
Registered: ‎09-17-2018
#3 of 9 1,565

Re: Centrify Express 5.4.3-887 can't SSH. Only on 1 out of 45 servers.

Can you link me to that ticket please?
Centrify Advisor IV
Posts: 81
Registered: ‎02-18-2015
#4 of 9 1,543

Re: Centrify Express 5.4.3-887 can't SSH. Only on 1 out of 45 servers.


Hi @ChuckNo,

 

Amy replied yesterday via email to this registered account. Could you check whether you received it? The sender should be Centrify Technical Support. Please let us know in case you did not receive it. If you did receive it, you can simply reply to the email and it will trigger an update for us. Thank you!

 

Regards,

Albert

Participant II
Posts: 4
Registered: ‎09-17-2018
#5 of 9 1,529

Re: Centrify Express 5.4.3-887 can't SSH. Only on 1 out of 45 servers.

This is a proof of concept for us. I'm using Centrify Express, I'm not a registered account (yet).

 

I believe I posted this in the community support forum?

Anyway I don't think I have access to see that ticket

And since I'm not a registered account, I don't get those emails.

Centrify Contributor II
Posts: 22
Registered: ‎11-18-2013
#6 of 9 1,502

Re: Centrify Express 5.4.3-887 can't SSH. Only on 1 out of 45 servers.

Hi @ChuckNo

 

The provided log snippet indicates the user name is invalid, could you please check if this is the same username format you used on other working servers? Is this server joined to the same AD domain and Centrify zone like other servers?

 

To further investigate this issue, please find the debugging steps below and collect the required log files. 

Please send the files to our DL address communitysupport@centrify.com. 

 

Please check the debugging steps below and collect the log files from the problematic server.

========== On SSH server ===========
1, Based on the adinfo --diag output this server is running with stock OpenSSH.


If it's stock SSH, it should look like this when running command '#ps -ef | grep sshd':
root 12427 1 0 Feb15 00:00:04 /usr/sbin/sshd

2, Enable debug 3 for SSH issue on SSH server and enable Centrify Debug mode
a) Modify the sshd_config file to uncomment and change the values from:

#SyslogFacility AUTH
#LogLevel INFO

To:

SyslogFacility AUTH
LogLevel DEBUG3

b) Save the changes

c) Restart OpenSSHd from the /etc/init.d script

d) Enable Centrify debug mode by running

#/usr/share/centrifydc/bin/addebug on
#/usr/share/centrifydc/bin/addebug clear

Make sure /var/log/centrifydc.log is growing in size.

e) Please run the following commands to get basic information for user

# adquery user AD_User_Name -A > /tmp/adquery_user.txt
# dzinfo AD_User_Name -A > /tmp/dzinfo.txt

3, Start sshd in debug mode, using full path, specifying a different port number like say 2022, and the following options:

#/usr/sbin/sshd -ddde -p 2022 > sshd.log 2>&1


========== Please go to SSH client ===========

4, Please reproduce the ssh issue from client side by running:
$ ssh -vvv -p 2022 AD_User_Name@Server_Name
Please save the output into a file, e.g. ssh_output.txt

========== Please go back to SSH server ===========

5, Please disable debug mode
#/usr/share/centrifydc/bin/addebug off
#adinfo -t [AD_domain_name]

(Depending on how large the AD environment is, this may take a long time to return to prompt and so please stop with Ctrl+C once it is felt the issue has been captured.)

6, Please reverse the changes related to Debug3 in step 2 back.


We need the following files:
a) /tmp/dzinfo.txt and /tmp/adquery_user.txt from ssh server in step 2

b) /tmp/sshd.log from the ssh server in step 3

c) ssh_output.txt from ssh client in step 4

d) sshd_config from ssh server

e) /var/centrify/tmp/adinfo_support.tar.gz from ssh server

 

 

Thanks,

Amy
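Steps 2a and 6 of the procedure above (raise sshd logging to DEBUG3, then put the configuration back) as a pair of shell functions that keep a backup, so the revert restores the exact original file. This is an added example, not Centrify's tooling or part of the original post; the function names and the ".pre-debug" backup suffix are assumptions. sshd_config(5) notes that logging at a DEBUG level violates the privacy of users, which is why the revert is made explicit.

```bash
#!/usr/bin/env bash
# Added example (not Centrify's tooling): apply and revert the step 2a change.
# Assumptions: function names and the ".pre-debug" backup suffix are made up.

effective_loglevel() {      # first LogLevel line wins; sshd's default is INFO
  awk 'tolower($1) == "loglevel" { print toupper($2); found = 1; exit }
       END { if (!found) print "INFO" }' "$1"
}

disable_sshd_debug() {      # step 6: restore the exact pre-debug file
  conf=$1
  [ -e "$conf.pre-debug" ] || { echo "no backup for $conf" >&2; return 1; }
  mv "$conf.pre-debug" "$conf"
}

enable_sshd_debug() {       # usage: enable_sshd_debug /path/to/sshd_config
  conf=$1
  if [ -e "$conf.pre-debug" ]; then
    echo "refusing: $conf.pre-debug exists, debug already enabled?" >&2
    return 1
  fi
  cp -p "$conf" "$conf.pre-debug" || return 1
  # Rewrite into the existing file so its owner and mode stay unchanged.
  sed -E -e 's/^#SyslogFacility AUTH$/SyslogFacility AUTH/' \
         -e 's/^#?LogLevel[[:space:]].*$/LogLevel DEBUG3/' \
         "$conf.pre-debug" > "$conf"
  # Edge case: no LogLevel line to edit. Undo rather than leave a half-change.
  if [ "$(effective_loglevel "$conf")" != "DEBUG3" ]; then
    echo "no LogLevel line found in $conf; restored original" >&2
    disable_sshd_debug "$conf"
    return 1
  fi
}

# Constructed sample config (not from a real host), used in a temp directory.
demo_dir=$(mktemp -d)
printf '%s\n' 'Port 22' '#SyslogFacility AUTH' '#LogLevel INFO' \
  'PasswordAuthentication yes' > "$demo_dir/sshd_config"
enable_sshd_debug "$demo_dir/sshd_config"
echo "during capture: $(effective_loglevel "$demo_dir/sshd_config")"
disable_sshd_debug "$demo_dir/sshd_config"
echo "after revert:   $(effective_loglevel "$demo_dir/sshd_config")"
rm -rf "$demo_dir"
```

On a real host the argument would be the server's sshd_config, followed by the sshd restart from step 2c; running sshd -t first checks the edited file for syntax errors.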

Participant II
Posts: 4
Registered: ‎09-17-2018
#7 of 9 1,489

Re: Centrify Express 5.4.3-887 can't SSH. Only on 1 out of 45 servers.

I emailed the requested logs.

 

Since running sshd manually on port 2022 worked, I ran it again on port 22. And it worked.

I included sshd logs and the verbose ssh connection output from both.

 

If I start the sshd service again it fails.  I included the verbose ssh connection output for that as well.

 

So Centrify is working fine, this must be a SSHD issue.

How is the normal operation of SSHD different from the manual process you had me run?

Centrify Contributor II
Posts: 22
Registered: ‎11-18-2013
#8 of 9 1,143

Re: Centrify Express 5.4.3-887 can't SSH. Only on 1 out of 45 servers.

@ChuckNo

We have not heard from you since the last sync-up. 

As discussed with Fel, this issue is weird, as it was verified during the debugging steps that it only occurs when you start sshd through initd. If you start sshd manually then logon works. Our recommendation is to re-install SSHD.

 

Please let us know if issue persists after re-installation. 

 

Thanks,

Amy

Participant I
Posts: 1
Registered: ‎10-18-2018
#9 of 9 1,134

Re: Centrify Express 5.4.3-887 can't SSH. Only on 1 out of 45 servers.

I apologize Amy, since this seems specific to this very old system we have decided to replace it instead of spending any more time troubleshooting it.
We are going to clone another system and reconfigure.

Thanks for all your help.

Chuck