Channel: All Centrify Express posts

Re: NOOB question - can't SSH to Centrify protected Ubuntu server


Adquery appears to know who the user is:

 

adquery user -A bruce
dn:CN=bruce,CN=Users,DC=r#########n,DC=net
samAccountName:bruce
sid:S-1-5-21-662088380-377811889-2506711748-1112
userPrincipalName:bruce@R#########N.NET
canonicalName:r#########n.net/Users/bruce
passwordHash:x
guid:11ac64be-1d75-476c-96f6-ab8753ba5cb4
requireMfa:false
zoneEnabled:false
memberOf:r#########n.net/Users/Domain Users,r##########n.net/Users/engineering



NOOB question - can't SSH to Centrify protected Ubuntu server


Too many hours trying to make this work. I am willing to learn; it can't be this hard.

 

I completed the install, and it appears to be connected to the DC.

 

sudo adinfo -T 

 

Domain Diagnostics:
Domain: r##########n.net
DNS query for: _ldap._tcp.r##########n.net
DNS query for: _gc._tcp.r##########n.net
Testing Active Directory connectivity:
Global Catalog: nas2.r##########n.net
gc: 3268/tcp - good
Domain Controller: nas2.r##########n.net
ldap: 389/tcp - good
ldap: 389/udp - good
smb: 445/tcp - good
kdc: 88/tcp - good
kpasswd: 464/tcp - good
ntp: 123/udp - good

 

sudo adinfo


Local host name: master
Joined to domain: r##########n.net
Joined as: master.r##########n.net
Pre-win2K name: master
Current DC: nas2.r##########n.net
Preferred site: Default-First-Site-Name
Zone: Auto Zone
Last password set: 2017-06-13 10:28:16 CDT
CentrifyDC mode: connected
Licensed Features: Disabled

 

sudo adinfo -A -u bruce
Active Directory password:
Password for user "bruce" is correct

 

From /var/log/auth.log

 

Jun 13 13:06:04 master sudo: radmin : TTY=pts/0 ; PWD=/etc/centrifydc/ssh ; USER=root ; COMMAND=/usr/bin/adinfo -A -u bruce
Jun 13 13:06:04 master sudo: pam_unix(sudo:session): session opened for user root by radmin(uid=0)
Jun 13 13:06:11 master adinfo[5786]: INFO base.nocachemode Disabling the agent directory cache
Jun 13 13:06:11 master adinfo[5786]: INFO AUDIT_TRAIL|Centrify Suite|Trusted Path|1.0|2700|Trusted path granted|5|user=bruce pid=5786 utc=1497377171991 centrifyEventID=23700 DASessID=N/A DAInst=N/A status=GRANTED server=ldap/nas2.r##########n.net@R##########N.NET

 

 

However, whenever I try to SSH in, I cannot get authentication to pass.

 

ssh 192.168.240.31


Ubuntu 16.04.1 LTS master ssh-pty

Password:
Password:
Password:
bruce@192.168.240.31's password:
Permission denied, please try again.
bruce@192.168.240.31's password:

 

FROM /var/log/auth.log

 

Jun 13 13:07:57 master sshd[5854]: Invalid user bruce from 192.168.20.105 port 53977
Jun 13 13:07:57 master adclient[1256]: INFO AUDIT_TRAIL|Centrify Suite|Centrify sshd|1.0|101|SSHD denied|5|user=(unknown user) pid=5854 utc=1497377277878 centrifyEventID=27101 DASessID=N/A DAInst=N/A status=DENIED service=(unknown service) tty=(no tty) authMechanism=unknown client=192.168.20.105 reason=INVALID_USER(invalid/invalidated user.)
Jun 13 13:07:57 master sshd[5854]: input_userauth_request: invalid user bruce [preauth]
Jun 13 13:07:57 master adclient[1256]: INFO AUDIT_TRAIL|Centrify Suite|Centrify sshd|1.0|101|SSHD denied|5|user=(invalid user) pid=5854 utc=1497377277880 centrifyEventID=27101 DASessID=N/A DAInst=N/A status=DENIED service=(unknown service) tty=(no tty) authMechanism=unknown client=192.168.20.105 reason=INVALID_USER(invalid/invalidated user.)
Jun 13 13:07:57 master adclient[1256]: WARN <fd:10 PAMUserIsOurResponsibility > base.zonehier Failed to extend object for CN=bruce,CN=Users,DC=r##########n,DC=net
Jun 13 13:07:57 master adclient[1256]: WARN <fd:10 PAMUserIsOurResponsibility > base.zonehier Failed to extend object for CN=bruce,CN=Users,DC=r##########n,DC=net
Jun 13 13:07:57 master sshd[5854]: Postponed keyboard-interactive for invalid user bruce from 192.168.20.105 port 53977 ssh2 [preauth]
Jun 13 13:08:08 master sshd[5856]: pam_unix(sshd:auth): check pass; user unknown
Jun 13 13:08:08 master sshd[5856]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.20.105
Jun 13 13:08:10 master sshd[5854]: error: PAM: Authentication failure for illegal user bruce from 192.168.20.105
Jun 13 13:08:10 master sshd[5854]: Failed keyboard-interactive/pam for invalid user bruce from 192.168.20.105 port 53977 ssh2
Jun 13 13:08:10 master adclient[1256]: INFO AUDIT_TRAIL|Centrify Suite|Centrify sshd|1.0|101|SSHD denied|5|user=(invalid user) pid=5854 utc=1497377290814 centrifyEventID=27101 DASessID=N/A DAInst=N/A status=DENIED service=ssh-connection tty=(no tty) authMechanism=keyboard-interactive client=192.168.20.105 reason=AUTH_FAIL_KBDINT(failed in keyboard interactive authentication.)
Jun 13 13:08:10 master adclient[1256]: WARN <fd:10 PAMUserIsOurResponsibility > base.zonehier Failed to extend object for CN=bruce,CN=Users,DC=r##########n,DC=net
Jun 13 13:08:10 master adclient[1256]: WARN <fd:10 PAMUserIsOurResponsibility > base.zonehier Failed to extend object for CN=bruce,CN=Users,DC=r##########n,DC=net
Jun 13 13:08:10 master sshd[5854]: Postponed keyboard-interactive for invalid user bruce from 192.168.20.105 port 53977 ssh2 [preauth]
Jun 13 13:08:17 master sshd[5860]: pam_unix(sshd:auth): check pass; user unknown
Jun 13 13:08:17 master sshd[5860]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.20.105
Jun 13 13:08:20 master sshd[5854]: error: PAM: Authentication failure for illegal user bruce from 192.168.20.105
Jun 13 13:08:20 master sshd[5854]: Failed keyboard-interactive/pam for invalid user bruce from 192.168.20.105 port 53977 ssh2
Jun 13 13:08:20 master adclient[1256]: INFO AUDIT_TRAIL|Centrify Suite|Centrify sshd|1.0|101|SSHD denied|5|user=(invalid user) pid=5854 utc=1497377300066 centrifyEventID=27101 DASessID=N/A DAInst=N/A status=DENIED service=ssh-connection tty=(no tty) authMechanism=keyboard-interactive client=192.168.20.105 reason=AUTH_FAIL_KBDINT(failed in keyboard interactive authentication.)
Jun 13 13:08:20 master adclient[1256]: WARN <fd:10 PAMUserIsOurResponsibility > base.zonehier Failed to extend object for CN=bruce,CN=Users,DC=r##########n,DC=net
Jun 13 13:08:20 master adclient[1256]: WARN <fd:10 PAMUserIsOurResponsibility > base.zonehier Failed to extend object for CN=bruce,CN=Users,DC=r##########n,DC=net
Jun 13 13:08:20 master sshd[5854]: Postponed keyboard-interactive for invalid user bruce from 192.168.20.105 port 53977 ssh2 [preauth]
Jun 13 13:08:27 master sshd[5861]: pam_unix(sshd:auth): check pass; user unknown
Jun 13 13:08:27 master sshd[5861]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.20.105
Jun 13 13:08:28 master sshd[5854]: error: PAM: Authentication failure for illegal user bruce from 192.168.20.105
Jun 13 13:08:28 master sshd[5854]: Failed keyboard-interactive/pam for invalid user bruce from 192.168.20.105 port 53977 ssh2
Jun 13 13:08:28 master adclient[1256]: INFO AUDIT_TRAIL|Centrify Suite|Centrify sshd|1.0|101|SSHD denied|5|user=(invalid user) pid=5854 utc=1497377308728 centrifyEventID=27101 DASessID=N/A DAInst=N/A status=DENIED service=ssh-connection tty=(no tty) authMechanism=keyboard-interactive client=192.168.20.105 reason=AUTH_FAIL_KBDINT(failed in keyboard interactive authentication.)
Jun 13 13:08:38 master adclient[1256]: WARN <fd:10 PAMUserIsOurResponsibility > base.zonehier Failed to extend object for CN=bruce,CN=Users,DC=r##########n,DC=net
Jun 13 13:08:38 master adclient[1256]: WARN <fd:10 PAMUserIsOurResponsibility > base.zonehier Failed to extend object for CN=bruce,CN=Users,DC=r##########n,DC=net
Jun 13 13:08:38 master sshd[5854]: pam_unix(sshd:auth): check pass; user unknown
Jun 13 13:08:38 master sshd[5854]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.20.105
Jun 13 13:08:39 master sshd[5854]: Failed password for invalid user bruce from 192.168.20.105 port 53977 ssh2
Jun 13 13:08:39 master adclient[1256]: INFO AUDIT_TRAIL|Centrify Suite|Centrify sshd|1.0|101|SSHD denied|5|user=(invalid user) pid=5854 utc=1497377319914 centrifyEventID=27101 DASessID=N/A DAInst=N/A status=DENIED service=ssh-connection tty=(no tty) authMechanism=password client=192.168.20.105 reason=AUTH_FAIL_PASSWD(invalid user or password.)
Jun 13 13:08:41 master sshd[5854]: Connection closed by 192.168.20.105 port 53977 [preauth]
Jun 13 13:09:01 master CRON[5887]: pam_unix(cron:session): session opened for user root by (uid=0)
Jun 13 13:09:01 master CRON[5887]: pam_unix(cron:session): session closed for user root
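
An added example, not part of the original post and not Centrify's own tooling: a Python parser for the AUDIT_TRAIL lines in the auth.log excerpt above. It groups SSHD denials by sshd pid and separates sessions whose first denial is INVALID_USER (sshd treated the account as invalid before any password was checked) from plain credential failures. The field layout is inferred from the lines in the post; the sample log and the `example.net` domain are constructed.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the excerpt above; example.net is a placeholder.
SAMPLE = """\
Jun 13 13:06:11 master adinfo[5786]: INFO AUDIT_TRAIL|Centrify Suite|Trusted Path|1.0|2700|Trusted path granted|5|user=bruce pid=5786 utc=1497377171991 centrifyEventID=23700 DASessID=N/A DAInst=N/A status=GRANTED server=ldap/nas2.example.net@EXAMPLE.NET
Jun 13 13:07:57 master sshd[5854]: Invalid user bruce from 192.168.20.105 port 53977
Jun 13 13:07:57 master adclient[1256]: INFO AUDIT_TRAIL|Centrify Suite|Centrify sshd|1.0|101|SSHD denied|5|user=(unknown user) pid=5854 utc=1497377277878 centrifyEventID=27101 DASessID=N/A DAInst=N/A status=DENIED service=(unknown service) tty=(no tty) authMechanism=unknown client=192.168.20.105 reason=INVALID_USER(invalid/invalidated user.)
Jun 13 13:08:10 master adclient[1256]: INFO AUDIT_TRAIL|Centrify Suite|Centrify sshd|1.0|101|SSHD denied|5|user=(invalid user) pid=5854 utc=1497377290814 centrifyEventID=27101 DASessID=N/A DAInst=N/A status=DENIED service=ssh-connection tty=(no tty) authMechanism=keyboard-interactive client=192.168.20.105 reason=AUTH_FAIL_KBDINT(failed in keyboard interactive authentication.)
Jun 13 13:08:39 master adclient[1256]: INFO AUDIT_TRAIL|Centrify Suite|Centrify sshd|1.0|101|SSHD denied|5|user=(invalid user) pid=5854 utc=1497377319914 centrifyEventID=27101 DASessID=N/A DAInst=N/A status=DENIED service=ssh-connection tty=(no tty) authMechanism=password client=192.168.20.105 reason=AUTH_FAIL_PASSWD(invalid user or password.)
"""

HEADER = ("vendor", "product", "version", "event_class", "name", "severity")
# A value runs until the next " key=" token, so "(no tty)" stays in one piece.
KV = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_audit(line):
    """Return header and key=value fields of one AUDIT_TRAIL line, else None."""
    if "AUDIT_TRAIL|" not in line:
        return None
    parts = line.split("AUDIT_TRAIL|", 1)[1].split("|", 6)
    if len(parts) != 7:
        return None  # truncated or malformed record
    event = dict(zip(HEADER, parts))
    event.update(KV.findall(parts[6].strip()))
    return event


def triage(log_text):
    """Group SSHD denials by sshd pid and classify each session's first failure."""
    reasons = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_audit(line)
        if ev and ev["product"] == "Centrify sshd" and ev.get("status") == "DENIED":
            code = ev.get("reason", "").split("(", 1)[0]
            reasons[ev.get("pid", "?")].append(code)
    return {
        pid: {"cause": "identity" if seq[0] == "INVALID_USER" else "credential",
              "reasons": seq}
        for pid, seq in reasons.items()
    }


if __name__ == "__main__":
    for pid, info in triage(SAMPLE).items():
        print(pid, info["cause"], " -> ".join(info["reasons"]))
```
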

 

 

 

Re: No Centrify Suite is available on the selected platforms


I was hoping to see some resolution of this problem, because I am running into the exact same issue trying to deploy the Mac agent to a local Mac. The Mac is sanely named.

 

The software is actually already present on this Mac, but the "No Centrify Suite is available on the selected platform" error message makes me believe that this is not the problem. (I've been using the target Mac to experiment with; it's currently not joined to the AD domain.)

 

I am, however, currently stuck at Mr. Robertson's step 5. Guidance would be much appreciated.

Re: No Centrify Suite is available on the selected platforms


What version of Mac are you using? And what version of Centrify Server Suite?

 

 


Re: Enabling User Access restriction in Docker container through centrify


Centrify Support is happy to assist.

 

Please work with the appropriate contacts in your company to either get access to Support or work with them to open a case with Support.

 

The error message being displayed is due to DirectAudit being installed and the user not having a real shell defined. DirectAudit is recording the user's activity on the system.

 

Have you tried instead of replacing the shell, adding your container logic to the logon profile instead?  This should be a bit cleaner for you vs. replacing the user's shell.  

 

Regards,

 

Re: Domain Admin account doesn't work on Mac joined with Centrify Express


I am having the same issue. Other users within the domain are allowed. Just not the user named "Administrator". Strange.

Unable to add PIV domain/mobile account user to FileVault


The error I receive with fdesetup when trying to add any mobile account user is:

 

Error: Unable to add user 'USERNAME' to existing FileVault because the user could not be authenticated.

 

(USERNAME can be replaced with any zoned AD GUID)

 

Current Environment:

 

  • Mac OS X 10.11.6
  • Zoned and bound with Centrify to company domain.

Re: Domain Admin account doesn't work on Mac joined with Centrify Express


 

Welcome to the Centrify forum.

 

Would you be kind enough to post a new thread?

Since this original thread we have released two new versions.

 

Please post the operating system version and version of Centrify.

 

Note that if you're a commercial customer, you can always leverage support. Express support is on a best-effort, volunteer basis.

 

R.P

Re: Unable to add PIV domain/mobile account user to FileVault


Hello and welcome to the Centrify Community!

 

It appears you are binding the Mac in a Zoned mode, rather than in Autozone? If so, you will want to make sure the User is able to log in to the Mac in Access Manager first.

 

Also, I noticed that you mention PIV...is this User a Smartcard enforced User? At this time, OSX does not support Filevault2 unlock using Smartcards. More info here. You will need to use a User that has a username and password, in order to unlock the system. This can be either a local User or network user (assuming you have added them to allow login on this Mac.)

 

I hope this helps! If not, can you provide a few more details about your org?

 

Have a great day!!

 

Ryan V
