Re: Centrify Crash Dumps

,

Thank you for the comments - they've been very helpful! I realize we made a rookie mistake with the updates, and we got started with the adbindproxy documentation last night. We believe we're very close to resolving this, even with all of the junk that happened in between.

In the Centrify log, with debug on (as you suggested), here's what we see when a domain user logs in:

Nov 08 13:41:33 sshd[32443] DEBUG: -> getpwuid_centrifydc_r  UID=0
Nov 08 13:41:33 sshd[32443] DEBUG: getpwuid: UID 0 is in 'nss.uid.ignore' list
Nov 08 13:41:33 sshd[32443] DEBUG: <- getpwuid_centrifydc_r, result=NSS_NOTFOUND(0)
Nov 08 13:41:33 sshd[32443] DEBUG: -> getgrnam_centrifydc_r  group="tty"
Nov 08 13:41:33 sshd[32443] DEBUG: getgrnam: Group 'tty' is in 'nss.group.ignore' list
Nov 08 13:41:33 sshd[32443] DEBUG: <- getgrnam_centrifydc_r, result=NSS_NOTFOUND(0)
Nov 08 13:41:33 sshd[32443] DEBUG: -> getgrnam_centrifydc_r  group="tty"
Nov 08 13:41:33 sshd[32443] DEBUG: getgrnam: Group 'tty' is in 'nss.group.ignore' list
Nov 08 13:41:33 sshd[32443] DEBUG: <- getgrnam_centrifydc_r, result=NSS_NOTFOUND(0)
Nov 08 13:41:33 sshd[32443] DEBUG: -> getpwuid_centrifydc_r  UID=0
Nov 08 13:41:33 sshd[32443] DEBUG: getpwuid: UID 0 is in 'nss.uid.ignore' list
Nov 08 13:41:33 sshd[32443] DEBUG: <- getpwuid_centrifydc_r, result=NSS_NOTFOUND(0)
Nov 08 13:41:33 sshd[32443] DEBUG: -> pam_sm_setcred
Nov 08 13:41:33 sshd[32443] DEBUG: PAM Options: (none)
Nov 08 13:41:33 sshd[32443] DEBUG: PAM Flags: (none)
Nov 08 13:41:33 sshd[32443] DEBUG: Flag PAM_ESTABLISH_CRED or PAM_REINITIALIZE_CRED or PAM_REFRESH_CRED is not given, ignored!
Nov 08 13:41:33 sshd[32443] DEBUG: <- pam_sm_setcred, result=PAM_IGNORE(25)
Nov 08 13:41:33 sshd[32443] DEBUG: -> pam_sm_setcred
Nov 08 13:41:33 sshd[32443] DEBUG: PAM Options: deny
Nov 08 13:41:33 sshd[32443] DEBUG: PAM Flags: (none)
Nov 08 13:41:33 sshd[32443] DEBUG: Flag PAM_ESTABLISH_CRED or PAM_REINITIALIZE_CRED or PAM_REFRESH_CRED is not given, ignored!
Nov 08 13:41:33 sshd[32443] DEBUG: <- pam_sm_setcred, result=PAM_IGNORE(25)

We've been seeing a lot of errors in Samba regarding UIDs not being found, so I believe you're right about the UID/GID conflict (potentially). Here's the log we see in Samba when trying to connect (there's a lot more data here, but this is what I've found to be relevant):

[2017/11/08 13:44:54.814265,  1] ../source3/auth/token_util.c:430(add_local_groups)
  SID S-1-5-21-3931225680-1871015619-2963001510-1368939 -> getpwuid(1001) failed
[2017/11/08 13:44:54.814304,  3] ../source3/auth/token_util.c:316(create_local_nt_token_from_info3)
  Failed to finalize nt token
[2017/11/08 13:44:54.814337,  1] ../source3/auth/auth_generic.c:127(auth3_generate_session_info_pac)
  Failed to map kerberos pac to server info (NT_STATUS_UNSUCCESSFUL)
[2017/11/08 13:44:54.815371,  3] ../source3/smbd/server_exit.c:249(exit_server_common)
  Server exit (NT_STATUS_CONNECTION_RESET)

Any ideas on what to look at to get CDC working first?