Welcome to the Centrify Express forums.
Please always make sure that you provide the version of Centrify. The current community version is 5.3.x.
The problem you're having here is this:

Aug 12 10:57:45 LN-MCL-VM-000-02 adclient[2242]: INFO AUDIT_TRAIL|Centrify Suite|PAM|1.0|101|PAM authentication denied|5|user=sheetst(type:ad,sheetst@MTIPS.XXX.LOCAL) pid=11465 utc=1471013865358 centrifyEventID=24101 status=DENIED service=sshd tty=ssh client=ln-mcl-vm-000-01.mtips.xxx.local reason=Authentication failure
The upper layer application (SSH Server) is denying access to the user. Check to see if you are using any SSH directives that may be impairing the user from logging in.
The easiest way to verify that all is fine is by switching to the user (not as root please).
su - ad.user should prompt you for a password, and if you're able to switch successfully, this means that you've confirmed that SSH is the culprit.
Some other tips:
Verify that the user's account exists in AD, it is in the right format and that it's not locked or expired:
- Log in to your system and open a terminal
- Run the adquery user command and grep for the user in question. E.g. homer simpson
$ adquery user | grep homer
homer.simpson:x:1040191003:1040191003:Homer Simpson:/home/homer.simpson:/usr/bin/dzsh
This demonstrates that the user is valid in the system.
- Run the adquery user -A command to verify the user's status
$ dzdo adquery user -A homer.simpson
[truncated]
accountExpires:Never
passwordExpires:Mon Sep 5 09:55:43 2016
passwordWillExpire:28
nextPasswordChange:Wed Jun 8 09:55:43 2016
lastPasswordChange:Tue Jun 7 09:55:43 2016
accountLocked:false
accountDisabled:false
requireMfa:false
zoneEnabled:true
Looking at this output you can rule out issues with the account like expiration, lock out, or if it's disabled.
Rule out issues with the user's password
Have your user log in (with any credential) and open a terminal.
To verify that the user is typing the correct password (the AD password), have him run this command:
$ adinfo --user [user] -A
If the user types the correct password, the output of the command is:
$ adinfo --user bart.simpson -A
Active Directory password:
Password for user "bart.simpson" is correct
If the password is incorrect, the output will be: Unable to connect to server
R.P
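As an added example (not part of the post above, and not Centrify's own tooling), here is a small Python triage helper for the two artifacts the post works with: it parses adclient AUDIT_TRAIL syslog lines into their pipe-delimited header and key=value extension so denied logins can be listed with their service, client and reason, and it checks the attribute block printed by adquery user -A for the conditions the post tells you to rule out (locked, disabled, expired, not zone-enabled). The log line is the one from the post rejoined onto a single line; the adquery output is constructed from the post's sample with accountLocked flipped to true so the check has something to report. The function and field names are my own assumptions about a reasonable interface, not anything adclient exposes.

```python
"""Triage helpers for Centrify adclient AUDIT_TRAIL lines and adquery -A output."""
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed sample log: the denial from the post, rejoined onto one syslog line,
# plus one unrelated line to show that non-audit records are skipped.
SAMPLE_LOG = [
    "Aug 12 10:57:45 LN-MCL-VM-000-02 adclient[2242]: INFO AUDIT_TRAIL|Centrify Suite|PAM|1.0|101|"
    "PAM authentication denied|5|user=sheetst(type:ad,sheetst@MTIPS.XXX.LOCAL) pid=11465 "
    "utc=1471013865358 centrifyEventID=24101 status=DENIED service=sshd tty=ssh "
    "client=ln-mcl-vm-000-01.mtips.xxx.local reason=Authentication failure",
    "Aug 12 10:58:01 LN-MCL-VM-000-02 systemd[1]: Started Session 3 of user homer.simpson.",
]

# Constructed sample of the attribute block from `adquery user -A`, with the
# account locked so that account_problems() reports something.
SAMPLE_ADQUERY = """\
accountExpires:Never
passwordExpires:Mon Sep 5 09:55:43 2016
passwordWillExpire:28
nextPasswordChange:Wed Jun 8 09:55:43 2016
lastPasswordChange:Tue Jun 7 09:55:43 2016
accountLocked:true
accountDisabled:false
requireMfa:false
zoneEnabled:true
"""

ADQUERY_DATE = "%a %b %d %H:%M:%S %Y"  # assumed from the sample output's date layout


@dataclass
class AuditEvent:
    vendor: str
    product: str      # the layer that produced the event, e.g. "PAM"
    version: str
    event_id: str     # the numeric id before the event name, e.g. "101"
    name: str         # e.g. "PAM authentication denied"
    severity: int
    fields: dict      # key=value pairs from the extension part


def parse_audit_trail(line):
    """Return an AuditEvent for an AUDIT_TRAIL line, or None for any other line."""
    marker = "AUDIT_TRAIL|"
    idx = line.find(marker)
    if idx < 0:
        return None
    body = line[idx + len(marker):]
    parts = body.split("|", 6)
    if len(parts) != 7:
        return None  # header is shorter than the format we assume; do not guess
    vendor, product, version, event_id, name, severity, ext = parts
    # Values may contain spaces (reason=Authentication failure) and parentheses,
    # so a value runs until the next " key=" or the end of the line.
    fields = {k: v.strip() for k, v in re.findall(r"(\w+)=(.*?)(?=\s+\w+=|$)", ext)}
    return AuditEvent(vendor, product, version, event_id, name, int(severity), fields)


def denied_logins(lines):
    """Summarise every DENIED audit event: who, via which service, from where, and why."""
    out = []
    for line in lines:
        ev = parse_audit_trail(line)
        if ev is None or ev.fields.get("status") != "DENIED":
            continue
        out.append({
            "user": ev.fields.get("user", "").split("(")[0],  # strip "(type:ad,...)"
            "service": ev.fields.get("service"),
            "client": ev.fields.get("client"),
            "reason": ev.fields.get("reason"),
            "layer": ev.product,
        })
    return out


def account_problems(adquery_output, now):
    """List the account conditions from `adquery user -A` output that would block a login."""
    attrs = {}
    for raw in adquery_output.splitlines():
        key, sep, value = raw.strip().partition(":")  # first colon only; times contain colons
        if sep:
            attrs[key] = value.strip()
    problems = []
    if attrs.get("accountLocked") == "true":
        problems.append("account is locked")
    if attrs.get("accountDisabled") == "true":
        problems.append("account is disabled")
    if attrs.get("zoneEnabled") == "false":
        problems.append("user is not enabled in this zone")
    exp = attrs.get("accountExpires", "Never")
    if exp != "Never" and datetime.strptime(exp, ADQUERY_DATE) <= now:
        problems.append(f"account expired on {exp}")
    pw_exp = attrs.get("passwordExpires", "Never")
    if pw_exp != "Never" and datetime.strptime(pw_exp, ADQUERY_DATE) <= now:
        problems.append(f"password expired on {pw_exp}")
    return problems


if __name__ == "__main__":
    for d in denied_logins(SAMPLE_LOG):
        print(f"{d['layer']} denied {d['user']} via {d['service']} from {d['client']}: {d['reason']}")
    for p in account_problems(SAMPLE_ADQUERY, datetime(2016, 8, 12, 10, 57, 45)):
        print("account check:", p)
```

The split between the two functions mirrors the post's reasoning: the audit line tells you which layer (here PAM, invoked by sshd) refused the login, and the adquery attributes tell you whether the account itself is the reason; if the account check comes back clean and su - works, what is left is the SSH server's own configuration.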