I have a newly installed Ubuntu Xenial 16.04 server running LXD with a fresh LXC container using the ubuntu:xenial image.
I used the centrify-suite-2016.1-deb7-x86_64.tgz download, unpacked and installed it, and joined the domain with no reported errors. I have installed the Centrify SSHD. I can getent passwd and group with no problems.
The problem is when I SSH to the LXC container I get the login prompt, and on entering the username the SSH session disconnects with "Network error: Software caused connection abort". In the container auth.log I see a fatal error: initgroups: Invalid argument. The group causing the fatal error is the User Private Group.
Some system info:
root@osm:/etc/pam.d# uname -a
Linux osm 4.4.0-57-generic #78-Ubuntu SMP Fri Dec 9 23:50:32 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
root@osm:/etc/pam.d# cat /etc/*release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=16.04
DISTRIB_CODENAME=xenial
DISTRIB_DESCRIPTION="Ubuntu 16.04.1 LTS"
NAME="Ubuntu"
VERSION="16.04.1 LTS (Xenial Xerus)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 16.04.1 LTS"
VERSION_ID="16.04"
HOME_URL="http://www.ubuntu.com/"
SUPPORT_URL="http://help.ubuntu.com/"
BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"
VERSION_CODENAME=xenial
UBUNTU_CODENAME=xenial
root@osm:/etc/pam.d# adinfo -v
adinfo (CentrifyDC 5.3.1-398)
root@osm:/etc/pam.d# adinfo -m
connected
root@osm:/etc/pam.d# adinfo --sysinfo zone
System Diagnostic
======== Zone Information ========
Auto zone
root@osm:/etc/pam.d# adquery user i87000
i87000:x:851444974:851444974:DTR:/home/i87000:/bin/bash
The auth.log output:
Jan 13 11:35:43 osm sshd[2118]: Authorized to i87000, krb5 principal I87000@MYDOMAIN.COM (krb5_kuserok)
Jan 13 11:35:43 osm sshd[2118]: Accepted gssapi-with-mic for i87000 from 192.168.0.10 port 61199 ssh2
Jan 13 11:35:43 osm adclient[383]: INFO AUDIT_TRAIL|Centrify Suite|PAM|1.0|300|PAM account management granted|5|user=i87000(type:ad,i87000@MYDOMAIN.COM) pid=2118 utc=1484307343515 centrifyEventID=24300 status=GRANTED service=sshd tty=ssh client=192.168.0.10
Jan 13 11:35:43 osm sshd[2118]: fatal: initgroups: i87000: Invalid argument
I notice that the primary gid for the user doesn't exist in getent group output.
root@osm:/etc/pam.d# getent passwd | grep i87000
i87000:x:851444974:851444974:DTR:/home/i87000:/bin/bash
root@osm:/etc/pam.d# getent group | grep 851444974
root@osm:/etc/pam.d#
Checking the groups output for the user shows the User Private Group, but it doesn't appear in the getent group output:
root@osm:/etc/pam.d# groups i87000
i87000 : i87000 all_employees all_users centrify_mobile_users desktop_administrators domain_admins domain_users
root@osm:/etc/pam.d# getent group | grep ^i87000
root@osm:/etc/pam.d#
This has always been the case for previous installs of Centrify Express on other containers, but this is the first install I have done with the latest Centrify installer using OpenSSH version 7:
OpenSSH_7.2p2 (CentrifyDC build 5.3.1-391) , OpenSSL 1.0.2g 1 Mar 2016
Any ideas why sshd is giving the 'invalid argument' error?