Ubuntu: This forum is for the discussion of Ubuntu Linux.
I have a server that I performed an upgrade on that is now no longer allowing SSH access.
I've been troubleshooting for a week but I can't find an answer.
This is my first post and I'm hoping you guys can help me with a "miracle"
I am only able to access the device from a VMware console and I'm only able to log in as root... so I can't copy-paste configs... it will be all "hand jamming".
This is a production server and logs are being written to it so I need to minimize downtime.
The server does not stay attached to the domain after rebooting, I have to manually add it.
Getent returns passwd and groups (but groups does not list my individual user on this box...another Linux box does show me in those groups...)
Well, if your problems started after the upgrade, a good start would be to find what was upgraded. As for not being able to copy-paste, can you send them over the net/mail to your computer and copy-paste them from there?
I've upgraded the entire distro...plus a bunch of packages.
I've also found some additional information..
in the auth log:
[lsass-pam] [module:pam_lsass] User X is denied access because they are not in the 'require membership of' list
Was that PAM module upgraded, or is it built outside of the distribution? And how about checking your config files in /etc/pam.d/ to find where it is used and what the settings are?
If you have an ssh problem you may try to run sshd using -vvv and also connect using ssh -vvv.
That will give you some information about the authentication.
The PAM module was upgraded and is now running pbis 8.0.0.216
(The fix for the bug in that version was added to the config)
settings for pam.d match our existing and non-problematic sister server.
Here's another clue:
[lsass-pam] Failed to authenticate user (bla bla) error 4022, symbol = LW_ERROR_PASSWORD_MISMATCH
then the prior message about not being in the 'require membership of' list.
Thanks, I've been using -v or -vv. The results of doing an ssh -vv user@domain only give me that a password packet is sent and the return is a permission denied.
Ok, for a quick fix, if you need an ssh connection perhaps you can comment out those settings where lsass-pam is used (add # in front of the lines where you have pam_lsass). I'm not familiar with pbis so can't offer much help there. On your sister server, is pbis also upgraded with that fix? Was your sister server also upgraded to 16.04?
Sister server wasn't upgraded...haven't touched it yet.
I was hunting around and found these neat commands:
# /opt/pbis/bin/config --list
# /opt/pbis/bin/config --details RequireMembershipOf
This one let me know that the value of the RequireMembershipOf is "<domain>\\Domainusers"
here's the long version:
Name: RequireMembershipOf
Description: restrict logon access to computer to specific users or group members, or SIDs
Type: multistring
Current Values:
"<Domain>\\DomainUsers"
Current Value is determined by local policy
So my next step is to try something like the following: (????)
# /opt/pbis/bin/config RequireMembershipOf "domain.local\\account1" "domain.local\\user2"
Interestingly, as I'm researching it I see that
# getent group
returns all local groups and domain groups with my domain in front. i.e.
<DOMAIN>\domain^users:x:135791704:
I'm wondering...since the ^ indicates a <space> and the RequiredMembershipOf doesn't appear to have a space...perhaps that's the delta?
If that's the case, then I think my command would be:
# /opt/pbis/bin/config RequireMembershipOf "<DOMAIN>\\account1" "<DOMAIN>\\user2"
Looks like the ^ (reflecting a space) was the problem. I adjusted the setting with
# /opt/pbis/bin/config RequireMembershipOf "<DOMAIN>\\domain^admins"
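The mismatch found above (PBIS shows a space in an AD group name as `^` in `getent group`, while the RequireMembershipOf value had been written without the space, so no group matched and every login was denied) can be checked mechanically before touching the configuration. The script below is an added example and is not from the thread or from PBIS; it embeds constructed stand-ins for the output of `/opt/pbis/bin/config --details RequireMembershipOf` and `getent group` (the `EXAMPLE` domain, the GIDs and the users alice, bob and carol are all made up), normalises `^` to a space and ignores case, and reports for a given user which entries resolve to a real group and which list that user. As the original poster observed, `getent group` may not list domain members for an AD group, so a resolved group that does not list the user is flagged for a manual check rather than treated as a denial.

```shell
#!/usr/bin/env bash
# Added example (not from the thread or from PBIS): cross-check a PBIS-style
# RequireMembershipOf list against getent group output. PBIS renders a space in
# an AD group name as '^' (e.g. "DOMAIN\domain^users"), so an entry written as
# "DOMAIN\\DomainUsers" matches no group and every domain login is denied.
# All sample data below is constructed for this example.

# Constructed stand-in for `/opt/pbis/bin/config --details RequireMembershipOf`.
CONFIG_DETAILS='Name: RequireMembershipOf
Description: restrict logon access to computer to specific users or group members, or SIDs
Type: multistring
Current Values:
        "EXAMPLE\\DomainUsers"
        "EXAMPLE\\domain^admins"
Current Value is determined by local policy'

# Constructed stand-in for `getent group` (local groups plus domain groups).
GETENT_GROUP='root:x:0:
sudo:x:27:alice
EXAMPLE\domain^users:x:135791704:
EXAMPLE\domain^admins:x:135791705:alice,bob'

# Print the quoted values listed under "Current Values:", one per line, with the
# doubled backslash of the config output reduced to the single one getent shows.
required_entries() {
  printf '%s\n' "$CONFIG_DETAILS" | sed -n '/^Current Values:/,/^Current Value is/p' \
    | grep -o '"[^"]*"' | tr -d '"' | sed 's/\\\\/\\/g'
}

# Canonical form for comparison: '^' becomes a space, everything is lowercased.
canon() {
  printf '%s' "$1" | tr '^' ' ' | tr '[:upper:]' '[:lower:]'
}

# Find the getent line whose group name equals ENTRY after normalisation.
# Prints the whole "name:x:gid:members" line, or returns 1 if nothing matches.
resolve_group() {
  local want line
  want=$(canon "$1")
  while IFS= read -r line; do
    if [ "$(canon "${line%%:*}")" = "$want" ]; then
      printf '%s\n' "$line"
      return 0
    fi
  done <<EOF
$GETENT_GROUP
EOF
  return 1
}

# For each RequireMembershipOf entry, report whether it resolves to a real group
# and whether USER is listed in it. Returns 0 if at least one entry lists the
# user, 1 otherwise. A resolved group that does not list the user is reported as
# CHECK, because getent may omit domain members for an AD group.
check_user() {
  local user=$1 entry group name members allowed=1
  while IFS= read -r entry; do
    [ -n "$entry" ] || continue
    if group=$(resolve_group "$entry"); then
      name=${group%%:*}
      members=${group##*:}
      case ",$members," in
        *",$user,"*) printf 'OK      %s -> %s (lists %s)\n' "$entry" "$name" "$user"; allowed=0 ;;
        *)           printf 'CHECK   %s -> %s (does not list %s)\n' "$entry" "$name" "$user" ;;
      esac
    else
      printf 'MISSING %s matches no group; does the AD name contain a space (shown as ^)?\n' "$entry"
    fi
  done <<EOF
$(required_entries)
EOF
  return $allowed
}

# Demo run: alice passes via domain^admins, carol is listed nowhere.
for u in alice carol; do
  printf '== %s ==\n' "$u"
  check_user "$u" && printf 'login allowed\n' || printf 'login denied\n'
done
```

On a real host, replace the two constructed strings with `CONFIG_DETAILS=$(/opt/pbis/bin/config --details RequireMembershipOf)` and `GETENT_GROUP=$(getent group)`; a MISSING line is the symptom seen in this thread and points at an entry that needs the `^` form of the group name.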