LinuxQuestions.org
Old 07-11-2017, 04:29 AM   #1
bluhat
LQ Newbie
 
Registered: Jul 2017
Posts: 5

Rep: Reputation: Disabled
Post-upgrade to Ubuntu 16.04.4 - no ssh


I have a server that I performed an upgrade on that is now no longer allowing SSH access.
I've been troubleshooting for a week but I can't find an answer.
This is my first post and I'm hoping you guys can help me with a "miracle".

I am only able to access the device from a VMware console and I'm only able to log in as root...so I can't copy paste configs...it will be all "hand jamming".

This is a production server and logs are being written to it so I need to minimize downtime.

The server does not stay attached to the domain after rebooting, I have to manually add it.

Getent returns passwd and groups (but groups does not list my individual user on this box...another Linux box does show me in those groups...)
 
Old 07-11-2017, 07:23 AM   #2
dejank
Member
 
Registered: May 2016
Location: Belgrade, Serbia
Distribution: Debian
Posts: 229

Rep: Reputation: Disabled
Well, if your problems started after the upgrade, a good start would be to find what was upgraded. As for not being able to copy and paste, can you send them over net/mail to your comp and copy-paste them from there?
 
Old 07-11-2017, 07:37 AM   #3
bluhat
LQ Newbie
 
Registered: Jul 2017
Posts: 5

Original Poster
Rep: Reputation: Disabled
I've upgraded the entire distro...plus a bunch of packages.

I've also found some additional information..
in the auth log:
lsass-pam module:pam_lsass User X is denied access because they are not in the 'require membership of' list
 
Old 07-11-2017, 08:08 AM   #4
dejank
Member
 
Registered: May 2016
Location: Belgrade, Serbia
Distribution: Debian
Posts: 229

Rep: Reputation: Disabled
Was that pam module upgraded, or is it built outside of the distribution? And how about checking your config files in /etc/pam.d/ to find where it is used and what the settings are?
 
Old 07-11-2017, 08:15 AM   #5
pan64
LQ Addict
 
Registered: Mar 2012
Location: Hungary
Distribution: debian/ubuntu/suse ...
Posts: 21,838

Rep: Reputation: 7308
If you have an ssh problem, you may try to run sshd using -vvv and also connect using ssh -vvv.
That will give you some information about the authentication.
 
1 members found this post helpful.
Old 07-11-2017, 08:44 AM   #6
bluhat
LQ Newbie
 
Registered: Jul 2017
Posts: 5

Original Poster
Rep: Reputation: Disabled
The PAM module was upgraded and is now running pbis 8.0.0.216
(The fix for the bug in that version was added to the config)

Settings for pam.d match our existing and non-problematic sister server.

Here's another clue:
[lsass-pam] Failed to authenticate user (bla bla) error 4022, symbol = LW_ERROR_PASSWORD_MISMATCH
then the prior message about not being in the 'require membership of' list.

Thanks, I've been using -v or -vv. The results of doing an ssh -vv user@domain only give me that a password packet is sent and the return is a permission denied.
 
Old 07-11-2017, 08:58 AM   #7
dejank
Member
 
Registered: May 2016
Location: Belgrade, Serbia
Distribution: Debian
Posts: 229

Rep: Reputation: Disabled
OK, for a quick fix, if you need an ssh connection, perhaps you can comment out those settings where lsass-pam is used (add # in front of those lines where you have pam_lsass). I'm not familiar with pbis so can't offer much help there. Is pbis on your sister server also upgraded with that fix? Was your sister server also upgraded to 16.04?
 
Old 07-11-2017, 09:51 AM   #8
bluhat
LQ Newbie
 
Registered: Jul 2017
Posts: 5

Original Poster
Rep: Reputation: Disabled
Sister server wasn't upgraded...haven't touched it yet.

I was hunting around and found these neat commands:

# /opt/pbis/bin/config --list

# /opt/pbis/bin/config --details RequireMembershipOf
This one let me know that the value of the RequireMembershipOf is "<domain>\\Domainusers"

here's the long version:
Name: RequireMembershipOf
Description: restrict logon access to computer to specific users or group members, or SIDs
Type: multistring
Current Values:
"<Domain>\\DomainUsers"
Current Value is determined by local policy

So my next step is to try something like the following: (????)
# /opt/pbis/bin/config RequireMembershipOf "domain.local\\account1" "domain.local\\user2"

Interestingly, as I'm researching it I see that
# getent group

returns all local groups and domain groups with my domain in front. i.e.
<DOMAIN>\domain^users:x:135791704:

I'm wondering...since the ^ indicates a <space> and the RequireMembershipOf doesn't appear to have a space...perhaps that's the delta?

If that's the case, then I think my command would be:
# /opt/pbis/bin/config RequireMembershipOf "<DOMAIN>\\account1" "<DOMAIN>\\user2"

...where account or user would be my UNAME?
 
Old 07-11-2017, 10:04 AM   #9
bluhat
LQ Newbie
 
Registered: Jul 2017
Posts: 5

Original Poster
Rep: Reputation: Disabled
(fixed)

Looks like the ^ (reflecting a space) was the problem. I adjusted the setting with
# /opt/pbis/bin/config RequireMembershipOf "<DOMAIN>\\domain^admins"

and I was able to log into the box via SSH.

Thanks for the sounding board guys.
 
1 members found this post helpful.
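The comparison bluhat worked through by hand in posts #8 and #9, as an added example (not part of the thread and not PBIS code): each RequireMembershipOf entry is checked against the names `getent group` returns, and an entry that only differs by the `^` space replacement or letter case is reported together with the spelling the system uses. The `EXAMPLE` domain, the GIDs and the `helpdesk` group are constructed placeholders, and the folding rule is this example's heuristic for finding candidates, not PBIS's own matching logic.

```shell
#!/bin/sh
# Added example: compare RequireMembershipOf entries with getent's spelling.

# Constructed sample in `getent group` format (name:x:gid:members).
SAMPLE_GETENT='root:x:0:
sudo:x:27:
EXAMPLE\domain^users:x:135791704:
EXAMPLE\domain^admins:x:135791705:'

# Fold a name for candidate lookup: lower-case, drop "^" and spaces.
# Heuristic of this example only (assumption), not how PBIS compares names.
fold_name() {
    printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | tr -d '^ '
}

# check_entry ENTRY GETENT_TEXT
# Prints "ok NAME", "mismatch NAME" (NAME as getent spells it) or "unknown".
check_entry() {
    entry=$1
    folded_entry=$(fold_name "$entry")
    result=unknown
    # The first colon-separated field is the name the system resolves.
    names=$(printf '%s\n' "$2" | cut -d: -f1)
    while IFS= read -r name; do
        [ -n "$name" ] || continue
        if [ "$name" = "$entry" ]; then
            result="ok $name"
            break
        elif [ "$(fold_name "$name")" = "$folded_entry" ]; then
            result="mismatch $name"
        fi
    done <<EOF
$names
EOF
    printf '%s\n' "$result"
}

# Demo on the constructed data: one entry without "^", one exact, one absent.
# Single quotes keep the backslash literal, so one "\" is enough here.
for e in 'EXAMPLE\DomainUsers' 'EXAMPLE\domain^admins' 'EXAMPLE\helpdesk'; do
    printf '%-26s -> %s\n' "$e" "$(check_entry "$e" "$SAMPLE_GETENT")"
done
```

On a real host, pass `"$(getent group)"` as the second argument and take the entries from the `config --details RequireMembershipOf` output shown in post #8.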
Old 07-12-2017, 02:27 AM   #10
pan64
LQ Addict
 
Registered: Mar 2012
Location: Hungary
Distribution: debian/ubuntu/suse ...
Posts: 21,838

Rep: Reputation: 7308
Great!
If you think your problem is solved please mark the thread solved.
If you want to say thanks just click on yes.
 
1 members found this post helpful.
  

