AD Account Cannot SSH Through PAM
Article ID: 267626


Products

CA Privileged Access Manager (PAM)

Issue/Introduction

A Linux server has been configured to allow Active Directory users to SSH into it. The account is configured in PAM as an AD account and can verify successfully, but the SSH session in PAM sits for a few seconds before closing and the account becomes locked in Active Directory.

Environment

Privileged Access Manager, all versions

Cause

When /var/log/secure on the Linux server was reviewed, the following errors were logged at the time of the SSH attempt.

2023-06-08T10:51:30 linuxhost sshd[pid]: User pamaduser from pamhost.domain.com not allower because none of the user's groups are listed in AllowGroups
2023-06-08T10:51:30 linuxhost sshd[pid]: input_userauth_request: invalid user pamaduser
2023-06-08T10:51:30 linuxhost sshd[pid]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=pamhost.domain.com user=pamaduser
2023-06-08T10:51:30 linuxhost sshd[pid]: pam_krb5[pid]: authentication fails for 'pamaduser' ([email protected]): User not known to the underlying authentication module (Clients credentials have been revoked)

Resolution

The AllowGroups directive in /etc/ssh/sshd_config restricts SSH logins to members of the listed groups; any user whose groups are not listed is denied before authentication completes. Add the AD user's group(s) to the AllowGroups list in sshd_config so the PAM session is permitted.
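As an added illustration (not part of this KB article), the following POSIX shell check reproduces sshd's AllowGroups decision for a user against an sshd_config file, so an administrator can confirm a fix before retrying a login and triggering further AD lockout counts. The config path, the user name and the optional group list (used to run the check offline) are constructed assumptions.

```shell
#!/bin/sh
# Added diagnostic, not from the KB article: does USER satisfy AllowGroups in CONFIG?
# Usage: allowgroups_check /etc/ssh/sshd_config pamaduser
#        allowgroups_check CONFIG USER "group1 group2"   (hypothetical offline group list)
# Limitations: Match blocks are ignored and group names containing spaces are not handled.

# Every AllowGroups value in the file. The keyword is case-insensitive, "Keyword=value"
# is accepted like "Keyword value", '#' lines are comments, and several AllowGroups
# lines are concatenated, exactly as sshd treats them.
allowgroups_list() {
    awk '/^[[:space:]]*#/ { next }
         { gsub(/=/, " ") }
         tolower($1) == "allowgroups" { for (i = 2; i <= NF; i++) print $i }' "$1"
}

# Groups of the user, one per line. For AD accounts this goes through NSS (sssd/winbind);
# a third argument overrides the lookup so the check can run without a domain join.
user_groups() {
    if [ -n "$2" ]; then printf '%s\n' $2; else id -Gn "$1" | tr ' ' '\n'; fi
}

# Returns 0 (allowed) or 1 (denied, the "none of the user's groups are listed" case).
allowgroups_check() {
    config=$1; user=$2; override=$3
    allowed=$(allowgroups_list "$config")
    if [ -z "$allowed" ]; then
        echo "no AllowGroups directive: sshd does not restrict logins by group"
        return 0
    fi
    for g in $(user_groups "$user" "$override"); do
        for a in $allowed; do
            # AllowGroups entries are patterns (* and ? wildcards), so match as a sh pattern.
            case "$g" in $a) echo "allowed: group '$g' matches AllowGroups entry '$a'"; return 0 ;; esac
        done
    done
    echo "denied: none of the user's groups are listed in AllowGroups"
    return 1
}
```

After editing sshd_config, sshd must be reloaded for a changed AllowGroups list to take effect, and running the check first avoids another failed attempt being counted against the AD account.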