Comment 11 for bug 567473

James Stuart (james-stuart) wrote :

I can confirm this issue on both server and desktop. After upgrading from 9.04 to 9.10 to 10.04, I was unable to log in using domain credentials via SSH. SFTP worked fine.

The issue was resolved, at least for me, by fixing a problem in /etc/security/group.conf. I was using group.conf to add system groups to domain users and, during the upgrade, some of the system groups went away. After removing the groups that were no longer present on the system (in my case vboxusers) SSH logins were possible using domain users.

My authlog looked something like this:

pam_krb5(sshd:auth): user user authenticated as user@DOMAIN
Accepted keyboard-interactive/pam for user from 123.123.123.123 port 41388 ssh2
pam_group(sshd:setcred): bad group: vboxusers
pam_unix(sshd:session): session opened for user user by (uid=0)
pam_group(sshd:setcred): bad group: vboxusers
fatal: login_get_lastlog: Cannot find account for uid 123456789
pam_unix(sshd:session): session closed for user user
syslogin_perform_logout: logout() returned an error

After fixing the group problem:

pam_krb5(sshd:auth): user user authenticated as user@DOMAIN
Accepted keyboard-interactive/pam for user from 123.123.123.123 port 55842 ssh2
pam_unix(sshd:session): session opened for user user by (uid=0)

In theory, this should fail much more gracefully than just preventing domain logins.

I hope this helps...
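
The following is an added example, not part of the original comment: a pre-upgrade or post-upgrade check that lists every group named in /etc/security/group.conf that no longer resolves on the system, which is the condition behind the "bad group" lines above. It assumes pam_group's documented rule layout (services;ttys;users;times;groups); the function names and the sample rules are constructed for illustration.

```python
import grp
import sys

def parse_group_conf(text):
    """Yield (line_no, groups) per rule; groups is None for a malformed rule."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split(";")
        if len(fields) != 5:
            yield line_no, None
            continue
        # Fifth field: comma- or space-separated groups granted to the user.
        yield line_no, fields[4].replace(",", " ").split()

def system_group_exists(name):
    """True if the name resolves through NSS (local files, LDAP, winbind, ...)."""
    try:
        grp.getgrnam(name)
        return True
    except KeyError:
        return False

def stale_groups(text, exists=system_group_exists):
    """Return [(line_no, group)] for groups that do not resolve.
    group is None when the rule itself is malformed."""
    findings = []
    for line_no, groups in parse_group_conf(text):
        if groups is None:
            findings.append((line_no, None))
        else:
            findings.extend((line_no, g) for g in groups if not exists(g))
    return findings

# Constructed sample, not taken from the reporter's system.
SAMPLE = """\
# services;ttys;users;times;groups
sshd;*;*;Al0000-2400;audio,vboxusers
*;*;*;Al0000-2400;cdrom plugdev
"""

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/security/group.conf"
    with open(path) as fh:
        found = stale_groups(fh.read())
    for line_no, group in found:
        print(f"{path}:{line_no}: {'malformed rule' if group is None else 'bad group: ' + group}")
    sys.exit(1 if found else 0)
```

Run it with no arguments to check the live file; a non-zero exit status means at least one rule needs attention before relying on domain logins.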