I can confirm this issue on both server and desktop. After upgrading from 9.04 to 9.10 to 10.04, I was unable to login using domain credentials via SSH. SFTP worked fine.
The issue was resolved, at least for me, by fixing a problem in /etc/security/group.conf. I was using group.conf to add system groups to domain users and, during the upgrade, some of the system groups went away. After removing the groups that were no longer present on the system (in my case vboxusers) SSH logins were possible using domain users.
My authlog looked something like this:
pam_krb5(sshd:auth): user user authenticated as user@DOMAIN
Accepted keyboard-interactive/pam for user from 123.123.123.123 port 41388 ssh2
pam_group(sshd:setcred): bad group: vboxusers
pam_unix(sshd:session): session opened for user user by (uid=0)
pam_group(sshd:setcred): bad group: vboxusers
fatal: login_get_lastlog: Cannot find account for uid 123456789
pam_unix(sshd:session): session closed for user user
syslogin_perform_logout: logout() returned an error
After fixing the group problem:
pam_krb5(sshd:auth): user user authenticated as user@DOMAIN
Accepted keyboard-interactive/pam for user from 123.123.123.123 port 55842 ssh2
pam_unix(sshd:session): session opened for user user by (uid=0)
In theory, this should fail much more gracefully than just preventing domain logins.
I can confirm this issue on both server and desktop. After upgrading from 9.04 to 9.10 to 10.04, I was unable to login using domain credentials via SSH. SFTP worked fine.
The issue was resolved, at least for me, by fixing a problem in /etc/security/ group.conf. I was using group.conf to add system groups to domain users and, during the upgrade, some of the system groups went away. After removing the groups that were no longer present on the system (in my case vboxusers) SSH logins were possible using domain users.
My authlog looked something like this:
pam_krb5( sshd:auth) : user user authenticated as user@DOMAIN interactive/ pam for user from 123.123.123.123 port 41388 ssh2 sshd:setcred) : bad group: vboxusers sshd:session) : session opened for user user by (uid=0) sshd:setcred) : bad group: vboxusers sshd:session) : session closed for user user perform_ logout: logout() returned an error
Accepted keyboard-
pam_group(
pam_unix(
pam_group(
fatal: login_get_lastlog: Cannot find account for uid 123456789
pam_unix(
syslogin_
After fixing the group problem:
pam_krb5( sshd:auth) : user user authenticated as user@DOMAIN interactive/ pam for user from 123.123.123.123 port 55842 ssh2 sshd:session) : session opened for user user by (uid=0)
Accepted keyboard-
pam_unix(
In theory, this should fail much more gracefully than just preventing domain logins.
I hope this helps...