Question & Answer
Question
Why do remote hosts close the SSH connection for some user IDs?
Answer
For a user ID that has both a local and an LDAP account, not only the UID/GID but also the local and LDAP group names must match. Otherwise, SSH will fail for security reasons. SSH wants the local user and the LDAP user to be identical. Having consistent UID and GID numbers across multiple AIX servers is considered best practice.
# lsuser testUser
testUser id=12345 pgrp=system groups=system,staff .......
# lsuser testUser
testUser id=12345 pgrp=staff groups=system,staff,accounting …………
# lsldap -a group <primary group name for local/LDAP user account ex:staff>
Delete the local account on the failing system to remove the conflict between the local and LDAP accounts' UID/GID and group names.
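One way to spot the mismatch described above before deleting anything, as an added example that is not part of the original technote: the script compares two lines in lsuser output format and reports each attribute that differs. The function names and the sample lines are constructed for illustration; it checks the UID (id), the primary group name (pgrp) and the group set, not the numeric GIDs.

```shell
#!/bin/sh
# Added example: compare a local and an LDAP account definition given as
# lsuser-style lines ("name attr=value attr=value ...").

# get_attr LINE ATTR: print the value of ATTR, or nothing if it is absent.
get_attr() {
    for tok in $1; do
        case "$tok" in
            "$2"=*) printf '%s\n' "${tok#*=}"; return 0 ;;
        esac
    done
    return 0
}

# sorted_groups LINE: print the groups list sorted, so order does not matter.
sorted_groups() {
    get_attr "$1" groups | tr ',' '\n' | sort | paste -sd, -
}

# compare_accounts LOCAL_LINE LDAP_LINE
# Prints one line per mismatch; returns 0 only if id, pgrp and groups agree.
compare_accounts() {
    rc=0
    for attr in id pgrp; do
        l=$(get_attr "$1" "$attr")
        d=$(get_attr "$2" "$attr")
        if [ "$l" != "$d" ]; then
            echo "MISMATCH $attr: local=$l ldap=$d"
            rc=1
        fi
    done
    l=$(sorted_groups "$1")
    d=$(sorted_groups "$2")
    if [ "$l" != "$d" ]; then
        echo "MISMATCH groups: local=$l ldap=$d"
        rc=1
    fi
    return $rc
}

# Constructed sample lines modelled on the lsuser output shown above.
LOCAL_LINE='testUser id=12345 pgrp=system groups=system,staff'
LDAP_LINE='testUser id=12345 pgrp=staff groups=system,staff,accounting'

compare_accounts "$LOCAL_LINE" "$LDAP_LINE" ||
    echo "testUser: local and LDAP definitions differ"
```

On AIX the two input lines could be taken from `lsuser -R files -a id pgrp groups testUser` and `lsuser -R LDAP -a id pgrp groups testUser`, assuming the LDAP load module is named LDAP on the system.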
SUPPORT:
If additional assistance is required after completing all of the instructions provided in this document, please follow the step-by-step instructions below to contact IBM to open a case for software under warranty or with an active and valid support contract. The technical support specialist assigned to your case will confirm that you have completed these steps.
a. Document and/or take screen shots of all symptoms, errors, and/or messages that might have occurred
b. Capture any logs or data relevant to the situation.
c. Contact IBM to open a case:
-For electronic support, please visit the IBM Support Community:
https://www.ibm.com/mysupport
-If you require telephone support, please visit the web page:
https://www.ibm.com/planetwide/
d. Provide a good description of your issue and reference this technote
e. Upload all of the details and data to your case
-You can attach files to your case in the IBM Support Community
-Or Upload data to IBM testcase server analysis:
http://www.ibm.com/support/docview.wss?uid=ibm10733581
Document Information
Modified date:
26 November 2019
UID
ibm11110057