  #1  
09-29-2009, 12:58 PM
jimbobmcgee
Registered User
 
Join Date: Apr 2005
Posts: 21
VShell resolving COMPUTER\Administrator instead of DOMAIN\Administrator

I am using VShell v3.5.0 x64 (build 351) and have configured the necessary access control to allow Domain Admins to access the server via SFTP.

However, I am currently unable to authenticate any domain user that has the same name as a local user, because VShell tries to match to the local user. Since the local users are not included in the access control, I am unable to log in with the valid domain 'Administrator' credentials.

Is there a way to force VShell to resolve the domain usernames over the local ones?

Code:
19:35:53,conn,00003: Connection accepted from 192.168.100.164:62156
19:35:54,auth,00003: Client specified username Administrator, resolved as TEST-SRV01\Administrator
19:35:54,auth,00003: none for user TEST-SRV01\Administrator rejected because it is unavailable
19:35:55,auth,00003: Received unsigned public key; checking authorization (fingerprint: ...)
19:35:55,auth,00003: Searching 'E:\SFTP\Home Folders\Administrator\PublicKey' for matching public key
19:35:55,auth,00003: 'id_dsa.pub' contains matching public key for user TEST-SRV01\Administrator
19:35:56,auth,00003: Received signed public key; attempting authentication (fingerprint: ...)
19:35:56,auth,00003: Searching 'E:\SFTP\Home Folders\Administrator\PublicKey' for matching public key
19:35:56,auth,00003: 'id_dsa.pub' contains matching public key for user TEST-SRV01\Administrator
19:35:58,auth,00003: Couldn't use kerberos protocol transition for TEST-SRV01\Administrator: UPN (user@dns.domain) not available 
19:35:58,auth,00003: Login access denied for user TEST-SRV01\Administrator
19:35:58,conn,00003: The transport was aborted with a disconnect packet: Disconnected by application. No supported authentication methods available 
...
19:38:54,conn,00006: Connection accepted from 192.168.100.164:64640
19:38:54,auth,00006: Client specified username testuser01, resolved as TEST-DOMAIN\testuser01
19:38:54,auth,00006: none for user TEST-DOMAIN\testuser01 rejected because it is unavailable
19:38:56,auth,00006: Received unsigned public key; checking authorization (fingerprint: ...)
19:38:56,auth,00006: Searching 'E:\SFTP\Home Folders\testuser01\PublicKey' for matching public key
19:38:56,auth,00006: 'id_dsa.pub' contains matching public key for user TEST-DOMAIN\testuser01
19:38:57,auth,00006: Received signed public key; attempting authentication (fingerprint: 52:97:ef:c8:cd:5e:3d:bd:8b:60:94:c8:80:06:23:13)
19:38:57,auth,00006: Searching 'E:\SFTP\Home Folders\testuser01\PublicKey' for matching public key
19:38:57,auth,00006: 'id_dsa.pub' contains matching public key for user TEST-DOMAIN\testuser01
19:38:57,auth,00006: Using kerberos protocol transition to obtain a token for TEST-DOMAIN\testuser01
19:38:57,auth,00006: publickey for user TEST-DOMAIN\testuser01 accepted
19:38:57,conn,00006: Session channel open request accepted
19:38:57,conn,00006: Received request to start subsystem sftp (Built-in Subsystem)
19:38:57,sftp,00006: SFTP subsystem initialized; remote version is 5
19:38:57,sftp,00006: Sending VERSION packet to remote (5)
19:38:57,auth,00006: Using home directory 'E:\SFTP\Home Folders\testuser01\' for user TEST-DOMAIN\testuser01
  #2  
09-29-2009, 02:56 PM
rtb
VanDyke Technical Support
 
Join Date: Aug 2008
Posts: 4,306
Hi jimbobmcgee,

It is not currently possible to force the order of precedence for authentication. It would be incumbent on the client to scope the username if they don't want to use a local account, or the server admin to ensure that duplicate local and domain accounts do not exist. Since there are scenarios where one would need both a local and domain account, the user should probably be the one to scope the account.

For example:
domain\user (if client is running within a UNIX shell, you'll likely need to use two "\" characters, e.g. domain\\user)
I have created a feature request on your behalf in our VShell development database to add the ability to specify the order of precedence where user accounts are concerned.

Should a future release of VShell have this capability, we will post to this forum thread. If you would like to be notified directly, please send an email to support@vandyke.com with a subject of Feature Request in Forum Thread #4052.
__________________
--Todd

VanDyke Software
Technical Support
support@vandyke.com
505-332-5730

Last edited by rtb; 09-30-2009 at 12:57 PM.
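To spot the behaviour discussed above in the server log, here is an added Python example (not VShell's own tooling and not from the thread): it parses the "Client specified username X, resolved as Y\X" lines in the format shown in the first post and flags connections where an unqualified username was resolved to the VShell host's own local account, correlating each with a later "Login access denied" line by connection id. The sample log lines and the host name TEST-SRV01 are constructed to match the thread's format.

```python
import re

# Constructed sample of VShell log lines in the format shown in the thread
# (timestamps, connection ids and the host name are made up for this example).
SAMPLE_LOG = r"""
19:35:54,auth,00003: Client specified username Administrator, resolved as TEST-SRV01\Administrator
19:35:58,auth,00003: Login access denied for user TEST-SRV01\Administrator
19:38:54,auth,00006: Client specified username testuser01, resolved as TEST-DOMAIN\testuser01
19:38:57,auth,00006: publickey for user TEST-DOMAIN\testuser01 accepted
19:40:10,auth,00007: Client specified username TEST-DOMAIN\Administrator, resolved as TEST-DOMAIN\Administrator
19:40:12,auth,00007: publickey for user TEST-DOMAIN\Administrator accepted
"""

# "<time>,auth,<conn>: Client specified username <requested>, resolved as <scope>\<account>"
RESOLVED_RE = re.compile(
    r"^(?P<time>[\d:]+),auth,(?P<conn>\d+): Client specified username "
    r"(?P<requested>\S+), resolved as (?P<scope>[^\\]+)\\(?P<account>\S+)$"
)
DENIED_RE = re.compile(r"^[\d:]+,auth,(?P<conn>\d+): Login access denied for user ")


def find_local_shadowing(log_text, server_name):
    """Return one finding per connection where an unqualified username was
    resolved to an account on the VShell host itself (server_name\\user),
    i.e. where a local account shadowed a same-named domain account."""
    denied = set()        # connection ids that ended in "Login access denied"
    resolutions = {}      # connection id -> parsed resolution line
    for line in log_text.splitlines():
        m = DENIED_RE.match(line)
        if m:
            denied.add(m.group("conn"))
            continue
        m = RESOLVED_RE.match(line)
        if m:
            resolutions[m.group("conn")] = m.groupdict()

    findings = []
    for conn, r in resolutions.items():
        # A client that already scoped the name (DOMAIN\user) is not ambiguous.
        unqualified = "\\" not in r["requested"]
        if unqualified and r["scope"].upper() == server_name.upper():
            findings.append({
                "conn": conn,
                "user": r["account"],
                "resolved_as": r["scope"] + "\\" + r["account"],
                "denied": conn in denied,
            })
    return findings
```

Run against a real VShell log with the server's actual computer name; connections listed with "denied" set are the ones where the local account blocked a domain user with the same name.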
  #3  
09-30-2009, 03:21 AM
jimbobmcgee
Registered User
 
Join Date: Apr 2005
Posts: 21
Prefixing the account should be sufficient given the number of times I am expecting the Administrator account to be used -- everyone has named domain accounts in the production domain anyway, it's just in the test domain where this might be a problem.

Thanks.

J.