This article provides commands to help diagnose problems with AD authentication on the QAS client.
User is unable to login.
Authentication fails for users.
User or users cannot login or logon
Won't allow login.
1 - Can you list the user?
/opt/quest/bin/vastool list user <username>
If you cannot list the account, it may be missing the User Principal Name (UPN) or a Unix attribute.
The UPN must be filled out: in Active Directory Users and Computers, open the properties of the user's account, go to the Account tab and make sure the User logon name is filled in.
2 - Is the user recognized as a QAS user?
If all the Unix properties and the UPN are filled out, the command below reports that the user is a QAS user.
/opt/quest/bin/vastool isvas user <username>
If QAS reports that the account is both a system account and a QAS user, then only the local account will be asked for. If you are not using a mapped users file, you should delete the local user and use OAT to migrate file permissions to the AD account.
If it fails and says the account is not a QAS user or a system account, then check that the following AD attributes are filled out:
/opt/quest/bin/vastool -u host/ attrs <username> userPrincipalName
/opt/quest/bin/vastool -u host/ attrs <username> uidNumber
/opt/quest/bin/vastool -u host/ attrs <username> gidNumber
/opt/quest/bin/vastool -u host/ attrs <username> unixHomeDirectory
/opt/quest/bin/vastool -u host/ attrs <username> loginShell
Please note: if -u host/ does not work, use -u <AD user>.
3 - Is the account in an access control group?
/opt/quest/bin/vastool user checkaccess <username>
Does it report allowed?
Does it report WARNING: NSS lookup (getgrgid) for this user's primary group ID failed? If yes, on AIX login will fail until the user's primary GID resolves to a name.
If yes, list the group:
/opt/quest/bin/vastool list group <groupname>
Did it show the user as a member of the group?
4 - Does the second field from the nss command show VAS?
/opt/quest/bin/vastool nss getpwnam <username>
If not, there is probably a conflict with a local account. grep /etc/passwd and grep /etc/passwd
5 - Are you able to authenticate to QAS with the auth command?
/opt/quest/bin/vastool -u <username> auth
If the auth command succeeds, troubleshoot further by narrowing down which method of authentication is failing: sshd, su, telnet, ftp, or other.
If only the sshd method is failing, please read Knowledge Article 25951.
Does the following succeed or fail?
/opt/quest/bin/vastool user checklogin -s ssh
If the auth command fails, then search for the error in our knowledge base. Also continue on to step 6.
6 - Is QAS in a healthy state?
All messages are of the form:
Look for critical and failure messages, as these are the ones that could stop authentication.
Search our Knowledge Base on the Support Portal for the message you receive for more information on it.
7 - Please review the syslog data (usually in /var/log on Linux) for the username to find the error messages. To find the name of the file it is logging to, examine the /etc/syslog.conf file for an auth (authpriv on Linux) entry.
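Steps 1 to 4 and the syslog.conf lookup from step 7 can be scripted. The following is an added example, not part of the original article or of the QAS tooling; the function names are hypothetical and it assumes vastool exits non-zero when a check fails. Step 5 is left out because it needs the user's password.

```sh
#!/bin/sh
# Added example (not Quest code). Function names are hypothetical.
# Assumption: vastool exits non-zero when a check fails.
VASTOOL=${VASTOOL:-/opt/quest/bin/vastool}

# Step 4: succeed only if the second field of a passwd-style line is "VAS".
nss_is_vas() {
    printf '%s\n' "$1" | awk -F: 'NR == 1 { ok = ($2 == "VAS") } END { exit !ok }'
}

# Step 7: read syslog.conf on stdin (or from a file argument) and print the
# targets of entries that name the auth or authpriv facility explicitly.
auth_log_files() {
    awk '
        NF < 2 || $1 ~ /^#/ { next }          # skip blank lines and comments
        {
            n = split($1, sel, ";")           # selectors: fac[,fac].prio;...
            for (i = 1; i <= n; i++) {
                split(sel[i], fp, ".")        # fp[1] = facilities, fp[2] = priority
                if (fp[2] != "none" && ("," fp[1] ",") ~ /,auth(priv)?,/) {
                    f = $NF; sub(/^-/, "", f) # drop a leading "-" from the target
                    print f; break
                }
            }
        }' "$@"
}

# Steps 1-4 in order. Returns the number of the first failing step, 0 if none.
qas_first_failure() {
    user=$1
    "$VASTOOL" list user "$user" >/dev/null 2>&1        || return 1
    "$VASTOOL" isvas user "$user" >/dev/null 2>&1       || return 2
    "$VASTOOL" user checkaccess "$user" >/dev/null 2>&1 || return 3
    nss_is_vas "$("$VASTOOL" nss getpwnam "$user" 2>/dev/null)" || return 4
    return 0
}

# Stand-alone use: pass the username as the first argument.
if [ $# -gt 0 ]; then
    rc=0; qas_first_failure "$1" || rc=$?
    echo "first failing step for $1: $rc (0 = steps 1-4 passed)"
fi
```

Entries that catch auth messages only through a wildcard facility are not reported by auth_log_files, so check those by hand if it prints nothing.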