Hi Sean! On Fri, 12 Feb 2010, Sean Carolan wrote: > > Is "invalid user" all you're seeing in the log? Generally, at least with > > OpenSSH, if the user is being denied because it's not in a valid group, > > the logs will say so. They'll also generally tell you if it's because it > > couldn't find the user at all (often with exactly what it did to try to > > find the user). > > Here's what I'm seeing: > > Feb 12 16:02:49 watcher sshd[953]: User scarolan from 10.2.3.102 not > allowed because none of user's groups are listed in AllowGroups > > I have UsePAM turned on, and getent group shows me in the "operations" > group. I wonder why sshd is not seeing that I'm in the operations > group? You don't also have the "operations" group defined in LDAP by any chance, do you? If you're going to start mixing local and LDAP stuff that way, you're going to run into some fun-to-debug strangeness if you're not careful about them all being identical. I'm guessing you've also defined the group in LDAP either with different members or a different GID, or that you've done the same with the user.
