Domain user authentication fails with Connection Reset by Peer #1363


Closed
oulman opened this issue Apr 8, 2019 · 11 comments


oulman commented Apr 8, 2019

Please answer the following

"OpenSSH for Windows" version
7.7.2.1

Server OperatingSystem
Windows Server 2019 Datacenter

Client OperatingSystem
Windows Server 2019 Datacenter, Ubuntu 18.04

What is failing

When trying to authenticate using a domain account the remote server drops the connection with a 'Connection reset by peer' error.

When using a local account I am able to login successfully.

I've changed the user and hostnames in the log but have other details attached to a Premier support case: 119030426002038.

Expected output

Successful authentication for domain accounts.

Actual output

The server returns a 'Connection reset by peer' error.

When I look in Event Viewer > Applications and Services logs > OpenSSH > Admin I see two events.

  1. Level = Critical, Source = OpenSSH, EventId = 1, Text = "sshd: fatal: ga_init, unable to resolve user contoso\domainuser"
  2. Level = Error, Source = OpenSSH, EventId = 2, Text = "sshd: error: get_user_token - unable to generate token on 2nd attempt for user contoso\domainuser"

I'm attaching the output of ssh -v from a client.
ssh-dash-v.txt

Thank you.


oulman commented Apr 8, 2019

I found the issue. Due to regulatory requirements, we restrict general domain access to view group membership. I tracked down the event IDs to the following ga_init() which returns this error when it can't enumerate group membership. Adding the permissions to the computer object in our AD resolved the problem.

It would be great if the error message was more descriptive, that it's having trouble resolving groups, not just some generic 'user' error.

https://github.com/PowerShell/openssh-portable/blob/afe4880c3781dfe12ad3a51a57eecfbee8161c8a/contrib/win32/win32compat/win32_groupaccess.c#L214

@oulman oulman closed this as completed Apr 8, 2019

stefanisti commented Nov 4, 2019

> I found the issue. Due to regulatory requirements, we restrict general domain access to view group membership. I tracked down the event IDs to the following ga_init() which returns this error when it can't enumerate group membership. Adding the permissions to the computer object in our AD resolved the problem.
>
> It would be great if the error message was more descriptive, that it's having trouble resolving groups, not just some generic 'user' error.
>
> https://github.com/PowerShell/openssh-portable/blob/afe4880c3781dfe12ad3a51a57eecfbee8161c8a/contrib/win32/win32compat/win32_groupaccess.c#L214

Thanks for this reply! It helped me solve the same issue (sshd: fatal: ga_init, unable to resolve user org\username where my client said "Connection reset by port 22"). After allowing a non-starting Windows 10 system to reinstall Windows and lose all my settings my user still had domain credential permission cached so I could log in as my domain user to Windows. I had put standard DNS servers (8.8.8.8, 4.2.2.4) in when I set my static IP instead of putting in my organization's domain controller IPs. Because of that even though my Windows domain login worked, the ssh login wouldn't. All I had to do was set my network settings so that the 2 DNS servers were correct for my organization's domain controllers and bingo, ssh login works. I wouldn't have figured that out without this post.


adotka commented Jan 22, 2020

@oulman

> Adding the permissions to the computer object in our AD resolved the problem.

Hi James,
I am stuck with the same problem (ssh connections being reset, "ga_init, unable to resolve user" in event log) and do not quite understand your solution.

Can you suggest how exactly do I add said permissions?

Many thanks in advance!


oulman commented Jan 23, 2020

> @oulman
>
> > Adding the permissions to the computer object in our AD resolved the problem.
>
> Hi James,
> I am stuck with the same problem (ssh connections being reset, "ga_init, unable to resolve user" in event log) and do not quite understand your solution.
>
> Can you suggest how exactly do I add said permissions?
>
> Many thanks in advance!

We have a group that grants 'read all properties' on objects in OUs with our users/groups. For systems that need SSHd we put the computer objects in this group (don't forget to reboot to pick up the new group membership).

If you don't have any restrictive permissions in your domain, verify that you're able to talk to AD and authenticate (nltest, klist, etc.) - you could have a problem like @stefanisti found.
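An added triage script for the checks described in this answer (not code from the thread or from openssh-portable): it pulls the two OpenSSH/Admin events listed in the issue, runs the nltest checks, and lists which ACEs on the user object grant ReadProperty to this computer account or to a group it belongs to. It assumes it runs on the sshd host in an elevated session with RSAT's ActiveDirectory module; `$Domain` and `$UserName` are placeholders.

```powershell
# Added example, not code from the thread or from openssh-portable.
# Run on the sshd host, elevated, with the RSAT ActiveDirectory module installed.
Import-Module ActiveDirectory
$Domain   = 'contoso.com'   # placeholder: your AD DNS domain
$UserName = 'domainuser'    # placeholder: sAMAccountName that fails to log in

# 1. The two events the issue describes: ID 1 (ga_init) and ID 2 (get_user_token).
Get-WinEvent -LogName 'OpenSSH/Admin' -MaxEvents 100 -ErrorAction SilentlyContinue |
    Where-Object { $_.Id -in 1, 2 -and $_.Message -match 'ga_init|get_user_token' } |
    Select-Object TimeCreated, Id, Message | Format-List

# 2. DC discovery and the machine's secure channel. In stefanisti's case the host
#    pointed at public DNS servers, so no DC could be located although the cached
#    interactive logon still worked.
nltest /dsgetdc:$Domain
nltest /sc_query:$Domain

# 3. Which ACEs on the user object grant ReadProperty to this computer account,
#    directly or through one of its groups (oulman's 'read all properties' group).
$me     = Get-ADComputer -Identity $env:COMPUTERNAME
$user   = Get-ADUser -Identity $UserName
$mySids = @($me.SID.Value) +
          @(Get-ADPrincipalGroupMembership -Identity $me | ForEach-Object { $_.SID.Value }) +
          @('S-1-5-11', 'S-1-1-0')   # Authenticated Users, Everyone
$acl      = Get-Acl -Path ("AD:\" + $user.DistinguishedName)
$readProp = [int][System.DirectoryServices.ActiveDirectoryRights]::ReadProperty
# Ask for SID-typed identities so the comparison does not depend on name translation.
$grants = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.ActiveDirectoryRights) -band $readProp) -ne 0 -and
        $_.IdentityReference.Value -in $mySids
    }
if ($grants) {
    $grants | Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, IsInherited |
        Format-Table -AutoSize
} else {
    Write-Warning "No ACE grants ReadProperty on $($user.DistinguishedName) to $($me.SamAccountName) or its groups."
}
```

If step 3 reports a grant through a group that the host was added to recently, the computer's token only includes it after a reboot, as the answer above notes.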


adotka commented Jan 25, 2020

Thank you, James! You helped me a lot to move further, although my case seems to be different. Checking effective access shows that the computer account has right to "Read all properties" on OU, where all users and groups reside, and AD indeed can be contacted from the computer. It seems that the problem is caused by Samba4 that runs my domain. It is built with default Heimdal Kerberos implementation, which does not support S4U and I am seeing "sshd: debug1: generate_s4u_user_token: LsaLogonUser() failed. User 'simpsons\anton' Status: 0xC000009A SubStatus 0." errors in Debug log.

> We have a group that grants 'read all properties' on objects in OUs with our users/groups. For systems that need SSHd we put the computer objects in this group (don't forget to reboot to pick up the new group membership).
>
> If you don't have any restrictive permissions in your domain, verify that you're able to talk to AD and authenticate (nltest, klist, etc.) - you could have a problem like @stefanisti found.


xf6jx5fq commented Mar 7, 2020

@oulman
I have the same issue as you had. But the difference is I don't have access to AD to add the required permission: is there a way to just connect to my laptop using ssh and my AD login without having to modify and add that permission?


shawnz commented Jul 28, 2020

Same here, I am not able to change the problematic settings in AD. Is there any other workaround?

@I1eoThe0ne

@oulman Thanks for providing a solution hint.
It seems we have the same issue (same messages in the log)

What is your solution - it seems you changed part of the OpenSSH-Server - since this piece of code is within the project.
On the other hand in the code I see searching for AD-Groups.

Can you clarify a bit more - for people who don't have a strong Active-Directory-Administration background?
Would be appreciated a lot ;)


oulman commented Jul 1, 2021

@I1eoThe0ne check my response above. In our environment we effectively granted the computer object 'read all properties' on the users logging in with ssh. Others in the thread have indicated other issues talking to AD will generate similar errors.

> > @oulman
> >
> > > Adding the permissions to the computer object in our AD resolved the problem.
> >
> > Hi James,
> > I am stuck with the same problem (ssh connections being reset, "ga_init, unable to resolve user" in event log) and do not quite understand your solution.
> > Can you suggest how exactly do I add said permissions?
> > Many thanks in advance!
>
> We have a group that grants 'read all properties' on objects in OUs with our users/groups. For systems that need SSHd we put the computer objects in this group (don't forget to reboot to pick up the new group membership).
>
> If you don't have any restrictive permissions in your domain, verify that you're able to talk to AD and authenticate (nltest, klist, etc.) - you could have a problem like @stefanisti found.

#1363 (comment)

@I1eoThe0ne

@oulman thank you for pointing again how to solve the issue.

**For all who like / need a detailed step-by-step how-to here is what you do :

Open ActiveDirectory > User > Properties > Add > (OpenSSH)Server > Read (is already checked after adding)**

In case a picture helps you also visit https://serverfault.com/questions/1067665/unable-to-ssh-into-windows-domain-server-using-domain-user/
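The PowerShell equivalent of the ADUC steps above, as an added example (not code from the thread or from openssh-portable): it grants the sshd host's computer account Read on a single user object, which is the narrowest form of the fix, and can be pointed at the users' OU with inheritance instead, which is what oulman's group-based grant amounts to. It assumes a domain admin session with RSAT's ActiveDirectory module; `$SshHost`, `'domainuser'` and the OU DN are placeholders.

```powershell
# Added example, not code from the thread or from openssh-portable.
# Run as a domain admin with the RSAT ActiveDirectory module installed.
Import-Module ActiveDirectory
$SshHost  = 'SSHHOST01'                                               # placeholder: sshd host name
$TargetDN = (Get-ADUser -Identity 'domainuser').DistinguishedName     # placeholder: one user object
$Inherit  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None
# To cover every user under an OU instead, use the OU's DN and inherit to descendants:
#   $TargetDN = 'OU=Staff,DC=contoso,DC=com'     # placeholder OU
#   $Inherit  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

$computer = Get-ADComputer -Identity $SshHost
$path     = "AD:\" + $TargetDN
$acl      = Get-Acl -Path $path

# ADUC's "Read" checkbox is GenericRead: read all properties, list contents, read permissions.
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $computer.SID,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericRead,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $Inherit)
$acl.AddAccessRule($rule)
Set-Acl -Path $path -AclObject $acl

# Verify the ACE is present for the computer account (shown as DOMAIN\SSHHOST01$).
(Get-Acl -Path $path).Access |
    Where-Object { $_.IdentityReference -like "*\$($computer.SamAccountName)" } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, InheritanceType
```

A direct ACE takes effect on the next sshd logon attempt; only when the grant goes through a group the host was just added to, as in oulman's setup, does the host need a reboot so its token includes that group.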


nedy13 commented Oct 19, 2023

If you are not a company admin which can administer the AD, then you have lost?!

In my case I want to login to my company's personal computer with SSH with my domain user. You need the rights to read my user account in the AD? Who has the rights....me. So I used my user as service account for the "OpenSSH Server" service, but then I had the issue that the service is not starting.

Solution: #1824 (comment)

After adding my domain user to these two security policies, you can start the OpenSSH Server service.

Log in from another machine with: ssh -l user@domain 123.456.789.123
works...

Short hint for all who have the same issue.
