issues with Centrify and O365
Dear Centrify experts,
The whole week we have had issues with Centrify and O365:
- "Your password has expired" popup on multiple computers, even for fresh passwords,
- Outlook continues to prompt for credentials on desktop and mobile devices,
Every morning it takes a lot of time till people can start Outlook and reach their mails…
Are there known Centrify sync problems? How can I fix it?
find-generic-password /Active Directory/DOMAINAME Equivalent for Centrify
I am trying to set up a script that requires the computername and Computer Trust password. On a mac that is joined to the domain using the normal Apple method I could use:
security find-generic-password -w -s "/Active Directory/DOMAIN" /Library/Keychains/System.keychain
That would then return the computer trust password for use with my script to send for authentication.
On a Centrify Joined machine there is no /Active Directory key in the keychain.
I found one machine that had the /CentrifyDC application password but the returned password when using that still gives Access Denied so I don't think that is the right password. The /CentrifyDC item isn't showing on all my test macs anyway so that wouldn't be a consistent method even if it worked.
Is there a script string I can run that would return the correct Computer Account Trust Password when joined via Centrify? Thanks!
kinit as service account
I have a 5 node RH cluster & 1 AD. I used centrify express to integrate with AD.
HW distribution.
Enabled kerberos and stored all SPNs on AD by creating a separate OU.
When I try with UPN it just works fine:
[rvchinta@mas1 ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_cdc205522005_Tw5Vfh
Default principal: rvchinta@CHRSV.COM
Valid starting Expires Service principal
05/12/17 10:32:30 05/12/17 20:32:30 krbtgt/CHRSV.COM@CHRSV.COM
renew until 05/19/17 10:32:30
[rvchinta@mas1 ~]$ hdfs dfs -ls /
Found 11 items
drwxrwxrwx - yarn hadoop 0 2017-05-08 21:14 /app-logs
drwxr-xr-x - hdfs hdfs 0 2017-05-08 21:16 /apps
drwxr-xr-x - yarn hadoop 0 2017-05-08 21:01 /ats
drwxr-xr-x - hdfs hdfs 0 2017-05-08 21:02 /hdp
drwxr-xr-x - mapred hdfs 0 2017-05-08 21:02 /mapred
drwxrwxrwx - mapred hadoop 0 2017-05-08 21:02 /mr-history
drwxr-xr-x - hdfs hdfs 0 2017-05-09 13:17 /ranger
drwxrwxrwx - spark hadoop 0 2017-05-12 10:53 /spark-history
drwxrwxrwx - spark hadoop 0 2017-05-12 10:52 /spark2-history
drwxrwxrwx - hdfs hdfs 0 2017-05-12 08:44 /tmp
drwxr-xr-x - hdfs hdfs 0 2017-05-09 10:05 /user
issue is with SPN
[root@mas1 rvchinta]# su hdfs
[hdfs@mas1 rvchinta]$ klist
klist: Credentials cache permissions incorrect while setting cache flags (ticket cache FILE:/tmp/krb5cc_cdc205522005_Tw5Vfh)
[hdfs@mas1 rvchinta]$ kinit -kt /etc/security/keytabs/hdfs.headless.keytab hdfs-hwhc@CHRSV.COM
[hdfs@mas1 rvchinta]$ klist
klist: Credentials cache permissions incorrect while setting cache flags (ticket cache FILE:/tmp/krb5cc_cdc205522005_Tw5Vfh)
[hdfs@mas1 rvchinta]$
how do i address this issue?
Am I missing something?
I currently am using Centrify express with DirectManage Deployment Manager installed on Server 2012 R2 linked to my Domain controller. I am trying to update the agents on my Mac computers (Currently 5.3.0-214) but I am getting an error about my OS revision.
Unknown OS revision 10.12.4
Is there an updated agent that supports this version of Mac OS? If so, how do I get it?
Can I get the Group Policy templates with Centrify express for Linux/Unix?
I am trying to figure out how to do GPO's with Centrify Express. Is this possible?
I am only looking for a policy that can help with password requirements/expiration.
Thank you,
Jay
ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED
Trying to use a CAC card on my mac. I've been through all the steps on militarycac.com and I still get the error code in the subject line of this message when I try to use it with chrome. Also getting error codes with Firefox and Safari. Please help.
SAML 2.0 SSO for Redmine 3.2.6
Hello all,
I am a brand new user for Centrify. I have joined because I am searching for a method to integrate SAML SSO solution for my Redmine implementation. According to the instructions I have found I would need to login to the dashboard and download the required certificate. The problem is, I cannot find the dashboard. I don't know if that is because my new account is limited or because I am overlooking it somehow. I just want to know if I can make this work using Centrify as my Identity Provider.
I have the OmniAuth SAML plugin installed.
Redmine requirements for SSO
Before you configure the Redmine web application for SSO, you need the following:
- An active Redmine account with administrator rights for your organization.
- A signed certificate. You can either download one from Admin Portal or use your organization’s trusted certificate.
- Redmine OmniAuth SAML plugin. For more information see:
Is Centrify affected by SambaCry?
Hi,
Just want to confirm if Centrify is affected by SambaCry.
We have a few hundred RHEL machines with some Samba stand-alone installed on it but not enabled. We are planning to uninstall Samba altogether. My concerns are the following:
1. Will Centrify be affected by uninstalling Samba in the machines
2. Is Centrify affected by SambaCry
3. If yes, do we have any patch?
I hope you can direct to the resources here. Thanks in advance
How do you access the Centrify Keychain in Mac after inserting the smart card?
After installing the Centrify Smart Card Assistant, I insert my smart card but the cert goes into a different keychain in the Apple keystore... I was using Java to access my Apple Keystore but none of the certificates installed by the Smart Card Assistant were accessible by Java.
Login issue
Hello,
We have been logging in to the Centrify admin/manager portal using one credential for a long time. But I cannot login to that site right now.
Can the admin please look into that and enable me to proceed with the login?
This is relatively urgent.
Regards,
Ganesan
Question around policy refresh and application
hi,
I have finally got Centrify Express to work for most cases on Ubuntu laptops. Facing two different sets of problems and would be great to get some advice on them.
1. The laptops connect to AD through VPNs but they are not always on VPN. From what I have seen if the VPN is on and a login session is simulated, the latest settings are always fetched. But when VPN is off, it uses cached credentials. The question I had was other than the login event, when does the client fetch the settings? I assume adgpupdate is not supported for Express - so is there some standard periodicity for refresh? The problem I have is when users log out and log back in, their VPN is gone and so if that is the only event triggering a refresh it may never work for some users.
2. I am having a tough time understanding which all policies get applied on Ubuntu laptops. I did some searching and saw many posts around group-policies/templates etc. But our requirement is fairly basic - for eg, locking screen with idle time of 2 minutes and forcing a password-unlock. If I set those policies in AD through "Group Policy Management Editor > User configuration > Policies > Administrative Templates > Control Panel > Personalization > Screensaver timeout" I do not see them getting applied on Ubuntu. I do not have a /var/centrifydc/reg folder too. So does it mean these kind of policies will not work in the Express edition? Password length etc constraints seem to work fine. Hence the confusion. Please let me know if there are other ways of enforcing a screen lock if not through these group policies.
Thanks,
Vikram
AD Joined Computer via Centrify -- auth errors (0xc000006a) once a minute
We are using . For some reason, we have been getting authentication errors once a minute on our DC. It has been on the domain for almost two years now. These errors may have been going on that long.
Jul 14 10:03:54 DC1.domain.local MSWinEventLog<009>2<009>Security<009>191929351<009>Fri Jul 14 10:03:52 2017<009>4776<009>Microsoft-Windows-Security-Auditing<009><009>N/A<009>Audit Failure<009>DC1.domain.local<009>14336<009>The computer attempted to validate the credentials for an account.<013><010><013><010>Authentication Package:<009>MICROSOFT_AUTHENTICATION_PACKAGE_V1_0<013><010>Logon Account:<009>COMPUTER-NAME$<013><010>Source Workstation:<009>COMPUTER-NAME<013><010>Error Code:<009>0xc000006a
install.sh ************** rev = 2015.1 (5.2.3-415) *****************
Wed Sep 30 11:32:41 MDT 2015
Configure multiple Office 365 Apps
Hello,
After I configure multiple Office 365 Apps in Centrify portal, I get the following error when accessing the Office 365 - SharePoint portal for one of my tenants:
Unable to Launch Application
- If yes, how to fix the error?
- If not, how can we Centrify access for multiple tenants (different UPN suffixes)?
Please shed some light on this behavior.
Regards,
Ganesan
ROOT GID (0) after upgrade to 2017.1
Hi there,
I just upgraded my clients to centrify express 2017.1.
After the upgrade, all of my clients are now only reporting the "root" user account as GID 0 (zero) local account on the system. Before the upgrade, the clients were successfully taking the GID from AD of the user [domain]\root
I have checked in the forums and tried to remove "root" from the user.ignore file and done the adreload and adflush to no avail. All the systems are still only taking the local root and not the Active Directory account into consideration. This is a problem. I can roll back the clients, but that will be time consuming.
What else can be done for this? Centrify Express.
Thank you.
Change the directory in which user folders are created
Hi all,
I am browsing through the centrify.conf file to see if there is a way to change the directory in which user accounts are created. This is because I wanted to write a script to delete all of the existing users after every reboot.
Does anyone know how to do this or if the .conf file is configurable to allow this? Many thanks!
Samba and adbindproxy issues
Hello and thanks in advance for your help!
I am currently trying to implement a samba share on a Centos 7.3 server. I installed the latest centrify express package and ran the adbindproxy.pl script apparently successfully. But when testing with smbclient, I am only able to list the shares through anonymous login.
smbclient -L server-name.domain.com -U jay.baker
returns `NT_STATUS_LOGON_FAILURE`
Here's the relevant bit from the samba logs:
[2017/07/17 17:00:28.953020, 2] ../source3/auth/auth.c:305(auth_check_ntlm_password) check_ntlm_password: authentication for user [jay.baker] -> [jay.baker] -> [DOMAIN\jay.baker] succeeded
[2017/07/17 17:00:28.953075, 3] ../auth/ntlmssp/ntlmssp_sign.c:509(ntlmssp_sign_reset) NTLMSSP Sign/Seal - Initialising with flags:
[2017/07/17 17:00:28.953104, 3] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags) Got NTLMSSP neg_flags=0x62088215
[2017/07/17 17:00:28.953156, 3] ../auth/ntlmssp/ntlmssp_sign.c:509(ntlmssp_sign_reset) NTLMSSP Sign/Seal - Initialising with flags:
[2017/07/17 17:00:28.953170, 3] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags) Got NTLMSSP neg_flags=0x62088215
[2017/07/17 17:00:28.953264, 1] ../source3/auth/token_util.c:935(create_token_from_username) lookup_name_smbconf for DOMAIN\jay.baker failed
[2017/07/17 17:00:28.953283, 1] ../source3/smbd/sesssetup.c:290(reply_sesssetup_and_X_spnego) Failed to generate session_info (user and group token) for session setup: NT_STATUS_NO_SUCH_USER
[2017/07/17 17:00:28.953349, 3] ../source3/smbd/error.c:82(error_packet_set) NT error packet at ../source3/smbd/sesssetup.c(293) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
[2017/07/17 17:00:28.958716, 3] ../source3/smbd/server_exit.c:246(exit_server_common) Server exit (failed to receive smb request)
[2017/07/17 17:00:28.978007, 3] ../source3/lib/util_procid.c:54(pid_to_procid) pid_to_procid: messaging_dgm_get_unique failed: No such file or directory
To me, it looks like authentication with our domain controllers is succeeding, but then samba thinks the user isn't authorized.
Here's our current samba config at /etc/samba/smb.conf:
#
# This file was generated by Centrify ADBindProxy Utility
#
[global]
security = ADS
realm = DOMAIN.COM
workgroup = DOMAIN
netbios name = server-name
auth methods = guest, sam, winbind, ntdomain
machine password timeout = 0
passdb backend = tdbsam:/var/lib/samba/private/passdb.tdb
#valid users = @"DOMAIN\Domain Admins"
log level = 3
#
# Samba versions 3.4.0 and newer have replaced "use kerberos keytab"
# with "kerberos method". The directive "kerberos method = secrets and keytab"
# enables Samba to honor service tickets that are still valid but were
# created before the Samba server's password was changed.
#
kerberos method = secrets and keytab
#
# Setting "client use spnego principal" to true instructs SMB client to
# trust the service principal name returned by the SMB server. Otherwise,
# client cannot be authenticated via Kerberos by the server in a different
# domain even though the two domains are mutually trusted.
#
#client use spnego principal = true
#
# Setting send spnego principal to yes .
# Otherwise, it will not send this principal between Samba and Windows 2008
#
#send spnego principal = Yes
# If your Samba server only serves to Windows systems, try server signing = mandatory.
server signing = auto
client ntlmv2 auth = yes
client use spnego = yes
template shell = /bin/bash
winbind use default domain = Yes
winbind enum users = No
winbind enum groups = No
winbind nested groups = Yes
idmap cache time = 0
#ignore syssetgroups error = No
idmap config * : backend = tdb
idmap config * : range = 1000 - 200000000
idmap config * : base_tdb = 0
enable core files = false
# Disable Logging to syslog, and only write log to Samba standard log files.
#syslog = 0
[samba-test]
path = /samba-test
public = yes
read only = No
valid users = Domain\domain_admins
force group = Domain\domain_admins
guest ok = Yes
I have tried a lot of different permutations of this file lol, pretty much any samba stackoverflow or blog post I could find and no matter what I try, I get the same main error of:
lookup_name_smbconf for DOMAIN\jay.baker failed
I'm assuming it's just something stupidly simple that I haven't yet discovered in my samba config. If anyone has seen the same problem, or has any suggestions, any help would be greatly appreciated!
centrify sshd
Are there any benefits of using centrify sshd over local ssh? Please share
Centrify Express and x2go
Hi,
I have a CentOS 7 server set up and running with x2go so that I can access xfce remote desktops via an SSH tunnel. I can log in fine using x2go with a local user account. I've just installed Centrify Express as I want to allow AD users to also log in using x2go. I can ssh in to the server as an AD user without any problem, however, when I try to log in using x2go the session fails. If I debug on the x2go client side I get the following:
Info: Proxy running in client mode with pid '11430'.
Session: Starting session at 'Sun Jul 23 10:11:55 2017'.
Info: Connecting to remote host 'localhost:51231'.
Info: Connection to remote proxy 'localhost:51231' established.
"
x2go-DEBUG-../src/sshprocess.cpp:109> New TCP connection.
x2go-DEBUG-../src/sshprocess.cpp:114> New socket: 19
x2go-DEBUG-../src/sshmasterconnection.cpp:1516> Creating new channel.
x2go-DEBUG-../src/sshmasterconnection.cpp:1520> New channel:0x7fc283e77030
x2go-DEBUG-../src/sshmasterconnection.cpp:1526> Forwarding new channel, local port: 49880
x2go-DEBUG-../src/sshmasterconnection.cpp:1544> New channel forwarded.
x2go-DEBUG-../src/sshmasterconnection.cpp:1703> "channel_write failed." - "Remote channel is closed"
x2go-DEBUG-../src/sshprocess.cpp:463> I/O error: "channel_write failed."" - Remote channel is closed" (2).
x2go-DEBUG-../src/sshmasterconnection.cpp:1746> EOF sent.
x2go-DEBUG-../src/sshmasterconnection.cpp:1750> Channel closed.
x2go-DEBUG-../src/onmainwindow.cpp:6014> Proxy wrote on stderr: "Error: The remote NX proxy cl"
x2go-DEBUG-../src/onmainwindow.cpp:6014> Proxy wrote on stderr: "osed the connection.
Error: Failure negotiating the session in stage '7'.
Error: Wrong version or invalid session authentication cookie.
Session: Terminating session at 'Sun Jul 23 10:11:55 2017'.
Session: Session terminated at 'Sun Jul 23 10:11:55 2017'.
"
x2go-DEBUG-../src/onmainwindow.cpp:5871> Deleting Proxy.
x2go-DEBUG-../src/onmainwindow.cpp:5920> Waiting for proxy to exit.
x2go-DEBUG-../src/onmainwindow.cpp:5940> Checking exit status.
On the server side if I have sshd in debug mode the AD user gets authenticated but then connection to the port that x2go randomly chooses on the server is refused (port 48957 on this occasion).
Jul 23 10:16:51 server-hostname sshd[28472]: debug1: Forked child 16149.
Jul 23 10:16:51 server-hostname sshd[16149]: Set /proc/self/oom_score_adj to 0
Jul 23 10:16:51 server-hostname sshd[16149]: debug1: rexec start in 5 out 5 newsock 5 pipe 7 sock 8
Jul 23 10:16:51 server-hostname sshd[16149]: debug1: inetd sockets after dupping: 3, 3
Jul 23 10:16:51 server-hostname sshd[16149]: Connection from <client-ip> port 60287 on <server-ip> port 22
Jul 23 10:16:51 server-hostname sshd[16149]: debug1: Client protocol version 2.0; client software version libssh-0.7.3
Jul 23 10:16:51 server-hostname sshd[16149]: debug1: no match: libssh-0.7.3
Jul 23 10:16:51 server-hostname sshd[16149]: debug1: Enabling compatibility mode for protocol 2.0
Jul 23 10:16:51 server-hostname sshd[16149]: debug1: Local version string SSH-2.0-OpenSSH_6.6.1
Jul 23 10:16:51 server-hostname sshd[16149]: debug1: SELinux support enabled [preauth]
Jul 23 10:16:51 server-hostname sshd[16149]: debug1: permanently_set_uid: 74/74 [preauth]
Jul 23 10:16:51 server-hostname sshd[16149]: debug1: list_hostkey_types: ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
Jul 23 10:16:51 server-hostname sshd[16149]: debug1: SSH2_MSG_KEXINIT sent [preauth]
Jul 23 10:16:51 server-hostname sshd[16149]: debug1: SSH2_MSG_KEXINIT received [preauth]
Jul 23 10:16:51 server-hostname sshd[16149]: debug1: kex: client->server aes256-ctr hmac-sha2-256 none [preauth]
Jul 23 10:16:51 server-hostname sshd[16149]: debug1: kex: server->client aes256-ctr hmac-sha2-256 none [preauth]
Jul 23 10:16:51 server-hostname sshd[16149]: debug1: kex: curve25519-sha256@libssh.org need=32 dh_need=32 [preauth]
Jul 23 10:16:51 server-hostname sshd[16149]: debug1: kex: curve25519-sha256@libssh.org need=32 dh_need=32 [preauth]
Jul 23 10:16:51 server-hostname sshd[16149]: debug1: expecting SSH2_MSG_KEX_ECDH_INIT [preauth]
Jul 23 10:16:51 server-hostname sshd[16149]: debug1: SSH2_MSG_NEWKEYS sent [preauth]
Jul 23 10:16:51 server-hostname sshd[16149]: debug1: expecting SSH2_MSG_NEWKEYS [preauth]
Jul 23 10:16:51 server-hostname sshd[16149]: debug1: SSH2_MSG_NEWKEYS received [preauth]
Jul 23 10:16:51 server-hostname sshd[16149]: debug1: KEX done [preauth]
Jul 23 10:16:51 server-hostname sshd[16149]: debug1: userauth-request for user <AD-username> service ssh-connection method none [preauth]
Jul 23 10:16:51 server-hostname sshd[16149]: debug1: attempt 0 failures 0 [preauth]
Jul 23 10:16:51 server-hostname sshd[16149]: debug1: PAM: initializing for "<AD-username>"
Jul 23 10:16:51 server-hostname sshd[16149]: debug1: PAM: setting PAM_RHOST to "<client-ip>"
Jul 23 10:16:51 server-hostname sshd[16149]: debug1: PAM: setting PAM_TTY to "ssh"
Jul 23 10:16:51 server-hostname sshd[16149]: debug1: userauth-request for user <AD-username> service ssh-connection method keyboard-interactive [preauth]
Jul 23 10:16:51 server-hostname sshd[16149]: debug1: attempt 1 failures 0 [preauth]
Jul 23 10:16:51 server-hostname sshd[16149]: debug1: keyboard-interactive devs [preauth]
Jul 23 10:16:51 server-hostname sshd[16149]: debug1: auth2_challenge: user=<AD-username> devs= [preauth]
Jul 23 10:16:51 server-hostname sshd[16149]: debug1: kbdint_alloc: devices 'pam' [preauth]
Jul 23 10:16:51 server-hostname sshd[16149]: debug1: auth2_challenge_start: trying authentication method 'pam' [preauth]
Jul 23 10:16:51 server-hostname sshd[16149]: Postponed keyboard-interactive for <AD-username> from <client-ip> port 60287 ssh2 [preauth]
Jul 23 10:16:51 server-hostname sshd[16153]: debug1: do_pam_account: called
Jul 23 10:16:51 server-hostname sshd[16149]: debug1: PAM: num PAM env strings 0
Jul 23 10:16:51 server-hostname sshd[16149]: Postponed keyboard-interactive/pam for <AD-username> from <client-ip> port 60287 ssh2 [preauth]
Jul 23 10:16:51 server-hostname sshd[16149]: debug1: do_pam_account: called
Jul 23 10:16:51 server-hostname sshd[16149]: Accepted keyboard-interactive/pam for <AD-username> from <client-ip> port 60287 ssh2
Jul 23 10:16:51 server-hostname sshd[16149]: debug1: monitor_child_preauth: <AD-username> has been authenticated by privileged process
Jul 23 10:16:51 server-hostname sshd[16149]: debug1: monitor_read_log: child log fd closed
Jul 23 10:16:51 server-hostname sshd[16149]: debug1: SELinux support enabled
Jul 23 10:16:51 server-hostname sshd[16149]: debug1: PAM: establishing credentials
Jul 23 10:16:51 server-hostname sshd[16149]: pam_unix(sshd:session): session opened for user <AD-username> by (uid=0)
Jul 23 10:16:51 server-hostname sshd[16149]: User child is on pid 16161
Jul 23 10:16:51 server-hostname sshd[16161]: debug1: PAM: establishing credentials
Jul 23 10:16:51 server-hostname sshd[16161]: debug1: permanently_set_uid: 1619015552/1619015552
Jul 23 10:16:51 server-hostname sshd[16161]: debug1: Entering interactive session for SSH2.
Jul 23 10:16:51 server-hostname sshd[16161]: debug1: server_init_dispatch_20
Jul 23 10:16:51 server-hostname sshd[16161]: debug1: server_input_channel_open: ctype session rchan 43 win 64000 max 32768
Jul 23 10:16:51 server-hostname sshd[16161]: debug1: input_session_request
Jul 23 10:16:51 server-hostname sshd[16161]: debug1: channel 0: new [server-session]
Jul 23 10:16:51 server-hostname sshd[16161]: debug1: session_new: session 0
Jul 23 10:16:51 server-hostname sshd[16161]: debug1: session_open: channel 0
Jul 23 10:16:51 server-hostname sshd[16161]: debug1: session_open: session 0: link with channel 0
Jul 23 10:16:51 server-hostname sshd[16161]: debug1: server_input_channel_open: confirm session
Jul 23 10:16:52 server-hostname sshd[16161]: debug1: server_input_channel_req: channel 0 request exec reply 1
Jul 23 10:16:52 server-hostname sshd[16161]: debug1: session_by_channel: session 0 channel 0
Jul 23 10:16:52 server-hostname sshd[16161]: debug1: session_input_channel_req: session 0 req exec
Jul 23 10:16:52 server-hostname sshd[16161]: Starting session: command for <AD-username> from <client-ip> port 60287
Jul 23 10:16:52 server-hostname sshd[16149]: debug1: session_new: session 0
Jul 23 10:16:52 server-hostname sshd[16161]: debug1: Received SIGCHLD.
Jul 23 10:16:52 server-hostname sshd[16161]: debug1: session_by_pid: pid 16162
Jul 23 10:16:52 server-hostname sshd[16161]: debug1: session_exit_message: session 0 channel 0 pid 16162
Jul 23 10:16:52 server-hostname sshd[16161]: debug1: session_exit_message: release channel 0
Jul 23 10:16:52 server-hostname sshd[16161]: debug1: server_input_channel_open: ctype session rchan 44 win 64000 max 32768
Jul 23 10:16:52 server-hostname sshd[16161]: debug1: input_session_request
Jul 23 10:16:52 server-hostname sshd[16161]: debug1: channel 1: new [server-session]
Jul 23 10:16:52 server-hostname sshd[16161]: debug1: session_new: session 1
Jul 23 10:16:52 server-hostname sshd[16161]: debug1: session_open: channel 1
Jul 23 10:16:52 server-hostname sshd[16161]: debug1: session_open: session 1: link with channel 1
Jul 23 10:16:52 server-hostname sshd[16161]: debug1: server_input_channel_open: confirm session
Jul 23 10:16:52 server-hostname sshd[16161]: debug1: session_by_channel: session 0 channel 0
Jul 23 10:16:52 server-hostname sshd[16161]: debug1: session_close_by_channel: channel 0 child 0
Jul 23 10:16:52 server-hostname sshd[16161]: debug1: session_close: session 0 pid 0
Jul 23 10:16:52 server-hostname sshd[16161]: debug1: channel 0: free: server-session, nchannels 2
Jul 23 10:16:52 server-hostname sshd[16161]: debug1: server_input_channel_req: channel 1 request exec reply 1
Jul 23 10:16:52 server-hostname sshd[16161]: debug1: session_by_channel: session 1 channel 1
Jul 23 10:16:52 server-hostname sshd[16161]: debug1: session_input_channel_req: session 1 req exec
Jul 23 10:16:52 server-hostname sshd[16161]: Starting session: command for <AD-username> from <client-ip> port 60287
Jul 23 10:16:52 server-hostname sshd[16149]: debug1: session_new: session 0
Jul 23 10:16:57 server-hostname sshd[16161]: debug1: Received SIGCHLD.
Jul 23 10:16:57 server-hostname sshd[16161]: debug1: session_by_pid: pid 16241
Jul 23 10:16:57 server-hostname sshd[16161]: debug1: session_exit_message: session 1 channel 1 pid 16241
Jul 23 10:16:57 server-hostname sshd[16161]: debug1: session_exit_message: release channel 1
Jul 23 10:16:57 server-hostname sshd[16161]: debug1: session_by_channel: session 1 channel 1
Jul 23 10:16:57 server-hostname sshd[16161]: debug1: session_close_by_channel: channel 1 child 0
Jul 23 10:16:57 server-hostname sshd[16161]: debug1: session_close: session 1 pid 0
Jul 23 10:16:57 server-hostname sshd[16161]: debug1: channel 1: free: server-session, nchannels 1
Jul 23 10:16:57 server-hostname sshd[16161]: debug1: server_input_channel_open: ctype direct-tcpip rchan 45 win 64000 max 32768
Jul 23 10:16:57 server-hostname sshd[16161]: debug1: server_request_direct_tcpip: originator localhost port 51068, target localhost port 48597
Jul 23 10:16:57 server-hostname sshd[16161]: debug1: connect_next: host localhost ([::1]:48597) in progress, fd=8
Jul 23 10:16:57 server-hostname sshd[16161]: debug1: channel 0: new [direct-tcpip]
Jul 23 10:16:57 server-hostname sshd[16161]: debug1: server_input_channel_open: confirm direct-tcpip
Jul 23 10:16:57 server-hostname sshd[16161]: debug1: channel 0: connection failed: Connection refused
Jul 23 10:16:57 server-hostname sshd[16161]: debug1: connect_next: host localhost ([127.0.0.1]:48597) in progress, fd=9
Jul 23 10:16:57 server-hostname sshd[16161]: debug1: channel 0: connection failed: Connection refused
Jul 23 10:16:57 server-hostname sshd[16161]: error: connect_to localhost port 48597: failed.
Jul 23 10:16:57 server-hostname sshd[16161]: debug1: channel 0: free: direct-tcpip, nchannels 1
Jul 23 10:16:57 server-hostname sshd[16161]: channel_by_id: 0: bad id: channel free
Jul 23 10:16:57 server-hostname sshd[16161]: Disconnecting: Received ieof for nonexistent channel 0.
Jul 23 10:16:57 server-hostname sshd[16161]: debug1: do_cleanup
Jul 23 10:16:57 server-hostname sshd[16149]: debug1: do_cleanup
Jul 23 10:16:57 server-hostname sshd[16149]: debug1: PAM: cleanup
Jul 23 10:16:57 server-hostname sshd[16149]: debug1: PAM: closing session
Jul 23 10:16:57 server-hostname sshd[16149]: pam_unix(sshd:session): session closed for user <AD-username>
Jul 23 10:16:57 server-hostname sshd[16149]: debug1: PAM: deleting credentials
I'm pretty certain this is an issue with my Centrify Express settings because I previously had PBIS Open installed (now completely removed) and it worked with x2go without any issues. Can anyone provide any suggestions as to why the connection might be refused? Many thanks in advance.
All the best
Chris