remote client SSH connection disabled on AD accounts when server is "offline" (can't join AD))

[tofDou]

Hi, and thanks for any help .

I would like to handle several connection use cases on Windows OpenSSH server (SSH-2.0-OpenSSH_for_Windows_9.2).

All my use cases are based on pub/priv key authentication. I always try to create an ssh connection from a remote device using the actual logged windows users who host the SSH server (UF007QC is the name of my user in the next log files).

When the user has a local account => no problem
When the user has an AD account and AD is reachable => no problem
When the user has an AD account and AD not reachable (I pluged of my Ethernet cable to simplify test) => connection refused by SSH server

I would like to "bypass" the AD verification in these scenarios but i did not manage to do this.

Copy of a part of ssd log when SSH connection is accepted:
13080 2024-03-05 15:00:27.728 debug3: lookup_principal_name: Successfully discovered explicit principal name: 'net\\uf007qch'=>'[email protected]' 13080 2024-03-05 15:00:27.757 debug3: LsaLogonUser Succeeded (Impersonation: 1) 13080 2024-03-05 15:00:27.890 debug3: spawning "C:\\Program Files\\OpenSSH\\sshd.exe" -z as user 13080 2024-03-05 15:00:27.898 User child is on pid 22876

Copy of the same part when connection is refused:
2748 2024-03-05 15:14:09.857 error: lookup_principal_name: User principal name lookup failed for user 'net\\uf007qch' (explicit: 1355, implicit: 1355) 2748 2024-03-05 15:14:09.857 debug1: generate_s4u_user_token: LsaLogonUser() failed. User 'net\\uf007qch' Status: 0xC0000062 SubStatus 0. 2748 2024-03-05 15:14:09.857 debug3: get_user_token - unable to generate token for user net\\uf007qch 2748 2024-03-05 15:14:14.432 error: lookup_principal_name: User principal name lookup failed for user 'net\\uf007qch' (explicit: 1355, implicit: 1355) 2748 2024-03-05 15:14:14.432 debug1: generate_s4u_user_token: LsaLogonUser() failed. User 'net\\uf007qch' Status: 0xC0000062 SubStatus 0. 2748 2024-03-05 15:14:14.432 error: get_user_token - unable to generate token on 2nd attempt for user net\\uf007qch 2748 2024-03-05 15:14:14.432 error: unable to get security token for user net\\uf007qch 2748 2024-03-05 15:14:14.432 fatal: fork of unprivileged child failed 2748 2024-03-05 15:14:14.432 debug1: do_cleanup 6792 2024-03-05 15:14:14.432 debug2: pselect_notify_done: reading

[tofDou]

Perhaps nothing to do with AD connection or not but temporary miss-function ?:
See #2009 for a similar behaviour

[maertendMSFT]

This behavior seems like what is expected. Everything works except for when AD is not reachable. When AD is disconnected (we presume your domain controller is what you are disconnecting), then it makes sense that the principle name lookup failed, as it cannot connect to the domain controller.

Are we missing something here? Are our assumptions correct? If not, please clarify further.

[tofDou]

Yes and no ...
If this function should return error since the AD is not reachable, no matter for me but it shouldn't block the SFTP (SSH) connexion in my case.
To grant access to the SFTP (SSH) server, the client presents the curent logged Windows user and also private/public key pairs. I consider that in this case, OpenSSH should accept SFTP connexion whereas I'm online AND offline.

[tofDou]

lookup_principal_name is a function to get meta-data ? It has nothing to do in granting or not access as far as I understand... Is there no way to have a fallback or use something in cache when this function call fails?