MacOS Sierra SSH Active Directory login not working

Tags: active-directory, macos, osx-server

I have a really strange problem with my macOS Sierra Server. It is connected to the Active Directory server, and access to the login window is limited to only a few people. This is working without any problem. (Really, only these users are allowed to log in on the Mac server with their domain credentials.)

Now I activated SSH because I need this for Git repositories. I gave the domain user access rights to use ssh, but I always get "Permission denied" when I try to connect. If I use a local account, it works.

In the logs I can only find:

com.openssh.sshd…. Service exited with abnormal status code 255
com.openssh.sshd…. Service exited with abnormal status code 1

Do you have any idea what's going wrong here?

Best Answer

Your question is hard to answer because it would need more details: AD and OS X configuration details as well as Group Policy settings.


In a new Active Directory environment with some joined OS X clients and an OS X server, the setup works as expected.

After creating a global security group SSH-OSXUsers and adding some arbitrary AD users, one has to add this network group in macOS' Sharing PrefPane > Remote Login > Only these users > + > Network Groups > SSH-OSXUsers (or in the respective settings in Server.app).

To connect to this server I recommend using ssh user@hostname or ssh user@fqdn. With a proper PTR record for the OS X server in the reverse DNS tree, it should also work with the IP.

Connecting with a user of the SSH-OSXUsers group who has never logged on to the server host, you will get the error "Could not chdir to home directory /Users/domainsshuser: No such file or directory" because the user's home folder is missing, but you can execute commands.

If you connect with a managed network account or a mobile account user with a home folder on the server host, you won't see this message.


One step to get a more detailed ssh error message may be to change the standard error path from /dev/null to /tmp/ssh.stderr in the launch daemon after disabling SIP.
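A diagnostic script that checks the points the answer turns on for a domain user (the account resolves through Open Directory, the Remote Login ACL group com.apple.access_ssh contains the user directly or via a nested network group such as SSH-OSXUsers, the home folder exists) and prints the launchd stderr change. This is an added example, not code from the question or the answer; it assumes macOS with its stock dseditgroup, dscl and PlistBuddy tools, and the user name is a placeholder passed on the command line.

```shell
#!/bin/sh
# Diagnostic helper for the "Permission denied" case above. Added example,
# not code from the answer. Assumes macOS: dseditgroup, dscl and PlistBuddy
# are stock tools, and com.apple.access_ssh is the group behind Sharing >
# Remote Login > "Only these users". The user name is passed as $1.

# Interpret `dseditgroup -o checkmember` output, e.g.
#   "yes jdoe is a member of com.apple.access_ssh"
#   "no jdoe is NOT a member of com.apple.access_ssh"
# Kept as a pure-shell function so the logic can be exercised anywhere.
parse_checkmember() {
    case "$1" in
        yes*) echo member ;;
        no*)  echo not-member ;;
        *)    echo unknown ;;   # e.g. the group is absent in "All users" mode
    esac
}

ssh_access_report() {
    user="$1"
    # 1. Does opendirectoryd resolve the account through the AD node at all?
    if id "$user" >/dev/null 2>&1; then
        echo "account:   resolved, uid $(id -u "$user")"
    else
        echo "account:   NOT resolved (check the AD bind and search path)"
        return 1
    fi
    # 2. Is the user allowed by the Remote Login ACL, directly or through a
    #    nested network group? This is what decides "Permission denied".
    out=$(dseditgroup -o checkmember -m "$user" com.apple.access_ssh 2>&1)
    echo "ssh ACL:   $(parse_checkmember "$out")  ($out)"
    # 3. A missing home folder only produces the chdir warning from the
    #    answer, not a denial, so it is reported separately.
    home=$(dscl /Search -read "/Users/$user" NFSHomeDirectory 2>/dev/null |
           awk '{print $2}')
    if [ -n "$home" ] && [ -d "$home" ]; then
        echo "home:      $home exists"
    else
        echo "home:      '${home:-unset}' missing (expect the chdir warning)"
    fi
    # 4. sshd's stderr goes to /dev/null by default; the answer's fix is to
    #    redirect it in the launchd job (needs SIP disabled on Sierra).
    echo "to capture sshd errors (as root, SIP off):"
    echo "  /usr/libexec/PlistBuddy -c 'Set :StandardErrorPath /tmp/ssh.stderr' /System/Library/LaunchDaemons/ssh.plist"
    echo "  launchctl unload /System/Library/LaunchDaemons/ssh.plist && launchctl load -w /System/Library/LaunchDaemons/ssh.plist"
}

# Run only on a Mac and only when a user name was given.
if [ "$(uname)" = Darwin ] && [ -n "${1:-}" ]; then
    ssh_access_report "$1"
fi
```

Run it as root on the server itself with the domain user name as the argument; the ACL line is the one that explains a "Permission denied" while the account still resolves.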