We have an application (MOVEit Central) that connects to some Linux servers every 15min. Using pam, the machines are using usernames/groups from our Windows DC. When a normal user (in this case me) sshs to the box, we see this:

{this is a complete login/logoff}

Dec 8 10:40:26 stlxxxapp-prd1 sshd[4492]: pam_succeed_if(sshd:account): requirement "user ingroup unixmove" was met by user "er_wl215421"
Dec 8 10:40:26 stlxxxapp-prd1 sshd[4492]: Accepted publickey for er_wl215421 from 172.xx.xx.xxx port 1371 ssh2
Dec 8 10:40:26 stlxxxapp-prd1 sshd[4492]: pam_unix(sshd:session): session opened for user er_wl215421 by (uid=0)
Dec 8 10:40:28 stlxxxapp-prd1 sshd[4492]: pam_unix(sshd:session): session closed for user er_wl215421

When the service user account logs in, however, we see this:

Dec 8 10:41:30 stlxxxapp-prd1 sshd[5040]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.xx.xx.xxx user=srvmovitc
Dec 8 10:41:30 stlxxxapp-prd1 sshd[5040]: pam_winbind(sshd:auth): user 'srvmovitc' granted access
Dec 8 10:41:30 stlxxxapp-prd1 sshd[5040]: pam_succeed_if(sshd:account): requirement "user ingroup unixmove" was met by user "srvmovitc"
Dec 8 10:41:30 stlxxxapp-prd1 sshd[5040]: Accepted password for srvmovitc from 172.xx.xx.xxx port 1384 ssh2
Dec 8 10:41:30 stlxxxapp-prd1 sshd[5040]: pam_unix(sshd:session): session opened for user srvmovitc by (uid=0)
Dec 8 10:41:31 stlxxxapp-prd1 sshd[5040]: pam_unix(sshd:session): session closed for user srvmovitc


I am confused as to why this specifically is occurring because the account is setup in AD the same as my own.

Dec 8 10:41:30 stlxxxapp-prd1 sshd[5040]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.22.19.123 user=srvmovitc