ONTAP Discussions

issue enabling sftp on ontap 7.3.2P6

infinitiguy

Hi everyone,

I'd like to enable sftp on my filer with local accounts but I'm having some issues. I seem to be able to authenticate with DOMAIN\username (although winscp gives some errors with transferring). I cannot log in with a unix-style username. I also can't authenticate with a local account - username.

I have the following sftp options set.  The local account I created is a member of the local Administrators group - as well as my domain account.  My domain account also has a unix user of the same username so there should be sufficient user mapping.  There is no user mapping set up for the local account (cucmbackup) that I created.

2050b> options sftp
sftp.auth_style              mixed
sftp.bypass_traverse_checking on
sftp.dir_override            /vol/sftp_mgnt_backups
sftp.dir_restriction         off
sftp.enable                  on
sftp.idle_timeout            900s       (value might be overwritten in takeover)
sftp.locking                 none
sftp.log_enable              on
sftp.log_filesize            512k
sftp.log_nfiles              6
sftp.max_connections         15         (value might be overwritten in takeover)
sftp.max_connections_threshold 75%        (value might be overwritten in takeover)
sftp.override_client_permissions off

The error I'm getting is

2050b> Mon Jul 18 11:44:02 EDT [2050b: sftp.connection.request.failed:error]: SFTP (SSH File Transfer Protocol) connection request from client system 10.10.10.10, user cucmbackup failed, because the user is not permitted to do SFTP (SSH File Transfer Protocol) operations.

Mon Jul 18 11:44:02 EDT [2050b: sshd_2:error]: error: Disconnecting: SFTP connection creation failed

What could I be doing wrong?  From what I can tell this should work.  I am not trying to do public_key auth or anything like that, just standard username/passwords.
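A small triage helper for the console output shown in this post, added here as an example (it is not from the thread or from NetApp): it parses the `sftp.connection.request.failed` lines and the `options sftp` listing, then counts rejections per user and client next to the configured `sftp.auth_style`. The regular expressions assume the message wording quoted above; the third log line, the function names and the "name form" label are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample: lines 1-2 are the console output from the post, line 3 is a made-up repeat.
SAMPLE_LOG = """\
2050b> Mon Jul 18 11:44:02 EDT [2050b: sftp.connection.request.failed:error]: SFTP (SSH File Transfer Protocol) connection request from client system 10.10.10.10, user cucmbackup failed, because the user is not permitted to do SFTP (SSH File Transfer Protocol) operations.
Mon Jul 18 11:44:02 EDT [2050b: sshd_2:error]: error: Disconnecting: SFTP connection creation failed
Mon Jul 18 11:45:10 EDT [2050b: sftp.connection.request.failed:error]: SFTP (SSH File Transfer Protocol) connection request from client system 10.10.10.10, user cucmbackup failed, because the user is not permitted to do SFTP (SSH File Transfer Protocol) operations.
"""
SAMPLE_OPTIONS = """\
sftp.auth_style              mixed
sftp.idle_timeout            900s       (value might be overwritten in takeover)
"""

# "<timestamp> [<filer>: <event>:<severity>]: <message>", optional console prompt first.
EVENT_RE = re.compile(
    r"^(?:\S+> )?(?P<ts>\w{3} \w{3} +\d+ [\d:]{8} \w+) "
    r"\[(?P<filer>[^:\]]+): (?P<event>[^\]]+):(?P<sev>\w+)\]: (?P<msg>.*)$")
# Body of the sftp.connection.request.failed message as worded in the post.
FAILED_RE = re.compile(
    r"client system (?P<client>[^,\s]+), user (?P<user>.+?) failed, because (?P<reason>.+)$")

def parse_options(text):
    """Map option name -> value, ignoring the trailing '(value might ...)' note."""
    opts = {}
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) >= 2 and parts[0].startswith("sftp."):
            opts[parts[0]] = parts[1]
    return opts

def failed_sftp_requests(log_text):
    """Return one dict per rejected SFTP connection request."""
    out = []
    for line in log_text.splitlines():
        m = EVENT_RE.match(line.strip())
        if (m and m["event"] == "sftp.connection.request.failed"
                and (f := FAILED_RE.search(m["msg"]))):
            out.append({"ts": m["ts"], "filer": m["filer"], **f.groupdict()})
    return out

def summarize(log_text, options_text):
    """Count rejections per (user, client, name form) beside the auth style in force."""
    counts = Counter()
    for ev in failed_sftp_requests(log_text):
        form = "DOMAIN\\user" if "\\" in ev["user"] else "plain"  # naming form only (assumption)
        counts[(ev["user"], ev["client"], form)] += 1
    return {"auth_style": parse_options(options_text).get("sftp.auth_style"), "failures": dict(counts)}

print(summarize(SAMPLE_LOG, SAMPLE_OPTIONS))
```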


adamgross

Here's the KB for setting that up -- https://kb.netapp.com/support/index?page=content&id=1012617

I think all you're missing is 'options sftp.auth_style unix' but walk through and double check.

infinitiguy

Quick question about this.

It seems to imply that if you're trying to do ldap authentication you skip adding the accounts to the passwd file (makes sense) but I'm unclear as to what is supposed to be written into /etc/group - which seems odd if you're only using passwords and no groups. With regard to step 6 and on... everything is all set. I have my auth_style set to mixed so AD accounts can work. When I set it to unix it doesn't help with unix auth unless it's because I don't have the groupname that my unix account is a member of in the local groups file. Is that potentially the cause of my issues? Would I just populate /etc/group with the same details of my ldaps account GID?

thokelly

Hi,

And what is the solution without CIFS?

"cifs passwd" does not work without CIFS.....

Greetings

foundationna

Hello,

Did you find a solution to your issue? I'm having the same problem - went through a ton of docs on ONTAP and nothing seems to work! I can log in just fine using an AD account - but I can't use a local unix account! By the way, I can SSH in just fine with my local account but not SFTP! I get either homedir not set or permissions are denied!

Your response would be greatly appreciated.

infinitiguy

Unfortunately, I have not.  What's interesting is I get an error when logging in via winscp to the filer which I think might be truncating some of my uploads.  I also had a colleague attempt to back up an application to the filer and he said that the app said it was not a genuine SFTP server which is pretty strange in itself.

Filezilla seems to work fine with sftp, so I guess the error with winscp is just a bug. 

I am in the same boat as you.  I was able to ssh in as well using the local account.

foundationna

It seems that there is no solution to this problem! I’m wondering if this is fixed in ONTAP 8.0? It’s got to be a permissions issue on the folder for the local account! Cause it works just fine with AD accounts.

infinitiguy

I'm not sure about that.  I haven't found any BURT bugs, and the strange thing - at least in my case, is my local account has the same privs - administrator as the domain account, so I'd expect that if it was permissions my domain account would have issues.

I actually don't know how to enable sftp yet in ONTAP 8. I'm running 8.0.1p4 on one of my filers and there are no sftp options anymore. sftp isn't listening so I'm not sure how to turn it on.

foundationna

I’m not sure either – I would use the domain account since it’s working just fine – but the issue is: I can’t use RSA keys with it! We would like to use RSA authentication to sftp files to filer from shell scripts on one of our unix boxes. I never thought it would be this hard to set up sftp.

I had a couple of their engineers look at it – no go!
