2011-07-18 09:14 AM
I'd like to enable sftp on my filer with local accounts but I'm having some issues. I seem to be able to authenticate with DOMAIN\username (although winscp gives some errors with transferring). I cannot log in with a unix style username. I also can't authenticate with a local account - username.
I have the following sftp options set. The local account I created is a member of the local Administrators group - as well as my domain account. My domain account also has a unix user of the same username so there should be sufficient user mapping. There is no user mapping set up for the local account (cucmbackup) that I created.
2050b> options sftp
sftp.idle_timeout 900s (value might be overwritten in takeover)
sftp.max_connections 15 (value might be overwritten in takeover)
sftp.max_connections_threshold 75% (value might be overwritten in takeover)
The error I'm getting is
2050b> Mon Jul 18 11:44:02 EDT [2050b: sftp.connection.request.failed:error]: SFTP (SSH File Transfer Protocol) connection request from client system 10.10.10.10, user cucmbackup failed, because the user is not permitted to do SFTP (SSH File Transfer Protocol) operations.
Mon Jul 18 11:44:02 EDT [2050b: sshd_2:error]: error: Disconnecting: SFTP connection creation failed
What could I be doing wrong? From what I can tell this should work. I am not trying to do public_key auth or anything like that, just standard username/passwords.
2011-07-18 10:52 AM
Here's the KB for setting that up -- https://kb.netapp.com/support/index?page=content&id=1012617
I think all you're missing is 'options sftp.auth_style unix' but walk through and double check.
2011-07-19 08:30 AM
Quick question about this.
It seems to imply that if you're trying to do ldap authentication you skip adding the accounts to the passwd file (makes sense) but I'm unclear as to what is supposed to be written into /etc/group - which seems odd if you're only using passwords and no groups. With regard to step 6 and on, everything is all set. I have my auth_style set to mixed so AD accounts can work. When I set it to unix it doesn't help with unix auth unless it's because I don't have the groupname that my unix account is a member of in the local groups file. Is that potentially the cause of my issues? Would I just populate /etc/group with the same details of my ldaps account GID?
2011-07-21 09:36 AM
Did you find a solution to your issue? I'm having the same problem - went through a ton of docs on ONTAP and nothing seems to work! I can log in just fine using an AD account - but I can't use a local unix account! By the way, I can SSH in just fine with my local account but not SFTP! I get either homedir not set or permissions are denied!
Your response would be greatly appreciated.
2011-07-21 11:47 AM
Unfortunately, I have not. What's interesting is I get an error when logging in via winscp to the filer which I think might be truncating some of my uploads. I also had a colleague attempt to back up an application to the filer and he said that the app said it was not a genuine SFTP server which is pretty strange in itself.
Filezilla seems to work fine with sftp, so I guess the error with winscp is just a bug.
I am in the same boat as you. I was able to ssh in as well using the local account.
2011-07-21 11:54 AM
It seems that there is no solution to this problem! I’m wondering if this is fixed in ONTAP 8.0? It’s got to be a permissions issue on the folder for the local account! 'Cause it works just fine with AD accounts.
2011-07-21 12:16 PM
I'm not sure about that. I haven't found any BURT bugs, and the strange thing - at least in my case, is my local account has the same privs - administrator as the domain account, so I'd expect that if it was permissions my domain account would have issues.
I actually don't know how to enable sftp yet in ONTAP 8. I'm running 8.0.1p4 on one of my filers and there are no sftp options anymore. sftp isn't listening so I'm not sure how to turn it on.
2011-07-21 12:26 PM
I’m not sure either – I would use the domain account since it’s working just fine – but the issue is: I can’t use RSA keys with it! We would like to use RSA authentication to sftp files to the filer from shell scripts on one of our unix boxes. I never thought it would be this hard to set up sftp.
I had a couple of their engineers look at it – no go!