topic Re: Login over SSH - missing required capability in ONTAP Discussions

Login over SSH - missing required capability

rozle_palcar — Wed, 21 Jan 2015 14:42:20 GMT

Hello,

On one of our systems (FAS2040, DOT 8.1.3) we started to get errors about missing 'login-ssh' capability. Even if we create new user with administrative privileges we can't connect over SSH. Only 'root' and 'administrator' users are capable of connecting to system.

Here is overview of one of users with which we have problems:

User:

Name: splunkuser
Info:
Rid: 131081
Groups: Administrators

Group:

Name: Administrators
Info: Members can fully administer the filer
Rid: 544
Roles: root,admin

Roles:

Name: admin
Info: Default role for administrator privileges.
Allowed Capabilities: login-*,cli-*,api-*,security-*

Any ideas what could be problem? I tried to manually add 'login-ssh' role to this and other users, but it is the same. I also tried creating new user, but we hit same issue.

On partner node there is the same configuration of users, groups and roles and everything is working ok.

Best Regards,

Rozle

Re: Login over SSH - missing required capability

MOHIT_FUJITSU — Fri, 23 Jan 2015 13:29:55 GMT

First, login directly to the filer and then try SSH from the unix host.

Re: Login over SSH - missing required capability

rozle_palcar — Fri, 23 Jan 2015 13:41:05 GMT

It is the same - looks like it doesn't even recognize password. I am 100% sure password entered was correct, because I changed it with 'passwd' 10s before:

[xxx: sshd_2:info]: Failed password for splunkuser from xxxxxxxxxxx port 60446ssh2

And when we have login with key, we got:

[xxx:useradminx.unauthorized.user:warning]: User 'splunkuser' denied access - missing required capability: 'login-ssh'

Re: Login over SSH - missing required capability

JGPSHNTAP — Fri, 23 Jan 2015 15:33:10 GMT

Your splunkuser role is messed up...

You need to follow the splunk document for the app for splunk to make sure that you give it the rights perms for the app to work properly.

Re: Login over SSH - missing required capability

Vidhs — Thu, 02 Nov 2017 21:23:09 GMT

Noticed the same issue for me too.

User created in administrator group couldn't login while it can on the partner node without issues.

Upon all comparisions, noticed this change in options for 'security.admin.authentication'

Not working : security.admin.authentication nsswitch

working one : security.admin.authentication internal

changed this option to internal and could see user loggin in without any issues and resolves the problem.