Network Storage Protocols Discussions

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Network Storage Protocols Discussions

Start a New Post

SSH key authentication using domain users? Then how about SFTP?

audifreakjim
‎2011-06-21 11:43 AM

We cannot seem to get this to work with domain users.

We are using this KB as a guide to setup passwordless ssh

https://kb.netapp.com/support/index?page=content&id=1011670

It is working for root and local users.

For domain users we have tested both naming conventions for folder names in /etc/sshd

/etc/sshd/username@domainname/.ssh/authenticated_keys

/etc/sshd/domainname\username/.ssh/authenticated_keys

It finds the keys, but ONTAP spits back:

     User 'lab.demo\administrator' denied access - missing required capability: 'login-ssh'

Two separate environments with the same results.  Again, we can get local users to work so the keys are good, and with domain users it is finding the keys.

I have tried useradmin group modify administrators -r admin,root to give maximum permissions, but still no luck.  Just the default role of admin should be sufficient..

So getting SSH to work is one thing, but we are really trying to get passwordless SFTP working.  Here is the error when we try with a domain user.  The Authentication type for SFTP is mixed, we have also tried with NTLM

     SFTP (SSH File Transfer Protocol) connection request from client system xxx.xxx.xxx.xxx, user lab.demo\administrator failed, because the user is not permitted to do SFTP (SSH File Transfer Protocol) operations.

Has anyone successfully implemented passwordless SFTP using domain credentials? Is this even supported?

0 Kudos
4 Replies
Reply
4 REPLIES 4

Re: SSH key authentication using domain users? Then how about SFTP?

columbus_admin
‎2011-07-08 07:08 AM

This post is a bit old, but this KB(for SSH breaking when roles change) has the info you need.  Any ssh based authentication, with AD accounts is not supported in ONTAP, and believe me I really wish it were.  We have ran into a bug recently(2 months ago) and this KB was brought up to us as still being correct.

Cause

Data ONTAP does not support key exchange with Active Directory Accounts.

Solution

Use local filer accounts for SSH key exchange to avoid this issue. NetApp does not currently support key exchange with Active Directory accounts.

https://kb.netapp.com/support/index?page=content&id=2012318

View solution in original post

0 Kudos
4 Replies
Reply

Re: SSH key authentication using domain users? Then how about SFTP?

audifreakjim
‎2011-07-11 08:30 AM

Thanks for clearing this up!

0 Kudos
4 Replies
Reply

Re: SSH key authentication using domain users? Then how about SFTP?

JERROD_FINN
‎2012-11-07 11:46 AM

Actually you can do this.  I've set it up and use it daily.  Send me a message and I'll explain if you are interested.

0 Kudos
4 Replies
Reply

Re: SSH key authentication using domain users? Then how about SFTP?

PC70
NetApp Alumni
‎2015-03-02 08:41 AM

What was the fix?

@JERROD_FINN wrote:

Actually you can do this.  I've set it up and use it daily.  Send me a message and I'll explain if you are interested.

 

0 Kudos
4 Replies
Reply
Earn Rewards for Your Review!
GPI Review Banner
All Community Forums
Learn about the Community Get Started
Still have Questions Start a Discussion
Rules of the Community Read More
© 2021 NetApp
Let us know
Public