We cannot seem to get this to work with domain users.
We are using this KB as a guide to set up passwordless SSH:
https://kb.netapp.com/support/index?page=content&id=1011670
It is working for root and local users.
For domain users we have tested both naming conventions for folder names in /etc/sshd:
/etc/sshd/username@domainname/.ssh/authenticated_keys
/etc/sshd/domainname\username/.ssh/authenticated_keys
It finds the keys, but ONTAP spits back:
User 'lab.demo\administrator' denied access - missing required capability: 'login-ssh'
Two separate environments with the same results. Again, we can get local users to work so the keys are good, and with domain users it is finding the keys.
I have tried useradmin group modify administrators -r admin,root to give maximum permissions, but still no luck. Just the default role of admin should be sufficient.
So getting SSH to work is one thing, but we are really trying to get passwordless SFTP working. Here is the error when we try with a domain user. The authentication type for SFTP is mixed; we have also tried with NTLM.
SFTP (SSH File Transfer Protocol) connection request from client system xxx.xxx.xxx.xxx, user lab.demo\administrator failed, because the user is not permitted to do SFTP (SSH File Transfer Protocol) operations.
Has anyone successfully implemented passwordless SFTP using domain credentials? Is this even supported?