Network and Storage Protocols
We cannot seem to get this to work with domain users.
We are using this KB as a guide to set up passwordless ssh
https://kb.netapp.com/support/index?page=content&id=1011670
It is working for root and local users.
For domain users we have tested both naming conventions for folder names in /etc/sshd:
/etc/sshd/username@domainname/.ssh/authenticated_keys
/etc/sshd/domainname\username/.ssh/authenticated_keys
It finds the keys, but ONTAP spits back:
User 'lab.demo\administrator' denied access - missing required capability: 'login-ssh'
Two separate environments with the same results. Again, we can get local users to work so the keys are good, and with domain users it is finding the keys.
I have tried useradmin group modify administrators -r admin,root to give maximum permissions, but still no luck. Just the default role of admin should be sufficient.
So getting SSH to work is one thing, but we are really trying to get passwordless SFTP working. Here is the error when we try with a domain user. The authentication type for SFTP is mixed; we have also tried NTLM.
SFTP (SSH File Transfer Protocol) connection request from client system xxx.xxx.xxx.xxx, user lab.demo\administrator failed, because the user is not permitted to do SFTP (SSH File Transfer Protocol) operations.
Has anyone successfully implemented passwordless SFTP using domain credentials? Is this even supported?
This post is a bit old, but this KB (for SSH breaking when roles change) has the info you need. Any ssh based authentication with AD accounts is not supported in ONTAP, and believe me I really wish it were. We have run into a bug recently (2 months ago) and this KB was brought up to us as still being correct.
Use local filer accounts for SSH key exchange to avoid this issue. NetApp does not currently support key exchange with Active Directory accounts.
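The two ONTAP denial messages quoted in the question, and the answer above that key-based SSH/SFTP is only supported for local accounts, lend themselves to a small log triage. The following is an added example, not code from NetApp or from anyone in this thread; the log lines are constructed to match the quoted messages, the client address is a documentation-range placeholder and the local user "backupsvc" is invented.

```python
import re

# Constructed sample log, modelled on the two ONTAP messages quoted in the thread
# (the client address is a documentation-range placeholder, the local user is invented).
SAMPLE_LOG = """\
User 'lab.demo\\administrator' denied access - missing required capability: 'login-ssh'
SFTP (SSH File Transfer Protocol) connection request from client system 192.0.2.10, user lab.demo\\administrator failed, because the user is not permitted to do SFTP (SSH File Transfer Protocol) operations.
User 'backupsvc' denied access - missing required capability: 'login-ssh'
"""

# Patterns keyed by service, matching the shape of the quoted messages.
PATTERNS = {
    "ssh": re.compile(r"User '(?P<user>[^']+)' denied access - missing required capability"),
    "sftp": re.compile(r"SFTP \(SSH File Transfer Protocol\) connection request from client system "
                       r"(?P<client>\S+), user (?P<user>\S+) failed, because the user is not permitted"),
}


def split_account(user):
    """Return (kind, domain, name): 'domain' for DOMAIN\\user or user@DOMAIN, else 'local'."""
    if "\\" in user:
        domain, name = user.split("\\", 1)
        return "domain", domain, name
    if "@" in user:
        name, domain = user.split("@", 1)
        return "domain", domain, name
    return "local", None, user


def triage(log_text):
    """Classify each denial and say what a fix can realistically be for that account type."""
    findings = []
    for line in log_text.splitlines():
        for service, pat in PATTERNS.items():
            m = pat.search(line)
            if not m:
                continue
            kind, domain, name = split_account(m.group("user"))
            # Per the thread, key-based SSH/SFTP with AD accounts is unsupported, so a role
            # change will not help; a local account's denial is a role/capability problem.
            action = ("use a local account for key-based SSH/SFTP" if kind == "domain"
                      else "check the local user's role and capabilities")
            findings.append({"service": service, "user": m.group("user"), "account": kind,
                             "domain": domain, "client": m.groupdict().get("client"),
                             "action": action})
            break
    return findings
```

Running `triage(SAMPLE_LOG)` separates the domain-account denials (which no role change will fix) from the local-account denial, which is the one worth chasing as a capability problem.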
Thanks for clearing this up!
Actually you can do this. I've set it up and use it daily. Send me a message and I'll explain if you are interested.
What was the fix?
@JERROD_FINN wrote: Actually you can do this. I've set it up and use it daily. Send me a message and I'll explain if you are interested.
