I tried this a few years ago but found that the only private key I could use was for "root". I didn't try any other local accounts, as I was only interested in using my domain account or staying with root, but it could be possible to use another local account. I am still interested to find out if it is possible to use a domain account with pub/priv key authentication. I would bet that another local account could use the authorized_keys for authentication but domain accounts can't, due to the way it wants to use Kerberos authentication and needs your password to do so. The secret key is good enough for the underlying BSD authentication module but not good enough to get a session ticket from a domain controller, as the private key is not associated with Active Directory like your password.
Yes, I came to the same conclusion as well. I guess the only way to enable passwordless login in this case would be Kerberos, but as far as I can tell it is not supported by NetApp for user authentication.
Permission denied, user XXX does not have access to ?
filer> Thu Aug 23 13:23:35 CEST [filer: useradmin.unauthorized.user:warning]: User 'XXX' denied access - missing required capability: 'cli-?'
But if I connect with WIN\user and enter the password I have access to all commands.
Have you granted the cli- capabilities to the user you are attempting to access as? The error above seems to indicate that the user is not a member of a role that has these capabilities granted. You would need to use useradmin to add the user to a role that has cli capabilities granted or create a custom role for the user with those capabilities granted.
Try using eccentric to display information about your user before and after you did password login. When using public key, there is no way to verify your user. I suspect logging in using password caches login information for later use.
Using GSS-API with Kerberos may provide a solution if the filer supports it.
Sent from iPhone
On 21.01.2013 at 20:00, "STO DC Storage" <email@example.com> wrote:
You probably misunderstand the problem. The real user (domain user) does have the required capabilities, but there does not appear to be any way to let SSH authenticate a domain user using a public key. I could not find any information in the documentation or knowledge base.
If you try to log in as a domain user using the full domain name, public key authentication does not work. If you try to strip the domain part, you can use a public key, but in this case NetApp apparently does not see this user as a domain user (and does not grant capabilities).