KpyM Telnet/SSH Server - Forum
SFTP Permissions trouble |
JasonG |
Apr 26 2011 14:13 |
|
Hi there,
I'm trying to configure sftp access for a specific domain user and have added the read/execute permissions for this user on the file-transfer.allowed (actually on all 3 for troubleshooting).
Yet, in the log I see the line:
1112 : 6856 2011- 4-18 15:51: 9 4 : 0: login refused: [ userName ] - Logon failure: the user has not been granted the requested logon type at this computer.
What makes me wonder is a domain user who is a member of machine\Administrators via the Domain Admins (has full control of file-transfer.allowed) is able to connect via sftp.
Does anyone have ideas about what I'm missing?
|
Kroum Grigorov |
|
Apr 26 2011 16:21 |
|
>Logon failure: the user has not been granted the requested logon type at this computer.
You need "logon locally" right granted to your user on the machine. This is the OS itself that denies logon to the user. Internally KTS will spawn a thread/process under the identity of your user but Windows does not allow it since your user is denied to log on this machine.
Revert back your custom security on the *.allowed files, adjust the user rights on this machine and confirm your user can start a terminal session.
Then you can continue securing your box through *.allowed files
Kroum
|
JasonG |
|
Apr 28 2011 20:17 |
|
Thank you Kroum, you hit the nail on the head.
Guess I'm stuck with this (there's an AD policy for this OU denying logon locally for domain users) and need to move this service onto a different machine.
I can see the simplicity of the local thread running as a user. But maybe someday sftp can be a separate service which multiplexes user sessions as separate threads under the service account. It's a thought anyway, but then it makes for a lot of complication for security.
Thank you again and it is instructional reading through the code.
|
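One way to confirm the diagnosis in this thread on the server itself, as an added example that is not part of the original posts or of KTS: the script reads the machine's user-rights assignments and reports whether a given user, through its own SID or any of its groups, holds "Allow log on locally" (`SeInteractiveLogonRight`) or is caught by "Deny log on locally" (`SeDenyInteractiveLogonRight`). It assumes an elevated prompt on a domain-joined host; the UPN is a constructed placeholder.

```powershell
# Added example (not KTS code). Run from an elevated prompt on the KTS host.
# The UPN below is a constructed placeholder.
param([string]$Upn = 'sftpuser@example.test')

$rights = @{
    SeInteractiveLogonRight     = 'Allow log on locally'
    SeDenyInteractiveLogonRight = 'Deny log on locally'
}

# Export the user-rights assignments as secedit reports them on this machine.
$cfg = Join-Path $env:TEMP ('user-rights-{0}.inf' -f [guid]::NewGuid())
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$lines = Get-Content $cfg
Remove-Item $cfg

# Entries are either *S-1-... SIDs or plain account names; normalise to SID strings.
function ConvertTo-SidString([string]$entry) {
    $entry = $entry.Trim()
    if ($entry.StartsWith('*')) { return $entry.Substring(1) }
    try {
        $acct = New-Object System.Security.Principal.NTAccount($entry)
        return $acct.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch { return $entry }   # unresolvable name: keep as written
}

# Build the user's SID set (own SID plus groups) from a token for that UPN.
# Assumption: domain-joined host that can resolve the UPN.
$id = New-Object System.Security.Principal.WindowsIdentity($Upn)
$userSids = @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })

$hit = @{}
foreach ($right in $rights.Keys) {
    $line = $lines | Where-Object { $_ -match "^$right\s*=" } | Select-Object -First 1
    $holders = @()
    if ($line) { $holders = ($line -split '=', 2)[1] -split ',' | ForEach-Object { ConvertTo-SidString $_ } }
    $hit[$right] = @($holders | Where-Object { $userSids -contains $_ })
    '{0} ({1}): {2}' -f $rights[$right], $right, ($holders -join ', ')
}

# Deny wins over allow, which is the situation the AD policy in this thread creates.
if ($hit.SeDenyInteractiveLogonRight.Count) {
    "DENIED via: $($hit.SeDenyInteractiveLogonRight -join ', ')"
} elseif ($hit.SeInteractiveLogonRight.Count) {
    "ALLOWED via: $($hit.SeInteractiveLogonRight -join ', ')"
} else {
    'NOT GRANTED: no SID of this user holds "Allow log on locally"'
}
```

A "DENIED" or "NOT GRANTED" result matches the "has not been granted the requested logon type" line in the KTS log, and no change to the `*.allowed` file permissions will get past it.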
© 2007 - 2008 Kroum Grigorov