Network and Storage Protocols

Domain user based FTP access

GAUDEY002
12,129 Views

Hi ,

I am trying to fix an FTP issue . The situation is , A domainuser (mydomain\user) while trying to ftp in to the filer and gets an error "530-Login incorrect-User has no home directory". Having said that there is already an exisiting domain user by the name rdm who can ftp to the filer and get to his home dir. The ftpd.auth_style   is mixed. So I understand that FTP server chooses NTLM authentication style for users logging in with domain credentials. Following are the steps I did to solve without any luck:

1. Added a user in the /etc/passwd file of the filer and generated an encrypted password with the command "cifs passwd anypassword" and copied the encrypted password in the /etc/passwd file. The syntax is as below

rdm:<encrypted password>:10000:10001:RDM FTP:/ /vol/company/logistics/Systems/rdm:

fintran:<encrypted password>:10002:10003:FINTRAN _FTP:/vol/company/FinanceSystems/COGNOS CSV FILES:

(fintran & rdm  are users)

2. Edited the /etc/usermap.cfg file with "mydomain\fintran = = fintran " . The user map file also contains mydomain\rdm = = rdm

3. Options ftpd.dir.override “ ”        (prior to executing this command, the value of   ftpd.dir.override           /vol/company/logistics/Systems/rdm). This value was set for domain user rdm to ftp to the filer and get to this directory .

4. The ftpd options are set as

ftpd.3way.enable             off

ftpd.anonymous.enable        off

ftpd.anonymous.home_dir

ftpd.anonymous.name          anonymous

ftpd.auth_style              mixed

ftpd.dir.override            " "

ftpd.dir.restriction         off

ftpd.enable                  on

ftpd.idle_timeout            900s       (value might be overwritten in takeover)

ftpd.locking                 none

ftpd.log.enable              on

ftpd.log.filesize            512k

ftpd.log.nfiles              6

ftpd.max_connections         500        (value might be overwritten in takeover)

ftpd.max_connections_threshold 0%         (value might be overwritten in takeover)

ftpd.tcp_window_size         28960

"mydomain\rdm" is an already exisiting working user who is able to login to the filer as FTP and get access to his directory as specified.  After having the above settings in place, it is observed that only local user "fintran" has access to the filer as FTP and get access to his default home dir as mentioned in the /etc/passwd file. But when tried with domain credentials (mydomain\fintran), he gets the "login incorrect" error. More interestingly the working user "mydomain\rdm" who had access to his home directory "/vol/company/logistics/Systems/rdm"  lost his access and gets the error "Login incorrect-User has no home directory". Upon setting the "ftpd.dir.override"  back to /vol/company/logistics/Systems/rdm , rdm is able to access with his domain credentials. The irony is mydomain\fintran needs access to "/vol/company/FinanceSystems/COGNOS CSV FILES" . Can anyone suggest if I am missing something? Is the setup correct? How can I make both domain users mydomain\fintran and mydomain\rdm have access to their resprective home directories. Any suggestions will be greatly appreciated.

Thanks in advance

-Dey

7 REPLIES 7

GAUDEY002
12,129 Views

Just trying to make the question short   . Can every AD domain user have his own individual home directory? For a local user, it can be achieved by editing /etc/passwd file with the username and home dir path. So far what I have seen ,  multiple domain users can login to the filer with FTP but can get access to only one home directory which is specified under

ftpd.dir.override . For example, if the option ftpd.dir.override is set to /vol/volname/orange then all the domain users get redirected to /vol/volname/orange which is obvious. If I remove the ftpd.dir.override option to " " , then no domain user is able to login. From what I have seen , multiple domain users can FTP to filer but their home directory is common. Is this a restriction? Or have I missed some trick in configuring? Has anyone observed similar behavior?

Thanks for any ideas

Dey

kumaraysun
12,129 Views

HI Gaureb

You should be able to make the CIFS work with DOmain account . There is a file etc/cifs_homedir.cfg which need to contain the home directory path and then typing options cifs.home_dir should list the correct home directory path.

Check the link below for more information

https://kb.netapp.com/support/index?page=content&id=2012332&actp=LIST_RECENT&viewlocale=en_US&searchid=1331214278983

Kumaresan

GAUDEY002
12,129 Views

Thanks for the response Kumaresan. For some reason, I am not authorized to access the link. Would it be possible for you to send the contents of the link to my email id.. gaurab.dey@hotmail.com

Many thanks for the response.

-Dey

kumaraysun
12,129 Views

Hi dey

Find the contents below

FTP connection using NTLM authentication fails with 530 Login incorrect - User has no home directory

KB ID: 2012332Version: 2.0Published date: 04/20/2011
Categories: Troubleshooting, Data ONTAP 7G


Symptoms

When attempting to open an FTP connection with the filer, it fails with client error: 530 Login incorrect - User has no home directory

Change home directory names to all lowercase letter


Cause

BUG 154006


Solution

If the options ftpd.auth_style is set to NTLM:
1.Confirm that a Common Internet File System protocol (CIFS) home directory has been set. This is the home directory that FTP will use. For Data ONTAP prior to 6.4, to set the CIFS home directory, use options cifs.home_dir
For Data ONTAP 6.4 and newer, set the CIFS home directory by editing the /etc/cifs_homedir.cfg file and then running cifs homedir load command to activate the changes.

2.Confirm that the user's home directory has been created at the specified path. The home directory must be named the same as the user's login name. For example, user johnd's home directory would be named johnd.
3.Confirm that the user is logging in as DOMAIN\username or username@domain.
4.Check that the user's home directory does not contain uppercase letters. If it does, change these to lowercase letters and try again. The FTP process in DataONTAP performs the home directory lookup using all-lowercase letter. As FTP is case-sensitive, this login fails if uppercase letters are used in the home directory names.
Bug 154006 is currently open to track this issue. For details and to check whether this bug is fixed, please see the Bugs Online Report at BUG 154006.

5.A Windows user with logon permissions limited to the server via CIFS will not be able to login to the filer via FTP using NTLM authentication. The user will need to be granted priviledges to login to the system using all services in order to access the filer FTP services.

Kumaresan

GAUDEY002
12,129 Views

Thanks Kumaresan, what should be the syntax of the /etc/cifs_homedir.cfg ?  Say for instance, domain\user wants to access /vol/volname/orange as a homedir . What should be the entry in the /etc/homedir.cfg file?

Regards,

Dey

kumaraysun
12,130 Views

Hi,

If the User wants to acess home dir then the path should be   /vol/volname/orange/<userloginname>.

About home directories on the storage system

Data ONTAP maps home directory names to user names, searches for home directories that you specify, and treats home directories slightly differently than regular shares

Data ONTAP offers the share to the user with a matching name. The user name for matching can be a Windows user name, a domain name followed by a Windows user name, or a UNIX user name.  Home directory names are not case-sensitive.

When Data ONTAP tries to locate the directories named after the users, it searches only the paths that you specify. These paths are called home directory paths. They can exist in different volumes.

The following differences exist between a home directory and other shares:

  • You cannot change the share-level ACL and the comment for a home directory.
  • The cifs shares command does not display the home directories.
  • The format of specifying the home directory using the Universal Naming Convention (UNC) is sometimes different from that for specifying other shares.

If you specify /vol/vol1/enghome and /vol/vol2/mktghome as the home directory paths, Data ONTAP searches these paths to locate user home directories. If you create a directory for jdoe in the /vol/vol1/enghome path and a directory for jsmith in the /vol/vol2/mktghome path, both users are offered a home directory. The home directory for jdoe corresponds to the /vol/vol1/enghome/jdoe directory, and the home directory for jsmith corresponds to the /vol/vol2/mktghome/jsmith directory

(https://library.netapp.com/ecmdocs/ECMM1278241/html/filesag/accessing/concept/c_oc_accs_about_home_directories_on_the_storage_system.html#c_oc_accs_ab...)

Kumaresan

DENISOZORIO
12,129 Views

Gaurab,

You solved your problem ? I am with same issue.

Thanks

Denis

Public