Koozali.org: home of the SME Server

ftp login problem

Offline Maniac

« on: June 05, 2007, 08:43:27 PM »
hi everyone,

every time I want to connect to my ftp-server ftp://student@ftp.kaplan.net/ and give the password I get "530 Login incorrect", but the password isn't incorrect.
tried with fireftp, too.
I created a new account called "student" and an extra group for ftp access and public ftp access is active.

why won't it work? :(

Offline mmccarn

« Reply #1 on: June 06, 2007, 05:07:38 AM »
I found that if I create a 'group' it is automatically added to /etc/ftpusers, so no member of the group can login... (all users get 'invalid password' error).  I've opened a bug: http://bugs.contribs.org/show_bug.cgi?id=3043

And here's a workaround.  It's in french, but you really only need to look at the code fragments: http://forums.contribs.org/index.php?topic=37168.0

Offline Maniac

« Reply #2 on: June 08, 2007, 10:25:19 PM »
are you sure it is a bug? FTP is like one of the main functions and I want to create a simple login from the internet. I rather think of a mistake from myself..

nevertheless I tried the workaround, but didn't know how to put the second and third code. Do they both have to be put at the file created first?

thanks for helping  8)

Offline mmccarn

« Reply #4 on: June 09, 2007, 12:48:48 AM »
I tried to setup 'group' level security for ftp access to ibays on my system, and found that all 'groups' are added to /etc/ftpusers by default, blocking access to all members of any group.

To find out if this post applies to your situation simply check your /etc/ftpusers file manually.  If it contains the name of either the user you are trying to use, or of any group to which that user belongs, you will not be able to login using FTP.

Use 'pico' or 'vi' to edit /etc/ftpusers and delete the offending user or group.  If you can now login using FTP you've identified the problem.

If you'd like to keep your 'groups' from being added back to /etc/ftpusers every time you create a user or ibay, modify a service, or install updates, I've outlined here how I did it on my system.

The changes described here should do no more than prevent SME group names from being added to /etc/ftpusers.


Mini How-To
To keep your 'groups' from being added to /etc/ftpusers:
Code:
mkdir -p /etc/e-smith/templates-custom/etc/e-smith/pam/accounts.deny
cd /etc/e-smith/templates-custom/etc/e-smith/pam/accounts.deny
cp /etc/e-smith/templates/etc/e-smith/pam/accounts.deny/10passwordRequired  .
pico -w 10passwordRequired
(be sure to include the dot at the end of the cp command...)
Now add the following between "my $type = $a->prop..." and "if ( $type...":
Code:
       next if ( $type =~ /(group)/ );
When you're done, the file should look like this:
Code:
{
    use esmith::AccountsDB;
    my $adb = esmith::AccountsDB->open_ro();

    while ( my $name = getpwent )
    {
        next if ($name eq "admin");
        next if ($name eq "public") and ($ACCOUNTS_DENY_ALLOW_PUBLIC);

        my $a = $adb->get($name);
        next unless defined $a;

        my $type = $a->prop('type') || 'none';
        next if ( $type =~ /(group)/ );
        if ( $type =~ /(user|ibay)/ )
        {
            my $passwordSet = $a->prop('PasswordSet') || 'no';
            next if ($passwordSet eq "yes");

            my $ftpMode = $a->prop('PublicAccess') || 'none';
            next if ($ftpMode eq "local" or $ftpMode eq "global");
        }
        $OUT .= "$name\n";
    }
}


Lastly, of course:
Code:
expand-template /etc/ftpusers
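
The manual check described in the post above (is the user, or any group the user belongs to, listed in /etc/ftpusers?) can be scripted. This is an added example, not code from the thread or from SME Server; the function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: list which of the given names appear in an
# ftpusers-style deny file. Arguments: file, user, then group names.
ftpusers_blockers() {
    file=$1
    user=$2
    shift 2
    # Remaining arguments are the groups the user belongs to.
    for name in "$user" "$@"; do
        # Strip comments and surrounding whitespace, then match whole lines
        # so that "student" does not match an entry such as "students".
        if sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$file" |
            grep -qxF -- "$name"; then
            printf '%s\n' "$name"
        fi
    done
}

# Demonstration on a constructed deny file (not a real SME Server file).
demo_ftpusers() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
# constructed sample
root
bin
ftpgroup
EOF
    # "student" is not listed, but the group "ftpgroup" is.
    ftpusers_blockers "$tmp" student ftpgroup staff
    rm -f "$tmp"
}

demo_ftpusers
```

On a live server the equivalent call is `ftpusers_blockers /etc/ftpusers student $(id -Gn student)`; any name it prints is an entry that denies that account FTP login.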

Offline Maniac

« Reply #5 on: June 12, 2007, 04:20:31 PM »
I'm sorry to say this doesn't seem to be the problem.
I edited the user's file and the user "student" isn't added automatically to the user's file anymore.
But there's still the "login incorrect 530" problem.

I thought about some possibilities:
- Do I need DynDns for FTP or is the "ftp.kaplan.net" domain already set up and ready to use?
- The Port 21 on my Router is already forwarded, but the SME-Server isn't listed in "attached devices". Is it possible that the router blocks my ftp traffic and I get the password error for that reason?

I tried ftp connection on LAN, there's no problem, but I need it online..

Offline mmccarn

« Reply #6 on: June 12, 2007, 05:04:55 PM »
Quote from: "Maniac"
I created a new account called "student" and an extra group for ftp access
My original supposition was that you were trying to access your ftp using a username that belongs to a group -- and that the group was being automatically added to /etc/ftpusers.  All of my posts above are aimed at resolving a 'group' problem.  As you can logon from the local network this isn't your problem.

Quote from: "Maniac"
The Port 21 on my Router is already forwarded
I think FTP also uses port 20 in "Active" mode, or some random port above 1023 in "Passive" mode when uploading & downloading data: http://slacksite.com/other/ftp.html  The specific details of what to open to make FTP work are likely to be different on different makes and models of routers - an old Cisco would need step-by-step instructions while a new Linksys probably does some internal auto-magic to make FTP work if you simply open port 21.

Quote from: "Maniac"
the SME-Server isn't listed in "attached devices"
I presume you mean on your router...  we'd need to know what kind of router you're using and what that router requires in order to list something under "attached devices".  It seems likely to me that "attached devices" is either a synonym for "dhcp clients" or a synonym for "UPnP clients" and that not being listed in "attached devices" is not keeping your SME from working properly.

Quote from: "Maniac"
Do I need DynDns for FTP or is the "ftp.kaplan.net" domain already set up and ready to use?
FTP does not use the domain name for server access the way httpd does - so, if your question is whether access should work by IP address then the answer is "yes".  If your question is whether setting up your SME server automagically registers your chosen domain name and publishes the DNS records for it, the answer is "no".  Test using your WAN IP unless you already know that your DNS name works (because webmail and http work by name from off-site, for example).

Quote from: "Maniac"
I tried ftp connection on LAN, there's no problem, but I need it online...
You will, of course, need to change the default FTP access permissions in server-manager:Security:Remote Access.  

In order for you to login using a password from the Internet, "FTP access" must be "Allow public access (entire Internet)" and "FTP password access" must be "Accept passwords from anywhere".  

If you run config show ftp you should see access=public and LoginAccess=public

Offline Maniac

« Reply #7 on: August 29, 2007, 03:10:16 PM »
ok now I've some time again to manage the server. Sorry for not answering so long  :-)

first thing: I managed to reach the server online, and I think I know after trying what seems to be the problem. I switched the "passive mode" off (at fire ftp) and there it worked.

the "password incorrect" problem was that I didn't use my actual IP but the domain's online name listed in the config. Now I know that it can't work because there's no DNS-service installed in standard. But I still wonder where this message comes from, I expect to get some "page not found" reply, like if I get on any other ftp://... domain. :-?

Now I'm trying to find out why it won't work in passive mode, if I do that the last reply is
"227 Entering Passive Mode (192,168,0,10,128,78).
       LIST
"

There is no entry in the router's log file about something blocked, when I use Passive mode, and the passive mode is better for firewalls & routers anyway.
About your Questions:
I'm using a netgear router FR114p with firewall.
I actually use my IP now for the address, will install the DNS-service later.
Change the default FTP access permissions in server-manager is done.


what can be the reason for that?
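
The 227 reply quoted in the post above carries the address and port the server offers for the data connection, as six decimal bytes (four for the IPv4 address, two for the port, high byte first). The script below decodes it and flags an RFC 1918 private address; it is an added example, not code from the thread, and the function names are made up for illustration.

```shell
#!/bin/sh
# Added example: decode an FTP 227 reply and flag a private data address.

# Print "IP PORT" for a 227 reply; return 1 if the line is not a valid one.
pasv_endpoint() {
    nums=$(printf '%s\n' "$1" | sed -n 's/^227 [^(]*(\([0-9,]*\)).*/\1/p')
    [ -n "$nums" ] || return 1
    old_ifs=$IFS
    IFS=,
    set -- $nums            # h1 h2 h3 h4 p1 p2
    IFS=$old_ifs
    [ $# -eq 6 ] || return 1
    for n in "$@"; do
        [ -n "$n" ] && [ "$n" -le 255 ] || return 1
    done
    # The port is sent as two bytes, high byte first.
    printf '%s.%s.%s.%s %s\n' "$1" "$2" "$3" "$4" $(( $5 * 256 + $6 ))
}

# Succeed if the IPv4 address lies in an RFC 1918 private range.
is_private_ipv4() {
    case $1 in
        10.*|192.168.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    esac
    return 1
}

# Report where the client is being told to open the data connection.
check_pasv_reply() {
    endpoint=$(pasv_endpoint "$1") || { echo "not a 227 reply"; return 1; }
    ip=${endpoint% *}
    port=${endpoint#* }
    if is_private_ipv4 "$ip"; then
        echo "data connection offered at $ip:$port (private address, not routable from the Internet)"
    else
        echo "data connection offered at $ip:$port"
    fi
}

# The reply quoted in the post above.
check_pasv_reply '227 Entering Passive Mode (192,168,0,10,128,78).'
```

For the quoted reply this reports 192.168.0.10 port 32846: an off-site client is being pointed at the server's LAN address, and the port is one the router would also have to forward.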

Offline mmccarn

« Reply #8 on: August 29, 2007, 07:03:59 PM »
'passive mode' is an odd beast - your off-site client connects to your server on port 21, then your server tries to connect back to your client using a randomly generated port number above 1024. 

The firewall at the client end needs to automagically recognize the 'call back' traffic from the ftp server and pass it through to your client.  I don't know how this is done, and I don't think it is trivial.  I think this is one of those "if it works, great; if it doesn't work, forget it" things -- unless you badly need 'passive mode' ftp for some reason...

Also, if you get passive mode working for one client you'll have to solve it again for every new client...

Offline Maniac

« Reply #9 on: August 30, 2007, 11:44:32 AM »
ok, then I'm happy with that.
It would have been nice, if you could connect via Internet Explorer, for those who still use it and don't know anything about ftp but what you say sounds plausible.
I just tell them to unmark the passive mode..
tu, mmccarn!