
October 21st, 2014 11:00

EMC Isilon AD authentication for FTP

Having issues with authenticating to the Isilon cluster over AD to send files to a share using FTP. Running OneFS 7.1.1 on the cluster.

FTP to local works fine independently.

AD authentication to the cluster works fine independently.

Only having issues when we try to combine these two and get it working.

Has anyone tried this before? If so, please share the configuration/commands to get this going. Cases have been opened with support, with no luck yet.

117 Posts

October 22nd, 2014 06:00

I've used the referenced KB and I'm able to do whatever I want (i.e.: chroot all except certain users, chroot only certain users, use custom config, etc)

However, please note when using a custom config, the filename must match your full username that you use to login.  In my case I logged in with a user 'YFISI\tohill'.  So my custom config file is called 'YFISI\tohill' and NOT tohill.

In my setup below, only user 'YFISI\tohill' gets chrooted, and the chroot directory is /ifs/home/scratch as defined in its custom config file.  All details below.

FTP config:

yfvm-7111-2# isi ftp list
accept-timeout         60
allow-anon-access      NO
allow-anon-upload      YES
allow-dirlists         YES
allow-downloads        YES
allow-local-access     YES
allow-writes           YES
always-chdir-homedir   YES
anon-chown-username    root
anon-root-path         /ifs/home/ftp
anon-umask             077
ascii-mode             off
connect-timeout        60
data-timeout           300
dirlist-localtime      NO
dirlist-names          hide
file-create-perm       0666
local-root-path        local user home directory
local-umask            077
server-to-server       NO
session-support        YES
session-timeout        300
user-config-dir        /ifs/vsftpd/user_config
denied-user-list       (none)
limit-anon-passwords   NO
anon-password-list     (disabled)
chroot-local-mode      Only chroot the local users in the exception list
chroot-exception-list  YFISI\tohill

Content of my '/ifs/vsftpd/user_config' dir and the custom file for 'YFISI\tohill':

yfvm-7111-2# pwd
/ifs/vsftpd/user_config
yfvm-7111-2# ls -l
total 26
-rw-r--r--    1 root  wheel  51 Oct 22 08:55 YFISI\tohill
yfvm-7111-2# cat YFISI\\tohill
local_root=/ifs/home/scratch
chroot_local_user=yes

Permissions on the /ifs/home/scratch directory:

yfvm-7111-2# pwd
/ifs/home
yfvm-7111-2# ls -led scratch
drwxrwxr-x +  2 root  YFISI\domain use  26 Oct 22 09:21 scratch
OWNER: user:root
GROUP: group:YFISI\domain users
0: user:root allow dir_gen_read,dir_gen_write,dir_gen_execute,std_write_dac,delete_child
1: group:YFISI\domain users allow dir_gen_read,dir_gen_write,dir_gen_execute,delete_child
2: everyone allow dir_gen_read,dir_gen_execute

When I log in with the 'YFISI\tohill' user, this is what I get:

Name (192.168.32.222:xxxxx): YFISI\tohill
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd
Remote directory: /
ftp> dir
229 Entering Extended Passive Mode (|||27988|).
150 Here comes the directory listing.
-rw-------    1 ftp      ftp           373 Oct 22 13:21 test.txt
226 Directory send OK.

This is basically the content of the '/ifs/home/scratch' directory.

117 Posts

October 21st, 2014 12:00

This is working fine for me.  However, please note you need to prefix the username with the domain name on the login prompt.

Example below using OneFS 7.1.1.1.  My domain name is 'YFISI'.

client_host:~ faubert$ ftp 192.168.32.222
Connected to 192.168.32.222.
220-Isilon OneFS v7.1.1.1
220
Name (192.168.32.222:faubert): YFISI\faubert
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd
Remote directory: /ifs/home/YFISI/faubert

I've enabled the 'Create Home Directory' option for this test to make things simpler.  Here's a dump of my AD settings:

yfvm-7111-1# isi auth ads view yfisi.local -v
                     Name: YFISI.LOCAL
          Machine Account: YFVM-7111$
           Authentication: Yes
                   Status: online
           Primary Domain: YFISI.LOCAL
                   Forest: yfisi.local
                     Site: yf
           NetBIOS Domain: YFISI
                 Hostname: yfvm-7111.yfisi.local
          Controller Time: 2014-10-21T15:43:49
       Cache Entry Expiry: 4H
         Node DC Affinity: -
Node DC Affinity Timeout: -
          NSS Enumeration: No
              SFU Support: none
       Store SFU Mappings: No
        Ignore All Trusts: No
  Ignored Trusted Domains: -
  Include Trusted Domains: -
    Domain Offline Alerts: No
       LDAP Sign And Seal: No
             Lookup Users: Yes
   Lookup Normalize Users: Yes
            Allocate UIDs: Yes
  Lookup Normalize Groups: Yes
            Allocate GIDs: Yes
           Lookup Domains: -
            Lookup Groups: Yes
    Assume Default Domain: No
    Check Online Interval: 5m
 Machine Password Changes: Yes
Machine Password Lifespan: 1M
    Create Home Directory: Yes
  Home Directory Template: /ifs/home/%D/%U
              Login Shell: /bin/zsh

117 Posts

October 21st, 2014 13:00

See output below.  Also please note your AD provider must be in the System access zone.

yfvm-7111-2# isi ftp list
accept-timeout         60
allow-anon-access      NO
allow-anon-upload      YES
allow-dirlists         YES
allow-downloads        YES
allow-local-access     YES
allow-writes           YES
always-chdir-homedir   YES
anon-chown-username    root
anon-root-path         /ifs/home/ftp
anon-umask             077
ascii-mode             off
connect-timeout        60
data-timeout           300
dirlist-localtime      NO
dirlist-names          hide
file-create-perm       0666
local-root-path        local user home directory
local-umask            077
server-to-server       NO
session-support        YES
session-timeout        300
user-config-dir
denied-user-list       (none)
limit-anon-passwords   NO
anon-password-list     (disabled)
chroot-local-mode      No local users chrooted; exception list inactive
chroot-exception-list  (none)

October 21st, 2014 13:00

Thanks for replying so quickly. I have exactly the same settings with my domain on the cluster; however, the issue persists.

Can you please send the output from the command below on your cluster?

# isi ftp list

October 21st, 2014 14:00

cluster1# isi ftp list
accept-timeout         60
allow-anon-access      NO
allow-anon-upload      YES
allow-dirlists         YES
allow-downloads        YES
allow-local-access     YES
allow-writes           YES
always-chdir-homedir   YES
anon-chown-username    root
anon-root-path         /ifs/home/ftp
anon-umask             077
ascii-mode             off
connect-timeout        60
data-timeout           300
dirlist-localtime      NO
dirlist-names          hide
file-create-perm       0666
local-root-path        local user home directory
local-umask            077
server-to-server       NO
session-support        YES
session-timeout        300
user-config-dir        /ifs/home/ftp/ftpconfigdir
denied-user-list       (none)
limit-anon-passwords   NO
anon-password-list     (disabled)
chroot-local-mode      Only chroot the local users in the exception list
chroot-exception-list  EXS\x00xxxx

Here is my FTP setting. What I want to achieve here is pointing an AD user to a specific directory.

I have followed the attached documented procedure and cannot achieve it -->

Restrict users to a specific directory using a configuration file

Below is my error:

331 Please specify the password.
Password:
500 OOPS: cannot change directory:/ifs/home/EXS/x00xxxx
500 OOPS: priv_sock_get_cmd
Connection closed by remote host.

Any idea how to redirect and point an AD user to a specific folder?

Thanks,

1 Attachment

October 22nd, 2014 07:00

Thanks for the input, I think that's where I was doing it wrong. Will check and let you know.

Highly appreciate your help.

Shirish Anumula

Storage Admin

October 22nd, 2014 09:00

Yan, thanks a ton for your quick response. Thankful for such useful information.

When using a local user on the cluster, FTP does work like a charm and files land in the location specified in the config directory.

However, whenever I try with an AD user it still points to:

500 OOPS: cannot change directory:/ifs/home/EXS/e00XXX
500 OOPS: priv_sock_get_cmd
Connection closed by remote host.

Here are the settings:

isilon01-1# isi ftp ls
accept-timeout         60
allow-anon-access      NO
allow-anon-upload      YES
allow-dirlists         YES
allow-downloads        YES
allow-local-access     YES
allow-writes           YES
always-chdir-homedir   YES
anon-chown-username    root
anon-root-path         /ifs/home/ftp
anon-umask             077
ascii-mode             off
connect-timeout        60
data-timeout           300
dirlist-localtime      NO
dirlist-names          hide
file-create-perm       0666
local-root-path        local user home directory
local-umask            077
server-to-server       NO
session-support        YES
session-timeout        300
user-config-dir        /ifs/vsftpd/user_config
denied-user-list       (none)
limit-anon-passwords   NO
anon-password-list     (disabled)
chroot-local-mode      Only chroot the local users in the exception list
chroot-exception-list  EXS\e00xxxx
                       shirish

isilon01-1# cat /ifs/vsftpd/user_config/EXS\\e00xxxx
local_root=/ifs/home/scratch
chroot_local_user=yes

isilon01-1# cat /ifs/vsftpd/user_config/shirish
local_root=/ifs/home/shirish
chroot_local_user=yes

isilon01-1# ls -lead /ifs/home/scratch
drwxrwx--- +  2 root  wheel  19 Oct 22 08:28 /ifs/home/scratch
OWNER: user:root
GROUP: group:wheel
CONTROL:dacl_auto_inherited
0: user:root allow dir_gen_read,dir_gen_write,dir_gen_execute,std_write_dac,delete_child
1: user:EXS\e00xxxx allow dir_gen_all,object_inherit,container_inherit
2: group:wheel allow dir_gen_read,dir_gen_execute

There may be some basic thing I am missing and I cannot find it. Please check and see if there is any other setting or expression I am missing in this config.

117 Posts

October 22nd, 2014 14:00

I was able to reproduce your issue.  Here's what I found out.

Even if you have the chroot feature configured, the vsftpd process still needs to access the user's home directory.  As a test, I did the following to my user's home directory to simulate your issue:

yfvm-7111-2# chown root:wheel /ifs/home/YFISI/tohill

What this does is basically lock the 'tohill' user out of his home directory on the cluster.  I then tried to ftp and I get the same error as you:

Connected to 192.168.32.222.
220-Isilon OneFS v7.1.1.1
220
Name (192.168.32.222:xxxxxx): YFISI\tohill
331 Please specify the password.
Password:
500 OOPS: cannot change directory:/ifs/home/YFISI/tohill
ftp: Login failed
ftp> quit
500 OOPS: priv_sock_get_cmd

So even if I'm configured to land in /ifs/home/scratch, the ftp process still needs to access my home directory.

Can you check to ensure your home directory is there and has the correct ownership / permissions on it?

Once I've reconfigured my home directory permissions, I now land in /ifs/home/scratch and I'm locked in that dir:

# Change ownership on the cluster
yfvm-7111-2# chown 'YFISI\tohill:YFISI\Domain Users' tohill

# Now from the client it works OK
Connected to 192.168.32.222.
220-Isilon OneFS v7.1.1.1
220
Name (192.168.32.222:xxxxx): YFISI\tohill
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd
Remote directory: /
ftp> dir
229 Entering Extended Passive Mode (|||34605|).
150 Here comes the directory listing.
-rw-------    1 ftp      ftp           373 Oct 22 13:21 test.txt
226 Directory send OK.
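The thread turns up two separate preconditions for a chrooted AD login to work: the per-user config file must be named after the full DOMAIN\user login (the October 22nd 06:00 post), and the user's home directory must exist and be accessible before vsftpd applies local_root (the post above). The following preflight checker, added here as an example and not code from the thread, from Isilon or from vsftpd, tests both conditions against a staged directory tree. The home directory template, the staged tree under a temp dir, the sample logins and the uid values are all constructed for the demo; the ownership check only compares the directory owner's uid against an expected uid, which is enough to flag the root:wheel lockout reproduced above.

```python
"""Preflight checks for vsftpd per-user config on an Isilon-style home layout.
Added example: the layout, logins and uids below are constructed for the demo."""
import os
import tempfile


def parse_user_config(text):
    """Parse a vsftpd per-user config: one key=value per line, '#' comments."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed vsftpd config line: {raw!r}")
        cfg[key.strip()] = value.strip()
    return cfg


def home_dir_for(login, template="/ifs/home/%D/%U", root="/"):
    """Expand a OneFS-style home template for a 'DOMAIN\\user' login.
    A login without a backslash is treated as local and %D expands to ''
    (an assumption made for this example). 'root' relocates the tree."""
    domain, sep, user = login.partition("\\")
    if not sep:
        domain, user = "", login
    rel = template.replace("%D", domain).replace("%U", user)
    rel = os.path.normpath(rel).lstrip(os.sep)
    return os.path.join(root, rel)


def check_ftp_user(login, user_config_dir, home_template, expected_uid, root="/"):
    """Return a list of findings; an empty list means the login should land
    chrooted in its local_root. 'root' lets the checks run on a staged tree."""
    findings = []
    cfg = {}
    # vsftpd looks up the config file by the exact login string, domain included.
    cfg_path = os.path.join(user_config_dir, login)
    if os.path.isfile(cfg_path):
        with open(cfg_path) as fh:
            cfg = parse_user_config(fh.read())
    else:
        findings.append(f"no per-user config file named {login!r} in {user_config_dir}")
        bare = login.rpartition("\\")[2]
        if bare != login and os.path.isfile(os.path.join(user_config_dir, bare)):
            findings.append(f"config exists as {bare!r}; vsftpd matches the full login name")
    # vsftpd changes into the home directory before local_root takes effect.
    home = home_dir_for(login, home_template, root)
    if not os.path.isdir(home):
        findings.append(f"home directory {home} missing; vsftpd chdirs there before local_root")
    else:
        owner = os.stat(home).st_uid
        if owner != expected_uid:
            findings.append(f"home directory {home} owned by uid {owner}, not {expected_uid}")
    local_root = cfg.get("local_root")
    if local_root:
        target = os.path.join(root, local_root.lstrip("/"))
        if not os.path.isdir(target):
            findings.append(f"local_root {local_root} does not exist")
    if cfg.get("chroot_local_user", "").lower() != "yes":
        findings.append("chroot_local_user is not 'yes'; user is not confined to local_root")
    return findings


def stage_sample_tree(root):
    """Constructed sample layout (not from the thread): a correctly named config
    for 'YFISI\\tohill' with a home dir, and a config for 'EXS\\e00xxxx' that was
    mistakenly saved under the bare user name and has no home dir."""
    ucfg = os.path.join(root, "ifs", "vsftpd", "user_config")
    os.makedirs(ucfg)
    os.makedirs(os.path.join(root, "ifs", "home", "scratch"))
    os.makedirs(os.path.join(root, "ifs", "home", "YFISI", "tohill"))
    body = "local_root=/ifs/home/scratch\nchroot_local_user=yes\n"
    with open(os.path.join(ucfg, "YFISI\\tohill"), "w") as fh:
        fh.write(body)
    with open(os.path.join(ucfg, "e00xxxx"), "w") as fh:
        fh.write(body)
    return ucfg


def run_demo():
    """Run the three scenarios from the thread against the staged tree."""
    with tempfile.TemporaryDirectory() as root:
        ucfg = stage_sample_tree(root)
        me = os.getuid()
        ok = check_ftp_user("YFISI\\tohill", ucfg, "/ifs/home/%D/%U", me, root)
        # Simulate the root:wheel lockout by expecting a different owner uid.
        wrong_owner = check_ftp_user("YFISI\\tohill", ucfg, "/ifs/home/%D/%U", me + 1, root)
        misnamed = check_ftp_user("EXS\\e00xxxx", ucfg, "/ifs/home/%D/%U", me, root)
        return ok, wrong_owner, misnamed


if __name__ == "__main__":
    for label, result in zip(("tohill", "tohill (bad owner)", "e00xxxx"), run_demo()):
        print(label, "OK" if not result else result)
```

Running the block prints no findings for the correctly set up login, an ownership finding for the simulated lockout, and both the misnamed-config and missing-home findings for the second login, which mirrors the order in which the thread found the problems.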

October 22nd, 2014 14:00

Thanks a ton, you just saved my further effort with support.

It's working great now. All it needs is a home directory and I was not doing it.

Great !!!!!

Shirish Anumula

Storage Admin

13 Posts

August 3rd, 2018 07:00

Hi guys, I'm on OneFS 8.1. I need to access a OneFS 8.1.x cluster via FTP directly to a specific folder with an AD user; I followed your hints but it does not work.

1 Message

April 28th, 2020 17:00

Did you ever get support or help on this? 

Moderator

7.1K Posts

April 29th, 2020 10:00

Hello Dave-Tsao,

Here is a knowledge base article that may help resolve your issue.

https://dell.to/2zznffJ

Please let us know if you have any other questions.
