EMC Isilon AD authentication for FTP
Having issues with AD authentication to the Isilon cluster when sending files to a share using FTP. Running OneFS 7.1.1 on the cluster.
FTP to local works fine independently
AD authentication to cluster works fine independently
Only having issues when we try to combine these two and get it working.
Has anyone tried this before? If so, please share the configuration/commands to get this going. Cases have been opened with support and no luck yet.
Yan_Faubert
October 22nd, 2014 06:00
I've used the referenced KB and I'm able to do whatever I want (i.e. chroot all except certain users, chroot only certain users, use a custom config, etc.).
However, please note when using a custom config, the filename must match your full username that you use to login. In my case I logged in with a user 'YFISI\tohill'. So my custom config file is called 'YFISI\tohill' and NOT tohill.
In my setup below, only user 'YFISI\tohill' gets chroot and the chroot directory is /ifs/home/scratch as defined in its custom config file. All details below.
ftp config
Content of my '/ifs/vsftpd/user_config' dir and the custom file for 'YFISI\tohill'
Permissions on the /ifs/home/scratch directory:
When I login with the 'YFISI\tohill' user, this is what I get:
This is basically the content of the '/ifs/home/scratch' directory.
Yan_Faubert
October 21st, 2014 12:00
This is working fine for me. However, please note you need to prefix the username with the domain name at the login prompt.
Example below using OneFS 7.1.1.1. My domain name is 'YFISI'.
I've enabled the 'Create Home Directory' option for this test to make things simpler. Here's a dump of my AD settings:
Yan_Faubert
October 21st, 2014 13:00
See output below. Also please note your AD provider must be in the system access zone.
ShirishAnumula
October 21st, 2014 13:00
Thanks for replying so quickly. I have exactly the same settings with my domain on the cluster; however, the issue persists.
Can you please send the output of the command below from your cluster?
# isi ftp list
ShirishAnumula
October 21st, 2014 14:00
cluster1# isi ftp list
accept-timeout 60
allow-anon-access NO
allow-anon-upload YES
allow-dirlists YES
allow-downloads YES
allow-local-access YES
allow-writes YES
always-chdir-homedir YES
anon-chown-username root
anon-root-path /ifs/home/ftp
anon-umask 077
ascii-mode off
connect-timeout 60
data-timeout 300
dirlist-localtime NO
dirlist-names hide
file-create-perm 0666
local-root-path local user home directory
local-umask 077
server-to-server NO
session-support YES
session-timeout 300
user-config-dir /ifs/home/ftp/ftpconfigdir
denied-user-list (none)
limit-anon-passwords NO
anon-password-list (disabled)
chroot-local-mode Only chroot the local users in the exception list
chroot-exception-list EXS\x00xxxx
Here is my FTP setting. What I want to achieve here is pointing the AD user to a specific directory.
I have followed the attached documented procedure and cannot achieve it:
Restrict users to a specific directory using a configuration file
Below is my error:
331 Please specify the password.
Password:
500 OOPS: cannot change directory:/ifs/home/EXS/x00xxxx
500 OOPS: priv_sock_get_cmd
Connection closed by remote host.
Any idea how to redirect and point the AD user to a specific folder?
Thanks,
Attachment: How to lock FTP users into a specific directory (1).pdf
ShirishAnumula
October 22nd, 2014 07:00
Thanks for the input, I think that's where I was doing it wrong. Will check and let you know.
Highly appreciate your help.
Shirish Anumula
Storage Admin
ShirishAnumula
October 22nd, 2014 09:00
Yan, thanks a ton for your quick response. Thankful for such useful information.
When using a local user on the cluster, FTP works like a charm and files land in the location specified in the config directory.
However, whenever I try with an AD user it still points to:
500 OOPS: cannot change directory:/ifs/home/EXS/e00XXX
500 OOPS: priv_sock_get_cmd
Connection closed by remote host.
Here are the settings:
isilon01-1# isi ftp ls
accept-timeout 60
allow-anon-access NO
allow-anon-upload YES
allow-dirlists YES
allow-downloads YES
allow-local-access YES
allow-writes YES
always-chdir-homedir YES
anon-chown-username root
anon-root-path /ifs/home/ftp
anon-umask 077
ascii-mode off
connect-timeout 60
data-timeout 300
dirlist-localtime NO
dirlist-names hide
file-create-perm 0666
local-root-path local user home directory
local-umask 077
server-to-server NO
session-support YES
session-timeout 300
user-config-dir /ifs/vsftpd/user_config
denied-user-list (none)
limit-anon-passwords NO
anon-password-list (disabled)
chroot-local-mode Only chroot the local users in the exception list
chroot-exception-list EXS\e00xxxx
shirish
isilon01-1# cat /ifs/vsftpd/user_config/EXS\\e00xxxx
local_root=/ifs/home/scratch
chroot_local_user=yes
isilon01-1# cat /ifs/vsftpd/user_config/shirish
local_root=/ifs/home/shirish
chroot_local_user=yes
isilon01-1# ls -lead /ifs/home/scratch
drwxrwx--- + 2 root wheel 19 Oct 22 08:28 /ifs/home/scratch
OWNER: user:root
GROUP: group:wheel
CONTROL:dacl_auto_inherited
0: user:root allow dir_gen_read,dir_gen_write,dir_gen_execute,std_write_dac,delete_child
1: user:EXS\e00xxxx allow dir_gen_all,object_inherit,container_inherit
2: group:wheel allow dir_gen_read,dir_gen_execute
There may be some basic thing I am missing and I cannot find it. Please check and see if there is any other setting or expression I am missing in this config.
Yan_Faubert
October 22nd, 2014 14:00
I was able to reproduce your issue. Here's what I found out.
Even if you have the chroot feature configured, the vsftpd process still needs to access the user's home directory. As a test, I did the following for my user home directory to simulate your issue:
What this does is basically lock out the 'tohill' user from his home directory on the cluster. I then tried to ftp and I get the same error as you:
So even if I'm configured to land in /ifs/home/scratch, the ftp process still needs to access my home directory.
Can you check to ensure your home directory is there and has the correct ownership / permissions on it?
Once I've reconfigured my home directory permissions, I now land in /ifs/home/scratch and I'm locked in that dir:
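The two points Yan's posts make, that the per-user vsftpd config file is named after the full `DOMAIN\user` login name and that the login still needs a reachable home directory even when `local_root` sends the user somewhere else, can be checked with a small script. The following is an added example, not code from the thread or from Dell/Isilon: the user-config directory, the user name `EXS\e00xxxx` and all paths are constructed sample values under a temporary directory, and `write_ftp_user_config` / `check_ftp_login_dirs` are helper names chosen here, not OneFS commands.

```shell
#!/bin/sh
# Added example (not from the thread or from Dell/Isilon): build the per-user
# vsftpd config file for a domain user the way the thread describes, then check
# the two directories the login depends on. All paths below are constructed for
# this demo; on a real cluster the directory is whatever 'isi ftp list' reports
# as user-config-dir.

# Path of the per-user config file. vsftpd looks for a file whose name is the
# full login name, domain prefix and backslash included (e.g. 'YFISI\tohill'),
# not the bare account name. %s keeps the backslash literal.
ftp_user_config_path() {
    printf '%s/%s\n' "$1" "$2"
}

# Create the per-user config: land the user in $3 and lock them there.
write_ftp_user_config() {
    mkdir -p "$1"
    printf 'local_root=%s\nchroot_local_user=yes\n' "$3" \
        > "$(ftp_user_config_path "$1" "$2")"
}

# The chroot target alone is not enough: vsftpd still enters the user's home
# directory first, so a missing or inaccessible home gives
# '500 OOPS: cannot change directory'. Return 0 only when both exist.
check_ftp_login_dirs() {
    rc=0
    [ -d "$1" ] || { printf 'missing home directory: %s\n' "$1" >&2; rc=1; }
    [ -d "$2" ] || { printf 'missing local_root: %s\n' "$2" >&2; rc=1; }
    return $rc
}

# Demo on a throwaway tree (constructed sample values).
DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT
AD_USER='EXS\e00xxxx'              # literal backslash, single-quoted on purpose
CONFIG_DIR=$DEMO/user_config
HOME_DIR=$DEMO/home/EXS/e00xxxx    # the home path uses a slash, not the login name
SCRATCH=$DEMO/home/scratch

write_ftp_user_config "$CONFIG_DIR" "$AD_USER" "$SCRATCH"
mkdir -p "$SCRATCH"

# First attempt: only the chroot target exists, the home directory does not.
if check_ftp_login_dirs "$HOME_DIR" "$SCRATCH"; then
    echo "unexpected: prerequisites satisfied without a home directory"
else
    echo "login would fail: create the home directory first"
fi

# After creating the home directory the prerequisites are met.
mkdir -p "$HOME_DIR"
check_ftp_login_dirs "$HOME_DIR" "$SCRATCH" && echo "login prerequisites satisfied"
```

The script only models the two directory checks; it does not set ACLs or talk to the cluster. On OneFS the equivalent manual check is the `ls -lead` output shown in the thread: the home directory must exist and its ACL must let the AD user enter it, in addition to whatever rights are granted on the `local_root` target.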
ShirishAnumula
October 22nd, 2014 14:00
Thanks a ton, you just saved me further effort with support.
It's working great now. All it needs is a home directory and I was not doing it.
Great !!!!!
Shirish Anumula
Storage Admin
bellonia
August 3rd, 2018 07:00
Hi guys, I'm on OneFS 8.1. I need to access a OneFS 8.1.x cluster via FTP, landing directly in a specific folder with an AD user. I followed your hints but it does not work.
davetsao
April 28th, 2020 17:00
Did you ever get support or help on this?
DELL-Sam L
Moderator
April 29th, 2020 10:00
Hello Dave-Tsao,
Here is a knowledge base article that may help resolve your issue.
https://dell.to/2zznffJ
Please let us know if you have any other questions.