FTP Denying Logins

Status
Not open for further replies.

Mark A

Cadet
Joined
Aug 22, 2013
Messages
5
I'm having trouble getting FTP to work properly. My goal is to get this working with TLS, but one step at a time.

When I initially tried this, I was able to get local user login working without TLS. Then I moved on to TLS and failed to get it to log me in. I would get the certificate, but it would reject the login credentials. I reverted back to no encryption. After doing so, FTP with local user login still doesn't work. Every time I try to use the two accounts I created, I get an Access Denied error message (using WinSCP). I do successfully connect to the server, but it denies access. Anonymous access works fine.

I'm doing all testing within my network, but all ports are correctly forwarded and I can verify anonymous login works over the web. Below are the settings I felt would be necessary to include in my setup. Not that they're related, but SSH works properly.

FreeNAS-9.1.0-RELEASE-x64
IP address: 192.168.1.4

Went to Storage/Volumes/View Volumes
Checked Permissions on Data (primary volume) and datasets Data\Home & Data\Media.
All are set to Owner (User): Mark, Owner (Group) ftp, 777, Unix ACLs

I rechecked the ftp group and have added two users, Mark and FTPTest
Passwords have been reset to Mark and Ftp respectively and users are not locked
Home drive for Mark is /nonexistent and FTPTest is /mnt/Data/Home/FTPTest

In FTP settings these are the settings:
Port: 21
Clients: 5
Connections: 6
Login Attempts: 10
Timeout: 600
Allow Root Login: No
Allow Anonymous Login: Yes
Path: /mnt/Data/Media
Allow Local User Login: Yes
Display Login:
Allow Transfer Resumption: Yes
Always Chroot: No
Perform Reverse DNS lookups: No
Masquerade Address:
Enable TLS: No (Though I do want this to be encrypted)


I tried different configurations of the above and still no dice. I also tried deleting the certificate on my client PC but still doesn't work. Even tried an FTP tester online. Anonymous works (as expected) but no local users.

Any help is appreciated, Thanks!
-Mark
 
dlavigne

Guest
> Home drive for Mark is /nonexistent and FTPTest is /mnt/Data/Home/FTPTest

Both of these need to be the drive/volume being shared by FTP.
 

Mark A

Cadet
Joined
Aug 22, 2013
Messages
5
If I enable Always Chroot, wouldn't that automatically do that? Even if I enable Chroot, it doesn't work. I don't necessarily want people to FTP into their home directories, I want them to FTP into /mnt/Data/Media. Anonymous is still able to connect to /mnt/Data/Media even without a home directory.
 
dlavigne

Guest
From the manual:

Home Directory
browse button
leave as /nonexistent for system accounts, otherwise browse to the name of an existing volume or dataset that the user will be assigned permission to access

Basically, the user has no access to shares until their home directory is set to the desired volume/dataset. If you want user accounts to FTP to /mnt/Data/Media, set that as their home directory.
 

Mark A

Cadet
Joined
Aug 22, 2013
Messages
5
I set the home drive of a new user, Guest, to /mnt/Data/Media and they were able to login. I'm going to test this with encryption now.

Is it possible to add multiple FTP folders depending on the user? For example, if I add user John, and change his home directory to /mnt/Data/Home/John, would I be able to enable John to FTP to his home drive AND keep the Guest account to FTP to Media?

Really appreciate the help, thanks a bunch!
 
dlavigne

Guest
Yes. Even better, if you use datasets instead of folders (you can create datasets within datasets for a deeper structure), you can limit users to their own dataset as well as set properties such as quotas and compression on each user's dataset.

For example, if /mnt/Data is the volume and /mnt/Data/Home is a dataset, that could be the dataset that is shared by FTP. You could then create a dataset named John in /mnt/Data/Home and set /mnt/Data/Home/John as user John's home directory.
 

Mark A

Cadet
Joined
Aug 22, 2013
Messages
5
Yes, /mnt/Data is the volume
/mnt/Data/Media, /mnt/Data/Home, and /mnt/Data/Home/John are all datasets and subdatasets.

I set Guest's home dir to /mnt/Data/Media and John's to /mnt/Data/Home/John.
I set the "PATH" in FTP settings to /mnt/Data. Not exactly sure this is the right thing to do, but that ended up working properly. John logs into John's home dir and Guest logs into Media dir.

Encryption works too. You are the best!


One last thing if you don't mind. I have ddns setup so now I'm trying an external connection to the FTP. When I try to connect, I get the following:

Error listing directory '/'

Server sent passive reply with unroutable address 192.168.1.4, using host address instead.
Transfer channel can't be opened. Reason: No connection could be made because the target machine actively refused it.
Could not retrieve directory listing
Entering Passive Mode (192,168,1,4,69,178).
 

titan_rw

Guru
Joined
Sep 1, 2012
Messages
586
> One last thing if you don't mind. I have ddns setup so now I'm trying an external connection to the FTP. When I try to connect, I get the following:
>
> Error listing directory '/'
>
> Server sent passive reply with unroutable address 192.168.1.4, using host address instead.
> Transfer channel can't be opened. Reason: No connection could be made because the target machine actively refused it.
> Could not retrieve directory listing
> Entering Passive Mode (192,168,1,4,69,178).


See: http://forums.freenas.org/threads/f...ve-directory-listing-problem.6156/#post-58785

The issue is that FTP is 'hardish' to get working behind NAT. Especially if both server and client are behind NAT. You have to configure extra port forwarding on either the client or the server.
 

Mark A

Cadet
Joined
Aug 22, 2013
Messages
5
Great, thanks. I port forwarded ports 5001 - 5010 to the internal IP of freenas and added the min/max passive ports in the advanced section of the FTP settings to the same.

All looks good!
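
The passive-mode failure discussed in the last few posts, as an added example that is not part of the original thread: it decodes the "Entering Passive Mode" reply quoted above into the advertised address and data port, then checks both against the 5001-5010 range forwarded in the final post. The function names and the second and third sample replies are constructed for illustration.

```python
import ipaddress
import re

# Six comma-separated numbers of an RFC 959 PASV (227) reply: h1,h2,h3,h4,p1,p2.
PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_pasv(reply):
    """Return (IPv4Address, port) advertised in a PASV reply line."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError("no PASV tuple in reply: %r" % reply)
    nums = [int(n) for n in m.groups()]
    if max(nums) > 255:
        raise ValueError("field out of range in reply: %r" % reply)
    ip = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    # The data port is sent as two bytes, high byte first.
    return ip, nums[4] * 256 + nums[5]


def diagnose(reply, forwarded_ports):
    """List what would stop a client outside the NAT from opening the data channel."""
    ip, port = parse_pasv(reply)
    findings = []
    if any(ip in net for net in RFC1918):
        # WinSCP falls back to the control-connection host; other clients may not.
        findings.append("private address %s advertised; set Masquerade Address" % ip)
    if port not in forwarded_ports:
        findings.append("data port %d is outside forwarded range %d-%d"
                        % (port, forwarded_ports[0], forwarded_ports[-1]))
    return findings


if __name__ == "__main__":
    forwarded = range(5001, 5011)  # 5001-5010, as forwarded in the last post
    samples = [
        "Entering Passive Mode (192,168,1,4,69,178).",       # from the thread
        "227 Entering Passive Mode (192,168,1,4,19,140).",   # constructed
        "227 Entering Passive Mode (203,0,113,10,19,140).",  # constructed
    ]
    for line in samples:
        print(parse_pasv(line), diagnose(line, forwarded) or "ok")
```

The reply from the thread decodes to port 17842, which no router rule covered, so the data connection was refused even though WinSCP had already substituted the public host address.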
 