7.6 FTP (Pure-FTPd) and OES for AD Users

FTP file services on OES servers are provided by Pure-FTPd, a free (BSD), secure, production-quality and standard-conformant FTP server. The OES implementation includes support for FTP gateway functionality as on OES and offers a level of integration between AD and Pure-FTP that allows users to authenticate to AD for FTP access to the server.

This section discusses the following topics:

7.6.1 Planning for Pure-FTPd

Before installing Pure-FTPd, ensure that users requiring FTP access have access rights to the areas on the server they need to use.

7.6.2 Installing Pure-FTPd

To install Pure-FTPd, select the OES FTP pattern in the OES installation.

7.6.3 Home Directory Support in Pure-FTPd

The FTP server supports a home directory for users on local and remote CIFS servers. The remote server should be an OES server. When the home directory is set for the user in AD, the user is placed in the home directory on successful login to the OES server.

Pure-FTPd supports three levels of home directory, default home directory, a user specific home directory on the local system, and a user specific home directory identified by the value set in AD.

DefaultHomeDirectory or AD home directories can be disabled. If both of them are enabled, the following is used to establish the precedence:

  • User specific home directory set in AD

  • Default home directory

User Specific Home Directory in AD

An administrator can set the home directory for AD users as part of the User object in AD. On successful login to the FTP server, the user is placed in the home directory set in the user object. The User's home directory can exist either on the OES server that is hosting the FTP service or on any other OES server in the same tree.

A new EnableRemoteHomeDirectory option is now available to support this home directory. By default, this option is set to NO and the home directory set for the user in AD is ignored.

To enable AD based home directory support, you must set both EnableRemoteHomeDirectory and remote_server to YES. FTP will then read the user’s home directory from AD and mount it locally.

Default Home Directory

DefaultHomeDirectory indicates the path to the common home directory for all FTP users. On successful login to the Pure-FTPd, users are placed in the default home directory. The default home directory can be a locally mounted NSS path or on a remote CIFS share. The NSS volume can be configured by using the DefaultHomeDirectory and DefaultHomeDirectoryServer settings. If the home directory is on a remote server, use DefaultHomeDirectoryServer, and set the DNS name of the remote CIFS server. As with any NSS volume, the FTP client should have required rights over the NSS volume whether DefaultHomeDirectory is on a local or remote server or not.

The DefaultHomeDirectoryServer option is now available to differentiate whether DefaultHomeDirectory is on a local or remote server. By default, this option is set to NO so DefaultHomeDirectory points to a local path.

To set DefaultHomeDirectory to point to a remote CIFS server with a DNS entry, you must specify the full path to the remote server, including the share name. For example, DefaultHomeDirectory /sharename. You must also set both DefaultHomeDirectory and remote_server to YES.

NOTE:The following are not supported for AD users:

  • POSIX home directory

  • Trusted GID feature

Backslash in Input Paths

Support for backslashes in input path is provided. Using FTP client on Windows, you can use backslash as separator in the path. allow_backslash_in_path option is now available to allow back slash in the path. By default the option is set to NO.

7.6.4 Prerequisites

Ensure that the FTP server can resolve the DNS name of the remote OES server.

7.6.5 Configuring Pure-FTPd on an OES Server

To configure the Pure-FTPd server on OES, edit the /etc/pure-ftpd/pure-ftpd.conf file.

NOTE:It is very strongly recommended that you read through the entire /etc/pure-ftpd/pure-ftpd.conf file and be familiar with the available parameters and settings.

For more information, see the pure-ftpd man page.

7.6.6 Administering and Managing Pure-FTPd on an OES Server

Starting Pure-FTPd

Start the Pure-FTPd server using the rcpure-ftpd command.

Initializing Multiple Instances

Pure-FTPd is loaded by using a configuration file. Multiple instances of Pure-FTPd can be loaded using different configuration files.

By default, an instance of Pure-FTPd using /etc/pure-ftpd/pure-ftpd.conf file is loaded at the boot time. For loading multiple instances, new configuration files need to be created.

To load a new instance of Pure-FTPd:

  1. Create a new configuration file for each instance.

    For example: Copy /etc/pure-ftpd/pure-ftpd.conf to /etc/opt/novell/pure-ftpd1.conf.

  2. Modify the following settings in the configuration file to avoid IP address or port conflicts between the instances:

    • PIDFile: Points to the full path of the PID file created by the pure-ftpd instance. PID file is used for unloading a particular instance of pure-ftpd. Hence, ensure that the PID File path is unique for every instance.

      For example: /var/run/pure-ftp1.pid, /var/run/pure-ftp2.pid.

    • Bind: By default, pure-ftpd binds to all the IP addresses on the system and listens to requests over port 21. Modify the settings of the bind such that all the pure-ftpd instances bind to different IP addresses or port combinations.

      also, modify the settings in the /etc/pure-ftpd/pure-ftpd.conf to avoid any IP address or port conflict from the second instance.

      For example: If a system has two interfaces with two IP addresses 10.1.1.1 and 10.1.1.2, then the bind setting for two pure-ftpd instances can be Bind 10.1.1.1,21 and Bind 10.1.1.2,21.

  3. Load the new instance using /usr/sbin/pure-config.pl <Full path of the config file>

    For example: /usr/sbin/pure-config.pl /etc/opt/novell/pureftpd-confs/pure-ftpd1.conf loads an instance using the config file /etc/opt/novell/pureftpd-confs/pure-ftpd1.conf.

Verifying the Load of a New Instance

Use the following methods to verify that the new instance of pure-ftpd is successfully loaded:

  • The ps –eaf | grep pure-ftpd command lists all the instances of pure-ftpd loaded on the system.

  • The PID file as specified using the PIDFile entry in the configuration file has been created.

  • An FTP connection from the client to the server over the IP address being used by the pure-ftpd instance can be created.

Unloading Specific Instances

A new script, pure-ftp-stop.pl, is added to unload an instance of pure-ftpd and all its child processes. The full path of the configuration file used to load the instance of pure-ftpd must be passed to the pure-ftp-stop.pl script.

For example: /usr/sbin/pure-ftpd-stop.pl /etc/opt/novell/pureftpd-confs/pure-ftpd1.conf unloads the instance of pure-ftpd that was loaded using /etc/opt/novell/pureftpd-confs/pure-ftp1.conf.

The PID file of the pure-ftpd instance is also used for unloading the pure-ftpd instance.

Verifying the Unload of a New Instance

  • The PID file specified using the PIDFile entry in the configuration file has been deleted.

  • The number of instances displayed by ps –eaf | grep pure-ftpd is reduced.

  • An FTP connection request to the server errors out.

Pure-FTPd Remote Server Navigation

After logging in to the AD tree, users can access files and directories on a remote Linux server whether or not the server is running Linux FTP Server software. The remote server can be another Linux OES server.

This section describes how to configure and use the Remote Server Navigation feature.

The CIFS protocol lets you transfer files and navigate to and from remote OES servers.

To navigate to remote servers, use the following command:

cd //remote server name/share/directory pathname

File operations such as get, put, and delete can be used on the remote server, even without changing the directory path to that server.

For example:

get //remote_server_name/share/directory path/filename

The double slash (//) indicates that the user wants to access a remote server. After the double slash, the first entry must be the name of the remote server. The remote server name should be full DNS server name.

Configuring OES FTP

Configuration file: /etc/pure-ftpd/pure-ftpd.conf

The configuration parameters for remote server navigation are as follows:

Entry

Value

Function

remote_server

yes

Enables remote server navigation for the Pure-FTPd server.

The following configuration parameters needs to be set for remote server navigation:

Entry

Value

Reason Why

ChrootEveryone

no

Option yes restricts users to login only to his home directory and cannot navigate to other directories including remote OES servers.

AnonymousOnly

no

Option yes allows only anonymous login.

NoRename

no

Option yes restricts users to rename the file.

Path Formats

Table 7-3 Linux FTP Server path formats

Task

Command Format

Specifying the volume and directory path name

//server_name/share_name/directory_path

Navigating to different volumes

cd //server_name/share_name

Switching back to the home directory

cd ~

Switching to the root of the server

/root

NOTE:

  • The Linux FTP Server does not support wildcards at the root of the server.

  • When chroot capability is enabled, AD users are allowed to login with chrooted.

7.6.7 SMB Access for AD Users

By default, AD users access files through SMB protocol. Beginning with OES 2018 SP1, they can also access files through SMB2 protocol. To enable this, add the entry client max protocol = SMB2 under the 'global' heading in /etc/samba/smb.conf on the FTP server.

[global]
client max protocol = SMB2

Enabling SMB2 access for AD users provides them the capability to access DFS junctions.

7.6.8 Limitations

Co-existence Issue in Default Home Directory for Cluster Volumes: If Default Home Directory is used and the physical and cluster pool names is greater than 15 characters, then the NCP and CIFS server names will be different. Therefore, FTP login is impacted for both Remote Home Directory and Default Home Directory.

If eDirectory and Active Directory users co-existence is needed, run two instances of FTP server. One instance for eDirectory users with NCP (Virtual) server name and another instance for Active Directory users with CIFS (netbios) server name. For more information on initializing multiple instances, see Initializing Multiple Instances.