6 Replies Latest reply: Jul 13, 2011 8:10 AM by MrHoffman
chris.wilcoxson Level 1 (0 points)
I have a Mac Mini running 10.6.7 Server. One of the services running is FTP, which recently stopped allowing users to connect. We haven't used the FTP in a couple of months, but it worked perfectly back in February and I haven't made any changes to the configuration since I set it up back then.

Currently, when someone tries to connect, it immediately rejects their credentials (username and password) and states: "530 error: username or password not correct". I've tried connecting with several accounts that I know have access to the FTP server and all get the 530 error. I tried restarting the service, removing and reassigning all the users and re-propagating permissions, no go. I even set up a new account, gave it access, tried connecting, and still get the 530 error.

Network info: all ports are open. This is a server on a university network with a public-facing IP. Nothing about the network or server config has changed since February.

The only thing I can think of that changed between today and February was a power outage from a storm a couple of weeks ago. I did a disk repair and all is otherwise well. AFP, SMB, DNS, NetBoot, and Filemaker Server all work just fine. It's only the FTP service that doesn't allow connections. Any ideas aside from rebuilding the server from scratch?

Mac Mini, Mac OS X (10.6.7)
  • 1. Re: FTP - 530 error
    chris.wilcoxson Level 1 (0 points)
    Found some more info in my error logs. These lines appear in system.log every time I try accessing the FTP server via Terminal:

    Apr 14 09:42:03 cembserver ftpd[62188]: ACCESS DENIED (not in any class) TO 172.16.0.135 [172.16.0.135]
    Apr 14 09:42:03 cembserver ftpd[62188]: FTP LOGIN REFUSED (access denied) FROM 172.16.0.135 [172.16.0.135], meleftp

    "meleftp" is the username that's trying to connect to the FTP server. That same sequence appears when I try any other username (that should have access to the FTP server).

    When I try accessing FTP via CyberDuck (the first time):

    Apr 14 09:07:52 cembserver ftpd[60099]: FTP LOGIN REFUSED (bad shell or username in /Library/FTPServer/Configuration/ftpusers) FROM 65.82.99.253 [65.82.99.253], meleftp
    Apr 14 09:07:52 cembserver emond[86]: Host at 65.82.99.253 will be blocked for at least 15.00 minutes
    Apr 14 09:07:52 cembserver afctl[60112]: Firewall not running or managed by another entity, rule not added

    Later, I tried accessing via Cyberduck and I get this:

    Apr 14 09:47:20 cembserver ftpd[62458]: ACCESS DENIED (not in any class) TO 65.82.99.253 [65.82.99.253]
    Apr 14 09:47:20 cembserver ftpd[62458]: FTP LOGIN REFUSED (access denied) FROM 65.82.99.253 [65.82.99.253], meleftp
    Apr 14 09:47:20 cembserver emond[86]: Host at 65.82.99.253 will be blocked for at least 15.00 minutes
    Apr 14 09:47:20 cembserver afctl[62498]: Firewall not running or managed by another entity, rule not added


    What does the "FTP LOGIN REFUSED (bad shell or username in /Library/FTPServer/Configuration/ftpusers)" section mean? Do I have a corrupted file or something?
  • 2. Re: FTP - 530 error
    MrHoffman Level 6 (12,455 points)
    Launch Terminal.app and issue the command

    cat /Library/FTPServer/Configuration/ftpusers


    and see what's listed in there, as a start. It should be a text list of users cleared for ftp use.

    Also check the FTP server configuration, as corruptions have also been reported in this file:

    cat /Library/FTPServer/Configuration/ftpaccess


    That can be reset from the default version of the file located in that same directory.

    Make sure the users have a login shell preference set in their login preferences via System Preferences or (more commonly) via Workgroup Manager.

    And for completeness, make sure your DNS isn't messed up. You should get a "There is nothing to change" diagnostic from this command:

    sudo changeip -checkhostname


    Also try sftp. That does no-password logins, and it's a whole lot easier to deal with around firewalls, and it doesn't spray cleartext users and passwords around on what is undoubtedly an insecure network.

    Here is a previous thread (http://discussions.info.apple.com/message.jspa?messageID=6413664), and there are links there to another thread or two.
  • 3. Re: FTP - 530 error
    chris.wilcoxson Level 1 (0 points)
    Thanks MrHoffman.

    Checking FTP Users yields:
    root
    bin
    boot
    daemon
    digital
    field
    gateway
    guest
    nobody
    operator
    ris
    sccs
    sys
    uucp

    I assume this is the default list? I tried just typing the name of a valid user at the end of the list, but it didn't allow that user to login.


    Checking FTP Access yields:

    ?
    defrootdir /Library/FTPServer/FTPRoot
    upload /Library/FTPServer/FTPRoot /uploads yes ftp daemon 0666 nodirs
    upload /Library/FTPServer/FTPRoot /uploads/mkdirs yes ftp daemon 0666 dirs 0777
    anonymous-root /Library/FTPServer/FTPRoot
    limit anonusers 50 Any /Library/FTPServer/Messages/limit.txt
    limit realusers 3 Any /Library/FTPServer/Messages/limit.txt
    chroot_type homedir
    email
    auth_level standard


    Checking the hostname got:

    2011-04-14 10:42:52.723 serveradmin[65576:903] Exception in doCommand: * -[NSCFDictionary setObject:forKey:]: attempt to insert nil value (key: context)
    dirserv:error = "NILRESPONSEERR (* -[NSCFDictionary setObject:forKey:]: attempt to insert nil value (key: context))"


    When I try SFTP, I get I/O Error: connection failed. Connect timed out.

    The password workaround suggested here (http://discussions.apple.com/thread.jspa?messageID=6282950) doesn't work. When I get to step three, it won't allow me to do that, even though I'm authenticated as the server's admin.
  • 4. Re: FTP - 530 error
    chris.wilcoxson Level 1 (0 points)
    This link did work for me though:

    http://blog.infusiontechsolutions.com/users-are-unable-to-connect-to-the-ftp-service-on-mac-os-x-server/.

    Resetting the ftpaccess file back to defaults fixed it and I'm not able to log in to my FTP server. Thanks for pointing me in the right direction and helping MrHoffman!

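A triage sketch tying the "not in any class" log lines from the first reply to the ftpaccess listing from the third: it is an added example, not code from any poster or from Apple. It assumes wu-ftpd-style `class <name> ...` and `limit <name> ...` directives, and the `HINTS` table and function names are hypothetical.

```python
import re
from collections import Counter

# Sample input: log lines and an abridged ftpaccess listing as posted in the thread.
SYSTEM_LOG = """\
Apr 14 09:07:52 cembserver ftpd[60099]: FTP LOGIN REFUSED (bad shell or username in /Library/FTPServer/Configuration/ftpusers) FROM 65.82.99.253 [65.82.99.253], meleftp
Apr 14 09:47:20 cembserver ftpd[62458]: ACCESS DENIED (not in any class) TO 65.82.99.253 [65.82.99.253]
Apr 14 09:47:20 cembserver ftpd[62458]: FTP LOGIN REFUSED (access denied) FROM 65.82.99.253 [65.82.99.253], meleftp
Apr 14 09:47:20 cembserver emond[86]: Host at 65.82.99.253 will be blocked for at least 15.00 minutes
"""
FTPACCESS = """\
defrootdir /Library/FTPServer/FTPRoot
limit anonusers 50 Any /Library/FTPServer/Messages/limit.txt
limit realusers 3 Any /Library/FTPServer/Messages/limit.txt
chroot_type homedir
auth_level standard
"""
REFUSAL = re.compile(r"ftpd\[\d+\]: (?:ACCESS DENIED|FTP LOGIN REFUSED) \(([^)]*)\)")
# Hypothetical triage hints, keyed on a substring of ftpd's refusal reason.
HINTS = {
    "not in any class": "no ftpaccess 'class' line matches this client",
    "bad shell or username": "check the login shell and the ftpusers file",
}

def refusal_reasons(log_text):
    """Count the parenthesised reason on every ftpd refusal line."""
    hits = (REFUSAL.search(line) for line in log_text.splitlines())
    return Counter(m.group(1) for m in hits if m)

def class_audit(ftpaccess_text):
    """Return (classes defined by 'class', classes referenced by 'limit')."""
    defined, referenced = set(), set()
    for fields in (line.split() for line in ftpaccess_text.splitlines()):
        if len(fields) >= 2 and fields[0] == "class":
            defined.add(fields[1])
        elif len(fields) >= 2 and fields[0] == "limit":
            referenced.add(fields[1])
    return defined, referenced

def diagnose(log_text, ftpaccess_text):
    findings = []
    for reason, count in sorted(refusal_reasons(log_text).items()):
        hint = next((h for key, h in HINTS.items() if key in reason), None)
        if hint:
            findings.append(f"{count}x '{reason}': {hint}")
    defined, referenced = class_audit(ftpaccess_text)
    findings += [f"'limit {n}' has no matching 'class {n}' line"
                 for n in sorted(referenced - defined)]
    if not defined:
        findings.append("ftpaccess defines no classes, so every login is refused")
    return findings
```

Calling `diagnose(SYSTEM_LOG, FTPACCESS)` returns one finding per recognised refusal reason plus the class problems in the file.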
  • 5. Re: FTP - 530 error
    Beno 44 Level 1 (15 points)

    Thanks Chris, this link got me back up and running.

    However, the FTP reverts to the default setup only a few hours after fixing it.

    I then have to re-do the whole procedure again, which is not a viable option.

    Anyone else having this issue?

  • 6. Re: FTP - 530 error
    MrHoffman Level 6 (12,455 points)

    Please launch Terminal.app and issue the command:

    sudo changeip -checkhostname

    If what you showed with that stackdump was the result of issuing that command, then there looks to be a low-level system configuration error or a problem with DNS services.

    Mac OS X Server requires DNS on a private network and (based on the references to 172.16.0.135) you appear to be using the private "class B" block (as it used to be called). You will want to configure local DNS services within this block for at least your Mac OS X Server box itself (and it's usually preferred to just configure it all and to run DNS services for the whole of your private network), while you will have problems if you attempt to use your ISP DNS servers as your primary source.

    Make sure you have IPv6 shut off for testing, as that can cause path issues.

    I don't recommend running Mac OS X Server as a router, and (based on some of what you've posted) that might well be the case here. Mac boxes make for poor (slow, expensive, awkward, hard to configure) IP network gateway/router boxes, and the usual sorts of system operations and configuration activities that occur on many servers can end up unexpectedly exposing ports to the Internet wilds. (There are a number of folks that have posted issues they've encountered here in the forums, too.)

    The fix mentioned earlier was for 10.4 server boxes and a corruption of an ftp configuration file. I don't know that that error applies to 10.6. (Files can certainly get corrupted, but I'd not expect to see the network switch from working to not. That form of misbehavior usually implies some sort of DNS translation or IP routing error.)