FTP - 530 error

Question

FTP - 530 error

I have a Mac Mini running 10.6.7 Server. One of the services running is FTP, which recently stopped allowing users to connect. We haven't used the FTP in a couple of months, but it worked perfectly back in February and I haven't made any changes to the configuration since I set it up back then.

Currently, when someone tries to connect, it immediately rejects their credentials (username and password) and states: "530 error: username or password not correct". I've tried connecting with several accounts that I know have access to the FTP server and all get the 530 error. I tried restarting the service, removing and reassigning all the users and re-propagating permissions, no go. I even set up a new account, gave it access, tried connecting, and still get the 530 error.

Network info: all ports are open. This is a server on a university network with a public-facing IP. Nothing about the network or server config has changed since February.

The only thing I can think of that changed between today and February was a power outage from a storm a couple of weeks ago. I did a disk repair and all is otherwise well. AFP, SMB, DNS, NetBoot, and Filemaker Server all work just fine. It's only the FTP service that doesn't allow connections. Any ideas aside from rebuilding the server from scratch?

Mac Mini, Mac OS X (10.6.7)

Posted on Apr 14, 2011 7:03 AM

Reply

Answer 1

Apr 14, 2011 7:50 AM in response to chris.wilcoxson

Found some more info in my error logs. These lines appears in system.log every time I try accessing the FTP server via Terminal:

Apr 14 09:42:03 cembserver ftpd[62188]: ACCESS DENIED (not in any class) TO 172.16.0.135 [172.16.0.135]
Apr 14 09:42:03 cembserver ftpd[62188]: FTP LOGIN REFUSED (access denied) FROM 172.16.0.135 [172.16.0.135], meleftp

"meleftp" is the username that's trying to connect to the FTP server. That same sequence appears when I try any other username (that should have access to the FTP server).

When I try accessing FTP via CyberDuck (the first time):

Apr 14 09:07:52 cembserver ftpd[60099]: FTP LOGIN REFUSED (bad shell or username in /Library/FTPServer/Configuration/ftpusers) FROM 65.82.99.253 [65.82.99.253], meleftp
Apr 14 09:07:52 cembserver emond[86]: Host at 65.82.99.253 will be blocked for at least 15.00 minutes
Apr 14 09:07:52 cembserver afctl[60112]: Firewall not running or managed by another entity, rule not added

Later, I tried accessing via Cyberduck and I get this:

Apr 14 09:47:20 cembserver ftpd[62458]: ACCESS DENIED (not in any class) TO 65.82.99.253 [65.82.99.253]
Apr 14 09:47:20 cembserver ftpd[62458]: FTP LOGIN REFUSED (access denied) FROM 65.82.99.253 [65.82.99.253], meleftp
Apr 14 09:47:20 cembserver emond[86]: Host at 65.82.99.253 will be blocked for at least 15.00 minutes
Apr 14 09:47:20 cembserver afctl[62498]: Firewall not running or managed by another entity, rule not added

What does the "FTP LOGIN REFUSED (bad shell or username in /Library/FTPServer/Configuration/ftpusers)" section mean? Do I have a corrupted file or something?

Reply

Answer 2

Apr 14, 2011 8:39 AM in response to chris.wilcoxson

Launch Terminal.app and issue the command

cat /Library/FTPServer/Configuration/ftpusers

and see what's listed in there, as a start. It should be a text list of users cleared for ftp use.

Also check the FTP server configuration, as corruptions have also been reported in this file:

cat /Library/FTPServer/Configuration/ftpaccess

That can be reset from the default version of the file located in that same directory.

Make sure the users have a login shell preference set in their login preferences via System Preferences or (more commonly) via Workgroup Manager.

And for completeness, make sure your DNS isn't messed up. You should get a "There is nothing to change" diagnostic from this command:

sudo changeip -checkhostname

Also try sftp. That does no-password logins, and it's a whole lot easier to deal with around firewalls, and it doesn't spray cleartext users and passwords around on what is undoubtedly an insecure network.

[Here is a previous thread|http://discussions.info.apple.com/message.jspa?messageID=6413664], and there are links there to another thread or two.

Reply

Answer 3

Apr 14, 2011 9:15 AM in response to MrHoffman

Thanks MrHoffman.

Checking FTP Users yields:
root
bin
boot
daemon
digital
field
gateway
guest
nobody
operator
ris
sccs
sys
uucp

I assume this is the default list? I tried just typing the name of a valid user at the end of the list, but it didn't allow that user to login.

Checking FTP Access yields:

?
defrootdir /Library/FTPServer/FTPRoot
upload /Library/FTPServer/FTPRoot /uploads yes ftp daemon 0666 nodirs
upload /Library/FTPServer/FTPRoot /uploads/mkdirs yes ftp daemon 0666 dirs 0777
anonymous-root /Library/FTPServer/FTPRoot
limit anonusers 50 Any /Library/FTPServer/Messages/limit.txt
limit realusers 3 Any /Library/FTPServer/Messages/limit.txt
chroot_type homedir
email
auth_level standard

Checking the hostname got:

2011-04-14 10:42:52.723 serveradmin[65576:903] Exception in doCommand: * -[NSCFDictionary setObject:forKey:]: attempt to insert nil value (key: context)
dirserv:error = "NIL RESPONSEERR ( * -[NSCFDictionary setObject:forKey:]: attempt to insert nil value (key: context))"

When I try SFTP, I get I/O Error: connection failed. Connect timed out.

The password workaround suggested here ( http://discussions.apple.com/thread.jspa?messageID=6282950) doesn't work. When I get to step three, it won't allow me to do that, even though I'm authenticated as the server's admin.

Reply

Answer 4

Apr 14, 2011 9:16 AM in response to MrHoffman

This link did work for me though:

http://blog.infusiontechsolutions.com/users-are-unable-to-connect-to-the-ftp-ser vice-on-mac-os-x-server/.

Resetting the ftpaccess file back to defaults fixed it and I'm not able to log in to my FTP server. Thanks for pointing me in the right direction and helping MrHoffman!

Message was edited by: chris.wilcoxson

Reply

Answer 5

Beno 44

Level 1

24 points

Jul 12, 2011 12:56 AM in response to chris.wilcoxson

thanks Chris, this link got me back up and running.

However, the FTP revert to default setup only a few hours after fixing it.

I then have to re-do the whole procedure again which is not a viable option.

Anyone else having this issue?

Reply

Answer 6

Jul 13, 2011 8:10 AM in response to Beno 44

Please launch Terminal.app and issue the command:

sudo changeip -checkhostname

If what you showed with that stackdump was the result of issuing that command, then there looks to be a low-level system configuration error or a problem with DNS services.

Mac OS X Server requires DNS on a private network and (based on the references to 172.16.0.135) you appear to be using the private "class B" block (as it used to be called). You will want to configure local DNS services within this block for at least your Mac OS X Server box itself (and it's usually preferred to just configure it all and to run DNS services for the whole of your private network), while you will have problems if you attempt to use your ISP DNS servers as your primary source.

Make sure you have IPv6 shut off for testing, as that can cause path issues.

I don't recommend running Mac OS X Server as a router, and (based on some of what you've posted) that might well be the case here. Mac boxes make for poor (slow, expensive, awkward, had to configure) IP network gateway/router boxes, and the usual sorts of system operations and configuration activities that occur on many servers can end up unexpectedly exposing ports to the Internet wilds. (There are a number of folks that have posted issues they've encountered here in the forums, too.)

The fix mentioned earlier was for 10.4 server boxes and a corruption of an ftp configuration file. I don't know that that error applies to 10.6. (Files can certainly get corrupted, but I'd not expect to see the network switch from working to not. That form of misbehavior usually implies some sort of DNS translation or IP routing error.)

Reply