Re: FTP problem with more than 2 users configured



Wow! Do you mean this blog?
http://msmvps.com/bernard/archive/2004/12/24/27276.aspx

Ha! I totally forgot about it. But your case is different. Why is one able
to read, while one can't? Why??? For those able to log in, do they belong
to any user group? Need to find out what rights are missing......

How? Do you have any GPO or domain policy that restricts new users? Password,
etc.? Can you use the newly created account (but can't access FTP) to do a
Windows domain logon on any workstation? If you know which DC the IIS FTP
service tries to validate against in the AD. If you configure logon audit
again, any differences for the account that is able to log in and those that
can't log in?

--
Regards,
Bernard Cheah
http://www.microsoft.com/iis/
http://www.iiswebcastseries.com/
http://www.msmvps.com/bernard/


"Ynte Broekhuizen" <ynte@xxxxxxxx> wrote in message
news:118kss05haqqi24@xxxxxxxxxxxxxxxxxxxxx
> I finally got it to work again!
>
> I took a look at the security event log, as you suggested. This showed
> the exact same events for all users. There was no difference between the
> user that could log on to FTP and all the rest that could not. The log
> showed how the IIS process offered the credentials, and how the system
> verified them. From this point of view everything was ok.
>
> What also showed, though, was the 'special user' used by IIS to 'gain
> access to the AD'. As instructed by the setup wizard I gave this special
> user minimal rights. Meaning no rights at all :)
>
> Just to see what would happen, I added this special user to
> Administrators, restarted the FTP service and.. everything suddenly
> works!
>
> I tried to figure out exactly what part of being an Administrator is
> required for this. I removed the special user from Administrators again.
> Then, using policy editor, I went to Default DC Policy\Computer
> Configuration\Windows Settings\Security Settings\Local Policies\User
> Rights Assignment and put the special user on every right that already
> said Administrators. This, however, did NOT solve the problem. So it
> must be something else that is unique to being an Admin. I haven't been
> able to figure out what yet.
>
> I would like to know though. I don't like the idea of having this
> special user with admin rights, especially with the password stored in
> the metabase (thanks to Bernard's pages for info on this).
>
> What I still can't understand is how one user has always been able to
> log on to FTP while the special user was no admin. I would like more
> info on what this special user is used for by IIS.
>
> And any suggestions on narrowing down this issue to a certain Admin
> property are also welcome.
>
> --
> Ynte Broekhuizen
>
> In article <Ov83neqWFHA.1152@xxxxxxxxxxxxxxxxxxxx>, Bernard
> <qbernard@xxxxxxxxxxxxxxxxxxx> wrote:
>> Great analysis.... you can say that this is not permission related in
>> a way :)
>> On the other hand, what we know from this test is that.. inetinfo is
>> not doing anything at all.... meaning the request somehow somewhere
>> 'block' IIS FTP from further processing the login request. But what
>> is it?
>>
>> I can't think of any other process, as inetinfo is the host process
>> for IIS FTP. The next thing I would try is to enable logon auditing...
>> to see if the security event log captures more useful data.
>>
>>
>> "Ynte Broekhuizen" <ynte@xxxxxxxx> wrote in message
>> news:118iavdnsjmpk9b@xxxxxxxxxxxxxxxxxxxxx
>>> Thanks for your suggestions Bernard.
>>>
>>> I did as you said. I created a copy of the user that can log in, and
>>> I also created a new user from scratch and set all
>>> attributes/groups/etc the same. I even gave them the same password.
>>> I also made sure their homedirs/permissions were similar to the
>>> first user. And lastly, I set their FTPRoot and FTPDir AD attribs to
>>> match these directories.
>>>
>>> Note: all users in my 'FTP Users' group have local log on and network
>>> access rights.
>>>
>>> The result: Neither of these 2 new users could log in. Both got 530
>>> homedir inaccessible.
>>>
>>> After this I ran Filemon and set it to filter on "inetinfo".
>>>
>>> Logging on with the working user gave something like this:
>>>
>>> 12:55:34 AM inetinfo.exe:3816 OPEN C:\ftp\homes\DOMAIN1\user1\
>>> SUCCESS Options: Open Access: All
>>> 12:55:34 AM inetinfo.exe:3816 QUERY INFORMATION
>>> E:\ftp\homes\DOMAIN1\user1\ BUFFER OVERFLOW FileFsVolumeInformation
>>> 12:55:34 AM inetinfo.exe:3816 QUERY INFORMATION
>>> E:\ftp\homes\DOMAIN1\user1\ BUFFER OVERFLOW FileAllInformation
>>> 12:55:35 AM inetinfo.exe:3816 CLOSE C:\ftp\homes\DOMAIN1\user1\
>>> SUCCESS
>>>
>>> Logging on with the two new users gave... nothing! Not a single event
>>> showed in Filemon.
>>>
>>> This indicated to me that the problem lies not in the file/folder
>>> permissions. To double check this I created a folder and set it to
>>> deny access to user1 (the one that can log in).
>>> I logged on thru ftp and tried to access this folder. Filemon gave me
>>> (as it should):
>>>
>>> 12:59:39 AM inetinfo.exe:3816 OPEN C:\ftp\testdir ACCESS DENIED
>>> DOMAIN1\test1
>>> 12:59:39 AM inetinfo.exe:3816 OPEN C:\ftp\testdir ACCESS DENIED
>>> DOMAIN1\test1
>>>
>>> So, I think you'll agree that file permissions are not the issue
>>> here.
>>>
>>> Any thoughts?
>>>
>>> --
>>> Ynte Broekhuizen
>>>
>>> In article <uLxzFLfWFHA.2796@xxxxxxxxxxxxxxxxxxxx>, Bernard
>>> <qbernard@xxxxxxxxxxxxxxxxxxx> wrote:
>>>> If you got 530, can't log in, then it might be due to logon policy or
>>>> account disabled, locked up, etc.
>>>> For home directory inaccessible, mostly it is due to permissions...
>>>>
>>>> If you 'clone' that user to another account, are you able to log in?
>>>> How about recreating the account?
>>>>
>>>> Have you tried filemon (sysinternals.com)?
>>>>
>>>>
>>>> "Ynte Broekhuizen" <ynte@xxxxxxxx> wrote in message
>>>> news:118ff8lhrl3770b@xxxxxxxxxxxxxxxxxxxxx
>>>>> I'm having the exact same problem as the original poster. I'm using
>>>>> IIS 6 on Windows Server 2003.
>>>>>
>>>>> One user can log on. All the others get "530 User test1 cannot log
>>>>> in, home directory inaccessible."
>>>>>
>>>>> All permissions and AD attributes FTProot and FTPdir are set
>>>>> correctly as far as I can see. A second server in regular (non-AD)
>>>>> user isolation mode, mapped to the same physical root dir works
>>>>> without any problem; all users can log on to their respective
>>>>> homedirs.
>>>>>
>>>>> And there's another funny thing... in the past user isolation using
>>>>> Active Directory HAS worked perfectly for all users. The problem
>>>>> began after the installation of Exchange Server 2003.
>>>>>
>>>>> Exchange Server modifies the group policy to restrict local log on
>>>>> and network access rights. I suspect this is somehow the cause,
>>>>> although it doesn't explain why one user can still log on. This user
>>>>> is not in Administrators, nor any other extended rights group.
>>>>>
>>>>> Also, I have manually enabled 'local log on' and 'access this
>>>>> computer from the network' for other users with the Group Policy
>>>>> Editor. This didn't change anything. These users still get the
>>>>> mentioned 530 error.
>>>>>
>>>>> Did anybody find the solution to this very strange problem?
>>>>>
>>>>> I'm ready to give up and settle for regular user isolation...
>>>>>
>>>>> --
>>>>> Ynte Broekhuizen
>>>>>
>>>>> On Bernard wrote:
>>>>>> Thanks for the update - if you have the outcome, pls let me know.
>>>>>>
>>>>>> Cheers.
>>>>>>
>>>>>>
>>>>>> "Richard L Rosenheim" <richard@xxxxxxx> wrote in message
>>>>>> news:ewsopawNFHA.2580@xxxxxxxxxxxxxxxxxxxxxxx
>>>>>>> Oh, it definitely doesn't make sense.
>>>>>>>
>>>>>>> I have tried creating several different users, all with the same
>>>>>>> results. I'm also in contact with Microsoft attempting to resolve
>>>>>>> this issue. I was posting in this newsgroup in case someone else
>>>>>>> had encountered the same problem.
>>>>>>>
>>>>>>> Thanks for taking the time to reply,
>>>>>>>
>>>>>>> Richard Rosenheim
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> "Bernard" <qbernard@xxxxxxxxxxxxxxxxxxx> wrote in message
>>>>>>> news:%23AadjrmNFHA.3560@xxxxxxxxxxxxxxxxxxxxxxx
>>>>>>>> Well, it just doesn't make sense, right? So for now, I will try
>>>>>>>> to create a new user and see if the same thing happens. And
>>>>>>>> bottom line is I think it's related to NTFS permissions and
>>>>>>>> filemon should show you more detail as to why....
>>>>>>>>
>>>>>>>> --
>>>>>>>> Regards,
>>>>>>>> Bernard Cheah
>>>>>>>> http://www.tryiis.com/
>>>>>>>> http://support.microsoft.com/
>>>>>>>> http://www.msmvps.com/bernard/
>>>>>>>>
>>>>>>>>
>>>>>>>> "Richard L Rosenheim" <richard@xxxxxxx> wrote in message
>>>>>>>> news:%23Cd41ZcNFHA.2252@xxxxxxxxxxxxxxxxxxxxxxx
>>>>>>>>> I ran filemon on the ftp server (SBS 2003). The home folder is
>>>>>>>>> on the local machine. There is nothing special about the user.
>>>>>>>>> That's what has made this problem so baffling. The user was
>>>>>>>>> created the same way as the first two users.
>>>>>>>>>
>>>>>>>>> Richard Rosenheim
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> "Bernard" <qbernard@xxxxxxxxxxxxxxxxxxx> wrote in message
>>>>>>>>> news:eMO5KpZNFHA.2252@xxxxxxxxxxxxxxxxxxxxxxx
>>>>>>>>>> Are you running filemon on the ftp server?
>>>>>>>>>> What's so special about this user? Is the home folder on the
>>>>>>>>>> local machine or remote?
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> Regards,
>>>>>>>>>> Bernard Cheah
>>>>>>>>>> http://www.tryiis.com/
>>>>>>>>>> http://support.microsoft.com/
>>>>>>>>>> http://www.msmvps.com/bernard/
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> "Richard L Rosenheim" <richard@xxxxxxx> wrote in message
>>>>>>>>>> news:e7THk7YNFHA.3668@xxxxxxxxxxxxxxxxxxxxxxx
>>>>>>>>>>> We tried that. It didn't show anything helpful.
>>>>>>>>>>>
>>>>>>>>>>> Richard Rosenheim
>>>>>>>>>>>
>>>>>>>>>>> "Bernard" <qbernard@xxxxxxxxxxxxxxxxxxx> wrote in message
>>>>>>>>>>> news:%23bbECn0MFHA.580@xxxxxxxxxxxxxxxxxxxxxxx
>>>>>>>>>>>> I would try filemon (sysinternals.com) and trace 'where' IIS
>>>>>>>>>>>> ftp is sending the user. It will also show if there are
>>>>>>>>>>>> permission-related error msgs.
>>>>>>>>>>>>
>>>>>>>>>>>> --
>>>>>>>>>>>> Regards,
>>>>>>>>>>>> Bernard Cheah
>>>>>>>>>>>> http://www.tryiis.com/
>>>>>>>>>>>> http://support.microsoft.com/
>>>>>>>>>>>> http://www.msmvps.com/bernard/
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> "Richard L Rosenheim" <richard@xxxxxxx> wrote in message
>>>>>>>>>>>> news:%23d3hVnpMFHA.4028@xxxxxxxxxxxxxxxxxxxxxxx
>>>>>>>>>>>>> I'm trying to configure the FTP portion of a SBS 2003
>>>>>>>>>>>>> install.
>>>>>>>>>>>>>
>>>>>>>>>>>>> I'm using AD User Isolation. The first two users that I
>>>>>>>>>>>>> create and configure (using the IISFTP /SetADProp script)
>>>>>>>>>>>>> work fine. But, I can't get more than two users to work.
>>>>>>>>>>>>> Any additional users that I create, I get a "503 ... home
>>>>>>>>>>>>> directory inaccessible" error message when they attempt to
>>>>>>>>>>>>> establish a FTP connection. The first two users still work
>>>>>>>>>>>>> fine.
>>>>>>>>>>>>>
>>>>>>>>>>>>> I have even done a complete reinstall in case something got
>>>>>>>>>>>>> screwed up the first time. I'm still getting the same
>>>>>>>>>>>>> issues.
>>>>>>>>>>>>>
>>>>>>>>>>>>> All that I have installed is SBS 2003 itself, the FTP
>>>>>>>>>>>>> add-on to IIS, and the patches/updates from WindowsUpdate.
>>>>>>>>>>>>> No third-party software has been installed.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Has anyone else experienced this problem? Anyone know of
>>>>>>>>>>>>> any solutions, workarounds?
>>>>>>>>>>>>>
>>>>>>>>>>>>> TIA,
>>>>>>>>>>>>>
>>>>>>>>>>>>> Richard Rosenheim
>

