Solved

FTP server on Windows 2003

Posted on 2004-08-19
Last Modified: 2012-05-05
Hi,

Now I have a Windows 2003 Enterprise Edition and I'd like to have FTP server.  My server is stand alone server and doesn't have AD. I created 2 users to connect to the FTP server. Can I set home directory for each user when they connect to the FTP server?

I already tested by creating a new FTP site that isolates users, but when I try to connect to the server I found this error:

530 User test1 cannot log in, home directory inaccessible.

Anyone have any idea?

Regards,
Kongsit
Question by:Kc_cK
27 Comments
 
LVL 37

Expert Comment

by:meverest
ID: 11846990
Make sure that the user has log on locally rights.

cheers,  Mike.
0
 
LVL 34

Accepted Solution

by:
Dave_Dietz earned 300 total points
ID: 11849288
Make sure you create the FTP site using Non-AD User Isolation.

I'm going to set up a theoretical structure to try and illustrate what needs to be done.

c:\
|
|---Windows
|
|---Inetpub
|       |
|       |---wwwroot
|       |
|       |---ftproot
|       |       |
|       |       |---localusers
|       |       |      |
|       |       |      |---test1
|       |       |      |
|       |       |      |---test2
|       |       |      |
+      +       +      +

FTP Site Structure:

Root
|
|---test1 (virtual directory pointing to c:\inetpub\ftproot\localusers\test1)
|
|---test2 (virtual directory pointing to c:\inetpub\ftproot\localusers\test2)
|
+

Either disable anonymous logon or create a folder in localusers called public and make a vdir called anonymous and point it to the public folder.

Users with accounts on the machine may log in using the userid and password.
(test1 and test2)

When they log in their home directory will be set to localusers/username.

Users will need 'Log on Locally' rights in order to authenticate.
Users will need at least read rights on their home directory folders.

Does this help?

Dave Dietz
0
 

Author Comment

by:Kc_cK
ID: 11863174
I'm sure I already added the user in logon locally.

For Dave Dietz: I tried your solution. Now the user that FTPs to the server already logs in to their home directory, like test1 in your solution, but user test1 can go up to root and browse into folder test2. I'm not sure why he can.  In folder test2 user test1 doesn't have any permission.  I don't understand.
0
 
LVL 34

Expert Comment

by:Dave_Dietz
ID: 11866855
Did you create the FTP site using  Non-AD User Isolation?

If not this behavior is expected (though not preferred).  You will need to select user isolation when creating the site then set up the directory structure as shown above.

Dave Dietz
0
 

Author Comment

by:Kc_cK
ID: 11867057
I tried to set up FTP using Isolation Users and set up the directory structure as shown above, but when I connect to the server it always shows this error:

530 User test1 cannot log in, home directory inaccessible.
Login failed.

It's the same structure that I set up with Non Isolation Users, but Non Isolation Users works.

Kongsit
0
 

Expert Comment

by:thievesguild
ID: 12262661
Hey Dave.  Good answer, clearer than the IIS doc.  

What do you do if you want both user A and user B to access the same directory under local users?  Running Non-AD User Isolation, I can't figure out how to do it.
0
 
LVL 34

Expert Comment

by:Dave_Dietz
ID: 12262939
When using Non-AD User Isolation you can't have different users sharing a home folder.

(User Isolation isolates users....)

The only real way to do this would be to set a virtual directory under each person's home directory that points to a common location.  Once they log in they could traverse the virtual directory to the common location to share files with others.

Dave Dietz
0
 

Expert Comment

by:thievesguild
ID: 12277599
Thanks!   How do you set up a virtual directory?  Do you mean in the FTP site?
0
 
LVL 34

Expert Comment

by:Dave_Dietz
ID: 12278142
Yes.  Right click on the user's directory under the FTP site in the IIS Admin console and select New... then Virtual Directory....

Give the virtual directory a name and then point the location to your common file area.

Once the user logs in they can do a CD to the virtual directory name and they will then be able to access the common file area.

Dave Dietz
0
 

Expert Comment

by:thievesguild
ID: 12278562
Thanks, Dave.  I guess you'd need to use folder security on that common file area, as you're circumventing the protection that Server 2003 provides with user isolation.  I'm beginning to wonder if I should just set up a separate server for this kinda thing.
0
 
LVL 34

Expert Comment

by:Dave_Dietz
ID: 12279451
Correct - you would need to use NTFS permissions to secure any files in the common area.

As far as a separate server - what *exactly* are you trying to do?  Likely it can be handled with the single server in some way.....  :-)

Dave Dietz
0
 

Expert Comment

by:thievesguild
ID: 12292176
Hey Dave.  Thanks for sticking with this.

I have two customers who would like to have a FTP site that allows two user accounts.  They would use one account to maintain their web site perhaps, or put up documents.  The second user would simply put up or take down documents.  You can imagine a CAD designer who has large documents that he needs to forward to his clients.  He wants one user account for himself, and another account for his customers.

This was no problem on W2K Server.  I really like the user isolation in place on my 2003 server but also don't want to turn down any business.

What do you think?  Thanks expert.
0
 
LVL 34

Expert Comment

by:Dave_Dietz
ID: 12294375
What I would do is set up accounts for each user and set up non-ad user isolation.  

In each user account I would create virtual directories pointing to the areas they need access.
For example:
Admins - vdir to the root of the website
Contributors - vdir to the directory where they need to upload their CAD files (or whatever)
Others - nothing (they can access their files and that's it)

I would also create a local group for Admins and another for Contributors.
Add your users to these groups and use the groups to assign NTFS permissions on the content areas.
For the Contributor areas I would add NTFS permissions of Contributor: (Traverse Folder/Execute File, List Folder/Read Data, Create Files/Write Data, Read Permissions) and Creator Owner: Full Control (you could also add Admins: Full Control). This would allow contributors to upload files and also delete/change their own files without being able to change anyone else's.

Using the groups makes management easier and allows you to use logical grouping of what function the accounts are used for.

Dave Dietz
0
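The NTFS permission set from the answer above, written out as commands. This is an added example, not part of the original thread: the content path and the local group names are hypothetical, the built-in account names assume an English-language install, and it assumes PowerShell plus an `icacls` build that supports `/inheritance`. Removing inherited entries is a choice made for this example so that only the listed ACEs apply.

```powershell
# Added example: the path and group names are hypothetical placeholders.
$contentDir   = 'D:\Content\CAD'   # common area reached through a virtual directory
$contributors = 'Contributors'     # local group for accounts that upload files
$admins       = 'Admins'           # local group for accounts that manage the site

# Create the local groups if they are missing ("net localgroup <name>" fails if absent).
foreach ($group in @($contributors, $admins)) {
    net localgroup $group 2>$null | Out-Null
    if ($LASTEXITCODE -ne 0) { net localgroup $group /add | Out-Null }
}

if (-not (Test-Path $contentDir)) {
    New-Item -ItemType Directory -Path $contentDir | Out-Null
}

# Drop inherited entries so only the ACEs granted below apply, and keep
# the built-in administrators and SYSTEM in control of the folder.
icacls $contentDir /inheritance:r
icacls $contentDir /grant 'Administrators:(OI)(CI)F' 'SYSTEM:(OI)(CI)F'

# Contributors: Traverse Folder/Execute File (X), List Folder/Read Data (RD),
# Create Files/Write Data (WD), Read Permissions (RC). Delete is not granted.
icacls $contentDir /grant "${contributors}:(OI)(CI)(X,RD,WD,RC)"

# CREATOR OWNER: Full Control on what each account uploads itself.
icacls $contentDir /grant 'CREATOR OWNER:(OI)(CI)(IO)F'

# Admins: Full Control (optional in the answer above).
icacls $contentDir /grant "${admins}:(OI)(CI)F"

# Print the resulting ACL for review.
icacls $contentDir
```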

 

Expert Comment

by:jkean
ID: 12711497
I've followed the instructions to the letter, and still am receiving the "530 home directory inaccessible".

I have Win Server 2003, IIS6.  I setup a fresh, brand new FTP site.  The directory I am using is c:\www, the same directory I am using to host multiple websites successfully with IIS.

I can change the actual folder names to "localusers" and all that - but I assume that Windows doesn't care what names you use, provided that the virtual directories you create are of the user's name.

So, I have c:\www\laura - I have created a fresh user "laura" however in WSrv2003 there is no "Logon Locally" option in the user creation or properties dialogs.

I had this working a while ago, but I somehow screwed it up as with everything else and now it won't act the same way.  I gave full permissions to user "laura" on that directory - IUSR_computername has read/execute access already due to the website.

It makes no sense that it wouldn't work - I am stumped.  Any help is appreciated.
0
 

Expert Comment

by:jkean
ID: 12711574
OK found this in the Local Security policy - Users was already in this allow to log on locally permission group.  Therefore things were set properly in the first place.  It makes absolutely NO SENSE that this shouldn't work just as advertised.
0
 

Expert Comment

by:jkean
ID: 12711658
I tried again, starting completely from scratch.

c:\localusers (root directory)

c:\localusers\laura (user dir)

FTP Site "Test" -> removed anonymous access

Virtual Dir "laura" -> c:\localusers\laura

All set, go to FTP program - login as "laura" Error 530 home directory inaccessible.

I am now pissed that this works for everyone else but not for me......
0
 
LVL 34

Expert Comment

by:Dave_Dietz
ID: 12712497
Try this:

c:\
|
|---Windows
|
|---Inetpub
|       |
|       |---wwwroot
|       |
|       |---ftproot
|       |       |
|       |       |---localusers
|       |       |      |
|       |       |      |---laura
|       |       |      |
|       |       |      |---otherLocalAccount
|       |       |      |
+      +       +      +

Make sure the FTP site points to FTPRoot.

May not even need to create a virtual directory (testing seems to show it isn't necessary).

Ensure your local users have log on locally permissions, bypass traversal checking and have at least read access on their home folder.

This should work.  :-)

Dave Dietz

0
 

Expert Comment

by:crashnet
ID: 13065824
NOTE that, according to three MS docs on the issue,  the folder name is supposed to be localuser not localuserS:

http://tinyurl.com/4ubmm
http://tinyurl.com/6mneo
http://tinyurl.com/6fdnw

EB
0
 
LVL 34

Expert Comment

by:Dave_Dietz
ID: 13066222
Those documents do indeed say 'localuser' and in checking my actual working configuration I also have LocalUser.

I tried testing with 'LocalUsers' to see if the service is smart enough to compensate and found that it does need to be 'LocalUser'.

Thank you for noticing the typo.  :-)

Dave Dietz
0
 
LVL 3

Expert Comment

by:piratepatrol
ID: 13098132
Hi Dave,

I just want to thank you for this post.  I had the same problem as jkean, so I searched Experts Exchange for help.  I got to this post, and I have to say that your knowledge brought me out of the gutter.  Thank you so much.  I wish I could throw some points your way, but this post is already closed.

You rule, brother.


Jazon from Jacksonville, FL
0
 

Expert Comment

by:troyegan
ID: 13535050
Crashnet/Dave...Thanks!  

Using Localuser\username works, no need to create a virtual directory, which is good because I have a couple of power users who add accounts using telnet and net user and I didn't want to give them actually logging into the server.

0
 

Expert Comment

by:ashugarg00
ID: 13829400
Well - I still seem to be stuck - same problem as jkean...
0
 

Expert Comment

by:albanc
ID: 13900346
In order to allow anonymous access in isolated ftp site, there must be a directory named : ftproot/LocalUser/Public

DO NOT name this directory "anonymous" or anything else.
A virtual directory named "anonymous" and pointing to the folder named "Public" is not required for it to work.
0
 
LVL 6

Expert Comment

by:SHIELD1
ID: 14718539
I have just spent 15 minutes setting up a new FTP site, and it is necessary to follow these steps:

If you use AD isolation then you need to specify the domain name under the "directory location" e.g.

ftp site name :
                    ftp (descriptive name for site)
                       :root folder
                                       "domain name"

with permissions to : ftp user name read/list contents (optional write)
                             : network read/list
                             :iusr_(domain name) read/list
                             :interactive/iis_wpg/anonymous all with read/list

Be sure to create the FTP user in Active Directory. I'm not entirely sure if log on locally rights is necessary as this is a security risk and I have tried it both with and without those permissions and it still works.  There is no browsing allowed to higher folders only their local folders.

folders under the ftp root\domain name\ should correspond to the user name!

Then restart IIS and try again.  I have proven this on two different servers now.

Thanks
0
 

Expert Comment

by:thievesguild
ID: 14720740
Great!  What if you're not using Active Directory?
0
 
LVL 6

Expert Comment

by:SHIELD1
ID: 14750463
Well luckily IIS is not inseparable from Active Directory and vice versa, you can still set-up isolation mode or simply ensure that one user does not have access rights to any other folder than his own.

You can still create your users in Computer Management don't forget, then the isolation kicks in pretty much the same way as AD,

Now I haven't tried it just yet on non-server, but if my notes from above hold true then the home directory access issue can be addressed by using the server name instead of the domain name:

\server name\FTP\username :)

thanks for the feedback!
0
 

Expert Comment

by:keebie
ID: 15144073
I've just successfully done this (a min ago)

1. create the user 'janedoe' (in Computer Management \ Users)
2. create the FTP site
3. use isolation users (non AD mode)
4. under Security Accounts tab, Allow Anonymous Users is checked, Only Allow Anonymous is unchecked, and then browse for the user I created in Computer Management\ User
5. go to C:\Inetpub\FTP root\ - create a new folder 'LocalUser'
6. go inside LocalUser, create a new folder 'janedoe'.

I've tried for almost an hour with the different combinations and re-reading what is mentioned in the IIS help file. Able to log in finally : )
0
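A layout check for the "530 ... home directory inaccessible" error, based on what the thread settled on: local accounts need `LocalUser\<username>` under the FTP site root, the folder must not be named `LocalUsers`, and anonymous logon needs `LocalUser\Public`. This is an added example, not part of the original thread; the default root path and account names are assumptions to replace with your own.

```powershell
# Added example: $FtpRoot and $Accounts defaults are assumptions, adjust them.
param(
    [string]   $FtpRoot  = 'C:\Inetpub\ftproot',   # directory the FTP site points to
    [string[]] $Accounts = @('test1', 'test2'),    # local accounts that log in over FTP
    [switch]   $Anonymous                          # set when anonymous logon is enabled
)

$isoRoot = Join-Path $FtpRoot 'LocalUser'

if (-not (Test-Path $isoRoot -PathType Container)) {
    Write-Warning "Missing $isoRoot : local accounts need their home under LocalUser."
    # The naming mistake corrected later in the thread.
    if (Test-Path (Join-Path $FtpRoot 'LocalUsers') -PathType Container) {
        Write-Warning "Found 'LocalUsers': the folder has to be named 'LocalUser'."
    }
}

$expected = @($Accounts)
if ($Anonymous) { $expected += 'Public' }   # anonymous home is LocalUser\Public

foreach ($name in $expected) {
    $userHome = Join-Path $isoRoot $name
    $exists   = Test-Path $userHome -PathType Container
    $aces     = ''
    if ($exists) {
        # List who holds which rights; the account needs at least read here.
        $aces = ((Get-Acl $userHome).Access | ForEach-Object {
            "$($_.IdentityReference)=$($_.FileSystemRights)"
        }) -join '; '
    }
    New-Object PSObject -Property @{
        Account = $name
        Home    = $userHome
        Exists  = $exists
        Acl     = $aces
    }
}
```

Any row with `Exists` set to `False` is an account that will fail at logon on an isolated site; the `Acl` column is for checking by eye that the account, or a group it belongs to, has read access.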
