NetWare FTP anonymous login failures after update by Support Pack, eDir, NMAS, or Security Services

  • 7003549
  • 15-Jun-2009
  • 26-Apr-2012

Environment

Novell NetWare 6.5 Support Pack 6
Novell NetWare 6.5 Support Pack 7
Novell NetWare 6.5 Support Pack 8

Situation

After updating a NetWare 6.5 Server with an eDirectory update (such as 8.8.x), a Support Pack, or an NMAS or Security Services update, the anonymous user can no longer login through NetWare FTP.

Resolution

This is typically because Universal Password Policies are in use.  In NetWare 6.5 SP5 and below, the libraries FTP used for logging users in made use of older legacy methods to authenticate to eDirectory.  In newer updates, those underlying libraries now have the ability to send the logins through NMAS.  Therefore, new behaviors and restrictions can apply, for example, Universal Passwords and their Policies.
 
Usage of Universal Passwords or their Policies appear to be giving problems to the FTP anonymous user, which is a normal eDirectory user object, except that it has no password assigned.  The lack of the password may conflict with some aspects of Universal Passwords or their policies.
 
The recommended sequence to make sure anonymous user objects are protected from these policies is as follows.
 
1.  Identify the context which holds the anonymous user for the particular FTP server in question.  FTP choses it's context for the anonymous user in the following manner:
   A.  If sys:/etc/ftpserv.cfg has DEFAULT_FTP_CONTEXT specified, that context will be used.
   B.  If 'A' is not set, then if the NetWare server has bindery context(s) set, the first bindery context will be used.  Use the console command "CONFIG" (not "LOAD CONFIG) to see the bindery context in effect.
   C.  If 'A' and 'B' are not set, then the context of the regular Server Object will be used.
 
2.  Disassociate (unassign) the Universal Password Policy in effect for the container identified in step #1.
 
3.  Delete the anonymous user from the container specified in step #1.
 
4.  Unload NWFTPD.
 
5.  Load NWFTPD -A
Follow the prompts to login as the admin.  This will create a new anonymous user, set the anonymous home directory, etc.  The new anonymous user should appear in the same context where the previous one what deleted.
 
6.  Create a new Universal Password Policy where "Enable Universal Password" is set to FALSE.  Assign this policy to the anonymous user object created in step #5.
 
7.  Reassign the Universal Password policy to the container, which was unassigned in step #2.  The existence of the newer policy assigned directly to the anonymous user will prevent the container level policy from taking effect on that user.
 
8.  LOAD NWFTPD as you normally would.

Additional Information

For other FTP login issues that can come up once a NetWare FTP server receives these NMAS related updates, go to https://support.novell.com/search/kb_index.htm and search for KB 3845330.

Feedback service temporarily unavailable. For content questions or problems, please contact Support.