FTP connections not working after "FTP Migration" from NetWare to OES

  • 7004621
  • 07-Oct-2009
  • 26-Sep-2012

Environment

Novell Open Enterprise Server 11 (OES 11) Linux
Novell Open Enterprise Server 2 (OES 2) Linux
Novell NetWare 6.5
Novell FTP Services (NWFTPD.NLM)

Situation

After using the OES FTP Migration tool to move configuration settings from a NetWare FTP server to an OES Novell FTP server, FTP clients could fail in a variety of ways, including:
 
- Login appears to fail, with the client showing a 421 error.
- Login succeeds but directory lists fail, timeout, or hang.
- Login succeeds but file transfers fail, timeout, or hang.
- With some GUI FTP clients or web browsers (which typically request a directory list immediately after authentication), a failed directory list may give the impression that the initial connection or authentication failed, even if that wasn't really the case.

Resolution

Among its other tasks, the FTP migration process migrates 2 settings related to Passive Data Connections from the old NetWare sys:\etc\ftpserv.cfg file into the Linux /etc/pure-ftpd/pure-ftpd.conf file.
 
 
1. NetWare FTP's setting:
FORCE_PASSIVE_ADDR=n.n.n.n
 
will get translated to pure-ftpd.conf:
ForcePassiveIP n.n.n.n
 
Problems that can exist after this migration: 
 
a.  If the new OES system is not taking the same IP address or is not sitting behind the same NAT configuration as the original NetWare system, then this setting could be incorrect, thereby causing the problem.  This setting should reflect the public IP address which substitutes for the server's private IP.  If the server already uses a public address (and no NAT) then this setting is not necessary and can be remarked out.
 
b.  Furthermore, even if the new OES system *is* taking the exact place of the old NetWare system, a problem can develop.  When NetWare is set to "FORCE_PASSIVE_ADDR=0.0.0.0", this zero address has the special meaning of "whatever interface the FTP session is already using."  (This is identical to not setting the parameter at all.)
 
However, on pure-ftpd, setting "ForcePassiveIP 0.0.0.0"  is not taken to have a special meaning, and literally causes the FTP server to start telling clients to connect to 0.0.0.0 for their passive data connections.  This will fail.
 
The minimum solution is to remark out the "ForcePassiveIP 0.0.0.0"  in /etc/pure-ftpd/pure-ftpd.conf and restart by executing "rcpure-ftpd restart".  However, it is further recommended that the 0.0.0.0 be changed back to some more standard example, such as 192.168.0.1 , so future administrators who may view the configuration file will not be deceived into thinking 0.0.0.0 would be a valid setting.
 
Recent updates to the migration utility will prevent it from setting 0.0.0.0 for the parameter.  But if current updates are not in place, this could occur.
 
 
2.  NetWare FTP's settings:
PASSIVE_PORT_MIN=nnnnn
PASSIVE_PORT_MAX=mmmmm
 
will get translated to pure-ftpd's:
PassivePortRange nnnnn mmmmm
 
Problems that can exist after this migration:
 
a.  If the new OES system is placed behind a firewall, and the firewall is not allowing connections into that range of ports, passive data connection attempts could fail.
 
b.  OES Novell FTP (pure-ftpd) is designed differently with respect to the requirements for this range.  In NetWare FTP, the range could be very small or even just 1 port (i.e. min and max could be the same port number).  However, in pure-ftpd, this range must be at least 2 ports wide, and even then will only support 1 FTP session.  To support multiple concurrent sessions (e.g. 10), pure-ftpd requires that the port range be twice that size (e.g. 20).
 
As another example, if "MaxClientsNumber" in pure-ftpd.conf is set to 50, then the passive port range must be at least 100 wide, i.e.:
PassivePortRange 30000 30099
 
Novell development is considering modifications to the migration utility, to avoid setting this range improperly.
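
The two checks described under items 1b and 2b can be run against a migrated configuration file before restarting the service. The following is an added example, not part of the original document or of the migration utility; the function names and the sample configuration are constructed for illustration, and it assumes the file uses the "Directive value" layout shown above.

```python
import ipaddress

def parse_conf(text):
    """Map each uncommented directive in pure-ftpd.conf text to its arguments."""
    conf = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if fields:
            conf[fields[0]] = fields[1:]
    return conf

def check_passive_settings(text):
    """Return (code, message) findings for the two migrated passive settings."""
    conf, findings = parse_conf(text), []

    forced = conf.get("ForcePassiveIP")
    if forced:
        try:
            if ipaddress.ip_address(forced[0]).is_unspecified:
                findings.append(("FORCE_PASSIVE_ZERO",
                    "ForcePassiveIP 0.0.0.0 is sent to clients literally; remark it out"))
        except ValueError:
            pass  # not an IP literal; outside the scope of this check

    ports = conf.get("PassivePortRange")
    if ports and len(ports) == 2:
        low, high = int(ports[0]), int(ports[1])
        width = high - low + 1
        # Rule from item 2b: two ports per concurrent session, never fewer than two.
        clients = conf.get("MaxClientsNumber")
        needed = 2 * int(clients[0]) if clients else 2
        if width < needed:
            findings.append(("PORT_RANGE_TOO_NARROW",
                f"PassivePortRange is {width} wide, needs at least {needed}"))
    return findings

# Constructed sample: settings a migration from NetWare could leave behind.
MIGRATED = """\
ForcePassiveIP 0.0.0.0
PassivePortRange 30000 30000
MaxClientsNumber 50
"""

if __name__ == "__main__":
    for code, message in check_passive_settings(MIGRATED):
        print(f"{code}: {message}")
```

The firewall condition in item 2a cannot be determined from pure-ftpd.conf and still has to be verified on the firewall itself.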