Recently I was asked to add FTP access to a file share for a vendor. The vendor uses a script on their side to FTP to the NetApp and drop some files to our EHR interface server, which we can then digest and get into our system. The vendor has a site-to-site VPN and restricted endpoint access via some ACLs on the networking side, so it's not really a big issue if they want to use FTP to me.
The NetApp can actually use the AD account to authenticate users and uses the NTFS permissions for that user as long as we are using a CIFS share, so that made life easy. In this case I'm not using a separate vFiler; I only need FTP access to this one file share. If I were going to have FTP access to various qtrees, this would have to be done differently.
Log into your NetApp from the command line. You can check your FTP settings:
FILER> options ftp
ftpd.3way.enable              off
ftpd.anonymous.enable         off
ftpd.anonymous.home_dir
ftpd.anonymous.name           anonymous
ftpd.auth_style               mixed
ftpd.bypass_traverse_checking on
ftpd.dir.override
ftpd.dir.restriction          off
ftpd.enable                   off
ftpd.explicit.allow_secure_data_conn on
ftpd.explicit.enable          off
ftpd.idle_timeout             900s       (value might be overwritten in takeover)
ftpd.implicit.enable          off
ftpd.ipv6.enable              off
ftpd.locking                  none
ftpd.log.enable               on
ftpd.log.filesize             512k
ftpd.log.nfiles               6
ftpd.max_connections          500        (value might be overwritten in takeover)
ftpd.max_connections_threshold 0%         (value might be overwritten in takeover)
ftpd.tcp_window_size          28960
For this very simple exercise, the ones we care about are:
ftpd.enable – Enables or disables FTP on your filer.
ftpd.dir.override – This setting is used to restrict FTP users to their home directories or a default directory. In my case I added a default directory.
ftpd.bypass_traverse_checking – If the ftpd.bypass_traverse_checking option is set to off, when a user attempts to access a file using FTP, ONTAP checks the execute permission for all directories in the path to the file. If any of the intermediate directories do not have the correct permission, ONTAP denies access to the file. If the ftpd.bypass_traverse_checking option is set to on, when a user attempts to access a file, ONTAP does not check the traverse permission for the intermediate directories when determining whether to grant or deny access to the file. In this case we want to turn this on.
So simply set them:
options ftpd.enable on
options ftpd.bypass_traverse_checking on
options ftpd.dir.override /vol/PATH/TO/CIFS/QTREE
AD users with access to the share can now use FTP to get or put files.
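
To confirm the filer ended up in the state described above, the `options ftp` output can be parsed and checked. This is an added example, not part of the original post or any NetApp tooling; the function names and the sample output are constructed, and the override path is the post's own placeholder.

```python
import re

# Constructed sample of `options ftp` output after the post's three changes
# (abridged; the override path is the post's own placeholder).
SAMPLE = """\
FILER> options ftp
ftpd.anonymous.enable         off
ftpd.anonymous.home_dir
ftpd.bypass_traverse_checking on
ftpd.dir.override             /vol/PATH/TO/CIFS/QTREE
ftpd.enable                   on
ftpd.explicit.enable          off
ftpd.idle_timeout             900s       (value might be overwritten in takeover)
ftpd.implicit.enable          off
"""

def parse_options(text):
    """Return {option: value}; options printed without a value map to ''."""
    opts = {}
    for line in text.splitlines():
        line = re.sub(r"\(.*?\)\s*$", "", line).strip()  # drop takeover note
        if not line.startswith("ftpd."):
            continue  # prompt line or blank
        parts = line.split(None, 1)
        opts[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return opts

def audit(opts, expected_dir):
    """Compare parsed options with the setup in the post; return findings."""
    findings = []
    if opts.get("ftpd.enable") != "on":
        findings.append("ftpd.enable is not on: FTP is disabled")
    if opts.get("ftpd.anonymous.enable") != "off":
        findings.append("ftpd.anonymous.enable is not off: anonymous logins allowed")
    if opts.get("ftpd.bypass_traverse_checking") != "on":
        findings.append("ftpd.bypass_traverse_checking is not on")
    if opts.get("ftpd.dir.override") != expected_dir:
        findings.append("ftpd.dir.override is %r, expected %r"
                        % (opts.get("ftpd.dir.override"), expected_dir))
    # The explicit/implicit options are the filer's FTPS switches; with both
    # off, AD credentials are sent as plain FTP and rely on the VPN and ACLs.
    if "on" not in (opts.get("ftpd.explicit.enable"), opts.get("ftpd.implicit.enable")):
        findings.append("note: FTPS (explicit/implicit) is off, logins are plain FTP")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_options(SAMPLE), "/vol/PATH/TO/CIFS/QTREE"):
        print(finding)
```

Paste the real output in place of SAMPLE and pass the qtree path you set in ftpd.dir.override as the expected directory.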