Failed to retrieve directory listing

Document ID : KB000072146
Last Modified Date : 11/04/2018
Introduction:
A customer wants to use PAM to access a Windows FTP server.
When trying to access it, the following error is returned and the directory content cannot be seen:
"Failed to retrieve directory listing"
How can I access a Windows FTP Server using PAM?
Environment:
Windows 2012 FTP Server.
PAM 2.8.3
Instructions:
You will not be able to create a regular TCP Service for the Windows FTP Server, as you will encounter the following issues.

1. The FTP client will get the error "Failed to retrieve directory listing".
This is because the FTP client first connects to the FTP server via the local loopback address as configured in the service.
But once the FTP client has established the ControlChannel connection to the FTP server, it tries to establish the DataChannel, and the ClientIP address appears differently.
The ControlChannel has the PAM Server as the ClientIP, while the DataChannel has the FTP client's IP address.

This results in the following error, and the server declines to provide the directory listing.
2018-02-07 05:41:37 192.168.0.41 62043 SHARED\user1 FTPSVC2 WWW - 192.168.0.51 55825 DataChannelOpened - - 0 0 0 0 0 36ac0508-bcc1-406c-b235-c226e125445b - -
2018-02-07 05:41:37 192.168.0.41 62043 SHARED\user1 FTPSVC2 WWW - 192.168.0.51 55825 DataChannelClosed - - 1236 38 0 0 0 36ac0508-bcc1-406c-b235-c226e125445b - Client+IP+on+the+control+channel+didn't+match+the+client+IP+on+the+data+channel.
2018-02-07 05:41:37 192.168.0.199 33620 SHARED\user1 FTPSVC2 WWW - 192.168.0.51 21 LIST - 550 1236 38 218 6 15 36ac0508-bcc1-406c-b235-c226e125445b / Client+IP+on+the+control+channel+didn't+match+the+client+IP+on+the+data+channel.
2018-02-07 05:41:41 192.168.0.199 33620 SHARED\user1 FTPSVC2 WWW - 192.168.0.51 21 ControlChannelClosed - - 0 0 3434 1359 5000 36ac0508-bcc1-406c-b235-c226e125445b - -

The reason why I am highlighting "Windows FTP Server" is that there is a workaround for this behavior if you are using a 3rd party FTP server such as FileZilla Server.
It offers a "Relaxed Match Client IP" option, or a "Disable" option to completely ignore this error condition.

2. As noted above, the FTP client is establishing a connection directly to the FTP server (regardless of whether it is Windows FTP Server or FileZilla Server).
This may be something you want to restrict; you may require all connections to go via the PAM Server.

In this case, the advice is to use the "sftpftpemb" service that is available out of the box.
When you use this service, the PAM Client extracts the bundled WinSCP to the "%USERPROFILE%\WinSCP" folder and executes it, so you do not need to install WinSCP separately on the PAM Client machine.

This special service allows WinSCP to communicate only via the local loopback address and go via the PAM Server.
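
To audit an FTP log for the two issues described above (the control/data ClientIP mismatch and data connections that reach the FTP server without passing through PAM), the following Python script groups log lines by session ID and reports sessions whose data channel came from an IP never seen on the control channel. It is an added example, not part of the original article or of PAM. The field positions are an assumption inferred from the log lines quoted above, the function names are hypothetical, and the second session in the sample is constructed.

```python
from collections import defaultdict

# First four lines are the log lines quoted in the article; the last two are a
# constructed session (ID 00000000-...) where both channels share one client IP.
SAMPLE_LOG = r"""
2018-02-07 05:41:37 192.168.0.41 62043 SHARED\user1 FTPSVC2 WWW - 192.168.0.51 55825 DataChannelOpened - - 0 0 0 0 0 36ac0508-bcc1-406c-b235-c226e125445b - -
2018-02-07 05:41:37 192.168.0.41 62043 SHARED\user1 FTPSVC2 WWW - 192.168.0.51 55825 DataChannelClosed - - 1236 38 0 0 0 36ac0508-bcc1-406c-b235-c226e125445b - Client+IP+on+the+control+channel+didn't+match+the+client+IP+on+the+data+channel.
2018-02-07 05:41:37 192.168.0.199 33620 SHARED\user1 FTPSVC2 WWW - 192.168.0.51 21 LIST - 550 1236 38 218 6 15 36ac0508-bcc1-406c-b235-c226e125445b / Client+IP+on+the+control+channel+didn't+match+the+client+IP+on+the+data+channel.
2018-02-07 05:41:41 192.168.0.199 33620 SHARED\user1 FTPSVC2 WWW - 192.168.0.51 21 ControlChannelClosed - - 0 0 3434 1359 5000 36ac0508-bcc1-406c-b235-c226e125445b - -
2018-02-07 06:00:01 192.168.0.199 40100 SHARED\user2 FTPSVC2 WWW - 192.168.0.51 55900 DataChannelOpened - - 0 0 0 0 0 00000000-0000-0000-0000-000000000001 - -
2018-02-07 06:00:01 192.168.0.199 40001 SHARED\user2 FTPSVC2 WWW - 192.168.0.51 21 LIST - 226 0 0 218 6 15 00000000-0000-0000-0000-000000000001 / -
"""

# Assumed zero-based field positions, inferred from the sample lines above.
C_IP, METHOD, SESSION = 2, 10, 18

def channel_ips(log_text):
    """Map session ID -> client IPs seen on the control and data channels."""
    sessions = defaultdict(lambda: {"control": set(), "data": set()})
    for line in log_text.splitlines():
        fields = line.split()
        # Skip blank lines, '#' header directives and truncated records.
        if line.startswith("#") or len(fields) <= SESSION:
            continue
        kind = "data" if fields[METHOD].startswith("DataChannel") else "control"
        sessions[fields[SESSION]][kind].add(fields[C_IP])
    return sessions

def mismatched_sessions(log_text):
    """Return {session: (control_ips, stray_data_ips)} for mismatched sessions."""
    flagged = {}
    for sid, ch in channel_ips(log_text).items():
        stray = ch["data"] - ch["control"]  # data-channel IPs absent from control
        if stray:
            flagged[sid] = (sorted(ch["control"]), sorted(stray))
    return flagged

if __name__ == "__main__":
    for sid, (control, stray) in mismatched_sessions(SAMPLE_LOG).items():
        print(f"{sid}: control={control} direct data connections from={stray}")
```

In the article's session, the control channel IP (192.168.0.199) is the PAM Server and the stray data channel IP (192.168.0.41) is the FTP client connecting directly.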