Jim Basney Rocks

OK, authentication guru Jim Basney explained it to me and I have
solved the issue.

Control channel authentication was succeeding and data channel
authentication was failing because of where Globus looks for trusted
certificates for users.

The client is running in OGSA, so trusted certs are determined in
cog.properties.

in.ftpd runs as root, and it finds trusted certificates in
/etc/grid-security/certificates. (If I had had a
/root/.globus/certificates directory, it would have used that.)

Then for the data channel in.ftpd does a setuid to futrelle (who I
map to in the gridmap file). In that case, it found a
~futrelle/.globus/certificates directory, which I thought wouldn’t
matter but it did, and I didn’t happen to have the alliance CA cert
in that directory. So data channel authentication failed.
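
The lookup described above can be audited per identity before a transfer fails. This is an added example, not code from the original post or from Globus: it models only the two locations named in the post (a per-user `.globus/certificates` directory taking precedence over the system directory) and assumes CA certificates are stored as `<hash>.0`; the hash `0a1b2c3d` and the temporary directory tree are constructed.

```shell
#!/bin/sh
# Added example: models only the two trust locations named in the post.

# effective_cert_dir HOME SYSTEM_DIR
# Prints the directory a process with that home directory would trust:
# the per-user directory if it exists, otherwise the system-wide one.
effective_cert_dir() {
    if [ -d "$1/.globus/certificates" ]; then
        printf '%s\n' "$1/.globus/certificates"
    else
        printf '%s\n' "$2"
    fi
}

# has_ca DIR HASH: succeeds if DIR contains the CA file HASH.0 (assumed naming).
has_ca() {
    [ -f "$1/$2.0" ]
}

# audit_ca SYSTEM_DIR HASH HOME...
# One report line per home directory; returns 1 if any identity lacks the CA.
audit_ca() {
    sys=$1; ca_hash=$2; shift 2
    rc=0
    for home in "$@"; do
        dir=$(effective_cert_dir "$home" "$sys")
        if has_ca "$dir" "$ca_hash"; then
            echo "OK      $home -> $dir"
        else
            echo "MISSING $home -> $dir"
            rc=1
        fi
    done
    return $rc
}

# Constructed tree reproducing the post: root has no per-user directory,
# the mapped user has one that does not contain the CA.
demo() {
    demo_root=$(mktemp -d)
    mkdir -p "$demo_root/etc/grid-security/certificates" "$demo_root/root" \
             "$demo_root/home/futrelle/.globus/certificates"
    : > "$demo_root/etc/grid-security/certificates/0a1b2c3d.0"
    audit_ca "$demo_root/etc/grid-security/certificates" 0a1b2c3d \
             "$demo_root/root" "$demo_root/home/futrelle"
    status=$?
    rm -rf "$demo_root"
    return $status
}

demo || true
```

The `MISSING` line for the mapped user corresponds to the data channel failure; the `OK` line for root corresponds to the control channel succeeding.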