Vsftpd/AD Authentication

vsftpd (Very Secure FTP Daemon) is a widely used FTP server.

PAM (Pluggable Authentication Modules for Linux) is a system of libraries that handles the authentication tasks of applications (services) on the system.

winbind: Name Service Switch daemon for resolving names from NT servers.

Preamble
This HOWTO describes how to authenticate domain users for access to an FTP server running on a Linux daemon. It was verified against an Active Directory with 200K+ domain users. Good luck!

Vsftpd USE Flags
We should enable the pam, tcpd and caps USE flags and, optionally, ssl (for security reasons):

Install vsftpd
Install:

Samba USE Flags
We should enable the ads USE flag:

Install samba
Install:

/etc/krb5.conf
Note: parameters are case-sensitive.

/etc/vsftpd/vsftpd.conf
The FTP server will authenticate users against Microsoft Active Directory via PAM + winbind.

Chroot to user's home directory
Note: If you want to chroot all users into one fixed directory, add the following to your /etc/vsftpd/vsftpd.conf: local_root=/var/ftp

SECCOMP Filtering and 64-bit Kernels with =net-ftp/vsftpd-3.0.x
Note: If running an amd64 kernel, you will need to add the following to your /etc/vsftpd/vsftpd.conf:
seccomp_sandbox=NO
If this setting is not added, the following error may occur on the client side:
Fatal error: 500 OOPS: priv_sock_get_cmd
For further information, refer to https://bugzilla.redhat.com/show_bug.cgi?id=845980.

/etc/samba/smb.conf
Note: parameters in this file are case-sensitive!

Samba localization
Note: If using samba in a localized network, add the following to your /etc/samba/smb.conf (change the codepage to yours): dos charset = cp866

Winbind service
Make the winbindd daemon start together with the samba service by changing the following line in /etc/conf.d/samba: daemon_list="smbd winbind"
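The seccomp note above and the daemon_list change in this section are the two settings that most often break domain logins silently. The following script is an added example (not part of the original HOWTO) that audits both on constructed sample files; it assumes vsftpd.conf uses key=value lines and that /etc/conf.d/samba sets daemon_list="..." as on Gentoo, and the file paths are passed as arguments.

```shell
#!/bin/sh
# Added example, not part of the original HOWTO: audit the two settings this page
# calls out before joining the domain. Assumes vsftpd.conf uses key=value lines and
# /etc/conf.d/samba sets daemon_list="..." (Gentoo layout); file paths are arguments.

# 0 if vsftpd.conf ($1) disables the seccomp sandbox, as required on amd64 kernels.
vsftpd_seccomp_disabled() {
    grep -Eq '^[[:space:]]*seccomp_sandbox[[:space:]]*=[[:space:]]*NO[[:space:]]*$' "$1"
}

# 0 if the samba init config ($1) lists winbind in daemon_list, so winbindd starts
# with smbd and pam_winbind can resolve domain users.
samba_starts_winbind() {
    grep -E '^[[:space:]]*daemon_list=' "$1" | tr -d '"' | grep -Eqw 'winbind'
}

# Print a warning for each problem found; exit status 0 means both checks passed.
# $1 = vsftpd.conf path, $2 = /etc/conf.d/samba path, $3 = kernel arch (uname -m).
audit_ftp_ad_setup() {
    rc=0
    if [ "$3" = "x86_64" ] && ! vsftpd_seccomp_disabled "$1"; then
        echo "WARN: amd64 kernel but seccomp_sandbox=NO is missing in $1" \
             "(clients may get '500 OOPS: priv_sock_get_cmd')"
        rc=1
    fi
    if ! samba_starts_winbind "$2"; then
        echo "WARN: daemon_list in $2 does not include winbind; AD logins will fail"
        rc=1
    fi
    return $rc
}

# Demo on constructed sample files (not the page's real configuration).
demo=$(mktemp -d)
cat > "$demo/vsftpd.conf" <<'EOF'
local_enable=YES
chroot_local_user=YES
EOF
printf 'daemon_list="smbd winbind"\n' > "$demo/samba"
audit_ftp_ad_setup "$demo/vsftpd.conf" "$demo/samba" "$(uname -m)" \
    || echo "fix the warnings above before joining the domain"
rm -rf "$demo"
```

Run it against the real /etc/vsftpd/vsftpd.conf and /etc/conf.d/samba after editing them; a non-zero exit status means one of the page's prerequisites is still missing.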

Joining samba to Windows Domain
user@corp.domain.com must have permission to join computers to the Windows Domain.

Enter the password for the user.

User Home Directories
By default, the user will have /home/CORP/%user as the home directory. To change this directory, change the unixHomeDirectory attribute of the user in Microsoft AD Users and Computers.