vsftpd/AD Authentication

From Gentoo Wiki

Resources

vsftpd (Very Secure FTP Daemon) is a major FTP server.
pam (Pluggable Authentication Modules for linux) is a system of libraries that handle the authentication tasks of applications (services) on the system.
winbind is the Name Service Switch daemon for resolving names from NT servers.

Preamble

This HOWTO describes how to let Active Directory domain users authenticate to an FTP server running on a Linux daemon. It was tested against an Active Directory domain with 200K+ users. Good luck!

Installation

Vsftpd

Vsftpd USE Flags

USE flags for net-ftp/vsftpd Very Secure FTP Daemon written with speed, size and security in mind

caps Use Linux capabilities library to control privilege
libressl Use dev-libs/libressl instead of dev-libs/openssl when applicable (see also the ssl useflag)
pam Add support for PAM (Pluggable Authentication Modules). DANGEROUS to arbitrarily flip
selinux !!internal use only!! Security Enhanced Linux support, this must be set by the selinux profile or breakage will occur
ssl Add support for SSL/TLS connections (Secure Socket Layer / Transport Layer Security)
tcpd Add support for TCP wrappers
xinetd Add support for the xinetd super-server

Enable the pam, tcpd and caps USE flags and, optionally, ssl (for security reasons):

root #echo "net-ftp/vsftpd pam tcpd caps ssl" > /etc/portage/package.use/vsftpd

Install vsftpd

Install net-ftp/vsftpd:

root #emerge --ask net-ftp/vsftpd

Samba

Samba USE Flags

USE flags for net-fs/samba Samba Suite Version 4

acl Add support for Access Control Lists
addc Enable Active Directory Domain Controller support
addns Enable AD DNS integration
ads Enable Active Directory support
ceph Enable support for Ceph distributed filesystem via sys-cluster/ceph
client Enables the client part
cluster Enable support for clustering
cups Add support for CUPS (Common Unix Printing System)
debug Enable extra debug codepaths, like asserts and extra output. If you want to get meaningful backtraces see https://wiki.gentoo.org/wiki/Project:Quality_Assurance/Backtraces
dmapi Enable support for DMAPI. This currently works only in combination with XFS.
fam Enable FAM (File Alteration Monitor) support
gpg Use app-crypt/gpgme for AD DC
iprint Enabling iPrint technology by Novell
json Enable json audit support through dev-libs/jansson
ldap Add LDAP support (Lightweight Directory Access Protocol)
pam Add support for PAM (Pluggable Authentication Modules). DANGEROUS to arbitrarily flip
profiling-data Enables support for collecting profiling data
python Add optional support/bindings for the Python language
quota Enables support for user quotas
selinux !!internal use only!! Security Enhanced Linux support, this must be set by the selinux profile or breakage will occur
snapper Enable vfs_snapper module (requires sys-apps/dbus)
syslog Enable support for syslog
system-heimdal Use app-crypt/heimdal instead of bundled heimdal.
system-mitkrb5 Use app-crypt/mit-krb5 instead of app-crypt/heimdal.
systemd Enable use of systemd-specific libraries and features like socket activation or session tracking
test Enable dependencies and/or preparations necessary to run tests (usually controlled by FEATURES=test but can be toggled independently)
winbind Enables support for the winbind auth daemon
zeroconf Support for DNS Service Discovery (DNS-SD)

Enable the ads USE flag:

root #echo "net-fs/samba ads" > /etc/portage/package.use/samba

Install samba

Install net-fs/samba:

root #emerge --ask net-fs/samba

Configuration

/etc/krb5.conf

Note: parameters are case-sensitive

FILE /etc/krb5.conf
[libdefaults]
default_realm = CORP.DOMAIN.COM
dns_lookup_kdc = no
dns_lookup_realm = no
# a bare number is read as seconds; "24h" requests 24-hour tickets
ticket_lifetime = 24h
default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
[realms]
CORP.DOMAIN.COM = {
kdc = dc1.corp.domain.com
kdc = dc2.corp.domain.com
admin_server = dc1.corp.domain.com
default_domain = corp.domain.com
}
[domain_realm]
.corp.domain.com = CORP.DOMAIN.COM
corp.domain.com = CORP.DOMAIN.COM

/etc/vsftpd/vsftpd.conf

The FTP server will authenticate users against Microsoft Active Directory via PAM and winbind.

FILE /etc/vsftpd/vsftpd.conf
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
connect_from_port_20=YES
idle_session_timeout=600
data_connection_timeout=120
ascii_upload_enable=YES
ascii_download_enable=NO
ftpd_banner=Welcome to FTP-server.
chroot_local_user=YES
listen=YES
local_max_rate=0
use_localtime=YES
pam_service_name=ftp
session_support=YES
pasv_enable=YES

Chroot to user's home directory

Note: If you want to chroot all users to one fixed directory, just add the following to your /etc/vsftpd/vsftpd.conf:

local_root=/var/ftp

SECCOMP Filtering and 64-bit Kernels with =net-ftp/vsftpd-3.0.x

Note: If running an amd64 kernel, you will need to add the following to your /etc/vsftpd/vsftpd.conf:

seccomp_sandbox=NO

If this setting is missing, the client may see the following error: Fatal error: 500 OOPS: priv_sock_get_cmd. For further information, refer to https://bugzilla.redhat.com/show_bug.cgi?id=845980.

/etc/samba/smb.conf

Note: parameters in this file are case-sensitive!

FILE /etc/samba/smb.conf
[global]
   netbios name = FTPHOST
   workgroup = CORP
   realm = CORP.DOMAIN.COM
   server string = FTPHOST
   security = ads
   encrypt passwords = true
   dns proxy = no
   domain master = no
   local master = no
   preferred master = no
   os level = 0
   domain logons = no
   hosts allow = 192.168. 127. 10.
   log file = /var/log/samba/log.%m
   max log size = 50
   interfaces = 127.0.0.1/8 10.1.1.1/24
   display charset = UTF-8
   unix charset = UTF-8
   idmap cache time = 1
   idmap negative cache time = 1
   winbind use default domain = yes
   winbind uid = 10000-80000
   winbind gid = 10000-80000
   winbind enum users = yes
   winbind enum groups = yes
   winbind refresh tickets = yes
   winbind nss info = rfc2307
   winbind offline logon = true
   winbind cache time = 1
   max protocol = smb2
   oplocks = yes
   level2 oplocks = yes
   kernel oplocks = no
   create mask = 0777

Samba localization

Note: If using Samba on a localized network, add the following to /etc/samba/smb.conf (replace the codepage with yours):

   dos charset = cp866

pam configuration

Warning
Users who are not in the FTP-ACCESS group in Active Directory will get "Password Incorrect".
FILE /etc/pam.d/ftp
auth     include   vsftpd-winbind
account  include   vsftpd-winbind
session  include   vsftpd-winbind
FILE /etc/pam.d/vsftpd-winbind
auth        required      pam_env.so debug
auth        required      pam_winbind.so require_membership_of=FTP-ACCESS debug debug_state
auth        sufficient    pam_winbind.so require_membership_of=FTP-ACCESS debug debug_state
auth        required      pam_deny.so debug
account     sufficient    pam_winbind.so require_membership_of=FTP-ACCESS debug debug_state
account     required      pam_deny.so
password    required      pam_cracklib.so retry=3
password    sufficient    pam_unix.so nullok use_authtok md5 shadow
password    required      pam_deny.so
session     required      pam_mkhomedir.so skel=/etc/skel/ umask=0022
session     required      pam_limits.so
session     required      pam_unix.so

Winbind service

To start the winbindd daemon together with the Samba service, change the following line in /etc/conf.d/samba:

daemon_list="smbd winbind"
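The following POSIX shell script is an added example, not part of this wiki page: it reads the /etc/vsftpd/vsftpd.conf, /etc/krb5.conf, /etc/samba/smb.conf and /etc/conf.d/samba settings configured above and reports the pitfalls this HOWTO touches on (anonymous access, chroot, the amd64 seccomp OOPS, a unitless ticket_lifetime, single-DES enctypes, a daemon_list without winbind). The function names, the sample file contents written by make_samples and the acceptance of the newer "idmap config * : range" spelling as an alternative to "winbind uid" are my assumptions.

```shell
# Added pre-flight checker, not part of the wiki page. Checks print one line per
# finding and exit 0, so callers can count findings with wc -l under "set -e".
# conf_get FILE KEY: first value of KEY, in "key=value" or "key = value" form
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 | sed 's/[[:space:]]*$//'
}

check_vsftpd() {   # $1 = vsftpd.conf, $2 = kernel arch as printed by uname -m
    [ "$(conf_get "$1" anonymous_enable)" = NO ] || echo "vsftpd: anonymous_enable must be NO"
    [ "$(conf_get "$1" chroot_local_user)" = YES ] || echo "vsftpd: chroot_local_user should be YES"
    [ "$(conf_get "$1" pam_service_name)" = ftp ] || echo "vsftpd: pam_service_name must name /etc/pam.d/ftp"
    # amd64 kernels with vsftpd 3.0.x need seccomp_sandbox=NO (500 OOPS: priv_sock_get_cmd)
    [ "$2" != x86_64 ] || [ "$(conf_get "$1" seccomp_sandbox)" = NO ] || echo "vsftpd: set seccomp_sandbox=NO on amd64"
}

check_krb5() {     # $1 = krb5.conf
    lt=$(conf_get "$1" ticket_lifetime)
    case "$lt" in
        "" | *[!0-9]*) ;;   # unset (library default: 1 day) or carries a unit: 24h, 1d, h:m:s
        *) echo "krb5: ticket_lifetime=$lt means $lt seconds; write ${lt}h for hours" ;;
    esac
    for key in default_tgs_enctypes default_tkt_enctypes permitted_enctypes; do
        case " $(conf_get "$1" "$key") " in
            *" des-cbc-"*) echo "krb5: $key lists single-DES, which current KDCs and libraries disable" ;;
        esac
    done
}

check_samba() {    # $1 = smb.conf, $2 = /etc/conf.d/samba
    [ "$(conf_get "$1" security)" = ads ] || echo "smb: security must be ads for AD membership"
    # accept the page's 'winbind uid' range or the newer 'idmap config * : range' spelling (assumption)
    [ -n "$(conf_get "$1" 'winbind uid')$(conf_get "$1" 'idmap config \* : range')" ] || echo "smb: no winbind id range"
    case "$(conf_get "$2" daemon_list)" in
        *winbind*) ;;
        *) echo "conf.d: daemon_list must include winbind or AD lookups fail" ;;
    esac
}

make_samples() {   # constructed samples close to the page's files, written into directory $1
    mkdir -p "$1"
    printf 'anonymous_enable=NO\nchroot_local_user=YES\npam_service_name=ftp\nseccomp_sandbox=NO\n' > "$1/vsftpd.conf"
    printf '[libdefaults]\nticket_lifetime = 24\npermitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc\n' > "$1/krb5.conf"
    printf '[global]\n   security = ads\n   winbind uid = 10000-80000\n' > "$1/smb.conf"
    printf 'daemon_list="smbd"\n' > "$1/samba.confd"
}

preflight() {      # $1 = directory holding the four files, $2 = arch
    check_vsftpd "$1/vsftpd.conf" "$2"; check_krb5 "$1/krb5.conf"; check_samba "$1/smb.conf" "$1/samba.confd"
}
d=$(mktemp -d) && make_samples "$d" && preflight "$d" "$(uname -m)"; rm -rf "$d"
```

To check a real host, point preflight at a directory holding copies of the four files (or call the check_* functions with the live paths) and act on every line it prints.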

OpenRC

root #rc-update add samba default
root #/etc/init.d/samba start
root #rc-update add vsftpd default
root #/etc/init.d/vsftpd start

systemd

root #systemctl enable smbd
root #systemctl start smbd
root #systemctl enable winbindd
root #systemctl start winbindd
root #systemctl enable vsftpd
root #systemctl start vsftpd

Joining samba to Windows Domain

user@corp.domain.com must have permission to join computers to the Windows domain.

root #net ads join -U user@corp.domain.com

Enter the password for user when prompted.

User Home Directories

By default, a user's home directory will be /home/CORP/%user. To change it, set the unixHomeDirectory attribute for the user in Microsoft Active Directory Users and Computers.