vsftpd/AD Authentication
vsftpd (Very Secure FTP Daemon) is a major FTP server.
pam (Pluggable Authentication Modules for linux) is a system of libraries that handle the authentication tasks of applications (services) on the system.
winbind. Name Service Switch daemon for resolving names from NT servers
Preamble
This article HOWTO describes possibility to authenticate domain users to access FTP server based on linux daemon. This HOWTO checked-out on Active Directory with 200K+ domain users. Good luck!
Installation
Vsftpd
Vsftpd USE Flags
USE flags for net-ftp/vsftpd Very Secure FTP Daemon
We should enable a pam tcpd caps and, optionally, ssl (for security reasons) use flags:
root #echo "net-ftp/vsftpd pam tcpd caps ssl" > /etc/portage/package.use/vsftpdInstall vsftpd
Install net-ftp/vsftpd:
root #emerge --ask net-ftp/vsftpdSamba
Samba USE Flags
USE flags for net-fs/samba Samba Suite Version 4
+regedit
|
Enable support for regedit command-line tool |
+system-mitkrb5
|
Use app-crypt/mit-krb5 instead of app-crypt/heimdal. |
acl
|
Add support for Access Control Lists |
addc
|
Enable Active Directory Domain Controller support |
ads
|
Enable Active Directory support |
ceph
|
Enable support for Ceph distributed filesystem via sys-cluster/ceph |
client
|
Enables the client part |
cluster
|
Enable support for clustering |
cups
|
Add support for CUPS (Common Unix Printing System) |
debug
|
Enable extra debug codepaths, like asserts and extra output. If you want to get meaningful backtraces see https://wiki.gentoo.org/wiki/Project:Quality_Assurance/Backtraces |
fam
|
Enable FAM (File Alteration Monitor) support |
glusterfs
|
Enable support for Glusterfs filesystem via sys-cluster/glusterfs |
gpg
|
Use app-crypt/gpgme for AD DC |
iprint
|
Enabling iPrint technology by Novell |
json
|
Enable json audit support through dev-libs/jansson |
ldap
|
Add LDAP support (Lightweight Directory Access Protocol) |
llvm-libunwind
|
Use llvm-runtimes/libunwind instead of sys-libs/libunwind |
lmdb
|
Enable LMDB backend for bundled ldb |
pam
|
Add support for PAM (Pluggable Authentication Modules) - DANGEROUS to arbitrarily flip |
profiling-data
|
Enables support for collecting profiling data |
python
|
Add optional support/bindings for the Python language |
quota
|
Enables support for user quotas |
selinux
|
!!internal use only!! Security Enhanced Linux support, this must be set by the selinux profile or breakage will occur |
snapper
|
Enable vfs_snapper module (requires sys-apps/dbus) |
spotlight
|
Enable support for spotlight backend |
syslog
|
Enable support for syslog |
system-heimdal
|
Use app-crypt/heimdal instead of bundled heimdal. |
systemd
|
Enable use of systemd-specific libraries and features like socket activation or session tracking |
test
|
Enable dependencies and/or preparations necessary to run tests (usually controlled by FEATURES=test but can be toggled independently) |
unwind
|
Enable libunwind usage for backtraces |
winbind
|
Enables support for the winbind auth daemon |
zeroconf
|
Support for DNS Service Discovery (DNS-SD) |
We should enable a ads use flag
root #echo "net-fs/samba ads" > /etc/portage/package.use/sambaInstall samba
Install net-fs/samba:
root #emerge --ask net-fs/sambaConfiguration
/etc/krb5.conf
Note: parameters are case-sensitive
/etc/krb5.conf[libdefaults]
default_realm = CORP.DOMAIN.COM
dns_lookup_kdc = no
dns_lookup_realm = no
ticket_lifetime = 24
default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
[realms]
CORP.DOMAIN.COM = {
kdc = dc1.corp.domain.com
kdc = dc2.corp.domain.com
admin_server = dc1.corp.domain.com
default_domain = corp.domain.com
}
[domain_realm]
.corp.domain.com = CORP.DOMAIN.COM
corp.domain.com = CORP.DOMAIN.COM
/etc/vsftpd/vsftpd.conf
FTP-Server will authenticate users in Microsoft Active Directory via pam + winbind.
/etc/vsftpd/vsftpd.confanonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
connect_from_port_20=YES
idle_session_timeout=600
data_connection_timeout=120
ascii_upload_enable=YES
ascii_download_enable=NO
ftpd_banner=Welcome to FTP-server.
chroot_local_user=YES
listen=YES
local_max_rate=0
use_localtime=YES
pam_service_name=ftp
session_support=YES
pasv_enable=YES
Chroot to user's home directory
Note: If you want to chroot all users to one fixed directory, just add the following to your /etc/vsftpd/vsftpd.conf:
local_root=/var/ftp
SECCOMP Filtering and 64-bit Kernels with =net-ftp/vsftpd-3.0.x
Note: If running an amd64 kernel, you will need to add the following to your /etc/vsftpd/vsftpd.conf:
seccomp_sandbox=NO
If the above change is not added, the following error may occur on the client side: Fatal error: 500 OOPS: priv_sock_get_cmd For further information, refer to https://bugzilla.redhat.com/show_bug.cgi?id=845980.
/etc/samba/smb.conf
Note: parameters in file are case-sensitive!
/etc/samba/smb.conf[global]
netbios name = FTPHOST
workgroup = CORP
realm = CORP.DOMAIN.COM
server string = FTPHOST
security = ads
encrypt passwords = true
dns proxy = no
domain master = no
local master = no
preferred master = no
os level = 0
domain logons = no
hosts allow = 192.168. 127. 10.
log file = /var/log/samba/log.%m
max log size = 50
interfaces = 127.0.0.1/8 10.1.1.1/24
display charset = UTF-8
unix charset = UTF-8
idmap cache time = 1
idmap negative cache time = 1
winbind use default domain = yes
winbind uid = 10000-80000
winbind gid = 10000-80000
winbind enum users = yes
winbind enum groups = yes
winbind refresh tickets = yes
winbind nss info = rfc2307
winbind offline logon = true
winbind cache time = 1
max protocol = smb2
oplocks = yes
level2 oplocks = yes
kernel oplocks = no
create mask = 0777
Samba localization
Note: If using samba in localized network, just add following to your /etc/samba/smb.conf (change codepage to yours):
dos charset = cp866
pam configuration
Users, who are not in FTP-ACCESS groip in Active Directory, will get "Password Incorrect"
/etc/pam d/ftpauth include vsftpd-winbind
account include vsftpd-winbind
session include vsftpd-winbind
/etc/pam.d/vsftpd-winbindauth required pam_env.so debug
auth required pam_winbind.so require_membership_of=FTP-ACCESS debug debug_state
auth sufficient pam_winbind.so require_membership_of=FTP-ACCESS debug debug_state
auth required pam_deny.so debug
account sufficient pam_winbind.so require_membership_of=FTP-ACCESS debug debug_state
account required pam_deny.so
password required pam_cracklib.so retry=3
password sufficient pam_unix.so nullok use_authtok md5 shadow
password required pam_deny.so
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
session required pam_limits.so
session required pam_unix.so
Winbind service
Making winbindd daemon to start with samba service. Just change following string in /etc/conf.d/samba:
daemon_list="smbd winbind"
OpenRC
root #rc-update add samba default
root #/etc/init.d/samba start
root #rc-update add vsftpd default
root #/etc/init.d/vsftpd startsystemd
root #systemctl enable smbd
root #systemctl start smbd
root #systemctl enable winbindd
root #systemctl start winbindd
root #systemctl enable vsftpd
root #systemctl start vsftpd
Joining samba to Windows Domain
user@corp.domain.com should have permittions to join computers in Windows Domain
root #net ads join user@corp.domain.comEnter password for user.
User Home Directories
By default, user will have /home/CORP/%user as home directory. To change this directory, you need to change attribute unixHomeDirectory for user in Microsoft AD Users and Computers