
I'm trying to authenticate vsftpd on an Ubuntu server against my Active Directory server. I have joined the domain successfully following this article: https://nerdonthestreet.com/wiki?find=Authenticate+Ubuntu+19.04+against+Active+Directory I can log in normally to the Linux system. I then installed vsftpd on my Ubuntu 20. Now I can access the FTP server normally using the local users, but when using AD users I get an error: "530 Login incorrect.". Below I will add my vsftpd, PAM and SSSD conf; any help would be highly appreciated, guys.

vsftpd.conf:

listen=NO
listen_ipv6=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=0022
dirmessage_enable=YES
use_localtime=YES
xferlog_enable=YES
connect_from_port_20=YES
chroot_local_user=YES
allow_writeable_chroot=YES
secure_chroot_dir=/var/run/vsftpd/empty
pam_service_name=vsftpd
rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
ssl_enable=NO

Here is the SSSD conf:

[sssd]
services = nss, pam
config_file_version = 2
domains = server.local

[nss]
entry_negative_timeout = 0
#debug_level = 5

[pam]
#debug_level = 5

[domain/server.local]
#debug_level = 10
enumerate = false
id_provider = ad
auth_provider = ad
chpass_provider = ad
access_provider = ad
dyndns_update = false
ad_hostname = client1.server.local
ad_server = dc02.server.local
ad_domain = server.local
ldap_schema = ad
ldap_id_mapping = true
fallback_homedir = /home/%u
default_shell = /bin/bash
ldap_sasl_mech = gssapi
ldap_sasl_authid = CLIENT1$
krb5_keytab = /etc/sssd/my-keytab.keytab
ldap_krb5_init_creds = true

Here is the PAM common-session conf:

session [default=1]         pam_permit.so
session requisite           pam_deny.so
session required            pam_permit.so
session optional            pam_umask.so
session required    pam_unix.so
session required    pam_mkhomedir.so skel=/etc/skel/ umask=0022
session optional            pam_sss.so
session optional    pam_systemd.so
# end of pam-auth-update config

vsftpd PAM conf:

# Standard behaviour for ftpd(8).
auth    required    pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed

# Note: vsftpd handles anonymous logins on its own. Do not enable pam_ftp.so.

# Standard pam includes
@include common-account
@include common-session
@include common-auth
auth    required    pam_shells.so

Thanks for taking the time in reading this.

random-xyz
  • This sounds dangerous! You are trying to use Active Directory credentials on unencrypted connections. Consider at least `ssl_enable=YES` with `force_local_logins_ssl=YES` and `force_local_data_ssl=YES`. – Esa Jokinen Nov 20 '20 at 11:28
  • Thanks for your answer! This is actually a sandbox environment for testing my university project. I cannot for the life of me get those two parts to integrate together, vsftpd and AD. I can login fine with ssh using AD creds, but vsftpd no. I get invalid login error always. – random-xyz Nov 20 '20 at 12:50
  • You have `pam_service_name=vsftpd`. How is that service configured? `/etc/pam.d/vsftpd` maybe? – Esa Jokinen Nov 20 '20 at 13:16
  • Thanks again for the help! I have edited my original post and added the vsftpd PAM configuration. – random-xyz Nov 20 '20 at 13:41
  • It's also worth mentioning that I can SSH fine into the system with AD creds. I can also su [AD_user] fine from within the system, but I cannot log in to the vsftpd server or from the initial login screen in Ubuntu; for those I have to use the native users to be able to log in. – random-xyz Nov 20 '20 at 15:01

1 Answer


Change these lines in /etc/vsftpd/vsftpd.conf:

anonymous_enable=YES
#secure_chroot_dir=/var/run/vsftpd/empty

Add these lines:

userlist_enable=NO
tcp_wrappers=NO
session_support=YES

Add these lines to /etc/pam.d/vsftpd:

auth required pam_env.so
auth sufficient pam_sss.so
account sufficient pam_sss.so
session required pam_loginuid.so

Then restart the vsftpd service:

sudo systemctl restart vsftpd
foad322
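As an added example, not part of the question or the answer above, here is a small POSIX shell audit that checks the two points raised in this thread: whether the vsftpd PAM stack actually reaches pam_sss.so (following @include lines the way /etc/pam.d/vsftpd does), and whether vsftpd.conf forces TLS so AD passwords do not cross the wire in clear text. It assumes a directory holding the PAM service files together with a vsftpd.conf; the sample file contents it writes are constructed, not copied from a real host.

```shell
#!/bin/sh
# Added example, not from the original post. Audits the two points discussed above:
# does the vsftpd PAM stack reach pam_sss.so, following the @include lines that
# /etc/pam.d/vsftpd uses, and does vsftpd.conf force TLS so AD passwords are not sent
# in clear text (the concern raised in the comments). Sample files are constructed.
# pam_stack_has_module DIR SERVICE TYPE MODULE: exit 0 if the TYPE stack
# (auth/account/session) of DIR/SERVICE loads MODULE, looking inside @include'd
# files too; a missing include file is simply skipped.
pam_stack_has_module() {
    awk -v d="$1" -v s="$2" -v t="$3" -v m="$4" '
        function scan(file,   line, i) {
            while ((getline line < file) > 0) {
                sub(/#.*/, "", line); $0 = line        # drop comment, split into fields
                if (NF == 0) continue
                if ($1 == "@include") { scan(d "/" $2); continue }
                if ($1 == t) for (i = 2; i <= NF; i++) if ($i == m) found = 1
            }
            close(file)
        }
        BEGIN { scan(d "/" s); exit !found }'
}
# vsftpd_tls_enforced CONF: exit 0 only if ssl_enable, force_local_logins_ssl and
# force_local_data_ssl are all explicitly YES (last occurrence of a key wins, as in vsftpd).
vsftpd_tls_enforced() {
    for key in ssl_enable force_local_logins_ssl force_local_data_ssl; do
        awk -F= -v k="$key" '$1 == k { v = tolower($2) }
            END { exit !(v == "yes" || v == "true" || v == "1") }' "$1" || return 1
    done
}
# make_samples DIR: constructed copies of the question's /etc/pam.d/vsftpd and a
# trimmed vsftpd.conf, plus a minimal common-auth that deliberately lacks pam_sss.so.
make_samples() {
    printf 'auth required pam_unix.so\n' > "$1/common-auth"
    printf 'auth required pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed\n' > "$1/vsftpd"
    printf '@include common-account\n@include common-session\n@include common-auth\n' >> "$1/vsftpd"
    printf 'auth required pam_shells.so\n' >> "$1/vsftpd"
    printf 'listen=NO\nlocal_enable=YES\nssl_enable=NO\n' > "$1/vsftpd.conf"
}
# report DIR: one line per check, for a directory holding the PAM files and vsftpd.conf
report() {
    for stack in auth account; do
        pam_stack_has_module "$1" vsftpd "$stack" pam_sss.so && echo "$stack: pam_sss.so present" || echo "$stack: pam_sss.so MISSING"
    done
    vsftpd_tls_enforced "$1/vsftpd.conf" && echo "TLS forced" || echo "TLS NOT forced"
}

tmp=$(mktemp -d); make_samples "$tmp"; report "$tmp"                 # before the answer's change
printf 'auth sufficient pam_sss.so\naccount sufficient pam_sss.so\n' >> "$tmp/vsftpd"
report "$tmp"; rm -rf "$tmp"                                          # after adding the two pam_sss.so lines
```

Run it against a copy of /etc/pam.d plus vsftpd.conf to see which stack still lacks pam_sss.so and whether TLS is enforced before exposing AD logins on the FTP port.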