
I'm trying to authenticate vsftpd on an Ubuntu server against my Active Directory server. I have joined the domain successfully following this article: https://nerdonthestreet.com/wiki?find=Authenticate+Ubuntu+19.04+against+Active+Directory I can log in normally to the Linux system. I then installed vsftpd on my Ubuntu 20. Now I can access the FTP server normally using the local users, but when using AD users I get an error: "530 Login incorrect.". Below I will add my vsftpd, pam and sssd conf, any help would be highly appreciated guys.

vsftpd.conf:

listen=NO
listen_ipv6=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=0022
dirmessage_enable=YES
use_localtime=YES
xferlog_enable=YES
connect_from_port_20=YES
chroot_local_user=YES
allow_writeable_chroot=YES
secure_chroot_dir=/var/run/vsftpd/empty
pam_service_name=vsftpd
rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
ssl_enable=NO

Here is the sssd conf:

[sssd]
services = nss, pam
config_file_version = 2
domains = server.local

[nss]
entry_negative_timeout = 0
#debug_level = 5

[pam]
#debug_level = 5

[domain/server.local]
#debug_level = 10
enumerate = false
id_provider = ad
auth_provider = ad
chpass_provider = ad
access_provider = ad
dyndns_update = false
ad_hostname = client1.server.local
ad_server = dc02.server.local
ad_domain = server.local
ldap_schema = ad
ldap_id_mapping = true
fallback_homedir = /home/%u
default_shell = /bin/bash
ldap_sasl_mech = gssapi
ldap_sasl_authid = CLIENT1$
krb5_keytab = /etc/sssd/my-keytab.keytab
ldap_krb5_init_creds = true

Here is the pam common-session conf:

session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session optional pam_umask.so
session required pam_unix.so
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
session optional pam_sss.so
session optional pam_systemd.so
# end of pam-auth-update config

vsftpd PAM conf:

# Standard behaviour for ftpd(8).
auth required pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
# Note: vsftpd handles anonymous logins on its own. Do not enable pam_ftp.so.
# Standard pam includes
@include common-account
@include common-session
@include common-auth
auth required pam_shells.so

Thanks for taking the time in reading this.
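The question shows /etc/pam.d/vsftpd but not the common-auth and common-account files it @includes, so it is hard to see from the post alone whether pam_sss.so is ever consulted for an FTP login. The script below is an added example, not part of the original question: it expands @include directives and reports the effective PAM stack per management group. The common-auth and common-account contents are assumed to be what pam-auth-update writes on Ubuntu with the sss profile enabled, and the "ftp-local" service is a constructed counterexample that only uses pam_unix.so; the vsftpd and common-session files mirror the ones posted.

```shell
#!/bin/sh
# Flatten a PAM service file by following @include lines and check which
# management groups (auth/account/session/password) reach pam_sss.so.
# Added example; the files below are constructed in a temporary directory.

PAMDIR="$(mktemp -d)"
trap 'rm -rf "$PAMDIR"' EXIT

# Constructed copy of the poster's /etc/pam.d/vsftpd
cat > "$PAMDIR/vsftpd" <<'EOF'
# Standard behaviour for ftpd(8).
auth required pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
# Standard pam includes
@include common-account
@include common-session
@include common-auth
auth required pam_shells.so
EOF

# Assumed Ubuntu common-auth (pam-auth-update, sss profile enabled)
cat > "$PAMDIR/common-auth" <<'EOF'
auth [success=2 default=ignore] pam_unix.so nullok
auth [success=1 default=ignore] pam_sss.so use_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
EOF

# Assumed Ubuntu common-account (pam-auth-update, sss profile enabled)
cat > "$PAMDIR/common-account" <<'EOF'
account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
account requisite pam_deny.so
account required pam_permit.so
account sufficient pam_localuser.so
account [default=bad success=ok user_unknown=ignore] pam_sss.so
EOF

# Constructed copy of the poster's common-session
cat > "$PAMDIR/common-session" <<'EOF'
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session optional pam_umask.so
session required pam_unix.so
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
session optional pam_sss.so
session optional pam_systemd.so
EOF

# Constructed counterexample: a service that never consults SSSD
cat > "$PAMDIR/ftp-local" <<'EOF'
auth required pam_unix.so
account required pam_unix.so
session required pam_unix.so
EOF

# pam_flatten FILE: print the effective stack, recursing into @include lines.
pam_flatten() {
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) continue ;;
            '@include '*) pam_flatten "$PAMDIR/${line#@include }" ;;
            *) printf '%s\n' "$line" ;;
        esac
    done < "$1"
}

# pam_has SERVICE TYPE MODULE: exit 0 if MODULE appears in the TYPE stack.
# A leading '-' on the type (optional module) is ignored when matching.
pam_has() {
    pam_flatten "$PAMDIR/$1" | awk -v t="$2" -v m="$3" '
        { t1 = $1; sub(/^-/, "", t1) }
        t1 == t && index($0, m) > 0 { found = 1 }
        END { exit !found }'
}

# pam_check_sss SERVICE: exit 0 only if pam_sss.so is consulted for
# auth, account and session; otherwise list the groups that skip it.
pam_check_sss() {
    missing=""
    for type in auth account session; do
        pam_has "$1" "$type" pam_sss.so || missing="$missing $type"
    done
    if [ -z "$missing" ]; then
        echo "$1: pam_sss.so consulted for auth, account and session"
        return 0
    fi
    echo "$1: pam_sss.so missing from:$missing"
    return 1
}

echo "== effective stack for vsftpd =="
pam_flatten "$PAMDIR/vsftpd"
pam_check_sss vsftpd
pam_check_sss ftp-local || true
```

Run against a real host by pointing PAMDIR at /etc/pam.d instead of the temporary directory. Note that order still matters once the stack is flattened: in the posted vsftpd file pam_listfile.so (deny from /etc/ftpusers) and pam_shells.so run in the same auth group as the included pam_sss.so, so an AD user whose default_shell is not listed in /etc/shells, or who appears in /etc/ftpusers, is rejected even though SSSD accepted the password.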

  • This sounds dangerous! You are trying to use Active Directory credentials on unencrypted connections. Consider at least ssl_enable=YES with force_local_logins_ssl=YES and force_local_data_ssl=YES. Commented Nov 20, 2020 at 11:28
  • Thanks for your answer! This is actually a sandbox environment for testing my university project. I cannot for the life of me get those two parts to integrate together, vsftpd and AD. I can log in fine with ssh using AD creds, but vsftpd no. I get invalid login error always. Commented Nov 20, 2020 at 12:50
  • You have pam_service_name=vsftpd. How is that service configured? /etc/pam.d/vsftpd maybe? Commented Nov 20, 2020 at 13:16
  • Thanks again for the help! I have edited my original post and added the vsftpd pam configuration. Commented Nov 20, 2020 at 13:41
  • It's worth mentioning also that I can SSH fine into the system with AD creds. I can also su [AD_user] fine from within the system, but I cannot log in to the vsftpd server nor from the initial login screen in Ubuntu; for those I have to use the native users to be able to log in. Commented Nov 20, 2020 at 15:01

1 Answer


change these lines in /etc/vsftpd/vsftpd.conf

anonymous_enable=YES

#secure_chroot_dir=/var/run/vsftpd/empty

add these lines:

userlist_enable=NO

tcp_wrappers=NO

session_support=YES

add these lines to /etc/pam.d/vsftpd

auth required pam_env.so

auth sufficient pam_sss.so

account sufficient pam_sss.so

session required pam_loginuid.so

then restart the vsftpd service:

sudo systemctl restart vsftpd 
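The first comment on the question raises the point that matters most once AD logins do work: with ssl_enable=NO, every domain password typed into the FTP client crosses the network in cleartext. The script below is an added example, not from the question or the answer. It parses a vsftpd.conf the way an auditor would and flags the settings that expose credentials or widen access: TLS disabled, TLS enabled but not enforced, anonymous access switched on, and allow_writeable_chroot overriding vsftpd's writable-chroot refusal. The three configs are constructed: the poster's original, the same file with the answer's anonymous_enable=YES applied, and a hardened variant that uses user_sub_token/local_root instead of allow_writeable_chroot. All option names are real vsftpd.conf(5) keys; the file contents and paths are constructed.

```shell
#!/bin/sh
# Audit vsftpd.conf files for cleartext-credential and access-widening settings.
# Added example; the config files below are constructed in a temp directory.

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed copy of the poster's vsftpd.conf (TLS off, writable chroot)
cat > "$WORK/vsftpd.conf" <<'EOF'
listen=NO
listen_ipv6=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=0022
chroot_local_user=YES
allow_writeable_chroot=YES
secure_chroot_dir=/var/run/vsftpd/empty
pam_service_name=vsftpd
rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
ssl_enable=NO
EOF

# Same file with the answer's anonymous_enable=YES applied (constructed)
sed 's/^anonymous_enable=NO$/anonymous_enable=YES/' "$WORK/vsftpd.conf" \
    > "$WORK/vsftpd-answer.conf"

# Constructed hardened variant: TLS required for logins and data, no
# anonymous access, chroot root left read-only via a per-user local_root.
cat > "$WORK/vsftpd-hardened.conf" <<'EOF'
listen=NO
listen_ipv6=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
user_sub_token=$USER
local_root=/srv/ftp/$USER
pam_service_name=vsftpd
rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
ssl_enable=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES
EOF

# vsftpd_get FILE KEY: print the effective value of KEY (comments ignored,
# last assignment wins); prints nothing when the key is not set.
vsftpd_get() {
    awk -F= -v k="$2" '
        /^[ \t]*#/ { next }
        $1 == k { v = $2 }
        END { if (v != "") print v }' "$1"
}

# vsftpd_audit FILE: print one finding per line; return the finding count.
vsftpd_audit() {
    f="$1"; n=0
    if [ "$(vsftpd_get "$f" ssl_enable)" != "YES" ]; then
        echo "ssl_enable is not YES: PAM/AD passwords and file data cross the network in cleartext"
        n=$((n + 1))
    else
        # vsftpd defaults both force_* options to YES, so only an explicit NO is a finding
        for k in force_local_logins_ssl force_local_data_ssl; do
            if [ "$(vsftpd_get "$f" "$k")" = "NO" ]; then
                echo "$k=NO: clients may fall back to a plaintext session although ssl_enable=YES"
                n=$((n + 1))
            fi
        done
    fi
    if [ "$(vsftpd_get "$f" anonymous_enable)" = "YES" ]; then
        echo "anonymous_enable=YES: unauthenticated logins allowed; PAM-backed AD users only need local_enable=YES"
        n=$((n + 1))
    fi
    if [ "$(vsftpd_get "$f" chroot_local_user)" = "YES" ] &&
       [ "$(vsftpd_get "$f" allow_writeable_chroot)" = "YES" ]; then
        echo "allow_writeable_chroot=YES: overrides vsftpd's refusal of a writable chroot root; prefer a root-owned local_root with a writable subdirectory"
        n=$((n + 1))
    fi
    return "$n"
}

for f in vsftpd.conf vsftpd-answer.conf vsftpd-hardened.conf; do
    echo "== $f =="
    vsftpd_audit "$WORK/$f" || echo "($? finding(s))"
done
```

Point WORK at /etc (or pass the live /etc/vsftpd.conf to vsftpd_audit) to run it on a host. The hardened variant keeps the user chrooted without allow_writeable_chroot: local_root resolves to a root-owned directory per user, and uploads go to a writable subdirectory beneath it, which is the layout vsftpd's writable-chroot check is designed to encourage.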
