In this article I will share the steps to configure an FTP server (vsftpd) and its
/etc/pam.d service file so that it authenticates users from
Active Directory. I
have executed the steps on CentOS/RHEL 7 and 8 Linux. On RHEL 8 some additional
steps are required before an AD user can log in.
Mandatory pre-requisite
Make sure you have integrated your Linux node with Active Directory. You can use either Windows Active Directory or a Linux-based Active Directory alternative such as FreeIPA.
I have already integrated my RHEL 7 and CentOS 8 hosts with Windows Active Directory running on Windows Server 2012. The following tutorials cover the integration itself:
Step-by-Step Tutorial: Install and Configure Windows Directory Alternative FreeIPA Server in CentOS/RHEL 8
Step by Step Tutorial: Install and Configure Windows AD Alternative FreeIPA Server & Client (RHEL/CentOS 7)
Step by Step Tutorial to Add RHEL/CentOS 7 to Windows Active Directory Domain using Realm and Adcli
Step by Step Tutorial to join or add RHEL/CentOS 8 to Windows Domain Controller using winbind
For this article I created a user 'amit' in Active Directory. Note that the CentOS 8 host, joined with winbind, resolves the account with the domain prefix (GOLINUXCLOUD+amit); that is the name the FTP client must use there.
On RHEL 7 host
[root@rhel-7 ~]# getent passwd amit
amit:*:1407601118:1407600513:admit:/home/GOLINUXCLOUD.COM/amit:
On CentOS 8 host
# getent passwd GOLINUXCLOUD+amit
GOLINUXCLOUD+amit:*:2001118:2000513:admit:/home/GOLINUXCLOUD/amit:/bin/bash
Configure FTP Server (vsftpd)
I will use vsftpd to provide the FTP service on my RHEL/CentOS 7
and 8 hosts. The first step is to install the vsftpd
rpm.
[root@rhel-7 ~]# yum -y install vsftpd
[root@centos-8 ~]# yum -y install vsftpd
I will not go through the whole vsftpd configuration
(/etc/vsftpd/vsftpd.conf) here, since the focus of this article is authenticating
users against Active Directory. Below is the sample configuration used on my hosts.
Two settings deserve attention before you expose this server: anonymous_enable=YES
permits anonymous logins alongside the domain users (set it to NO unless you need
that), and without ssl_enable=YES the AD credentials travel in cleartext over port
21 (FTPS also needs a certificate and key via rsa_cert_file and rsa_private_key_file).
# egrep -v "^#|^$" /etc/vsftpd/vsftpd.conf
anonymous_enable=YES
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
listen=YES
listen_ipv6=NO
pam_service_name=vsftpd
userlist_enable=YES
userlist_log=YES
tcp_wrappers=NO
session_support=YES
Next restart the vsftpd service to activate the changes
# systemctl restart vsftpd
Open port 21 for vsftpd in the firewall; a --permanent rule only takes effect after a reload
# firewall-cmd --zone=public --permanent --add-service=ftp
# firewall-cmd --reload
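Before opening the port it is worth checking the configuration for the settings that matter most once domain credentials are in play. The script below is an added example (not code from the article or from the vsftpd project): it reads a vsftpd.conf on stdin and flags anonymous logins, missing TLS and missing chroot, using the defaults documented in vsftpd.conf(5) for keys that are absent. The two sample configurations embedded in it are constructed for the example, and the certificate paths in the hardened sample are placeholders.

```shell
#!/bin/sh
# Added example (not from the original article): audit a vsftpd.conf for
# settings that weaken an AD-authenticated FTP service. The config is read
# on stdin so the function can be run against /etc/vsftpd/vsftpd.conf or
# against the constructed samples below. Only three settings are checked;
# the defaults assumed for absent keys are those from vsftpd.conf(5).

# Print the value of the last uncommented assignment of key $1 found in
# the config text held in $CONF (empty if the key is not set).
vsftpd_setting() {
    printf '%s\n' "$CONF" | sed -n "s/^[[:space:]]*$1=//p" | tail -n 1
}

# Read a vsftpd.conf on stdin, print one finding per line and return 1 if
# anything was flagged, 0 if the three checks pass.
audit_vsftpd_conf() {
    CONF=$(cat)
    findings=0
    # anonymous_enable defaults to YES, so an absent key is also a finding.
    if [ "$(vsftpd_setting anonymous_enable)" != "NO" ]; then
        echo "anonymous_enable: anonymous logins are accepted alongside AD users"
        findings=$((findings + 1))
    fi
    # Without FTPS the AD password is sent in cleartext on port 21.
    if [ "$(vsftpd_setting ssl_enable)" != "YES" ]; then
        echo "ssl_enable: not YES, AD credentials cross the network in cleartext"
        findings=$((findings + 1))
    fi
    # chroot_local_user defaults to NO, letting users browse outside $HOME.
    if [ "$(vsftpd_setting chroot_local_user)" != "YES" ]; then
        echo "chroot_local_user: not YES, users can browse outside their home directory"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# Constructed sample 1: the settings from the article's vsftpd.conf.
ARTICLE_CONF='anonymous_enable=YES
local_enable=YES
write_enable=YES
local_umask=022
listen=YES
listen_ipv6=NO
pam_service_name=vsftpd
userlist_enable=YES'

# Constructed sample 2: the same file with the three settings corrected
# (the certificate paths are placeholders, not files from the article).
HARDENED_CONF='anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
listen=YES
listen_ipv6=NO
pam_service_name=vsftpd
userlist_enable=YES
chroot_local_user=YES
allow_writeable_chroot=YES
ssl_enable=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES
rsa_cert_file=/etc/pki/tls/certs/vsftpd.pem
rsa_private_key_file=/etc/pki/tls/private/vsftpd.key'

echo "== article config =="
printf '%s\n' "$ARTICLE_CONF" | audit_vsftpd_conf || echo "-> weak settings found"
echo "== hardened config =="
printf '%s\n' "$HARDENED_CONF" | audit_vsftpd_conf && echo "-> no findings"
```

After sourcing the script, run it against the live file with `audit_vsftpd_conf < /etc/vsftpd/vsftpd.conf`; a non-zero exit status means at least one setting was flagged.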
Configure /etc/pam.d/vsftpd
The file that actually authenticates users against Active Directory is
/etc/pam.d/vsftpd. The two pam_sss.so lines below are the additions; compare the
rest with the file installed by the vsftpd package on your system.
Two points matter for the order of the auth lines. First, a module marked
sufficient ends the auth stack as soon as it succeeds, so pam_listfile.so (which
denies the accounts listed in /etc/vsftpd/ftpusers, such as root) must stay ahead
of pam_sss.so; placed after it, the deny list would never be evaluated for a
domain user. Second, the file needs only one session pam_loginuid.so line.
On a host joined with realmd/sssd, /etc/pam.d/password-auth normally already
references pam_sss.so, so the include lines may be enough on their own; on a host
joined with winbind the authenticating module is pam_winbind.so instead. Check
which module password-auth references on your system before adding lines.
# cat /etc/pam.d/vsftpd
#%PAM-1.0
auth required pam_env.so
auth required pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
auth sufficient pam_sss.so
account sufficient pam_sss.so
auth required pam_shells.so
auth include password-auth
account include password-auth
session required pam_loginuid.so
session optional pam_keyinit.so force revoke
session include password-auth
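To confirm that the deny list is really in force for the stack you end up with, the following check, added here as an example and not part of the original article, parses a PAM service file read on stdin and reports whether any sufficient auth module precedes pam_listfile.so sense=deny. It does not expand include lines (an assumption noted in the code), and the two sample stacks it compares are constructed for the example: one where the sufficient pam_sss.so line precedes the deny list, and one where the deny list comes first.

```shell
#!/bin/sh
# Added example (not from the original article): check the auth stack of a
# PAM service file for a 'sufficient' module that would end the stack
# before the /etc/vsftpd/ftpusers deny list (pam_listfile.so sense=deny)
# is consulted. The file is read on stdin so it can be run as
#   pam_denylist_effective < /etc/pam.d/vsftpd
# or against the constructed samples below. Assumption: 'include' lines
# are not expanded, so only modules listed directly in the file count.

# Return 0 when the deny list is evaluated before any 'sufficient' auth
# module can short-circuit the stack, 1 otherwise (including when the
# deny list is missing altogether).
pam_denylist_effective() {
    awk '
        # skip comments and blank lines
        /^[[:space:]]*#/ || NF == 0 { next }
        # a sufficient auth module seen before the deny list ends the
        # stack on success, so the deny list is bypassed for that user
        $1 == "auth" && $2 == "sufficient" && !seen_deny { bypass = 1 }
        $1 == "auth" && $3 == "pam_listfile.so" && /sense=deny/ { seen_deny = 1 }
        END { if (seen_deny && !bypass) exit 0; else exit 1 }
    '
}

# Print the auth stack in evaluation order, one module per line, so the
# ordering is visible at a glance.
pam_auth_stack() {
    awk '$1 == "auth" { printf "%d %s %s\n", ++n, $2, $3 }'
}

# Constructed sample 1: pam_sss.so marked sufficient ahead of the deny list.
BYPASSED_PAM='#%PAM-1.0
auth required pam_env.so
auth sufficient pam_sss.so
account sufficient pam_sss.so
session required pam_loginuid.so
session optional pam_keyinit.so force revoke
auth required pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
auth required pam_shells.so
auth include password-auth
account include password-auth
session include password-auth'

# Constructed sample 2: the deny list moved ahead of pam_sss.so.
ENFORCED_PAM='#%PAM-1.0
auth required pam_env.so
auth required pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
auth sufficient pam_sss.so
account sufficient pam_sss.so
auth required pam_shells.so
auth include password-auth
account include password-auth
session required pam_loginuid.so
session optional pam_keyinit.so force revoke
session include password-auth'

for name in BYPASSED_PAM ENFORCED_PAM; do
    eval "stack=\$$name"
    echo "== $name =="
    printf '%s\n' "$stack" | pam_auth_stack
    if printf '%s\n' "$stack" | pam_denylist_effective; then
        echo "-> ftpusers deny list is enforced for every user"
    else
        echo "-> deny list bypassed: a sufficient module precedes pam_listfile.so"
    fi
done
```

Because account and session lines form their own stacks, only the relative order of the auth lines matters here; the check ignores the other types.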
Authenticate Users from Active Directory in CentOS/RHEL 7
Let us attempt to authenticate a Windows AD user on CentOS/RHEL 7 using the FTP client.
Install the ftp client, if it is not already installed
[root@rhel-7 ~]# yum -y install ftp
Next run the ftp client, connect to localhost and log in as amit
[root@rhel-7 ~]# ftp
ftp> open localhost
Trying ::1...
ftp: connect to address ::1Connection refused
Trying 127.0.0.1...
Connected to localhost (127.0.0.1).
220 (vsFTPd 3.0.2)
Name (localhost:root): amit
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (127,0,0,1,56,127).
150 Here comes the directory listing.
226 Directory send OK.
ftp> exit
So the Active Directory user amit can log in to the FTP server on the RHEL 7 host.
Authenticate Users from Active Directory in CentOS/RHEL 8
Next let us attempt to authenticate a Windows AD user on CentOS/RHEL 8 using the FTP client.
Here too the FTP client must be installed first
[root@centos-8 ~]# yum -y install ftp
In CentOS/RHEL 8 the AD user's home directory did not exist and the login failed until I created it. Create it manually as shown below, or let pam_oddjob_mkhomedir create it at first login (authselect enable-feature with-mkhomedir, then systemctl enable --now oddjobd). Give the user ownership of his own directory only, not the whole /home/GOLINUXCLOUD/ tree, otherwise he would own every other domain user's home as well
[root@centos-8 ~]# mkdir -p /home/GOLINUXCLOUD/amit
[root@centos-8 ~]# chown GOLINUXCLOUD+amit:GOLINUXCLOUD+amit /home/GOLINUXCLOUD/amit
[root@centos-8 ~]# chmod 700 /home/GOLINUXCLOUD/amit
Next verify a normal login as the AD user with su
[root@centos-8 ~]# su - GOLINUXCLOUD+amit
Last login: Sun Nov 24 04:59:14 IST 2019 on pts/0
[GOLINUXCLOUD+amit@centos-8 ~]$ pwd
/home/GOLINUXCLOUD/amit
[GOLINUXCLOUD+amit@centos-8 ~]$ logout
Since the normal login is successful, I will now connect to the FTP server as the Active Directory user amit
[root@centos-8 ~]# ftp
ftp> open localhost
Trying ::1...
ftp: connect to address ::1Connection refused
Trying 127.0.0.1...
Connected to localhost (127.0.0.1).
220 (vsFTPd 3.0.3)
Name (localhost:root): GOLINUXCLOUD+amit
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (127,0,0,1,120,213).
150 Here comes the directory listing.
226 Directory send OK.
ftp> exit
221 Goodbye.
So the AD user amit can also log in to the FTP (vsftpd) server on the CentOS 8 host.
Lastly, I hope the steps in this article to configure an FTP
server (vsftpd) and authenticate users from Windows Active Directory
on CentOS/RHEL 7/8 Linux were helpful. Let me know your suggestions
and feedback in the comment section.