Configure FTP server and pam.d to authenticate users with AD (CentOS/RHEL 7/8)


Tips and Tricks, How To, Linux

In this article I will share steps to configure FTP server and /etc/pam.d file to authenticate users from Active Directory. I have executed the steps on CentOS/RHEL 7 and 8 Linux. On RHEL 8 some additional steps would be required to authenticate users from AD and login.

 

Mandatory pre-requisite

Make sure you have integrated your Linux node with Active Directory. You can either use Windows Active Directory or Linux based Active Directory using FreeIPA.

I have already integrated my RHEL 7 and CentOS 8 with Windows Active Directory running on Windows Server 2012.

Step-by-Step Tutorial: Install and Configure Windows Directory Alternative FreeIPA Server in CentOS/RHEL 8
Step by Step Tutorial: Install and Configure Windows AD Alternative FreeIPA Server & Client (RHEL/CentOS 7)

Step by Step Tuorial to Add RHEL/CentOS 7 to Windows Active Directory Domain using Realm and Adcli
Step by Step Tutorial to join or add RHEL/CentOS 8 to Windows Domain Controller using winbind

 

Here I created a user 'amit' on my Active Directory to demonstrate this article

On RHEL 7 host

[root@rhel-7 ~]# getent passwd amit
amit:*:1407601118:1407600513:admit:/home/GOLINUXCLOUD.COM/amit:

On CentOS 8 host

# getent passwd GOLINUXCLOUD+amit
GOLINUXCLOUD+amit:*:2001118:2000513:admit:/home/GOLINUXCLOUD/amit:/bin/bash
IMPORTANT NOTE:
The steps to configure FTP Server (vsftpd) and /etc/pam.d/vsftpd is same for RHEL/CentOS 7 and 8.

 

Configure FTP Server (vsftpd)

I will use vsftpd server to configure FTP server in my RHEL/CentOS 7 and 8 Linux. The first step would be to install vsftpd rpm.

NOTE:
On RHEL system you must have an active subscription to RHN or you can configure a local offline repository using which "yum" package manager can install the provided rpm and it's dependencies.
[root@rhel-7 ~]# yum -y install vsftpd
[root@centos-8 ~]# yum -y install vsftpd

I will not be able to explain the vsftpd configuration (/etc/vsftpd/vsftpd.conf) here, as we will concentrate to authenticate users with Active Directory. Below is my sample vsftpd configuration file

# egrep -v "^#|^$" /etc/vsftpd/vsftpd.conf
anonymous_enable=YES
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
listen=YES
listen_ipv6=NO
pam_service_name=vsftpd
userlist_enable=YES
userlist_log=YES
tcp_wrappers=NO
session_support=YES

Next restart the vsftpd service to activate the changes

# systemctl restart vsftpd

Open port 21 for vsftpd server

# firewall-cmd --zone=public --permanent --add-service=ftp

 

Configure /etc/pam.d/vsftpd

Next the main file which will authenticate users with Active Directory is /etc/pam.d/vsftpd. Add the below highlighted lines in the format as shown:

# cat /etc/pam.d/vsftpd
#%PAM-1.0
auth       required      pam_env.so
auth       sufficient    pam_sss.so
account    sufficient    pam_sss.so
session    required      pam_loginuid.so
session    optional     pam_keyinit.so    force revoke
auth       required     pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
auth       required     pam_shells.so
auth       include      password-auth
account    include      password-auth
session    required     pam_loginuid.so
session    include      password-auth

 

Authenticate Users from Active Directory

in CentOS/RHEL 7

Let us attempt to authenticate users from Windows AD in CentOS/RHEL 7 using FTP client.

Install the ftp client, if not already installed

[root@rhel-7 ~]# yum -y install ftp

Next execute ftp client and connect to localhost using amit user

[root@rhel-7 ~]# ftp
ftp> open localhost
Trying ::1...
ftp: connect to address ::1Connection refused
Trying 127.0.0.1...
Connected to localhost (127.0.0.1).
220 (vsFTPd 3.0.2)
Name (localhost:root): amit
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (127,0,0,1,56,127).
150 Here comes the directory listing.
226 Directory send OK.
ftp> exit

So as you see we were able to successfully connect localhost using Active Directory User in Linux.

 

in CentOS/RHEL 8

Next let us attempt to authenticate users from Windows AD in CentOS/RHEL 8 using FTP Client.

Again here also we would need to install FTP client

[root@centos-8 ~]# yum -y install ftp

In CentOS/RHEL 8 I had to also create home directory of AD user or else the user failed to login

[root@centos-8 ~]# mkdir -p /home/GOLINUXCLOUD/amit

Give login permission to AD user for his home directory

[root@centos-8 ~]# chown -R GOLINUXCLOUD+amit:GOLINUXCLOUD+amit /home/GOLINUXCLOUD/

Next try to login to AD user using su

[root@centos-8 ~]# su - GOLINUXCLOUD+amit
Last login: Sun Nov 24 04:59:14 IST 2019 on pts/0
[GOLINUXCLOUD+amit@centos-8 ~]$ pwd
/home/GOLINUXCLOUD/amit
[GOLINUXCLOUD+amit@centos-8 ~]$ logout

Since the normal login is successful, I will not connect to FTP server using Active Directory user amit

[root@centos-8 ~]# ftp
ftp> open localhost
Trying ::1...
ftp: connect to address ::1Connection refused
Trying 127.0.0.1...
Connected to localhost (127.0.0.1).
220 (vsFTPd 3.0.3)
Name (localhost:root): GOLINUXCLOUD+amit
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (127,0,0,1,120,213).
150 Here comes the directory listing.
226 Directory send OK.
ftp> exit
221 Goodbye.

So we were able to successfully able to connect FTP (vsftpd) server using amit user.

 

Lastly I hope the steps from the article to connect and configure FTP server (vsftpd) and authenticate users from Windows Active Directory on CentOS/RHEL 7/8 Linux was helpful. So, let me know your suggestions and feedback using the comment section.

 

References:
How to configure vsftpd to authenticate users from Active Directory server

Deepak Prasad

Deepak Prasad

Deepak Prasad is the founder of GoLinuxCloud, bringing over a decade of expertise in Linux, Python, Go, Laravel, DevOps, Kubernetes, Git, Shell scripting, OpenShift, Networking, and Security. His extensive experience spans development, DevOps, networking, and security, ensuring robust and efficient solutions for diverse projects.

Certifications and Credentials:

  • Certified Kubernetes Application Developer (CKAD)
  • Go Developer Certification
  • Linux Foundation Certified System Administrator (LFCS)
  • Certified Ethical Hacker (CEH)
  • Python Institute PCAP (Certified Associate in Python Programming)
You can connect with him on his LinkedIn profile and join his Facebook and LinkedIn page.

Can't find what you're searching for? Let us assist you.

Enter your query below, and we'll provide instant results tailored to your needs.

If my articles on GoLinuxCloud has helped you, kindly consider buying me a coffee as a token of appreciation.

Buy GoLinuxCloud a Coffee

For any other feedbacks or questions you can send mail to admin@golinuxcloud.com

Thank You for your support!!

2 thoughts on “Configure FTP server and pam.d to authenticate users with AD (CentOS/RHEL 7/8)”

  1. very very helpful. thanks a milion dear ADMIN
    userlist_enable=YES
    seems to be wrong because it makes vsftp to lookup users from a list. so it cannot find list and below error come up:
    500 OOPS: cannot read user list file:/etc/vsftpd.user_list

    Reply

Leave a Comment