In this article I will share the steps to configure an FTP server and the /etc/pam.d file to authenticate users from Active Directory. I have executed the steps on CentOS/RHEL 7 and 8 Linux. On RHEL 8 some additional steps are required before users from AD can authenticate and log in.
Mandatory pre-requisite
Make sure you have integrated your Linux node with Active Directory. You can either use Windows Active Directory or Linux based Active Directory using FreeIPA.
I have already integrated my RHEL 7 and CentOS 8 with Windows Active Directory running on Windows Server 2012.
Step-by-Step Tutorial: Install and Configure Windows Directory Alternative FreeIPA Server in CentOS/RHEL 8
Step by Step Tutorial: Install and Configure Windows AD Alternative FreeIPA Server & Client (RHEL/CentOS 7)
Step by Step Tutorial to Add RHEL/CentOS 7 to Windows Active Directory Domain using Realm and Adcli
Step by Step Tutorial to join or add RHEL/CentOS 8 to Windows Domain Controller using winbind
Here I created a user 'amit' on my Active Directory to demonstrate this article.
On RHEL 7 host
[root@rhel-7 ~]# getent passwd amit
amit:*:1407601118:1407600513:admit:/home/GOLINUXCLOUD.COM/amit:
On CentOS 8 host
# getent passwd GOLINUXCLOUD+amit
GOLINUXCLOUD+amit:*:2001118:2000513:admit:/home/GOLINUXCLOUD/amit:/bin/bash
Configure FTP Server (vsftpd)
I will use the vsftpd server to set up the FTP server on my RHEL/CentOS 7 and 8 Linux. The first step is to install the vsftpd rpm.
[root@rhel-7 ~]# yum -y install vsftpd
[root@centos-8 ~]# yum -y install vsftpd
I will not explain the vsftpd configuration (/etc/vsftpd/vsftpd.conf) here, as we will concentrate on authenticating users with Active Directory. Below is my sample vsftpd configuration file:
# egrep -v "^#|^$" /etc/vsftpd/vsftpd.conf
anonymous_enable=YES
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
listen=YES
listen_ipv6=NO
pam_service_name=vsftpd
userlist_enable=YES
userlist_log=YES
tcp_wrappers=NO
session_support=YES
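The configuration above is enough for the login tests later in this article, but a few of its settings deserve a second look before an AD-backed FTP server is reachable from anything other than localhost. The following added example (my code, not the article's) parses a vsftpd.conf in vsftpd's key=value format and flags those settings; the defaults it assumes for absent keys are vsftpd's own built-in ones, and its sample input is the configuration above with the logging lines left out.

```python
"""Audit a vsftpd.conf for settings that matter once FTP logins are Active
Directory accounts. Constructed checker for this article; the sample below
is the article's own configuration (logging lines omitted), embedded inline
so the script runs offline."""

SAMPLE_CONF = """\
anonymous_enable=YES
local_enable=YES
write_enable=YES
local_umask=022
listen=YES
listen_ipv6=NO
pam_service_name=vsftpd
userlist_enable=YES
userlist_log=YES
tcp_wrappers=NO
session_support=YES
"""

def parse_vsftpd_conf(text):
    """vsftpd.conf is key=value, one setting per line; '#' starts a comment."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf

def is_yes(conf, key, default):
    """vsftpd boolean options are YES/NO, case-insensitive."""
    return conf.get(key, default).upper() == "YES"

def audit(conf):
    """Return (setting, finding) pairs; an empty list means nothing flagged."""
    findings = []
    if is_yes(conf, "anonymous_enable", "YES"):      # vsftpd default is YES
        findings.append(("anonymous_enable", "anonymous logins allowed; set NO if only AD users may log in"))
    if not is_yes(conf, "ssl_enable", "NO"):
        findings.append(("ssl_enable", "plain FTP: AD passwords and data cross the network unencrypted"))
    if is_yes(conf, "local_enable", "NO") and not is_yes(conf, "chroot_local_user", "NO"):
        findings.append(("chroot_local_user", "logged-in users can browse outside their home directory"))
    if is_yes(conf, "userlist_enable", "NO") and "userlist_file" not in conf:
        findings.append(("userlist_file", "not set; the compiled-in default path is used (upstream: /etc/vsftpd.user_list)"))
    return findings

if __name__ == "__main__":
    for setting, finding in audit(parse_vsftpd_conf(SAMPLE_CONF)):
        print("%-20s %s" % (setting, finding))
```

The last finding is the situation described in the comment at the end of this article, where vsftpd fell back to /etc/vsftpd.user_list because no userlist_file was set.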
Next restart the vsftpd service to activate the changes:
# systemctl restart vsftpd
Open port 21 for vsftpd server
# firewall-cmd --zone=public --permanent --add-service=ftp
Configure /etc/pam.d/vsftpd
Next, the main file which authenticates users with Active Directory is /etc/pam.d/vsftpd. Add the lines shown below (the pam_sss.so entries are the ones that authenticate against AD through sssd), in the format shown, to the /etc/pam.d/vsftpd file of your setup:
# cat /etc/pam.d/vsftpd
#%PAM-1.0
auth required pam_env.so
auth sufficient pam_sss.so
account sufficient pam_sss.so
session required pam_loginuid.so
session optional pam_keyinit.so force revoke
auth required pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
auth required pam_shells.so
auth include password-auth
account include password-auth
session required pam_loginuid.so
session include password-auth
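As an added example that is not part of the article, here is a small Python simulation of the PAM control-flag rules applied to the auth lines above. It shows that with this order a successful pam_sss.so result is returned to vsftpd before pam_listfile.so has consulted /etc/vsftpd/ftpusers, so an AD account listed there still logs in, while placing the deny-list line before pam_sss.so makes it apply to AD users as well. The sets of AD users, local users and denied users are constructed inputs, and include is simplified to the net result of the password-auth stack.

```python
"""Simulation of the Linux-PAM 'auth' control flags (required, sufficient,
include) to show why line order in /etc/pam.d/vsftpd matters. Constructed
for this article; it does not call libpam, and 'include' is simplified to
the net result of the included password-auth stack."""

def module_result(module, user, ftpusers, ad_users, local_users):
    """What each module on the article's stack would report for `user`."""
    if module == "pam_env.so":
        return "ok"
    if module == "pam_sss.so":                 # sssd only knows AD accounts
        return "ok" if user in ad_users else "user_unknown"
    if module.startswith("pam_listfile.so"):   # sense=deny: listed users fail
        return "auth_err" if user in ftpusers else "ok"
    if module == "pam_shells.so":              # assumed: shell is in /etc/shells
        return "ok"
    if module == "password-auth":              # local accounts via pam_unix
        return "ok" if user in local_users else "auth_err"
    raise ValueError("unknown module " + module)

def run_auth_stack(stack, user, ftpusers, ad_users, local_users):
    """stack: (control, module) 'auth' lines in file order.
    Returns 'success' or 'denied' following the PAM control-flag rules."""
    failed = False
    for control, module in stack:
        res = module_result(module, user, ftpusers, ad_users, local_users)
        if control in ("required", "include"):
            failed = failed or res != "ok"     # record failure, keep going
        elif control == "sufficient" and res == "ok" and not failed:
            return "success"                   # returns now; rest is skipped
    return "denied" if failed else "success"

# 'auth' lines in the order the article gives them in /etc/pam.d/vsftpd.
ARTICLE_ORDER = [
    ("required", "pam_env.so"),
    ("sufficient", "pam_sss.so"),
    ("required", "pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed"),
    ("required", "pam_shells.so"),
    ("include", "password-auth"),
]
# Same lines with the ftpusers deny list and the shell check moved ahead of
# pam_sss.so, so they run before sssd can end the stack with a success.
DENY_LIST_FIRST = [ARTICLE_ORDER[0], ARTICLE_ORDER[2], ARTICLE_ORDER[3],
                   ARTICLE_ORDER[1], ARTICLE_ORDER[4]]

if __name__ == "__main__":
    # constructed scenario: AD user 'amit' is listed in /etc/vsftpd/ftpusers
    for label, stack in (("article order", ARTICLE_ORDER),
                         ("deny list first", DENY_LIST_FIRST)):
        print(label, "->", run_auth_stack(stack, "amit", {"amit"}, {"amit"}, set()))
```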
Authenticate Users from Active Directory
in CentOS/RHEL 7
Let us attempt to authenticate users from Windows AD in CentOS/RHEL 7 using FTP client.
Install the ftp client, if not already installed:
[root@rhel-7 ~]# yum -y install ftp
Next execute the ftp client and connect to localhost using the amit user:
[root@rhel-7 ~]# ftp
ftp> open localhost
Trying ::1...
ftp: connect to address ::1Connection refused
Trying 127.0.0.1...
Connected to localhost (127.0.0.1).
220 (vsFTPd 3.0.2)
Name (localhost:root): amit
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (127,0,0,1,56,127).
150 Here comes the directory listing.
226 Directory send OK.
ftp> exit
So, as you can see, we were able to connect to localhost successfully using an Active Directory user on Linux.
in CentOS/RHEL 8
Next let us attempt to authenticate users from Windows AD in CentOS/RHEL 8 using FTP Client.
Here also we need to install the FTP client:
[root@centos-8 ~]# yum -y install ftp
On CentOS/RHEL 8 I also had to create the home directory of the AD user, or else the user failed to log in:
[root@centos-8 ~]# mkdir -p /home/GOLINUXCLOUD/amit
Give the AD user ownership of his home directory so that he can log in:
[root@centos-8 ~]# chown -R GOLINUXCLOUD+amit:GOLINUXCLOUD+amit /home/GOLINUXCLOUD/
Next try to log in as the AD user using su:
[root@centos-8 ~]# su - GOLINUXCLOUD+amit
Last login: Sun Nov 24 04:59:14 IST 2019 on pts/0
[GOLINUXCLOUD+amit@centos-8 ~]$ pwd
/home/GOLINUXCLOUD/amit
[GOLINUXCLOUD+amit@centos-8 ~]$ logout
Since the normal login is successful, I will now connect to the FTP server using the Active Directory user amit:
[root@centos-8 ~]# ftp
ftp> open localhost
Trying ::1...
ftp: connect to address ::1Connection refused
Trying 127.0.0.1...
Connected to localhost (127.0.0.1).
220 (vsFTPd 3.0.3)
Name (localhost:root): GOLINUXCLOUD+amit
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (127,0,0,1,120,213).
150 Here comes the directory listing.
226 Directory send OK.
ftp> exit
221 Goodbye.
So we were able to connect successfully to the FTP (vsftpd) server using the amit user.
Lastly, I hope the steps from this article to configure and connect to an FTP server (vsftpd) and authenticate users from Windows Active Directory on CentOS/RHEL 7/8 Linux were helpful. Let me know your suggestions and feedback using the comment section.
References:
How to configure vsftpd to authenticate users from Active Directory server
Very very helpful. Thanks a million, dear ADMIN.
userlist_enable=YES seems to be wrong because it makes vsftpd look up users from a list. So it cannot find the list and the below error comes up:
500 OOPS: cannot read user list file:/etc/vsftpd.user_list
Thank you very much!