Configure FTP server and pam.d to authenticate users with AD (CentOS/RHEL 7/8)

In this article I will share the steps to configure an FTP server (vsftpd) and its /etc/pam.d service file so that users authenticate against Active Directory. I have executed the steps on CentOS/RHEL 7 and 8 Linux. On RHEL 8 some additional steps are required before an AD user can log in.

 

Mandatory pre-requisite

Make sure you have already integrated your Linux node with Active Directory. You can use either Windows Active Directory or a Linux-based alternative such as FreeIPA.

I have already integrated my RHEL 7 and CentOS 8 hosts with a Windows Active Directory domain running on Windows Server 2012.

Step-by-Step Tutorial: Install and Configure Windows Directory Alternative FreeIPA Server in CentOS/RHEL 8
Step by Step Tutorial: Install and Configure Windows AD Alternative FreeIPA Server & Client (RHEL/CentOS 7)

Step by Step Tutorial to Add RHEL/CentOS 7 to Windows Active Directory Domain using Realm and Adcli
Step by Step Tutorial to join or add RHEL/CentOS 8 to Windows Domain Controller using winbind

 

I created a user 'amit' in my Active Directory to demonstrate this article. Note how the two hosts name the same account: the RHEL 7 host was joined with realm/adcli (SSSD) and resolves the short name, while the CentOS 8 host was joined with winbind and uses the DOMAIN+user form.

On RHEL 7 host

[root@rhel-7 ~]# getent passwd amit
amit:*:1407601118:1407600513:admit:/home/GOLINUXCLOUD.COM/amit:

On CentOS 8 host

# getent passwd GOLINUXCLOUD+amit
GOLINUXCLOUD+amit:*:2001118:2000513:admit:/home/GOLINUXCLOUD/amit:/bin/bash

IMPORTANT NOTE:

The steps to configure the FTP server (vsftpd) and /etc/pam.d/vsftpd are the same for RHEL/CentOS 7 and 8.

 

Configure FTP Server (vsftpd)

I will use vsftpd to provide the FTP server on my RHEL/CentOS 7 and 8 hosts. The first step is to install the vsftpd rpm.

NOTE:

On a RHEL system you must have an active Red Hat subscription, or you can configure a local offline repository from which the "yum" package manager can install the rpm and its dependencies.
[root@rhel-7 ~]# yum -y install vsftpd
[root@centos-8 ~]# yum -y install vsftpd

I will not explain the full vsftpd configuration (/etc/vsftpd/vsftpd.conf) here, as we will concentrate on authenticating users with Active Directory. Below is my sample configuration file. Two settings in it deserve attention before you reuse it: anonymous_enable=YES allows anonymous logins on a server intended for domain users, and without ssl_enable=YES (FTPS) every AD password sent to port 21 crosses the network in cleartext. Set anonymous_enable=NO and enable TLS on anything other than a lab host.

# egrep -v "^#|^$" /etc/vsftpd/vsftpd.conf
anonymous_enable=YES
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
listen=YES
listen_ipv6=NO
pam_service_name=vsftpd
userlist_enable=YES
userlist_log=YES
tcp_wrappers=NO
session_support=YES

Next restart the vsftpd service to activate the changes

# systemctl restart vsftpd

Open port 21 for the vsftpd server and reload firewalld so that the permanent rule takes effect (the ftp service definition also loads the FTP connection-tracking helper that passive-mode data connections depend on)

# firewall-cmd --zone=public --permanent --add-service=ftp
# firewall-cmd --reload
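As an added example (not part of the original article), the following shell script audits a vsftpd.conf for the settings discussed above: it reports anonymous logins, a missing ssl_enable=YES, an explicit force_local_logins_ssl=NO or force_local_data_ssl=NO, and users not being confined to their home directory with chroot_local_user. Both sample files are constructed inline: the "weak" one is the configuration shown above, and the "hardened" one is one possible corrected version whose certificate paths and passive port range are assumptions, not values from the article.

```shell
#!/bin/sh
# Added example: audit a vsftpd.conf for settings that matter once domain
# accounts can log in over FTP. Not taken from the original article.

# Print the value of key $2 in file $1 (last uncommented occurrence), or nothing.
vsftpd_get() {
    sed -n "s/^[[:space:]]*$2=\(.*\)$/\1/p" "$1" | tail -n 1
}

# Record one finding: message on stderr, bump the global counter.
warn() {
    echo "WARN: $*" >&2
    n=$((n + 1))
}

# Audit the file given as $1. Findings go to stderr, their count to stdout.
audit_vsftpd_conf() {
    f=$1
    n=0
    if [ "$(vsftpd_get "$f" anonymous_enable)" = "YES" ]; then
        warn "anonymous_enable=YES: anonymous FTP is open on a server meant for AD users"
    fi
    if [ "$(vsftpd_get "$f" ssl_enable)" != "YES" ]; then
        warn "ssl_enable is not YES: AD passwords are sent to port 21 in cleartext"
    elif [ "$(vsftpd_get "$f" force_local_logins_ssl)" = "NO" ] ||
         [ "$(vsftpd_get "$f" force_local_data_ssl)" = "NO" ]; then
        warn "TLS is optional for logins or data: clients can still fall back to cleartext"
    fi
    if [ "$(vsftpd_get "$f" chroot_local_user)" != "YES" ]; then
        warn "chroot_local_user is not YES: domain users can browse the whole filesystem"
    fi
    echo "$n"
}

# Constructed sample files: weak.conf is the configuration from the article,
# hardened.conf is one corrected version (cert paths and PASV range assumed).
VSFTPD_SAMPLES=$(mktemp -d)
cat > "$VSFTPD_SAMPLES/weak.conf" <<'EOF'
anonymous_enable=YES
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
listen=YES
listen_ipv6=NO
pam_service_name=vsftpd
userlist_enable=YES
userlist_log=YES
tcp_wrappers=NO
session_support=YES
EOF
cat > "$VSFTPD_SAMPLES/hardened.conf" <<'EOF'
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
chroot_local_user=YES
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
listen=YES
listen_ipv6=NO
pam_service_name=vsftpd
userlist_enable=YES
userlist_log=YES
tcp_wrappers=NO
session_support=YES
ssl_enable=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES
ssl_sslv2=NO
ssl_sslv3=NO
ssl_tlsv1=YES
rsa_cert_file=/etc/pki/tls/certs/vsftpd.pem
rsa_private_key_file=/etc/pki/tls/private/vsftpd.key
pasv_min_port=40000
pasv_max_port=40100
EOF

# Usage: audit_vsftpd_conf /etc/vsftpd/vsftpd.conf
audit_vsftpd_conf "$VSFTPD_SAMPLES/weak.conf" >/dev/null      # 3 findings
audit_vsftpd_conf "$VSFTPD_SAMPLES/hardened.conf" >/dev/null  # 0 findings
```

Run it against the live file with `audit_vsftpd_conf /etc/vsftpd/vsftpd.conf` after sourcing the script. Once TLS is enabled, the passive port range must also be opened in firewalld explicitly, because the FTP connection-tracking helper cannot read the data port out of an encrypted control channel.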

 

Configure /etc/pam.d/vsftpd

Next, the main file that authenticates users with Active Directory is /etc/pam.d/vsftpd. The lines from pam_env through the first pam_loginuid entry are the ones I added (they were highlighted in the original); everything from the pam_keyinit line down is the stock file shipped by the vsftpd package:

# cat /etc/pam.d/vsftpd
#%PAM-1.0
auth       required      pam_env.so
auth       sufficient    pam_sss.so
account    sufficient    pam_sss.so
session    required      pam_loginuid.so
session    optional     pam_keyinit.so    force revoke
auth       required     pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
auth       required     pam_shells.so
auth       include      password-auth
account    include      password-auth
session    required     pam_loginuid.so
session    include      password-auth

Two things to keep in mind about this stack. First, pam_sss is marked sufficient and sits before pam_listfile and pam_shells: when pam_sss accepts the password, PAM returns success for the auth phase right there, so the /etc/vsftpd/ftpusers deny list and the /etc/shells check are never evaluated for SSSD users. Second, on the RHEL 7 host the AD user has no login shell in the getent output above, which is why pam_shells would otherwise reject it; setting default_shell = /bin/bash in the [nss] section of /etc/sssd/sssd.conf and moving the pam_sss lines below pam_listfile and pam_shells keeps both checks in force. On the CentOS 8 host, which was joined with winbind (hence the GOLINUXCLOUD+amit name form), pam_sss does not know the user, so authentication falls through to the password-auth include that carries the winbind entries.
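As an added example (not from the original article), this shell script checks a /etc/pam.d/vsftpd-style file for the ordering problem just described: any auth line marked sufficient that precedes the pam_listfile deny rule or pam_shells. The two sample files are constructed inline: vsftpd.pam is the stack shown above, and vsftpd-reordered.pam moves the pam_sss lines below those checks, which is one way to keep ftpusers and /etc/shells in force for SSSD users.

```shell
#!/bin/sh
# Added example: detect "auth sufficient" entries that short-circuit later
# auth checks in a PAM service file. Not taken from the original article.

# Position (1-based) among the auth lines of file $1 of the first line that
# contains $2, or 0 if absent. Comment lines never have "auth" in field 1.
pam_auth_pos() {
    awk -v pat="$2" '$1 == "auth" { i++; if (index($0, pat) && !found) found = i }
                     END { print found + 0 }' "$1"
}

# Position of the first "auth sufficient" line in file $1, or 0.
pam_first_sufficient() {
    awk '$1 == "auth" { i++; if ($2 == "sufficient" && !found) found = i }
         END { print found + 0 }' "$1"
}

# Audit file $1: for each guard module that comes after the first sufficient
# entry, print a WARN line on stderr. The number of findings goes to stdout.
audit_vsftpd_pam() {
    f=$1
    n=0
    suff=$(pam_first_sufficient "$f")
    if [ "$suff" -gt 0 ]; then
        for guard in pam_listfile.so pam_shells.so; do
            pos=$(pam_auth_pos "$f" "$guard")
            if [ "$pos" -gt "$suff" ]; then
                echo "WARN: auth sufficient (auth line $suff) precedes $guard (auth line $pos):" \
                     "$guard is skipped for every user that module accepts" >&2
                n=$((n + 1))
            fi
        done
    fi
    echo "$n"
}

# Constructed samples: the stack from the article, and the same stack with
# the pam_sss entries moved below pam_listfile and pam_shells.
PAM_SAMPLES=$(mktemp -d)
cat > "$PAM_SAMPLES/vsftpd.pam" <<'EOF'
#%PAM-1.0
auth       required      pam_env.so
auth       sufficient    pam_sss.so
account    sufficient    pam_sss.so
session    required      pam_loginuid.so
session    optional     pam_keyinit.so    force revoke
auth       required     pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
auth       required     pam_shells.so
auth       include      password-auth
account    include      password-auth
session    required     pam_loginuid.so
session    include      password-auth
EOF
cat > "$PAM_SAMPLES/vsftpd-reordered.pam" <<'EOF'
#%PAM-1.0
session    optional     pam_keyinit.so    force revoke
auth       required     pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
auth       required     pam_shells.so
auth       sufficient   pam_sss.so
auth       include      password-auth
account    sufficient   pam_sss.so
account    include      password-auth
session    required     pam_loginuid.so
session    include      password-auth
EOF

# Usage: audit_vsftpd_pam /etc/pam.d/vsftpd
audit_vsftpd_pam "$PAM_SAMPLES/vsftpd.pam" >/dev/null            # 2 findings
audit_vsftpd_pam "$PAM_SAMPLES/vsftpd-reordered.pam" >/dev/null  # 0 findings
```

After changing the stack, pamtester (available from EPEL) exercises it without an FTP client: `pamtester vsftpd amit authenticate` prompts for the password and reports the result, and /var/log/secure shows which module accepted or rejected the user.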

 

Authenticate Users from Active Directory

In CentOS/RHEL 7

Let us attempt to authenticate users from Windows AD in CentOS/RHEL 7 using FTP client.

Install the ftp client, if not already installed

[root@rhel-7 ~]# yum -y install ftp

Next, run the ftp client and connect to localhost as user amit

[root@rhel-7 ~]# ftp
ftp> open localhost
Trying ::1...
ftp: connect to address ::1Connection refused
Trying 127.0.0.1...
Connected to localhost (127.0.0.1).
220 (vsFTPd 3.0.2)
Name (localhost:root): amit
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (127,0,0,1,56,127).
150 Here comes the directory listing.
226 Directory send OK.
ftp> exit

So, as you can see, we were able to connect to localhost over FTP with an Active Directory user.

 

In CentOS/RHEL 8

Next let us attempt to authenticate users from Windows AD in CentOS/RHEL 8 using FTP Client.

Here, too, we need to install the FTP client

[root@centos-8 ~]# yum -y install ftp

In CentOS/RHEL 8 I also had to create the home directory of the AD user, or else the login failed (alternatively, enable the with-mkhomedir feature in authselect and start the oddjobd service so that home directories are created at first login)

[root@centos-8 ~]# mkdir -p /home/GOLINUXCLOUD/amit

Give the AD user ownership of his own home directory and keep it private. Limit the chown to the user's directory: running it recursively over /home/GOLINUXCLOUD/ would hand this user every other domain user's home directory

[root@centos-8 ~]# chown GOLINUXCLOUD+amit: /home/GOLINUXCLOUD/amit
[root@centos-8 ~]# chmod 700 /home/GOLINUXCLOUD/amit

Next, try to log in as the AD user using su

[root@centos-8 ~]# su - GOLINUXCLOUD+amit
Last login: Sun Nov 24 04:59:14 IST 2019 on pts/0
[GOLINUXCLOUD+amit@centos-8 ~]$ pwd
/home/GOLINUXCLOUD/amit
[GOLINUXCLOUD+amit@centos-8 ~]$ logout

Since the normal login is successful, I will now connect to the FTP server using the Active Directory user amit

[root@centos-8 ~]# ftp
ftp> open localhost
Trying ::1...
ftp: connect to address ::1Connection refused
Trying 127.0.0.1...
Connected to localhost (127.0.0.1).
220 (vsFTPd 3.0.3)
Name (localhost:root): GOLINUXCLOUD+amit
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (127,0,0,1,120,213).
150 Here comes the directory listing.
226 Directory send OK.
ftp> exit
221 Goodbye.

So we were able to connect to the FTP (vsftpd) server with the amit user from the CentOS 8 host as well.

 

Lastly, I hope the steps in this article to configure an FTP server (vsftpd) and authenticate users from Windows Active Directory on CentOS/RHEL 7/8 Linux were helpful. Let me know your suggestions and feedback using the comment section.

 
