vsFTPd authenticating with SSSD

I first checked the shell settings and added the following line to my /etc/sss/sssd.conf:

[domain/example.org]
override_shell = /sbin/rbash

but this didn't solve the problem.

After commenting out the line

account  [default=bad success=ok user_unknown=ignore]  pam_sss.so

in /etc/pam.d/common-auth, Active Directory users can log in with their AD account.

But this setting affects more login services than just vsftpd. So I removed the comment from that line (going back to the original version) and changed vsftpd's PAM configuration instead:

/etc/pam.d/vsftpd:

# Standard behaviour for ftpd(8).
auth  required   pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed

# Note: vsftpd handles anonymous logins on its own. Do not enable pam_ftp.so.

# Standard pam includes

##@include common-account
account [success=1 new_authtok_reqd=done default=ignore]  pam_unix.so 
account requisite      pam_deny.so
account required       pam_permit.so
account sufficient     pam_localuser.so 

@include common-session
@include common-auth
auth    required       pam_shells.so
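A check an administrator can run before restarting vsftpd, added here as an example and not part of the original answer: it parses a pam.d stack file the way libpam does, flags wrapped lines of the kind that produced "illegal module type: ce" in the question's /var/log/secure, and lists which modules gate the account phase (the pam_sss.so account rule this answer moves away from). The sample stack below is constructed from the question's file.

```python
import re
# PAM stack-file linter, added as an example (not from the original post). It
# applies the checks libpam makes when reading /etc/pam.d/<service>: each rule
# needs a module type, a control token and a module name. A pasted line wrap such
# as "ce with pam_winbind.so" fails the first check ("illegal module type: ce").

TYPES = {"auth", "account", "password", "session"}
CONTROLS = {"required", "requisite", "sufficient", "optional", "include", "substack"}
BRACKETED = re.compile(r"^\[(\s*[\w-]+=[\w-]+\s*)+\]$")  # e.g. [success=1 default=ignore]
RULE = re.compile(r"^(-?\S+)\s+(\[[^\]]*\]|\S+)\s*(.*)$")   # type, control, module+args

def lint_pam_stack(text):
    """Return (line_no, message) for every rule libpam would reject."""
    problems = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("@include"):
            continue
        m = RULE.match(line)
        if not m:
            problems.append((no, "rule needs a type, a control and a module"))
            continue
        mtype, control, rest = m.groups()
        if mtype.lstrip("-") not in TYPES:
            problems.append((no, f"illegal module type: {mtype}"))
        elif control not in CONTROLS and not BRACKETED.match(control):
            problems.append((no, f"illegal control token: {control}"))
        elif not rest:
            problems.append((no, "no module name supplied"))
    return problems

def modules_for(text, mtype):
    """Module names that run in one phase (auth, account, ...), in stack order."""
    mods = []
    for line in text.splitlines():
        m = RULE.match(line.strip())
        if m and m.group(1).lstrip("-") == mtype and m.group(3):
            mods.append(m.group(3).split()[0])
    return mods

# Constructed sample reproducing the wrapped lines from the question's /etc/pam.d/vsftpd.
BROKEN_STACK = """\
auth sufficient pam_sss.so
ce with pam_winbind.so
account sufficient pam_sss.so
auth required pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers
rs onerr=succeed
auth required
"""
```

Running `lint_pam_stack` over the real file (`open("/etc/pam.d/vsftpd").read()`) reports the same parse failures the syslog lines show, before the service is restarted.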

Author: Jeremy Spencer

Updated on September 18, 2022

Comments

  • Jeremy Spencer
    Jeremy Spencer almost 2 years

    I am currently trying to set up an FTP server that authenticates through Active Directory using SSSD.

    My config files are as follows:

    /etc/vsftpd/vsftpd:

    [root@StudentOrgFTP vsftpd]# cat vsftpd.conf
    anonymous_enable=NO
    local_enable=YES
    write_enable=YES
    local_umask=022
    dirmessage_enable=YES
    xferlog_enable=YES
    connect_from_port_20=YES
    xferlog_std_format=YES
    listen=YES
    pam_service_name=vsftpd
    userlist_enable=YES
    userlist_log=YES
    tcp_wrappers=NO
    chroot_local_user=YES
    session_support=YES
    

    /etc/sssd/sssd.conf

    [sssd]
    
    domains = WORK
    services = nss, pam
    config_file_version = 2
    
    [pam]
    offline_credentials_expiration = 5
    
    [nss]
    
    [domain/WORK]
    description = Work domains
    
    enumerate = false
    
    id_provider = ldap
    auth_provider = ldap
    chpass_provider = none
    access_provider = ldap
    
    ldap_pwd_policy = none
    ldap_schema = ad
    ldap_user_name = sAMAccountName
    ldap_user_object_class = person
    ldap_group_object_class = group
    ldap_id_mapping = True
    case_sensitive = false
    
    ldap_id_mapping = True
    override_shell = /bin/bash
    override_homedir = /srv/student_ftp/%u
    
    # Connection Properties
    ldap_uri = ldaps://xxxxx.xxxxxxxx.xxx
    # Temporary measure until I can get a hold of a proper certificate
    ldap_tls_reqcert = never
    
    ldap_search_base = dc=xxxxxxxx,dc=xxx
    ldap_group_search_base = OU=students,dc=xxxxxxxx,dc=xxx
    ldap_default_bind_dn = CN=<AD User>,OU=Users,OU=Labs,dc=xxxxxxxx,dc=xxx
    ldap_default_authtok_type = password
    ldap_default_authtok = <password>
    
    ldap_access_filter = (&(objectClass=person)(ou=students,dc=xxxxxxxx,dc=xxx))
    

    /etc/pam.d/vsftpd

    auth required pam_env.so
    auth sufficient pam_sss.so
    ce with pam_winbind.so
    account sufficient pam_sss.so
    ce with pam_winbind.so
    session required pam_loginuid.so
    session optional pam_keyinit.so force revoke
    auth required pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpuse
    rs onerr=succeed
    auth required pam_shells.so
    auth include password-auth
    account include password-auth
    session required pam_loginuid.so
    session include password-auth
    

    I was able to get SSSD working with this config: I can run 'id username' or 'getent passwd username' and they both return the correct info, but if I use the generic Linux 'ftp' command, vsftpd can't seem to authenticate correctly.

    EDIT: /var/log/secure output:

    Jan 27 04:32:36 StudentOrgFTP vsftpd: vsftpd: PAM (vsftpd) illegal module type: ce
    Jan 27 04:32:36 StudentOrgFTP vsftpd: PAM pam_parse: expecting return value; [...with]
    Jan 27 04:32:36 StudentOrgFTP vsftpd: PAM (vsftpd) illegal module type: ce
    Jan 27 04:32:36 StudentOrgFTP vsftpd: PAM pam_parse: expecting return value; [...with]
    Jan 27 04:32:36 StudentOrgFTP vsftpd: PAM (vsftpd) illegal module type: rs
    Jan 27 04:32:36 StudentOrgFTP vsftpd: PAM pam_parse: expecting return value; [...onerr=succeed]
    Jan 27 04:32:36 StudentOrgFTP vsftpd: PAM (vsftpd) no module name supplied
    Jan 27 04:32:36 StudentOrgFTP vsftpd: pam_sss(vsftpd:auth): authentication success; logname= uid=0 euid=0 tty=ftp ruser=some_username rhost=localhost user=some_username
    Jan 27 04:32:36 StudentOrgFTP vsftpd: pam_sss(vsftpd:account): Access denied for user some_username: 6 (Permission denied)
    Jan 27 04:32:36 StudentOrgFTP vsftpd: pam_sss(vsftpd:account): Access denied for user some_username: 6 (Permission denied)
    
  • Jeremy Spencer
    Jeremy Spencer over 9 years
    Thanks for the reply, I'll post more on Tuesday (long weekend), but I know the issue isn't SSSD because I can retrieve usernames and info from AD with 'id' and 'getent passwd', so I am assuming the issue is in vsftpd or PAM. Once I get back in on Tuesday I will check the logs and turn on the debug levels and see what that brings out.
  • Jeremy Spencer
    Jeremy Spencer over 9 years
    Sorry for the long wait. So initially nothing was being put in /var/log/secure, however after adding 'debug_level = 9' to both [pam] and [domain] in /etc/sssd/sssd.conf I tried using 'su other_username' and the system logged me in as that user; additionally /var/log/secure recorded it as well. After running 'ftp localhost' and putting in a correct username and password, I edited the question with /var/log/secure's output.
  • user2402902
    user2402902 about 9 years
    That did not work for me. I have commented this line and restarted the vsftpd service: sudo systemctl restart vsftpd.service