Setup SFTP on UBUNTU 16.x with Active Directory authentication

In this tutorial we will look into setting up an SFTP server on Ubuntu 16 whose users authenticate through Active Directory. This is a two-step process: first joining the Ubuntu server to Active Directory, then setting up SFTP for the AD users.


Lab environment

  • Active Directory 2012 R2 Domain Controller – 192.168.0.80
  • Ubuntu 16.1 server – 192.168.0.81
  • AD Domain – LAB.LOCAL
  • Windows AD testusr user with Administrative permission in Active Directory
  • Windows AD testgrp group in Active Directory with users that will need SFTP access

Joining Ubuntu 16 to Active Directory
    1. Install necessary software

    sudo apt-get -y install ntp vim ntpdate winbind samba libnss-winbind libpam-winbind krb5-config krb5-locales krb5-user

    When asked for the domain name, enter LAB.LOCAL

    2. Make sure the AD domain controller and the SFTP server use the same NTP source. They must be the same or Kerberos authentication will fail. In our case the DC is the NTP server for both. Add the following server line to /etc/ntp.conf:

    sudo vim /etc/ntp.conf
    server 192.168.0.80 iburst
    
    sudo service ntp restart

    3. Configure Kerberos by editing /etc/krb5.conf

    sudo vim /etc/krb5.conf
    [libdefaults]
    	default_realm = LAB.LOCAL

    4. Obtain a Kerberos ticket for an AD user who is allowed to join machines to the domain

    sudo kinit myuser

    5. Edit /etc/samba/smb.conf so that the Samba configuration reflects your AD domain. Make sure the entries below match your domain.

    workgroup = LAB
    security = ADS
    realm = LAB.LOCAL
    encrypt passwords = yes
    

    6. Edit /etc/nsswitch.conf so that users and groups are also looked up in AD.

    sudo vi /etc/nsswitch.conf
    

    Make sure the following entries are present:

    passwd:  compat winbind
    group:   compat winbind
    

    7. Join the domain LAB.LOCAL

    sudo net ads join -k
    

    8. Update the PAM configuration so that winbind is used for authentication

    sudo pam-auth-update

    In our case all profiles are enabled.

    9. Restart services

    sudo service smbd restart
    sudo service nmbd restart
    sudo service winbind restart
    

    10. Run these tests to make sure AD synchronization is working:

    wbinfo -u
    wbinfo -g
    wbinfo -i LAB
    getent passwd
    getent group
    
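The realm and workgroup values entered in steps 3 and 5 have to agree with each other, and a mismatch is a common reason the join in step 7 or later logins fail. The following check is an added example and not part of the original tutorial; it reads the two files (paths are parameters so it can be run against copies) and compares default_realm, realm, workgroup and security. The expectation that the workgroup equals the first DNS label of the realm (LAB for LAB.LOCAL) is an assumption that matches the lab, not a Samba rule.

```shell
#!/bin/sh
# Added example (not from the original tutorial): consistency check for the
# Kerberos and Samba settings from steps 3 and 5.

# Print the value of "key = value" from a flat config file (first match),
# ignoring leading and trailing whitespace. Keys are matched at the start of
# a line only, so "realm" does not match "default_realm" and commented-out
# lines are skipped.
conf_value() {
    file=$1
    key=$2
    sed -n "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*//p" "$file" |
        sed 's/[[:space:]]*$//' | head -n 1
}

# Uppercase helper: Kerberos realms are case-sensitive and AD realms are
# written in upper case, as the tutorial does.
upper() {
    printf '%s' "$1" | tr '[:lower:]' '[:upper:]'
}

# check_realm_config KRB5_CONF SMB_CONF
# Returns 0 when the files agree, 1 otherwise; each disagreement is printed.
check_realm_config() {
    krb5=$1
    smb=$2
    ok=0

    default_realm=$(conf_value "$krb5" default_realm)
    realm=$(conf_value "$smb" realm)
    workgroup=$(conf_value "$smb" workgroup)
    security=$(conf_value "$smb" security)

    if [ -z "$default_realm" ]; then
        echo "krb5.conf: no default_realm set"; ok=1
    fi
    if [ "$(upper "$realm")" != "$(upper "$default_realm")" ]; then
        echo "smb.conf realm '$realm' != krb5.conf default_realm '$default_realm'"; ok=1
    fi
    if [ "$(upper "$realm")" != "$realm" ]; then
        echo "smb.conf realm '$realm' should be written in upper case"; ok=1
    fi
    # Assumption from the lab: the NetBIOS workgroup is the first DNS label
    # of the realm (LAB for LAB.LOCAL).
    expected_wg=$(upper "${realm%%.*}")
    if [ "$(upper "$workgroup")" != "$expected_wg" ]; then
        echo "smb.conf workgroup '$workgroup' does not match realm label '$expected_wg'"; ok=1
    fi
    if [ "$(upper "$security")" != "ADS" ]; then
        echo "smb.conf security must be ADS for a domain member, found '$security'"; ok=1
    fi
    return $ok
}

# Usage on the server itself:
#   check_realm_config /etc/krb5.conf /etc/samba/smb.conf && echo "realm settings consistent"
```

Run it before step 7; if it prints a disagreement, fix the file it names and re-run before attempting the join.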

    SFTP Configuration
    Setting up SFTP in this environment is a little tricky. We will need to be very careful with permissions or users will get access denied and authentication errors.

    1. Edit /etc/ssh/sshd_config and add the lines below at the end of the file. It is very important that these lines are added at the end: everything that follows a Match line belongs to that Match block, so anything placed after it would apply only to testgrp.

    sudo vim /etc/ssh/sshd_config

    Add the following at the end

    Match Group testgrp
        ChrootDirectory %h
        ForceCommand internal-sftp
        AllowTcpForwarding no
        AllowGroups testgrp
    

    2. Run getent passwd and look at the entry for the test user:

    testusr:*:6107:5513:u1:/home/LAB/testusr:/bin/bash
    

    As you can see, users' home directories are under /home/LAB. This is where we have to be really careful with permissions for the setup to work properly.

    3. Issue the following commands first to set up the proper permissions:

    sudo chown -R root:root /home
    sudo chmod -R 755 /home
    

    4. The last step is to create a Public folder and assign read/write permissions for our testusr:

    mkdir -p /home/LAB/testusr/Public
    chown root:testgrp /home/LAB/testusr/Public
    chmod 775 /home/LAB/testusr/Public
    

    At this point each user should have read/write access to their Public folder.
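Steps 3 and 4 produce a specific layout: the chroot target (the user's home) and every directory above it must be owned by root and must not be writable by group or other, which is what sshd demands before it honours ChrootDirectory, while the Public folder below it is the only group-writable location. The script below is an added example, not part of the original tutorial, that verifies exactly that layout; it assumes GNU stat (Linux). The OWNER_UID and STOP parameters exist only so the check can be exercised on a throw-away directory tree without root; on the server they are left at their defaults.

```shell
#!/bin/sh
# Added example (not from the original tutorial): verify the permission layout
# created by steps 3 and 4 of the SFTP section. Assumes GNU stat.

# check_chroot_path DIR [OWNER_UID] [STOP]
# Walks from DIR upward and checks every component: owner must be OWNER_UID
# (default 0, root) and the directory must not be group- or world-writable.
# STOP (default /) is the last component checked. Returns 0 if everything
# passes, 1 otherwise; each offending component is printed.
check_chroot_path() {
    dir=${1%/}
    [ -z "$dir" ] && dir=/
    want_uid=${2:-0}
    stop=${3:-/}
    rc=0
    while :; do
        uid=$(stat -c '%u' "$dir") || return 2
        perms=$(stat -c '%A' "$dir") || return 2
        # Symbolic mode looks like "drwxr-xr-x": character 6 is the group
        # write bit, character 9 the other write bit.
        gw=$(printf '%s' "$perms" | cut -c6)
        ow=$(printf '%s' "$perms" | cut -c9)
        if [ "$uid" != "$want_uid" ]; then
            echo "$dir: owned by uid $uid, expected $want_uid"; rc=1
        fi
        if [ "$gw" = "w" ] || [ "$ow" = "w" ]; then
            echo "$dir: writable by group or other ($perms)"; rc=1
        fi
        [ "$dir" = "$stop" ] && break
        [ "$dir" = "/" ] && break
        dir=$(dirname "$dir")
    done
    return $rc
}

# check_user_dir DIR GROUP
# The user-writable folder inside the chroot (Public in the tutorial) must
# belong to the SFTP group and be group-writable, but not world-writable.
check_user_dir() {
    dir=$1
    group=$2
    grp=$(stat -c '%G' "$dir") || return 2
    perms=$(stat -c '%A' "$dir") || return 2
    gw=$(printf '%s' "$perms" | cut -c6)
    ow=$(printf '%s' "$perms" | cut -c9)
    rc=0
    [ "$grp" = "$group" ] || { echo "$dir: group is $grp, expected $group"; rc=1; }
    [ "$gw" = "w" ] || { echo "$dir: not group-writable ($perms)"; rc=1; }
    [ "$ow" != "w" ] || { echo "$dir: world-writable ($perms)"; rc=1; }
    return $rc
}

# Usage on the server, for the lab user from the tutorial:
#   check_chroot_path /home/LAB/testusr && check_user_dir /home/LAB/testusr/Public testgrp
```

If check_chroot_path reports a component, the symptom on the client side is a connection that authenticates and then drops (sshd logs "bad ownership or modes for chroot directory"); fix the component it names rather than loosening anything else.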