In this tutorial we will look into setting up sftp server for users on Ubuntu 16 which will be authenticating through Active Directory. This will be a two step process consisting of first connecting Ubuntu server to Active Directory and then setting up SFTP for AD users.
Joining Ubuntu 16 to Active Directory
1. Install necessary software
sudo apt-get -y install ntp vim ntpdate winbind samba libnss-winbind libpam-winbind krb5-config krb5-locales krb5-user
When asked for domain name enter LAB.LOCAL
2. Make sure both AD and SFTP server both have same NTP source. The must be same or Kerberos authentication will fail. In our case DC is the NTP server for both. You can add following line to your ntp.conf server
sudo vim /etc/ntp.conf srever 192.168.0.80 iburst
sudo service ntp restart
3. Configure Kerberos by editing /etc/krb5.conf
sudo vim /etc/krb5.conf
[libdefaults] default_realm = LAB.LOCAL
4. Create token for AD user who can join AD domain
sudo kinit myuser
5. Make changes to Samba configuration to reflect your AD domain. Edit /etc/samba/smb.conf file. Make sure you change entries below to reflect your domain.
workgroup = LAB security = ADS realm = LAB.LOCAL encrypt passwords = yes
6. Edit nsswitch.conf file and change it to use users and groups of AD. Edit following file /etc/nsswitch.conf
sudo vi /etc/nsswitch.conf
Make sure following entries present
passwd: compat winbind group: compat winbind
7. Join the domain LAB.LOCAL
sudo net ads join -k
8. Run update
In our case all profiles are enabled.
9. Restart services
sudo service smbd restart sudo service nmbd restart sudo service winbind restart
10. Run test to make sure AD synncronization working fine.
wbinfo -u wbinfo -g wbinfo -i LAB getent passwd getent group
Setting up SFTP in this environment is a little tricky. We will need to be very careful with permissions or users will get access denied and authentication errors.
1. Edit /etc/ssh/sshd_config file and add lines below at the end of the file – It is very important that this lines added at the end.
sudo vim /etc/ssh/sshd_config
Add the following at the end
Match Group testgrp ChrootDirectory %h ForceCommand internal-sftp AllowTcpForwarding no AllowGroups testgrp
2. Run getent passwd
As you can see users home directories are under /home/LAB. Here is where we have to be really careful with permissions in order for setup to work properly.
3. We issue the following commands first to setup proper permissions.
sudo chown -R root:root /home sudo chmod -R 755 /home
4. The last step is to create Public folder and assigh read rite permissions for our testusr
mkdir -p /home/LAB/testusr/Public chown root:testgrp /home/LAB/testusr/Public chmod 775 /home/LAB/testusr/Public
At this point each user should have read write access to there Public folder.