Setup SFTP on UBUNTU 16.x with Active Directory authentication

Posted On January 6, 2017

In this tutorial we will look into setting up sftp server for users on Ubuntu 16 which will be authenticating through Active Directory. This will be a two step process consisting of first connecting Ubuntu server to Active Directory and then setting up SFTP for AD users.


Lab environment

  • Active Directory 2012 R2 Domain Controller – 192.168.0.80
  • Ubuntu 16.1 server – 192.168.0.81
  • AD Domain – LAB.LOCAL
  • Windows AD testusr user with Administrative permission in Active Directory
  • Windows AD testgrp group in Active Directory with users that will need sftp acecss

    • Joining Ubuntu 16 to Active Directory
    1. Install necessary software 

    sudo apt-get -y install ntp vim ntpdate winbind samba libnss-winbind libpam-winbind krb5-config krb5-locales krb5-user

    When asked for domain name enter LAB.LOCAL

    2. Make sure both AD and SFTP server both have same NTP source. The must be same or Kerberos authentication will fail. In our case DC is the NTP server for both. You can add following line to your ntp.conf server

    sudo vim /etc/ntp.conf
srever 192.168.0.80 iburst

    sudo service ntp restart

    3. Configure Kerberos by editing /etc/krb5.conf

    sudo vim /etc/krb5.conf
    [libdefaults]
	default_realm = LAB.LOCAL

    4. Create token for AD user who can join AD domain

    sudo kinit myuser

    5. Make changes to Samba configuration to reflect your AD domain. Edit /etc/samba/smb.conf file. Make sure you change entries below to reflect your domain.

    workgroup = LAB
security = ADS
realm = LAB.LOCAL
encrypt passwords = yes

    6. Edit nsswitch.conf file and change it to use users and groups of AD. Edit following file /etc/nsswitch.conf

    sudo vi /etc/nsswitch.conf

    Make sure following entries present

    passwd:  compat winbind
group:   compat winbind

    7. Join the domain LAB.LOCAL

    sudo net ads join -k

    8. Run update 

    sudo pam-auth-update

    In our case all profiles are enabled.

    9. Restart services 

    sudo service smbd restart
sudo service nmbd restart
sudo service winbind restart

    10. Run test to make sure AD synncronization working fine.

    wbinfo -u
wbinfo -g
wbinfo -i LAB
getent passwd
getent group

    SFTP Configuration
    Setting up SFTP in this environment is a little tricky. We will need to be very careful with permissions or users will get access denied and authentication errors.

    1. Edit /etc/ssh/sshd_config file and add lines below at the end of the file – It is very important that this lines added at the end. 

    sudo vim /etc/ssh/sshd_config

    Add the following at the end 

    Match Group testgrp
    ChrootDirectory %h
    ForceCommand internal-sftp
    AllowTcpForwarding no 
    AllowGroups testgrp

    2. Run getent passwd

    testusr:*:6107:5513:u1:/home/LAB/testusr:/bin/bash

    As you can see users home directories are under /home/LAB. Here is where we have to be really careful with permissions in order for setup to work properly.

    3. We issue the following commands first to setup proper permissions. 

    sudo chown -R root:root /home
sudo chmod -R 755 /home

    4. The last step is to create Public folder and assigh read rite permissions for our testusr

    mkdir -p /home/LAB/testusr/Public
chown root:testgrp /home/LAB/testusr/Public
chmod 775 /home/LAB/testusr/Public

    At this point each user should have read write access to there Public folder.