Setup SFTP on UBUNTU 16.x with Active Directory authentication

Posted On January 6, 2017

In this tutorial we will look into setting up sftp server for users on Ubuntu 16 which will be authenticating through Active Directory. This will be a two step process consisting of first connecting Ubuntu server to Active Directory and then setting up SFTP for AD users.

Lab environment

Active Directory 2012 R2 Domain Controller – 192.168.0.80

Ubuntu 16.1 server – 192.168.0.81

AD Domain – LAB.LOCAL

Windows AD testusr user with Administrative permission in Active Directory

Windows AD testgrp group in Active Directory with users that will need sftp acecss

Joining Ubuntu 16 to Active Directory
1. Install necessary software

sudo apt-get -y install ntp vim ntpdate winbind samba libnss-winbind libpam-winbind krb5-config krb5-locales krb5-user

When asked for domain name enter LAB.LOCAL

2. Make sure both AD and SFTP server both have same NTP source. The must be same or Kerberos authentication will fail. In our case DC is the NTP server for both. You can add following line to your ntp.conf server

sudo vim /etc/ntp.conf
srever 192.168.0.80 iburst

sudo service ntp restart

3. Configure Kerberos by editing /etc/krb5.conf

sudo vim /etc/krb5.conf

[libdefaults]
	default_realm = LAB.LOCAL

4. Create token for AD user who can join AD domain

sudo kinit myuser

5. Make changes to Samba configuration to reflect your AD domain. Edit /etc/samba/smb.conf file. Make sure you change entries below to reflect your domain.

workgroup = LAB
security = ADS
realm = LAB.LOCAL
encrypt passwords = yes

6. Edit nsswitch.conf file and change it to use users and groups of AD. Edit following file /etc/nsswitch.conf

sudo vi /etc/nsswitch.conf

Make sure following entries present

passwd:  compat winbind
group:   compat winbind

7. Join the domain LAB.LOCAL

sudo net ads join -k

8. Run update

sudo pam-auth-update

In our case all profiles are enabled.

9. Restart services

sudo service smbd restart
sudo service nmbd restart
sudo service winbind restart

10. Run test to make sure AD synncronization working fine.

wbinfo -u
wbinfo -g
wbinfo -i LAB
getent passwd
getent group

SFTP Configuration
Setting up SFTP in this environment is a little tricky. We will need to be very careful with permissions or users will get access denied and authentication errors.

1. Edit /etc/ssh/sshd_config file and add lines below at the end of the file – It is very important that this lines added at the end.

sudo vim /etc/ssh/sshd_config

Add the following at the end

Match Group testgrp
    ChrootDirectory %h
    ForceCommand internal-sftp
    AllowTcpForwarding no 
    AllowGroups testgrp

2. Run getent passwd

testusr:*:6107:5513:u1:/home/LAB/testusr:/bin/bash

As you can see users home directories are under /home/LAB. Here is where we have to be really careful with permissions in order for setup to work properly.

3. We issue the following commands first to setup proper permissions.

sudo chown -R root:root /home
sudo chmod -R 755 /home

4. The last step is to create Public folder and assigh read rite permissions for our testusr

mkdir -p /home/LAB/testusr/Public
chown root:testgrp /home/LAB/testusr/Public
chmod 775 /home/LAB/testusr/Public

At this point each user should have read write access to there Public folder.