In this tutorial we will look into setting up an SFTP server on Ubuntu 16 for users who authenticate through Active Directory. This is a two-step process: first joining the Ubuntu server to Active Directory, then setting up SFTP for the AD users.
Active Directory 2012 R2 Domain Controller – 192.168.0.80
Ubuntu 16.1 server – 192.168.0.81
AD Domain – LAB.LOCAL
Windows AD user testusr with administrative permissions in Active Directory
Windows AD group testgrp in Active Directory containing the users who will need SFTP access
Joining Ubuntu 16 to Active Directory
1. Install necessary software
sudo apt-get -y install ntp vim ntpdate winbind samba libnss-winbind libpam-winbind krb5-config krb5-locales krb5-user
When asked for domain name enter LAB.LOCAL
2. Make sure the AD domain controller and the SFTP server use the same NTP source. Their clocks must agree or Kerberos authentication will fail. In our case the DC is the NTP server for both. Add the following server line to /etc/ntp.conf:
sudo vim /etc/ntp.conf
server 192.168.0.80 iburst
sudo service ntp restart
3. Configure Kerberos by editing /etc/krb5.conf
sudo vim /etc/krb5.conf
default_realm = LAB.LOCAL
4. Obtain a Kerberos ticket for the AD user who is allowed to join machines to the domain
sudo kinit myuser
5. Edit /etc/samba/smb.conf so that it reflects your AD domain. Make sure the entries below are changed to match your domain.
workgroup = LAB
security = ADS
realm = LAB.LOCAL
encrypt passwords = yes
6. Edit /etc/nsswitch.conf so that users and groups are also looked up in AD.
sudo vi /etc/nsswitch.conf
Make sure the following entries are present:
passwd: compat winbind
group: compat winbind
7. Join the domain LAB.LOCAL
sudo net ads join -k
8. Run update
In our case all profiles are enabled.
9. Restart services
sudo service smbd restart
sudo service nmbd restart
sudo service winbind restart
10. Run a test to make sure AD synchronization is working.
wbinfo -i LAB
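Because most join failures come down to one of the three config files above not saying what the tutorial requires, it is worth having a quick lint for them before running net ads join. The script below is an added example and not part of the original tutorial; check_ad_join_config and make_sample_configs are names I chose, and the sample files it writes are constructed to mirror steps 3, 5 and 6 (the realm, workgroup and server address are the tutorial's, not real ones).

```shell
#!/bin/sh
# Added example (not from the original tutorial): lint the three files edited in
# steps 3, 5 and 6 for the settings the tutorial requires before attempting the join.
#
# check_ad_join_config KRB5_CONF SMB_CONF NSSWITCH_CONF
#   returns 0 when every expected setting is present, 1 otherwise, and
#   prints one line per missing setting.
check_ad_join_config() {
    krb5=$1; smb=$2; nss=$3; missing=0
    # krb5.conf (step 3): default_realm must be the AD domain in upper case
    grep -Eq '^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*LAB\.LOCAL[[:space:]]*$' "$krb5" \
        || { echo "krb5.conf: default_realm = LAB.LOCAL missing"; missing=1; }
    # smb.conf (step 5): the four settings from the tutorial; samba keys are case-insensitive
    for kv in 'workgroup=LAB' 'security=ADS' 'realm=LAB.LOCAL' 'encrypt passwords=yes'; do
        key=${kv%%=*}; val=${kv#*=}
        grep -Eiq "^[[:space:]]*${key}[[:space:]]*=[[:space:]]*${val}[[:space:]]*$" "$smb" \
            || { echo "smb.conf: $key = $val missing"; missing=1; }
    done
    # nsswitch.conf (step 6): winbind must be a source for both passwd and group
    for db in passwd group; do
        grep -Eq "^[[:space:]]*${db}:.*[[:space:]]winbind([[:space:]]|$)" "$nss" \
            || { echo "nsswitch.conf: $db does not include winbind"; missing=1; }
    done
    return $missing
}

# make_sample_configs DIR: write constructed copies of the three files into DIR
# (sample content only, modelled on the tutorial's values; not real config).
make_sample_configs() {
    d=$1
    printf '[libdefaults]\n\tdefault_realm = LAB.LOCAL\n' > "$d/krb5.conf"
    printf '[global]\n   workgroup = LAB\n   security = ADS\n   realm = LAB.LOCAL\n   encrypt passwords = yes\n' > "$d/smb.conf"
    printf 'passwd:         compat winbind\ngroup:          compat winbind\nshadow:         compat\n' > "$d/nsswitch.conf"
}

# Demo against the constructed samples; on a real server run it against /etc instead.
demo=$(mktemp -d)
make_sample_configs "$demo"
check_ad_join_config "$demo/krb5.conf" "$demo/smb.conf" "$demo/nsswitch.conf" \
    && echo "all AD join settings present"
rm -rf "$demo"
```

On the real server the call is check_ad_join_config /etc/krb5.conf /etc/samba/smb.conf /etc/nsswitch.conf; a non-zero return with the printed lines tells you which of steps 3, 5 or 6 was skipped.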
Setting up SFTP in this environment is a little tricky: the permissions must be exactly right or users will get access-denied and authentication errors.
1. Edit /etc/ssh/sshd_config and add the lines below at the end of the file. It is important that these lines go at the end, because a Match block applies to every directive that follows it.
sudo vim /etc/ssh/sshd_config
Add the following at the end:
Match Group testgrp
2. Run getent passwd
As you can see, the users' home directories are under /home/LAB. This is where we have to be really careful with permissions for the setup to work properly.
3. First set the ownership and permissions on /home with the following commands.
sudo chown -R root:root /home
sudo chmod -R 755 /home
4. The last step is to create the Public folder and assign read and write permissions for our testusr
mkdir -p /home/LAB/testusr/Public
chown root:testgrp /home/LAB/testusr/Public
chmod 775 /home/LAB/testusr/Public
At this point each user should have read and write access to their Public folder.
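The reason steps 3 and 4 are so sensitive is that sshd refuses a ChrootDirectory unless that directory and every parent component are owned by root and writable by nobody else, which is why /home and /home/LAB/testusr end up root-owned and 755 while only the Public subfolder is group-writable. The script below is an added example and not part of the original tutorial; it assumes the Match block for testgrp (of which the page shows only the first line) chroots each user to their home directory, and chroot_path_ok is a name I chose. It walks from a candidate chroot directory up to a stopping directory and reports every component that would make sshd reject the chroot. The owner uid is a parameter only so the function can be exercised on a constructed test tree that is not owned by root; in production leave it at the default of 0 and stop at /.

```shell
#!/bin/sh
# Added example (not from the original tutorial): verify the ownership and mode
# constraints sshd places on a ChrootDirectory and all of its parents.
#
# chroot_path_ok DIR STOP [OWNER_UID]
#   DIR        the would-be chroot, e.g. /home/LAB/testusr
#   STOP       top-most component to check (use / on a real server)
#   OWNER_UID  required owner, default 0 (root); overridable only for testing
# Returns 0 if every component passes, 1 if any violates the rule, 2 if a path
# cannot be read. Requires GNU stat (Ubuntu coreutils).
chroot_path_ok() {
    dir=$1; stop=$2; want_uid=${3:-0}; bad=0
    while :; do
        info=$(stat -c '%u %a' "$dir") || return 2
        set -- $info
        uid=$1; mode=$2
        # %a prints the octal mode without a leading zero, e.g. 755 or 1777;
        # the write bit is value 2 in the group digit and in the other digit.
        g=$(( (mode / 10) % 10 )); o=$(( mode % 10 ))
        if [ "$uid" != "$want_uid" ]; then
            echo "$dir: owned by uid $uid, expected $want_uid"; bad=1
        fi
        if [ $(( g & 2 )) -ne 0 ] || [ $(( o & 2 )) -ne 0 ]; then
            echo "$dir: mode $mode is group- or world-writable"; bad=1
        fi
        [ "$dir" = "$stop" ] && break
        parent=$(dirname "$dir")
        [ "$parent" = "$dir" ] && break   # reached the filesystem root
        dir=$parent
    done
    return $bad
}

# Demo on the tutorial's layout if it exists on this machine; otherwise skipped.
[ -d /home/LAB/testusr ] && chroot_path_ok /home/LAB/testusr / && echo "chroot path ok"
```

Note that Public is deliberately group-writable (775), so it can only ever be a subdirectory inside the chroot; pointing ChrootDirectory at it, or leaving /home/LAB group-writable, is exactly the kind of mistake this check flags.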