I am trying to set up an FTP server that authenticates against an LDAP server. This part is done and works. My server is VsFTPd on Ubuntu Server 11.04. But I have to create the home directories for my LDAP users. I am trying to use the pam_mkhomedir module but it is not working: when I add its line to the /etc/pam.d/vsftpd file, my users cannot log in to the FTP server anymore. The problem is that I have very little information on what is wrong. VsFTPd just responds 530: login incorrect and I could not find a way to get debug or error messages from pam_mkhomedir.

Here are my different configuration files. The /etc/pam.d/vsftpd file:

auth    required    pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed

auth        required    pam_ldap.so
account     required    pam_ldap.so
password    required    pam_ldap.so
session     optional    pam_mkhomedir.so skel=/home/skel debug

The /etc/vsftpd.conf file:


Permissions on /home and /home/skel:

root@ftp:/home# ls -al
total 16
drwxrwxrwx  4 root     root     4096 2011-10-11 21:19 .
drwxr-xr-x 21 root     root     4096 2011-09-27 13:32 ..
drwxrwxrwx  2 root     root     4096 2011-10-11 19:34 skel
drwxrwxrwx  5 foo      foo      4096 2011-10-11 21:11 foo

root@ftp:/home# ls -al skel/
total 16
drwxrwxrwx 2 root root 4096 2011-10-11 19:34 .
drwxrwxrwx 4 root root 4096 2011-10-11 21:19 ..
-rwxrwxrwx 1 root root 3352 2011-10-11 19:34 .bashrc
-rwxrwxrwx 1 root root  675 2011-10-11 19:34 .profile

Yes, I know, permissions are not properly set but security is not the issue here: I first need to get it to work.

So, to recapitulate: without pam_mkhomedir my LDAP users can log in, but they cannot do anything because they are in an empty chrooted jail. If I add pam_mkhomedir, they cannot log in anymore. If anyone has an idea why, or knows how to get more information from logs, I would be very grateful, thanks.

  • I would suggest you set the log level to 128 in slapd.conf (or ldap.conf) on the LDAP server and confirm that you are actually authenticating against LDAP. As I pointed out in http://serverfault.com/questions/318622/vsftpd-ldap-pam, using guest_enable means that ftp will log in as the FTP user on the user, which means that you will likely not be able to log in as the LDAP user. This error seems to confirm that. – Rilindo Oct 11 '11 at 20:05
  • Hmm, I misunderstood what you said on the previous thread then. I will look into that now. Thanks. – Totor Oct 11 '11 at 20:13
  • Here is my LDAP log (on the LDAP server) for a login on the FTP server: http://pastebin.com/WzHUaQmC I am not very sure how to read it, but it seems to me that it is OK, no? – Totor Oct 11 '11 at 20:49
  • Actually, my users were not a "posixAccount" class object in the LDAP server, resulting in some problems later on. – Totor Oct 11 '11 at 22:30
  • That seems right. Can we get the output of /var/log/secure and /var/log/messages (particularly the former)? – Rilindo Oct 12 '11 at 00:21
  • OK, so the problem was definitely the class of the LDAP users. The binding was working, but VsFTPd needs a posixAccount. So, as you said, with guest_enable, it defaulted to an ftp user. – Totor Oct 12 '11 at 19:49

3 Answers


Simple answer - it is necessary to enable session support in vsftpd.conf:


Perhaps not directly relevant to vsftpd, but something I ran across with SFTP is that pam_mkhomedir.so creates the homedir owned by the user:group - naturally, even if the skel files are owned by root. But chroot with SFTP wants root:root to own the chroot homedir for security reasons (with permissions 755). Even with the skel files owned by root.
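A check for the ownership rule described in this answer, as an added example (my own code, not from the answer, from OpenSSH or from pam_mkhomedir). The pure function `chroot_dir_problems` applies the rule to an owner, group and mode, and `check_chroot_path` walks a real path from the filesystem root down, since every parent of a chroot directory has to meet the same bar. The function and variable names are my own; the rule encoded is the one the answer states: root:root, not writable by group or others (0755).

```python
import os
import stat
from typing import Dict, List


def chroot_dir_problems(uid: int, gid: int, mode: int) -> List[str]:
    """Reasons a directory with this owner/group/mode is unsuitable as a chroot target.

    Encodes the rule from the answer above: the chroot directory must be owned by
    root:root and must not be writable by group or others (0755 is the usual choice).
    `mode` may include the file-type bits from os.stat(); only the permission bits matter.
    """
    perm = stat.S_IMODE(mode)
    problems: List[str] = []
    if uid != 0:
        problems.append(f"owned by uid {uid}, not root")
    if gid != 0:
        problems.append(f"group is gid {gid}, not root")
    if perm & stat.S_IWGRP:
        problems.append("group-writable")
    if perm & stat.S_IWOTH:
        problems.append("world-writable")
    return problems


def check_chroot_path(path: str) -> Dict[str, List[str]]:
    """Check `path` and every parent up to '/'; returns {component: problems}.

    An empty dict means the whole chain is acceptable. A home directory created by
    pam_mkhomedir as user:user will show up here as "owned by uid N, not root".
    """
    components: List[str] = []
    current = os.path.abspath(path)
    while True:
        components.append(current)
        parent = os.path.dirname(current)
        if parent == current:  # reached the filesystem root
            break
        current = parent

    results: Dict[str, List[str]] = {}
    for comp in reversed(components):  # report from '/' downwards
        st = os.lstat(comp)
        probs = chroot_dir_problems(st.st_uid, st.st_gid, st.st_mode)
        if not stat.S_ISDIR(st.st_mode):
            probs.append("not a directory")
        if probs:
            results[comp] = probs
    return results


if __name__ == "__main__":
    import sys

    # Usage: python check_chroot.py /home/foo   (path is whatever you chroot into)
    target = sys.argv[1] if len(sys.argv) > 1 else os.getcwd()
    findings = check_chroot_path(target)
    if not findings:
        print(f"{target}: acceptable as a chroot directory")
    for comp, probs in findings.items():
        print(f"{comp}: {', '.join(probs)}")
```

Run it against the user's home directory after the first login; a directory that pam_mkhomedir created will fail on ownership, which is exactly the mismatch this answer describes. The usual resolution for SFTP is to keep the chroot directory itself root-owned and give the user a writable subdirectory inside it.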


Take a look at /var/log/audit.log; you will see something like this:

type=USER_START msg=audit(1290252247.771:1669772): user pid=20068 uid=0 auid=0 msg='PAM: session open acct="quanta" : exe="/usr/sbin/vsftpd" (hostname=SVR040-763.localdomain, addr=, terminal=ftp res=failed)'

So, change the /etc/pam.d/vsftpd to:

auth       sufficient   pam_ldap.so     
account    sufficient   pam_ldap.so
password   sufficient   pam_ldap.so     
session    sufficient   pam_ldap.so     
session    required     pam_mkhomedir.so skel=/etc/skel/ umask=0022

and try again.

If you still get the errors "500 OOPS: cannot locate user entry:" or "500 OOPS: cannot change directory:", I suggest using autodir instead.

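A parser for audit records like the one quoted in this answer, as an added example (my own code, not from the answer, auditd or vsftpd). It pulls the fields out of auditd's PAM `USER_START` and `USER_AUTH` records and lists the session opens that PAM refused for a given service binary, which is the case where authentication succeeds but the client still only sees "530 Login incorrect" because a session-stack module such as pam_mkhomedir failed. Of the sample lines, only the first is the record from the answer; the `alice` account, the `client.example.test` hostname and the `192.0.2.10` address are constructed for the example.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample input. Line 1 is the record quoted in the answer; lines 2-4 are
# made up here to show a successful session open, an authentication record and junk.
SAMPLE_AUDIT_LINES = [
    "type=USER_START msg=audit(1290252247.771:1669772): user pid=20068 uid=0 auid=0 "
    "msg='PAM: session open acct=\"quanta\" : exe=\"/usr/sbin/vsftpd\" "
    "(hostname=SVR040-763.localdomain, addr=, terminal=ftp res=failed)'",
    "type=USER_START msg=audit(1290252301.004:1669780): user pid=20071 uid=0 auid=0 "
    "msg='PAM: session open acct=\"alice\" : exe=\"/usr/sbin/vsftpd\" "
    "(hostname=client.example.test, addr=192.0.2.10, terminal=ftp res=success)'",
    "type=USER_AUTH msg=audit(1290252247.700:1669771): user pid=20068 uid=0 auid=0 "
    "msg='PAM: authentication acct=\"quanta\" : exe=\"/usr/sbin/vsftpd\" "
    "(hostname=SVR040-763.localdomain, addr=, terminal=ftp res=success)'",
    "this line is not an audit record",
]

# Outer envelope: type=... msg=audit(<epoch>:<serial>): <body>
OUTER_RE = re.compile(
    r"^type=(?P<type>\S+)\s+msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s+(?P<body>.*)$"
)
# PAM body: msg='PAM: <op> acct="<user>" : exe="<binary>" (k=v, k=v ... res=<result>)'
INNER_RE = re.compile(
    r"""msg='PAM:\s+(?P<op>[^:]+?)\s+acct="(?P<acct>[^"]*)"\s*:\s*exe="(?P<exe>[^"]*)"\s*\((?P<kv>[^)]*)\)'"""
)


def parse_audit_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one auditd PAM record into a flat dict; None for lines that are not records."""
    m = OUTER_RE.match(line.strip())
    if not m:
        return None
    rec = {"type": m.group("type"), "ts": m.group("ts"), "serial": m.group("serial")}
    inner = INNER_RE.search(m.group("body"))
    if not inner:
        return rec  # an audit record without a PAM message body
    rec["op"] = inner.group("op").strip()
    rec["acct"] = inner.group("acct")
    rec["exe"] = inner.group("exe")
    # The trailer mixes ", " and " " as separators (note "terminal=ftp res=failed").
    for item in re.split(r"[,\s]+", inner.group("kv").strip()):
        key, _, value = item.partition("=")
        if key:
            rec[key] = value
    return rec


def failed_session_opens(lines: List[str], exe: str = "/usr/sbin/vsftpd") -> List[Dict[str, str]]:
    """USER_START records where PAM refused to open a session for `exe`.

    A refused session open (as opposed to a failed USER_AUTH) points at the session
    stack, e.g. pam_mkhomedir, rather than at the LDAP credentials.
    """
    hits = []
    for line in lines:
        rec = parse_audit_line(line)
        if rec and rec.get("type") == "USER_START" and rec.get("exe") == exe and rec.get("res") == "failed":
            hits.append(rec)
    return hits


def failures_by_account(lines: List[str], exe: str = "/usr/sbin/vsftpd") -> Counter:
    """Count refused session opens per account, useful for spotting one broken user vs. all of them."""
    return Counter(rec["acct"] for rec in failed_session_opens(lines, exe))


if __name__ == "__main__":
    # Usage with a real log: python pam_audit.py < /var/log/audit/audit.log
    import sys

    source = sys.stdin.read().splitlines() if not sys.stdin.isatty() else SAMPLE_AUDIT_LINES
    for rec in failed_session_opens(source):
        print(f"{rec['ts']} serial={rec['serial']} acct={rec['acct']} "
              f"host={rec.get('hostname', '?')} terminal={rec.get('terminal', '?')}: session open refused")
    print(dict(failures_by_account(source)))
```

Reading the output alongside `/var/log/auth.log` (Ubuntu) is the quickest way to tell the two failure modes apart: a refused `USER_AUTH` means the LDAP bind or account lookup failed, while a successful `USER_AUTH` followed by a refused `USER_START` means PAM got through the auth stack and a session module returned an error.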