
I have external clients who upload/download files via vsftpd FTP on Ubuntu 18.04. They use Linux accounts (not virtual), are chrooted and only need (and do) see under their own directories.

Now, their homes need to be somehow accessible from Windows for viewing and possibly editing uploads by our app admins and specific app operators, who are regular Windows AD users.

I would like to move their whole /home from a Windows AD share on our fileserver and make it accessible by specific AD security groups, but I am not sure whether this will work with Linux permissions. I explicitly would like to avoid sharing Ubuntu folders over the network.

The idea:

  • mount /home as CIFS share from AD fileserver.

  • vsftpd -- FTP users chroot to mounted /home -- each can read/write their own dir

  • Windows AD users -- can see the directories under Windows on their existing share, with proper AD security group can read/write any file under any home subdir

Would this work? If not, what else can I do? Maybe I need to move to virtual vsftpd users?

I have a couple of CIFS shares mounted on Ubuntu already, but they all map to a single uid/gid and I am not sure whether/how vsftpd would work with the above setup.

Gnudiff

2 Answers


Guessing here, but I would try 3 ways:

  1. Using AD users on Linux (maybe by using SSSD)
  2. Using Virtual Users on vsftpd (I think you'll need to ensure CIFS mounted filesystem files are owned by vsftpd user)
  3. Doing the opposite: install Samba and make admins & operators access files through it (the simpler solution IMHO)
JucaPirama

Turns out, even a mix of virtual and actual users works! The guide is for Ubuntu 18.04 LTS, but should work on other Linuxes as well, although the file locations may change.

So, one way of doing it is this:

  1. Create an appropriate directory on your CIFS server and set a single AD user with proper rights on it (e.g. unix_server_user@domain).
  2. Mount the CIFS share with the AD rights of unix_server_user and local user mapped to VSFTPD server user. /etc/fstab:

    //Your_CIFS_Server/share /mnt/cifs_homes cifs credentials=/etc/your_AD_password_data_file,uid=ftpuser,gid=ftpusers,file_mode=0770,dir_mode=0770 0 0

Obviously don't forget to set the password file to be only root accessible for some minor security bonus.

  3. /etc/vsftpd.conf should have at least these lines:

    local_enable=YES
    nopriv_user=ftpuser
    chroot_local_user=YES
    secure_chroot_dir=/var/run/vsftpd/empty
    pam_service_name=vsftpd
    user_config_dir=/etc/vsftpd.userconf

  4. You need to modify /etc/pam.d/vsftpd to support both virtual and local users:

Virtual users:

    auth sufficient pam_pwdfile.so pwdfile /etc/vsftpd.passwd
    account sufficient pam_permit.so

Adding virtual users is done via the htpasswd -d command on the /etc/vsftpd.passwd file. This file can also be root access only for some minor measure of security.

Note that pam_pwdfile appears to support only CRYPT encryption of the vsftpd.passwd file when using htpasswd, which is not secure, so you should generate passwords with openssl as described in link, or in addition use at least SSL or IP address restriction for FTP access.

Local users:

    auth required pam_shells.so

All of those lines should be present along with the usual @include common-* lines and whatever else you need in the vsftpd PAM file.

Add files for every local and virtual user in /etc/vsftpd.conf/ named as the user.

The local user should have just the normal values of idle_session_timeout or whatever you need. His homedir will be the usual /home or whatever is set in /etc/passwd.

The virtual users should have, in addition to whatever you need for a local user, these lines:

    chroot_local_user=YES
    local_root=/mnt/cifs_homes/$USER
    user_sub_token=$USER
    virtual_use_local_privs=YES
    guest_enable=YES
    nopriv_user=ftpuser
    guest_username=ftpusers

What you get in the end is:

1) From the Windows side, access is controlled with whatever AD users and groups you set AD permissions for. Just keep in mind unix_server_user@domain should have write access to it, unless you want read-only FTP.

2) From Unix, all virtual users' access is mapped to ftpuser.ftpusers. Local users use the Unix server /home as usual.

3) All FTP logins are chrooted to their respective homedir and can read and write in it.

Gnudiff
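An added check (example code, not from the answer above): a small Python audit of an htpasswd-format /etc/vsftpd.passwd that flags every user whose hash is not SHA-2 crypt, such as the 13-character DES hashes `htpasswd -d` writes, and reports whether the file is readable beyond its owner. The sample file and its hash values are constructed placeholders.

```python
import os
import re
import tempfile

# Hash prefixes as they appear in an htpasswd-style user:hash file; only the
# SHA-2 crypt schemes (what `openssl passwd -5` / `-6` emit) count as acceptable.
SCHEMES = (("$6$", "sha512-crypt"), ("$5$", "sha256-crypt"),
           ("$1$", "md5-crypt"), ("$apr1$", "apr1-md5"))
ACCEPTABLE = {"sha512-crypt", "sha256-crypt"}
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")  # traditional crypt, what `htpasswd -d` writes


def classify_hash(h: str) -> str:
    for prefix, name in SCHEMES:
        if h.startswith(prefix):
            return name
    return "des-crypt" if DES_RE.match(h) else "unknown"


def audit_passwd(path: str) -> dict:
    # Flag every user whose hash is not SHA-2 crypt, plus a file readable beyond its owner.
    findings = {"readable_beyond_owner": bool(os.stat(path).st_mode & 0o077), "flagged": {}}
    with open(path) as f:
        for line in f:
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            user, _, h = line.partition(":")
            scheme = classify_hash(h)
            if scheme not in ACCEPTABLE:
                findings["flagged"][user] = scheme
    return findings


# Constructed sample file: the hashes are placeholders of the right shape, not real credentials.
SAMPLE_LINES = [
    "alice:$6$saltsalt$" + "A" * 86,    # SHA-512 crypt, as from `openssl passwd -6`
    "bob:abJnggxhB/yWI",                # 13-char DES crypt, as from `htpasswd -d`
    "carol:$1$saltsalt$" + "B" * 22,    # MD5 crypt
    "dave:$apr1$saltsalt$" + "C" * 22,  # Apache MD5, as from `htpasswd -m`
]


def demo_audit(mode: int = 0o644) -> dict:
    # Write the sample with the given permission bits, audit it, then remove it.
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "w") as f:
        f.write("\n".join(SAMPLE_LINES) + "\n")
    os.chmod(path, mode)
    try:
        return audit_passwd(path)
    finally:
        os.unlink(path)
```

Run `audit_passwd("/etc/vsftpd.passwd")` as root on the real file; anything listed under `flagged` should be regenerated with `openssl passwd -6`.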