Turns out, even mix of virtual and actual users works! The guide is for Ubuntu 18.04 LTS, but should work on other Linuxes as well, although the file locations may change.
So, one way of doing it is this:
- Create an appropriate directory on your CIFS server and set a single AD user with proper rights on it (e.g. unix_server_user@domain).
- Mount the CIFS share with the AD rights of unix_server_user and local user mapped to VSFTPD server user.
/etc/fstab:

```
//Your_CIFS_Server/share /mnt/cifs_homes cifs credentials=/etc/your_AD_password_data_file,uid=ftpuser,gid=ftpusers,file_mode=0770,dir_mode=0770 0 0
```
Obviously, don't forget to make the password file root-accessible only for some minor security bonus.
/etc/vsftpd.conf should have at least these lines:

```
local_enable=YES
nopriv_user=ftpuser
chroot_local_user=YES
secure_chroot_dir=/var/run/vsftpd/empty
pam_service_name=vsftpd
user_config_dir=/etc/vsftpd.userconf
```
- You need to modify /etc/pam.d/vsftpd to support both virtual and local users:

Virtual users:

```
auth sufficient pam_pwdfile.so pwdfile /etc/vsftpd.passwd
account sufficient pam_permit.so
```
Adding virtual users is done via the htpasswd -d command on the /etc/vsftpd.passwd file. This file can also be root-access only for some minor measure of security.
Note that pam_pwdfile appears to support only CRYPT encryption of the vsftpd.passwd file when using htpasswd, which is not secure, so you should generate passwords with openssl as described in link, or in addition use at least SSL or IP address restriction for FTP access.
Local users:

```
auth required pam_shells.so
```

All of those lines should be present along with the usual @include common-* lines and whatever else you need in the vsftpd PAM file.
Add a file for every local and virtual user in /etc/vsftpd.conf/, named after the user.
The local user should have just the normal values of idle_session_timeout or whatever you need. Their home directory will be the usual /home or whatever is set in /etc/passwd.
The virtual users should have, in addition to whatever you need for a local user, these lines:

```
chroot_local_user=YES
local_root=/mnt/cifs_homes/$USER
user_sub_token=$USER
virtual_use_local_privs=YES
guest_enable=YES
nopriv_user=ftpuser
# guest_username takes a user name: the virtual login runs as ftpuser, the uid
# the CIFS share is mounted with (ftpusers is its group)
guest_username=ftpuser
```
What you get in the end is:
1) From the Windows side, access is controlled by whatever AD users and groups you set AD permissions for. Just keep in mind that unix_server_user@domain should have write access to it, unless you want read-only FTP.
2) From the Unix side, all virtual user access is mapped to ftpuser.ftpusers. Local users use the Unix server's /home as usual.
3) All FTP logins are chrooted to their respective home directory and can read and write in it.
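The following shell helpers are an added example, not code from the original answer. They cover the virtual-user side of the setup above: building /etc/vsftpd.passwd entries with a SHA-512 crypt hash (via openssl, instead of the DES crypt that htpasswd -d produces), keeping that file root-only, writing the per-user file that vsftpd loads from user_config_dir, and listing any entries still using DES crypt. The function names, the scratch-directory parameters and the test account names are assumptions of this example; it also assumes the libpam-pwdfile build on the host compares hashes with glibc crypt(3), which accepts $6$ hashes, so confirm with a test login before converting real accounts.

```shell
#!/bin/sh
# Added example, not code from the original answer. Helper functions for the
# virtual-user side of the setup: build /etc/vsftpd.passwd entries with a
# SHA-512 crypt hash instead of the DES crypt that htpasswd -d produces, keep
# the file root-only, write the per-user file vsftpd loads from
# user_config_dir, and flag any remaining DES-crypt entries. File paths are
# parameters so the functions can be run against a scratch directory first.
set -eu

# Print "user:$6$..." for pam_pwdfile. Assumption: the libpam-pwdfile build on
# the host compares hashes with glibc crypt(3), which accepts $6$ hashes;
# confirm with a test login before converting real accounts.
make_pwdfile_entry() {
    user="$1"; pass="$2"
    case "$user" in
        ""|*[!a-z0-9_-]*) echo "make_pwdfile_entry: bad username '$user'" >&2; return 1 ;;
    esac
    hash=$(printf '%s' "$pass" | openssl passwd -6 -stdin)
    printf '%s:%s\n' "$user" "$hash"
}

# Add or replace one user's line in the password file atomically; the file is
# (re-)created with mode 0600 so only root can read the hashes.
upsert_pwdfile_entry() {
    pwdfile="$1"; user="$2"; pass="$3"
    entry=$(make_pwdfile_entry "$user" "$pass")
    tmp=$(mktemp "$pwdfile.XXXXXX")
    {
        if [ -f "$pwdfile" ]; then grep -v "^$user:" "$pwdfile" || true; fi
        printf '%s\n' "$entry"
    } > "$tmp"
    chmod 0600 "$tmp"
    mv "$tmp" "$pwdfile"
}

# Write the per-user config for a virtual user, mirroring the lines from the
# answer. $USER is escaped so vsftpd, not the shell, expands it through
# user_sub_token. The guest account is ftpuser, the uid the CIFS share is
# mounted with. vsftpd reads the file as root, so 0600 is enough.
write_virtual_user_config() {
    confdir="$1"; user="$2"; cifs_root="$3"
    cat > "$confdir/$user" <<EOF
chroot_local_user=YES
local_root=$cifs_root/\$USER
user_sub_token=\$USER
virtual_use_local_privs=YES
guest_enable=YES
nopriv_user=ftpuser
guest_username=ftpuser
EOF
    chmod 0600 "$confdir/$user"
}

# List users whose hash has no $id$ prefix, i.e. legacy 13-character DES
# crypt as produced by htpasswd -d; these should be re-set with the above.
weak_crypt_users() {
    awk -F: '$2 !~ /^\$/ { print $1 }' "$1"
}
```

Run it against a scratch directory first (for example `upsert_pwdfile_entry /tmp/scratch/vsftpd.passwd alice 'secret'` followed by `weak_crypt_users /tmp/scratch/vsftpd.passwd`), then point the functions at /etc/vsftpd.passwd and the directory named in user_config_dir.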