vsftpd, winbind, and opensuse 10.3

Hi,

I am attempting to get vsftpd working and authenticating against Active Directory. I was able to join my domain during the 10.3 install and am able to login with AD users at the console. That part is working great. What’s not working so well is ftp access.

I am able to connect to ftp no problems but am unable to authenticate with an AD user. I am able to authenticate with a local user so it’s almost as if my vsftpd pam file is incorrect for winbind. I’ve followed various tutorials and how-to’s on vsftpd, winbind, and pam but have not had any success.

I have since gone back to the original pam.d files and am starting again from square one.

Here is my current vsftpd pam file:

#%PAM-1.0
# Uncomment this to achieve what used to be ftpd -A.
# auth required pam_listfile.so item=user sense=allow file=/etc/ftpchroot onerr=fail
auth required pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
# Uncomment the following line for anonymous ftp.
#auth sufficient pam_ftp.so
auth sufficient pam_shells.so debug
auth include common-auth debug
account include common-account
password include common-password
session required pam_loginuid.so
session include common-session

common-auth file contains these three lines:
auth required pam_env.so
auth sufficient pam_unix2.so
auth required pam_winbind.so use_first_pass

common-account file:
account requisite pam_unix2.so
account sufficient pam_localuser.so
account required pam_winbind.so use_first_pass

common-password file:
password sufficient pam_winbind.so
password requisite pam_pwcheck.so nullok cracklib
password required pam_unix2.so use_authtok nullok

common-session file:
session optional pam_mkhomedir.so
session required pam_limits.so
session required pam_unix2.so
session required pam_winbind.so
session optional pam_umask.so

I tried tailing /var/messages while attempting to authenticate to vsftp. I can tell that it is successfully searching AD for the username: when I enter a non-existent user the log file shows no such user, PAM error was User not known to underlying authentication module, NT error was NT_STATUS_NO_SUCH_USER.

When I try and authenticate with a user that is in AD I get the following:

[pid 4906] CONNECT: Client “127.0.0.1”
[pid 4906] FTP response: Client “127.0.0.1”, “220 Welcom to FTP”
[pid 4906] FTP command: Client “127.0.0.1”, “USER testuser”
[pid 4906] [testuser] FTP response: Client “127.0.0.1”, “331 Please specify the password.”
[pid 4906] [testuser] FTP command: Client “127.0.0.1”, “PASS <password>”
sftp vsftpd: pam_winbind(vsftpd:auth): getting password (0x00000380)

[pid 4905] [testuser] FAIL LOGIN: Client “127.0.0.1”
[pid 4906] [testuser] FTP response: Client “127.0.0.1”, “530 Login incorrect.”

wbinfo -u and wbinfo -g both work, and I double-checked that I had successfully joined the domain with net ads testjoin, which returns Join is OK.

I’ve also looked at log.winbindd but that file contained nothing indicating any errors.

I’m not sure where or what else to look for. It leaves me scratching my head a bit as gnome is using the same pam.d files and is able to auth against AD just fine.
So at this point any suggestions appreciated!
Thanks,
Cy.

It may be a passive or not ftp issue. Try both methods and see if one may work.

Thanks for the suggestion, not sure that’s it as I am able to connect with a local user account.

Just am not able to authenticate with an active directory domain account.

With a bit of rereading of the Samba docs I resolved my problem. I’m posting the solution as it’s annoying to find a post related to your problem with no solution.

Anyhow there was actually no problem. I was just not aware that users have to log in using domain\username as their username.

I was a bit lost as the PAM messages in /var/log/messages appeared as if winbind had been able to find the domain user account.

Side note, I also found you can eliminate the need to log in with domain\username by setting the winbind use default domain option in the smb.conf file.
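To make the control flow of the stack posted at the top of the thread concrete, here is an added Python replay of it. It is not vsftpd, PAM or Samba code and was not written by anyone in the thread. It copies the posted vsftpd, common-auth and common-account files as strings, expands the include lines, and replays the four classic Linux-PAM control keywords (required, requisite, sufficient, optional) using the value-to-action tables from pam.conf(5). The per-module results in each scenario are assumptions chosen to match the thread: pam_unix2 does not know the AD account, pam_winbind only recognises it when it is given as DOMAIN\username (the resolution above), and pam_shells rejects a winbind template shell that is not listed in /etc/shells. The replay also shows something the log does not: with `auth sufficient pam_shells.so` as posted (the SUSE default line is `auth required pam_shells.so`), a local user whose shell is in /etc/shells is accepted at that line before any password module runs, so that keyword should be changed back to `required`.

```python
"""Replay of Linux-PAM control flow for the vsftpd auth stack posted above.

Constructed example: the PAM files are copied from the thread as strings,
and each module's result per scenario is an assumption, not captured data.
"""

# Constructed copies of the posted files (comment lines removed).
PAM_FILES = {
    "vsftpd": """\
auth required pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
auth sufficient pam_shells.so debug
auth include common-auth debug
account include common-account
""",
    "common-auth": """\
auth required pam_env.so
auth sufficient pam_unix2.so
auth required pam_winbind.so use_first_pass
""",
    "common-account": """\
account requisite pam_unix2.so
account sufficient pam_localuser.so
account required pam_winbind.so use_first_pass
""",
}

# How pam.conf(5) defines the classic keywords as [value=action] tables.
CONTROLS = {
    "required": {"success": "ok", "default": "bad"},
    "requisite": {"success": "ok", "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional": {"success": "ok", "default": "ignore"},
}


def parse_stack(service, phase, files=PAM_FILES):
    """Return [(control, module, args)] for one phase, expanding 'include'."""
    stack = []
    for raw in files[service].splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if fields[0] != phase:
            continue
        control, module, args = fields[1], fields[2], fields[3:]
        if control == "include":
            stack.extend(parse_stack(module, phase, files))
        else:
            stack.append((control, module, args))
    return stack


def run_stack(stack, outcomes):
    """Replay a stack. outcomes maps module -> 'success' or an error name
    (e.g. 'auth_err', 'user_unknown'); unlisted modules succeed.
    Returns (result, deciding_module, trace)."""
    first_bad = None
    trace = []
    for control, module, _args in stack:
        value = outcomes.get(module, "success")
        action = CONTROLS[control].get(value, CONTROLS[control]["default"])
        trace.append((module, control, value, action))
        if action == "die":                      # requisite: stop immediately
            return "fail", module, trace
        if action == "bad" and first_bad is None:
            first_bad = module                   # required: remember, keep going
        if action == "done":                     # sufficient: return now...
            if first_bad is None:
                return "success", module, trace
            return "fail", first_bad, trace      # ...unless a required module failed
    if first_bad is not None:
        return "fail", first_bad, trace
    return "success", stack[-1][1], trace


def vsftpd_auth(outcomes, files=PAM_FILES):
    """Result of the vsftpd 'auth' phase as (result, deciding_module)."""
    return run_stack(parse_stack("vsftpd", "auth", files), outcomes)[:2]


def with_required_shells(files=PAM_FILES):
    """The same files with the SUSE default 'auth required pam_shells.so'."""
    fixed = dict(files)
    fixed["vsftpd"] = files["vsftpd"].replace(
        "auth sufficient pam_shells.so debug", "auth required pam_shells.so")
    return fixed


# Assumed per-module results for the thread's situations (constructed).
AD_USER_NO_DOMAIN = {       # 'testuser': winbind wants DOMAIN\testuser
    "pam_shells.so": "auth_err",        # template shell not in /etc/shells
    "pam_unix2.so": "user_unknown",
    "pam_winbind.so": "user_unknown",
}
AD_USER_WITH_DOMAIN = {     # 'DOMAIN\testuser': winbind succeeds
    "pam_shells.so": "auth_err",
    "pam_unix2.so": "user_unknown",
}
LOCAL_USER_WRONG_PASSWORD = {
    "pam_unix2.so": "auth_err",
    "pam_winbind.so": "user_unknown",
}

if __name__ == "__main__":
    scenarios = [("AD user, no domain", AD_USER_NO_DOMAIN),
                 ("AD user, DOMAIN\\user", AD_USER_WITH_DOMAIN),
                 ("local user, wrong password", LOCAL_USER_WRONG_PASSWORD)]
    for name, outcomes in scenarios:
        for label, files in [("as posted", PAM_FILES),
                             ("pam_shells required", with_required_shells())]:
            result, decider = vsftpd_auth(outcomes, files)
            print(f"{name:28} {label:20} -> {result} (decided by {decider})")
```

Running the script prints, for each scenario, which module ended the stack and with what result; the "local user, wrong password / as posted" line is the one to look at, since it succeeds at pam_shells.so without pam_unix2 or pam_winbind ever seeing the password.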