napp-it ProFTP how to authenticate user against 2008 Active Directory

KarlMayer

We run OmniOS 151016 with the latest napp-it release.
User authentication goes through a Windows Server 2008R2 AD.
We created an admin user in Active Directory and gave the user full access on every share, using the ACL extension wizard in napp-it.
The read and write rights are given by this admin user on a Windows console to every Active Directory user individually.
We do not use idmap on the Solaris side to minimize the administrative effort.
On checking the ACL per console, the AD SIDs are shown.
The environment is up and running and authentication works well. (It hangs sometimes, for example with Acronis when trying to run backups with the boot media, but that's another thing.)

How does the authentication work with ProFTP?
Right now, with the basic ProFTP configuration, our AD users can't connect to their home directories. How does it work to authenticate our AD users on ProFTP?
Does ProFTP read the CIFS/ZFS ACL?
Please let me know which further information you need to give me a hint or a configuration example. Many thanks for your efforts.

The standard ProFTP configuration:
# This is a basic ProFTPD configuration file (rename it to
# 'proftpd.conf' for actual use. It establishes a single server
# and a single anonymous login. It assumes that you have a user/group
# "nobody" and "ftp" for normal operation and anon.

ServerName			"ProFTPD Default Installation"
ServerType			standalone
DefaultServer			on

# Port 21 is the standard FTP port.
Port				21

# Don't use IPv6 support by default.
UseIPv6				off

# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable.
Umask				022

# To prevent DoS attacks, set the maximum number of child processes
# to 30. If you need to allow more than 30 concurrent connections
# at once, simply increase this value. Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd).
MaxInstances			30

# Set the user and group under which the server will run.
User				nobody
Group				nogroup

# To cause every FTP user to be "jailed" (chrooted) into their home
# directory, uncomment this line.
#DefaultRoot ~

# Normally, we want files to be overwriteable.
AllowOverwrite		on

# Bar use of SITE CHMOD by default
<Limit SITE_CHMOD>
  DenyAll
</Limit>

# A basic anonymous configuration, no upload directories. If you do not
# want anonymous users, simply delete this entire <Anonymous> section.
<Anonymous ~ftp>
  User				ftp
  Group				ftp

  # We want clients to be able to login with "anonymous" as well as "ftp"
  UserAlias			anonymous ftp

  # Limit the maximum number of anonymous logins
  MaxClients			10

  # We want 'welcome.msg' displayed at login, and '.message' displayed
  # in each newly chdired directory.
  DisplayLogin			welcome.msg
  DisplayChdir			.message

  # Limit WRITE everywhere in the anonymous chroot
  <Limit WRITE>
    DenyAll
  </Limit>
</Anonymous>

gea

There is no simple way to use AD accounts for ProFTP, and there is no way for ProFTP
to be aware of Windows ACLs (with Windows SIDs and Windows ACL inheritance).

The best solution, if you need FTP with AD users where Windows ACLs matter,
is to use the FTP server on Windows Server with the FTP folder as a share on OmniOS/ZFS.