Packetwatch.net

ProFTPD with Active Directory in FreeBSD



Last modified: Feb. 20, 2010

Contents
1 - Summary
2 - Dependencies
3 - ProFTPD installation
4 - Service configuration
5 - Service check


1 - Summary

This guide will show how to install proftpd in FreeBSD. ProFTPD is FTP server
software. In this guide the FreeBSD computer has already been joined to a
Windows 2003 Active Directory domain, so FTP logins can be authenticated
against Active Directory and filesystem permissions can be granted to domain
accounts and groups. This has been tested in FreeBSD 8.0.


2 - Dependencies

In this example we will be using Test.local for the Active Directory domain.
This assumes that the computer already has samba configured to use Active
Directory, with winbind resolving domain users and groups so that names such
as "Domain Users" can be used with chown and setfacl. The partition where the
ftp site is stored needs to have ACLs enabled on it; without them the setfacl
step later in this guide fails with "Operation not supported". Here is what it
looks like by default.
# mount | grep /data
/dev/ad0s1h on /data (ufs, local, soft-updates)

Modify /etc/fstab to have acls on the /data partition.
  /dev/ad0s1h             /data           ufs     rw,acls         2       2
# sudo cp /etc/fstab /etc/fstab.original
Password:
# sudo vi /etc/fstab
Password:
# sudo shutdown -r now
Password:
# mount | grep /data
/dev/ad0s1h on /data (ufs, local, soft-updates, acls)


3 - ProFTPD installation

# sudo pkg_add -r proftpd
Password:


4 - Service configuration

Find where the proftpd daemon was installed to.
# pkg_info -L proftpd-* | grep sbin
/usr/local/sbin/ftpshut
/usr/local/sbin/in.proftpd
/usr/local/sbin/proftpd

Edit /etc/rc.conf.local so that the proftpd service will start when the system
starts up. Somewhere in the file add the following.
  proftpd_enable="YES"
# sudo vi /etc/rc.conf.local
Password:

Find where the configuration file should be put.
# pkg_info -L proftpd-* | grep rc.d
/usr/local/etc/rc.d/proftpd
# grep proftpd.conf /usr/local/etc/rc.d/proftpd 
required_files=/usr/local/etc/proftpd.conf
# strings /usr/local/sbin/proftpd | grep proftpd.conf
/usr/local/etc/proftpd.conf
      /usr/local/etc/proftpd.conf

You can create your own configuration file. Here is a simple example. The
directives that matter for security are DefaultRoot, which confines every
session to the backups share; the <Limit LOGIN> block, which admits only the
backups account and denies everyone else; RequireValidShell off, which is
needed because domain accounts normally have no shell listed in /etc/shells;
and ServerIdent, which replaces the default banner that would reveal the
version. Note that Umask 077 022 keeps uploaded files private to their owner
but leaves new directories world-readable; tighten the second value if that is
not wanted. Also note that this is plain FTP, so the Active Directory password
crosses the network in cleartext; keep the server on a trusted network or add
ProFTPD's TLS support, which this guide does not cover. Afterwards, check the
syntax.
  AllowOverwrite on
  AllowStoreRestart on
  DefaultAddress server
  DefaultRoot /data/shares/backups/
  DefaultServer on
  DelayEngine off
  DisplayLogin /etc/motd
  DisplayConnect /etc/issue
  ExtendedLog /var/log/proftpd_extended.log
  Group nogroup
  IdentLookups off
  MaxClients 20
  MaxInstances 30
  Port 21
  RequireValidShell off
  ServerIdent on "FTP server ready"
  ServerName server
  ScoreboardFile /var/run/proftpd.scoreboard
  SyslogFacility AUTH
  SyslogLevel INFO
  Umask 077 022
  UseIPv6 off
  User nobody
  UseReverseDNS off

  <Limit LOGIN>
  AllowUser backups
  DenyAll
  </Limit>
# pkg_info -L proftpd-* | grep proftpd.conf
/usr/local/etc/proftpd.conf.sample
/usr/local/include/proftpd/conf.h
/usr/local/include/proftpd/config.h
# sudo cp /usr/local/etc/proftpd.conf.sample /usr/local/etc/proftpd.conf
Password:
# sudo cp /usr/local/etc/proftpd.conf /usr/local/etc/proftpd.conf.example
Password:
# sudo vi /usr/local/etc/proftpd.conf
Password:
# sudo /usr/local/sbin/proftpd -t -c /usr/local/etc/proftpd.conf
Password:
Checking syntax of configuration file
 - setting default address to 192.168.1.50
Syntax check complete.

Create the share and set its ownership and ACL. Ownership goes to the domain
Administrator account and the Domain Users group (both resolved through
winbind), and the backups account gets rwx on the server's directory through
an ACL entry, so uploads work without making the directory group- or
world-writable. The mask entry in the getfacl output caps what named users
and groups can actually exercise; a later chmod on the directory rewrites that
mask and can silently take the backups account's write access away.
# sudo mkdir -p /data/shares/backups/server.test.local/
Password:
# sudo chown -R "Administrator":"Domain Users" /data/shares/backups/
Password:
# ls -l /data/shares/
total 2
drwxr-xr-x  2 administrator  domain users  512 Feb 12 11:30 backups
# cd /data/shares/
# ls -l
total 2
drwxr-xr-x  15 administrator  domain users  512 Feb 12 12:28 backups
# cd backups/
# ls -l
total 26
drwxr-xr-x  2 administrator  domain users  512 Feb 12 12:28 server.test.local
# sudo setfacl -m u:backups:rwx server.test.local/
Password:
# getfacl server.test.local/
# file: server.test.local/
# owner: administrator
# group: domain users
user::rwx
user:backups:rwx
group::r-x
mask::rwx
other::r-x

Modify the pam file for ftp to allow it to use Active Directory accounts. Add
the following line at the top of the auth section, ahead of the stock pam_unix
line: "sufficient" means a successful winbind authentication satisfies the
stack on its own, whereas a "required" pam_unix failure recorded before it
would still make the login fail.
  auth            sufficient      /usr/local/lib/pam_winbind.so
# pkg_info -L samba* | grep pam_winbind.so
/usr/local/lib/pam_winbind.so
# sudo cp /etc/pam.d/ftp /etc/pam.d/ftp.original
Password:
# sudo vi /etc/pam.d/ftp
Password:

Start the proftpd service.
# sudo /usr/local/etc/rc.d/proftpd start
Password:
Starting proftpd.
 - setting default address to 192.168.1.50
# sudo cat /var/run/proftpd.pid 
Password:
1450


5 - Service check

Reboot your computer. Log in like normal and check that the proftpd service is
running. That's it, now you have proftpd with Active Directory running in
FreeBSD.
# sudo shutdown -r now
Password:
# sudo /usr/local/etc/rc.d/proftpd status
Password:
proftpd is running as pid 598.
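The checks in this guide are done by eye. The script below is an added example, not part of the original Packetwatch page, that audits the same things from their text output: that the /data mount carries the acls option, that the backups account's effective ACL rights (its entry ANDed with the mask) are still rwx, that /etc/pam.d/ftp consults pam_winbind before pam_unix, and that proftpd.conf sets DefaultRoot and restricts login to an explicit AllowUser list closed by DenyAll. The inputs are constructed copies of the output shown above (the PAM fragments and the masked getfacl listing are assumed, not taken from the page) so the script runs offline; the live substitutions are noted in the header comment.

```shell
#!/bin/sh
# Added pre-flight audit for the ProFTPD + Active Directory setup in this
# guide. Not part of the original Packetwatch page. The inputs below are
# constructed copies of the output shown in the guide so the script runs
# offline; on a live host substitute (paths are the guide's):
#   MOUNT_LINE=$(mount | grep ' /data ')
#   GETFACL_OUT=$(getfacl /data/shares/backups/server.test.local)
#   PAM_FTP=$(cat /etc/pam.d/ftp)
#   PROFTPD_CONF=$(cat /usr/local/etc/proftpd.conf)

MOUNT_LINE='/dev/ad0s1h on /data (ufs, local, soft-updates, acls)'

GETFACL_OUT='# file: server.test.local/
# owner: administrator
# group: domain users
user::rwx
user:backups:rwx
group::r-x
mask::rwx
other::r-x'

# Constructed: the same directory after "chmod 755", which on POSIX.1e ACLs
# rewrites the mask and so strips the named user's write bit.
GETFACL_MASKED='user::rwx
user:backups:rwx
group::r-x
mask::r-x
other::r-x'

# Constructed /etc/pam.d/ftp fragments: pam_winbind ahead of pam_unix (good)
# and behind it (a "required" pam_unix failure would already sink the login).
PAM_FTP='# auth
auth            sufficient      /usr/local/lib/pam_winbind.so
auth            required        pam_unix.so             no_warn try_first_pass
# account
account         required        pam_nologin.so
account         required        pam_unix.so'
PAM_LATE='auth            required        pam_unix.so             no_warn try_first_pass
auth            sufficient      /usr/local/lib/pam_winbind.so'

# Constructed: the security-relevant lines of the guide's proftpd.conf.
PROFTPD_CONF='  DefaultRoot /data/shares/backups/
  RequireValidShell off
  Umask 077 022
  <Limit LOGIN>
  AllowUser backups
  DenyALL
  </Limit>'

mount_has_acls() {   # $1 = one line of mount(8) output; true if "acls" is an option
    printf '%s\n' "$1" | grep -Eq '\((.*, )?acls(, .*)?\)'
}

acl_effective() {    # $1 = getfacl(1) output, $2 = named user; prints e.g. rwx, r-x, none
    printf '%s\n' "$1" | awk -F: -v u="$2" '
        $1 == "user" && $2 == u  { p = $3 }
        $1 == "mask" && $2 == "" { m = $3 }
        END {
            if (p == "") { print "none"; exit }
            if (m == "") { print p; exit }      # no mask entry: entry applies as-is
            out = ""
            for (i = 1; i <= 3; i++) {          # effective = entry AND mask, bit by bit
                c = substr(p, i, 1)
                out = out ((c != "-" && c == substr(m, i, 1)) ? c : "-")
            }
            print out
        }'
}

pam_auth_uses_winbind() {   # $1 = PAM file contents; true if a sufficient winbind line precedes pam_unix
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*(#|$)/ { next }
        $1 == "auth" && $2 == "sufficient" && $3 ~ /pam_winbind\.so$/ && !w { w = NR }
        $1 == "auth" && $3 ~ /pam_unix\.so$/ && !u { u = NR }
        END { exit !(w && (!u || w < u)) }'
}

conf_has_chroot() {         # $1 = proftpd.conf contents (directive names are case-insensitive)
    printf '%s\n' "$1" | awk 'tolower($1) == "defaultroot" { f = 1 } END { exit !f }'
}

conf_login_allowlist() {    # prints AllowUser names inside <Limit LOGIN>; fails if no DenyAll closes it
    printf '%s\n' "$1" | awk '
        tolower($1) == "<limit" && tolower($2) == "login>" { in_l = 1; next }
        tolower($1) == "</limit>"                          { in_l = 0; next }
        in_l && tolower($1) == "allowuser" { $1 = ""; sub(/^ +/, ""); print }
        in_l && tolower($1) == "denyall"   { deny = 1 }
        END { exit !deny }'
}

run_audit() {               # returns 0 only if every check passes
    rc=0
    mount_has_acls "$MOUNT_LINE" && echo "PASS /data mounted with acls" || { echo "FAIL /data mounted without acls"; rc=1; }
    eff=$(acl_effective "$GETFACL_OUT" backups)
    [ "$eff" = rwx ] && echo "PASS backups effective ACL rwx" || { echo "FAIL backups effective ACL is $eff"; rc=1; }
    pam_auth_uses_winbind "$PAM_FTP" && echo "PASS pam_winbind consulted before pam_unix" || { echo "FAIL pam_winbind missing or after pam_unix"; rc=1; }
    conf_has_chroot "$PROFTPD_CONF" && echo "PASS DefaultRoot set" || { echo "FAIL no DefaultRoot"; rc=1; }
    users=$(conf_login_allowlist "$PROFTPD_CONF") && echo "PASS login limited to: $users" || { echo "FAIL <Limit LOGIN> lacks DenyAll"; rc=1; }
    return $rc
}

run_audit
```

The ACL check is the one worth keeping around: getfacl shows user:backups:rwx even after a chmod has lowered the mask, and only the effective (masked) rights decide whether the backups account can still write.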


Packetwatch Research 2002-2017.