FTP and Web server

Purpose

The server will allow users to log in, upload files to their home directory and have these published as a website.

It was created so that students taking the BTEC ICT course could complete the Web Development unit, which involved uploading files to a web space using FTP.

Overview

The Ubuntu 6.06 LTS server uses Samba and winbind to integrate with the existing domain controllers and provide user authentication.

Vsftpd is used as the FTP daemon, which I found to be better-behaved than ProFTPd in this instance. Vsftpd relies on PAM for authentication, which in turn uses the pam_winbind module to look up usernames. Unfortunately, the mkhomedir module wouldn't work for Vsftpd (it works fine with console/ssh though), so a shell script is used to create the home directories (cron'd to handle new users).

Apache is then configured with mod_userdir to serve out home directories containing web pages. It's probably possible to use Lighttpd instead of Apache to cut down on resources but I haven't tried it.

Building the server

Note: To carry out these tasks you will mostly need to be root. I recommend typing sudo -s followed by your password to save prefacing every command with sudo.

It also goes without saying that you should back up any files before you edit them :-)

Configure packages

First, edit /etc/apt/sources.list and un-comment the repositories that are disabled by default (lines containing http: that begin with a #). Then update APT's sources and do an upgrade.

# nano /etc/apt/sources.list
# apt-get update && apt-get upgrade

You will then need to install the new packages (optional but recommended packages are marked with an asterisk):

  • samba
  • winbind
  • vsftpd
  • ssh*
  • ntpdate*
  • rcconf*

# apt-get install samba winbind vsftpd ssh ntpdate rcconf

Configuring Samba

Here is a copy of the /etc/samba/smb.conf file I used. Parts of it were copied from an old installation, so some of it may not be necessary. I've commented the lines you need to change to match your establishment.

[global]
  ; CHANGE THIS - your domain
  workgroup = BBARRINGTON
  server string = %h server (Samba, Ubuntu)
  dns proxy = no
  log file = /var/log/samba/log.%m
  max log size = 1000
  syslog = 0
  panic action = /usr/share/samba/panic-action %d
  security = domain
  encrypt passwords = true
  passdb backend = tdbsam
  obey pam restrictions = yes
  invalid users = root
  socket options = TCP_NODELAY
  domain master = no
  ; Winbind stuff
  idmap uid = 10000-20000
  idmap gid = 10000-20000
  template shell = /bin/bash
  winbind use default domain = yes
  winbind enum users = yes
  winbind enum groups = yes
  ; CHANGE THIS - your domain controller
  password server = bbs-svr-001

To help with DC lookups, I added the DCs to /etc/hosts:

10.0.0.2    bbs-svr-001.bbarrington.internal    bbs-svr-001
10.0.0.3    bbs-svr-002.bbarrington.internal    bbs-svr-002

Edit Name Server Switch

You will now need to modify /etc/nsswitch.conf so that Linux will look to the domain for users & groups. Simply add 'winbind' to the end of the passwd and group lines:

passwd:         compat winbind
group:          compat winbind
shadow:         compat

Join the server to the domain

Now it's time to join the server to the domain. It's a good idea to restart the Samba services at this point and/or reboot the server.

# /etc/init.d/samba restart && /etc/init.d/winbind restart

Now join the domain, replacing bbs-svr-001, administrator and password with the appropriate information.

# net rpc join -S bbs-svr-001 -Uadministrator%password

You should receive a message like 'Joined domain BBARRINGTON' (whatever your domain is called). If this fails you may need to add -D domain_name to the end of the net rpc join command.

Test the join

There are several commands you can run to check the server joined the DC correctly and that Winbind is working.

Command                What it does
wbinfo -u              List all domain users
wbinfo -g              List all domain groups
getent passwd          Get the entries in the Linux database to check it's picking up domain users
getent group           As above, but for domain groups
wbinfo -a user%pass    Authenticate a (domain) username and password combination

Home Directories

When you run getent passwd, each user's home directory should be displayed in the output, e.g. /home/DOMAIN/username. You will need to create /home/DOMAIN and set the appropriate permissions on it (remember Apache will need to read these later on).

# mkdir /home/BBARRINGTON
# chown www-data /home/BBARRINGTON
# chgrp "Domain Users" /home/BBARRINGTON

Configure Vsftpd

Now that the link between the server and the DC is working, we can concentrate on the FTP and web side of it.

Edit the Vsftpd PAM file to enable Winbind authentication: /etc/pam.d/vsftpd. Add these lines to the top of the file:

auth       sufficient    pam_winbind.so
account    sufficient    pam_winbind.so

Vsftpd doesn't need much configuring; my /etc/vsftpd.conf is below.

By default, vsftpd is configured for anonymous logins only - setting local_enable to YES is a must. chroot_local_user is also advised.

deny_file={*.exe,*.zip,*.rar,*.mpg,*.mpeg,*.avi,*.mov}
hide_file={*.exe,*.zip,*.rar,*.mpg,*.mpeg,*.avi,*.mov}
listen=YES
listen_ipv6=NO
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_file=/var/log/vsftpd-xfer.log
xferlog_std_format=YES
ftpd_banner=Welcome to the Bishop Barrington School BTEC FTP Server.
chroot_local_user=YES
secure_chroot_dir=/var/run/vsftpd
pam_service_name=vsftpd
rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key

Restart vsftpd:

# /etc/init.d/vsftpd restart

At the moment, the FTP server should accept and authenticate logins, but will not fully log in due to home directories not being accessible for domain users - we'll get on to that shortly.
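
A quick check of the points above, as an added example that is not part of the original guide: the script reads a vsftpd.conf and reports where it differs from what this setup needs. The function names are hypothetical and the defaults are those documented in vsftpd.conf(5). The ssl_enable check goes slightly beyond the text: the configuration above names a certificate but never turns TLS on, so domain passwords cross the network in clear text.

```shell
#!/bin/sh
# Added example, not part of the original guide: audit a vsftpd.conf for the
# settings the guide depends on. Defaults are taken from vsftpd.conf(5).

# bool_opt FILE OPTION DEFAULT -> prints YES or NO.
# vsftpd allows no spaces around "="; if an option is repeated, the last
# line is used here (assumption).
bool_opt() {
    val=$(sed -n "s/^$2=//p" "$1" | tail -n 1 | tr 'a-z' 'A-Z')
    case "${val:-$3}" in
        YES|TRUE|1) echo YES ;;
        *)          echo NO ;;
    esac
}

# require_opt FILE OPTION DEFAULT WANTED MESSAGE -> prints a finding on mismatch.
require_opt() {
    [ "$(bool_opt "$1" "$2" "$3")" = "$4" ] || echo "$2: $5"
}

# audit_vsftpd FILE -> one finding per line; exit status 1 if there are any.
audit_vsftpd() {
    report=$(
        require_opt "$1" anonymous_enable  YES NO  "anonymous logins are allowed"
        require_opt "$1" local_enable      NO  YES "domain users cannot log in"
        require_opt "$1" chroot_local_user NO  YES "users can browse outside their home directory"
        require_opt "$1" ssl_enable        NO  YES "logins and passwords are sent unencrypted"
    )
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Constructed sample: the access-control lines from the configuration above.
sample=$(mktemp)
cat > "$sample" <<'EOF'
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
EOF
audit_vsftpd "$sample" || echo "(review the findings above)"
rm -f "$sample"
```

Run it as audit_vsftpd /etc/vsftpd.conf after each edit; an empty result with exit status 0 means all four settings are in place.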

Configure Apache

If the UserDir module is not enabled, run a2enmod to enable it:

# a2enmod userdir

Now you will need to edit /etc/apache2/sites-enabled/000-default and add the lines between the two "-- USERDIR" markers below, replacing the home directory path with yours.

NameVirtualHost *
<VirtualHost *>
    ServerAdmin craig.rodway@bishopbarrington.net
 
    # -- USERDIR
    UserDir /home/BBARRINGTON/*
    <Directory /home/BBARRINGTON/*/>
        DirectoryIndex index.htm index.html default.htm default.html Default.htm Default.html
        allow from all
        Options Indexes
    </Directory>
    # -- USERDIR
 
    # Rest of file omitted.

Create Home Directories script

Create the file /usr/local/sbin/homedirs.sh and add the following (replacing BBARRINGTON with your domain).

NOTE: Computer account names (ending in $) and usernames without dots are omitted.

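#!/bin/sh
# Create a home directory for every domain user that lacks one.
# Computer accounts (names containing $) and usernames without a dot are skipped.
base="/home/BBARRINGTON"

wbinfo -u | grep -v '[$]' | grep '[.]' | while IFS= read -r user
do
    dir="$base/$user"

    if [ -d "$dir" ]; then
        echo "$user: Already has a homedir, skipping."
    else
        echo "$user: Doesn't have a homedir, creating."
        mkdir "$dir"
        echo "$user: Setting permissions."
        chown "$user" "$dir"
        chgrp "Domain Users" "$dir"
        # A directory needs the execute bit to be entered: the owner can
        # write, everyone else (including Apache) can only read.
        chmod 755 "$dir"
    fi
done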

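Then make it executable and (optionally) add it to cron. The link is named without the .sh extension because run-parts, which runs the scripts in /etc/cron.daily, skips file names containing a dot:

# chmod +x /usr/local/sbin/homedirs.sh
# ln -s /usr/local/sbin/homedirs.sh /etc/cron.daily/homedirs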


howto/linuxftpserver.txt · Last modified: 2011/01/17 09:59 (external edit)