Install and configure FTP for 4.3


#1

I only found one manual for 4.1 and many things that are available in 4.3 don’t fit.

I installed univention-ftp. But how to connect this to the users, how to set up rights for certain directories etc. seems to be different.


#2

Hey,

well, it isn’t that hard. Installing univention-ftp will do two things:

  1. It pulls in the actual FTP server package, proftpd.
  2. It opens the required ports in the firewall.

proftpd's default configuration uses PAM for authenticating users. The default configuration for FTP-with-PAM uses Univention’s Config Registry variables for restricting access to the service. By default only members of the Domain Admins group are allowed to connect. You can change that by modifying the corresponding UCR variables. For example:

  • In order to make an exception for a single user janedoe, you can set auth/ftp/user/janedoe=yes. Similarly for whole groups (see the link above).
  • If you want all users to be able to connect, you can turn off the restrictions for FTP completely by setting auth/ftp/restrict=no.

Permissions for files and directories are managed directly via file system permissions and ACLs. Alternatively you can modify the configuration for proftpd in order to allow or deny certain users and groups access to specific parts of the file system. This is outside of the scope of Univention, though. You can read up on proftpd's configuration over here.

Kind regards,
mosu


#3

I finally got around to dealing with it.
First of all I can log in now, but I only see a “windows-profiles”-directory.

I would like to assign the same directories and rights to the FTP users (there are only a few) that I created for the file shares of these users. What’s the most elegant way? I was hoping that this could be done via the UCS web interface, but I found nothing.


#4

We had a lot of problems with FTP, e.g. with users connecting from Hotel WiFi. I can recommend to use Nextcloud or if you prefer a simpler and probably more secure solution mysecureshell as SFTP server (which can be installed using apt install mysecureshell).


#5

As we have files sometimes bigger than 100MB ftp would be great. We do have a Nextcloud, but not with our smb-server and so there are only special files. What we need is a convinient way to access the shares with the same rights as local, but via ftp. So the question is: If I install sftp, how can I easily transfer the access-rights for a user to that.


#6

Hey,

both proftpd and mysecureshell (and most likely other such programs) use the usual file system ACLs, meaning there’s nothing to transfer from proftpd to mysecureshell. Granted, you can configure proftpd a lot in order to limit what users can do, but judging from your posts you’re running proftpd’s default configuration, meaning there is indeed nothing to transfer.

But maybe I misunderstood your question. What exactly do you mean? How to manage which users may log in via that method?

Kind regards
mosu


#7

It would be nice if it would be possible to give the access rights to the (s)ftp server that I have assigned to the users for the file shares (smb).
Then only define which users are allowed to access via (s)ftp.

Otherwise I would have to do this twice, i.e. set access rights for SMB and somewhere else which user can access which directory via FTP.

I would prefer it to be possible to manage this directly via the UCS interface, but that doesn’t seem to work?

I also don’t know yet how I can explain to the (s)ftp which directories a user is allowed to see. So far the home directory of the user opens after the logon and from there he cannot access the shares, which are not in his directory.

Translated with www.DeepL.com/Translator


#8

Hey,

This isn’t possible with any FTP/SFTP/other server that I know of. Samba’s permissions (via its configuration) are used solely by Samba, by nothing else. There isn’t any other software whose permission model maps directly to Samba’s permission model either, making this a rather moot point.

No matter which other piece of server software you’ll use for this task, you won’t be able to manage that via the Univention Management Console.

This depends on which software you use as your SFTP server. With OpenSSH’s SFTP implementation, you don’t have a lot of knobs to tweak. Instead you rely on changing the user’s shell to something like the aforementioned mysecureshell which you can configure in turn. If you use a different SFTP server (e.g. proftpd which can not only to old FTP but SFTP as well), you may have a lot more control over permissions and such things.

I suggest you read up on the documentation for mysecureshell in order to get a feeling of what you can do with such software.

Kind regards
mosu


#9

Ok … thats not what I like, but then I have to deal with it.
THX