SFTP AD authentication and incorrect home directory

Report bugs or issues with Core FTP Server here
andyr
Posts: 1
Joined: Sat Apr 19, 2008 11:10 pm

SFTP AD authentication and incorrect home directory

Post by andyr »

I want an SFTP drop zone controlled using AD accounts and NTFS permissions. I don't want to use individual home directories, just the base directory. Problem is that the SFTP & AD authentication combination does not seem to allow this. I have documented my tests below:

I first created a Coreftp user called "ftpuser" with home directory locked to the base directory (SFTPRoot) and full permissions (except execute). NTFS permissions on the base directory are set to Everyone Full Control for the moment.

**Test 1**: SFTP connection with AD authentication
Enable Active Directory users: checked
User settings to use: ftpuser
Ignore AD home directory: checked
Use Windows domain: TEST
Use base directory + username: unchecked
**Result**: Authentication is successful but base directory is set to coreftp program directory which the user will not have rights to. Error line in coreftp log is:
LIST denied - /C:/Program Files/CoreFTPServer/

**Test 2**: SFTP connection with NT authentication
Enable WinNT users: checked
User settings to use: ftpuser
Use Windows domain: TEST
Use base directory + username: unchecked
**Result**: Authentication is successful, base directory is set successfully to the root directory as desired.

**Test 3**: FTP connection with AD authentication
Enable Active Directory users: checked
User settings to use: ftpuser
Ignore AD home directory: checked
Use Windows domain: TEST
Use base directory + username: unchecked
**Result**: Authentication is successful, base directory is set successfully to the root directory as desired.

I may be able to get away with using WinNT authentication to the W2003 AD domains, but it's not ideal. Is this a known problem or something to do with my setup?

thanks,
Andy.
grimanvil
Posts: 1
Joined: Mon May 19, 2008 11:13 pm

AD authentication

Post by grimanvil »

It seems to work for all 'domain local' users. But I want to use a specific local or domain group, i.e. DOMAIN\sftpusers or SERVER\sftp-group, and I see no way to do this. I don't want everyone using the sftp server, especially since I want a single shared sftp folder for just this group. How do I specify a group?