Objective:
To utilize existing infrastructure (RHEL 7 and Windows 2012 R2) to provide AD users access to a chrooted SFTP solution that logs files copied into the environment, while utilizing Windows DFS and replication as the backend.
Environment:
RHEL 7 server running sftp, using Realm for AD authentication. AD group = sdn_sftp_users, user = user1@sdn.com
Local Group: sdn_sftp_users:x:566601113:user1@sdn.com
Windows DFS setup configured as the backend storage for SFTP.
sshd_config:
# override default of no subsystems
#Subsystem sftp /usr/libexec/openssh/sftp-server
Subsystem sftp internal-sftp -f AUTH -l VERBOSE
# Example of overriding settings on a per-user basis
#Match User anoncvs
#       X11Forwarding no
#       AllowTcpForwarding no
#       PermitTTY no
#       ForceCommand cvs server
Match Group sdn_sftp_users
        ChrootDirectory /dfsshare/sftproot/%u
        X11Forwarding no
        AllowTcpForwarding no
        ForceCommand internal-sftp
sssd.conf (excerpt):
#fallback_homedir = /home/%d/%u
fallback_homedir = /dfsshare/sftproot/%u (this is set up as a mount in /etc/fstab)
Issues:
DFS Storage
Redirecting user home directories to the DFS share prevents jailing of the sftp connection.
I cannot change permissions on a mount in /etc/fstab.
Authentication
Realm > caching creds only; I still need to create the local group and add users, but cannot /sbin/nologin the AD user.
Logging
SFTP does not appear to track files copied in by user. ???
Questions:
Can you tell me if this can be accomplished with this setup? Is it just a matter of permissions that is causing me a problem, or is this even possible? If not, why?
Are there simple changes I can make to allow this to work?
Any recommendations?
NOTE: I cannot purchase 3rd party software to accomplish this!
THANK YOU,
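Added check, not part of the question above: sshd requires every directory from / down to the ChrootDirectory to be owned by root and not writable by group or others, which is why a user-owned or loosely mounted home directory breaks the jail, and because the Match block's "ForceCommand internal-sftp" replaces the Subsystem command line entirely, the "-f AUTH -l VERBOSE" options are not applied to chrooted sessions unless they are repeated on the ForceCommand line. The script below assumes GNU stat as shipped with RHEL 7 and takes the expanded chroot path as its argument.

```shell
#!/bin/sh
# Added check for the sshd ChrootDirectory rule: every directory from / down
# to the chroot must be owned by root (uid 0) and not writable by group/other.
# Assumes GNU stat (coreutils), as on RHEL 7.

# Pure rule check on a numeric uid and an octal mode string (e.g. 0 755).
# Returns 0 when the component satisfies the rule, 1 otherwise.
chroot_component_ok() {
    uid=$1
    mode=$2
    [ "$uid" -eq 0 ] || return 1
    # 022 masks the group-write and other-write bits; the leading 0 makes
    # the shell treat $mode as octal
    [ $(( 0$mode & 022 )) -eq 0 ] || return 1
    return 0
}

# Walk from the chroot target up to /, applying the rule to each component.
# Prints the first offending directory and returns 1; returns 0 if clean,
# 2 if a component could not be stat'ed.
check_chroot_path() {
    dir=$1
    while :; do
        uid=$(stat -c '%u' "$dir") || return 2
        mode=$(stat -c '%a' "$dir") || return 2
        if ! chroot_component_ok "$uid" "$mode"; then
            echo "FAIL: $dir (uid $uid, mode $mode) breaks the ChrootDirectory rule"
            return 1
        fi
        [ "$dir" = "/" ] && break
        dir=$(dirname "$dir")
    done
    echo "OK: $1 and all parents are root-owned and not group/other writable"
    return 0
}

# Usage (path from the question's sshd_config, %u expanded for user1):
# check_chroot_path /dfsshare/sftproot/user1
```

Since fallback_homedir points at the chroot itself, that directory has to stay root-owned and unwritable by the user, so uploads need a subdirectory inside it (for instance /dfsshare/sftproot/user1/upload, assumed name) owned by the user; on a CIFS mount the uid, gid and dir_mode mount options, not chmod or chown, determine what stat reports for it.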