Issue: How to set up a chroot sftp server utilizing RHEL 7, AD users, and a Windows DFS share.
Environment:
RHEL 7 server providing sftp
AD domain providing users within a group
Windows infrastructure providing DFS
Status:
I can log in via FileZilla to the sftp server via an AD account; however, that account can still browse up to the root directory. I also just realized I am having issues uploading files to the same location.
Problem:
I cannot change the permissions on the mounted DFS location as it is mounted via /etc/fstab. I set it up as 500 500 from an example on the web. Do I need to make a change here?
I can change the AD user's home directory via sssd; however, I don't think the chroot is going to work correctly as the user's home directory has been redirected to the DFS share folder.
I need to be able to capture what files are uploaded and by whom.
Environment Info/Configuration:
Users' home directories are relocated via sssd.conf
#fallback_homedir = /home/%d/%u
fallback_homedir = /dfsshare/sftproot/%u
Chroot jail attempt:
# override default of no subsystems
#Subsystem sftp /usr/libexec/openssh/sftp-server
Subsystem sftp internal-sftp -f AUTH -l VERBOSE
Match Group sdn_sftp_users
ChrootDirectory /dfsshare/sftproot/%u
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp
NOTE: If I add the AD user to this local group I created, then the user cannot log in via FileZilla.
If the AD user is not a member of this group, I can log in but the user is not chrooted.
How do I chroot an AD user? Apparently I am doing this wrong.
/etc/fstab:
#
/dev/mapper/rhel-root / xfs defaults 1 1
UUID=da16a5d7-e485-4fcb-a342-d0b360b773e6 /boot xfs defaults 1 2
/dev/mapper/rhel-swap swap swap defaults 0 0
//sdn.com/sftp /dfsshare cifs _netdev,username=svcdfsadmin,password=Password1234,dir_mode=0755,file_mode=0755,uid=500,gid=500 0 0
NOTE: This may also be part of the issue, as I am mounting this as a service account and not as the AD users using sftp. Do I mount this as root and then give them write access via Windows only, and prevent them from accessing the share except via a redirection of their home directory?
As I write this I am thinking of things that could be incorrect, and I know this is a unique circumstance; however, I have to use the tools given to me and cannot purchase 3rd-party software to do this. I have existing RHEL and Windows environments with which to work.
Thank you,