LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
10-01-2015, 10:11 AM   #1
itanium3 (LQ Newbie, registered Nov 2011)
Configure sftp chroot utilizing Windows DFS as the backend storage


Issue: How to setup a chroot sftp server utilizing RHEL 7, AD users, and a Windows DFS share.

Environment:
RHEL 7 server providing sftp
AD domain providing users within a group
Windows infrastructure providing DFS

Status:
I can log in to the sftp server via FileZilla with an AD account; however, that account can still browse up to the root directory. I also just realized I am having issues uploading files to the same location.

Problem:
I cannot change the permissions on the mounted DFS location as it is mounted via /etc/fstab. I set it up as 500 500 from an example on the web. Do I need to make a change here?
I can change the AD user's home directory via sssd; however, I don't think the chroot is going to work correctly, as the user's home directory has been redirected to the DFS share folder.
I need to be able to capture what files are uploaded and by whom.

Environment Info/Configuration:
Users' home directories are relocated via sssd.conf
#fallback_homedir = /home/%d/%u
fallback_homedir = /dfsshare/sftproot/%u

Chroot jail attempt:
# override default of no subsystems
#Subsystem sftp /usr/libexec/openssh/sftp-server
Subsystem sftp internal-sftp -f AUTH -l VERBOSE

Match Group sdn_sftp_users
ChrootDirectory /dfsshare/sftproot/%u
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp

NOTE: If I add the AD user to this local group I created, then the user cannot log in via FileZilla.
If the AD user is not a member of this group, I can log in, but the user is not chrooted.
How do I chroot an AD user? Apparently I am doing this wrong.

/etc/fstab:
#
/dev/mapper/rhel-root / xfs defaults 1 1
UUID=da16a5d7-e485-4fcb-a342-d0b360b773e6 /boot xfs defaults 1 2
/dev/mapper/rhel-swap swap swap defaults 0 0
//sdn.com/sftp /dfsshare cifs _netdev,username=svcdfsadmin,password=Password1234,dir_mode=0755,file_mode=0755,uid=500,gid=500 0 0

NOTE: This may also be part of the issue, as I am mounting this as a service account and not as the AD users using sftp. Do I mount this as root and then give them write access via Windows only, and prevent them from accessing the share except via a redirection of their home directory?


As I write this I am thinking of things that could be incorrect, and I know this is a unique circumstance; however, I have to use the tools given to me and cannot purchase 3rd-party software to do this. I have existing RHEL and Windows environments to work with.

Thank you,
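Editor's note with an added example (not from the original post or from any reply in this thread). sshd_config(5) requires that every component of a ChrootDirectory path be a directory owned by root and not writable by any other user or group; when that check fails, sshd drops the connection after authentication and RHEL 7 logs "bad ownership or modes for chroot directory component" in /var/log/secure. A cifs mount with uid=500,gid=500 presents every directory on it as owned by uid 500, so nothing under /dfsshare can pass that check. The usual layout is a root-owned chroot parent on local disk (e.g. /sftp/<user>, mode 755) containing a subdirectory such as /sftp/<user>/upload that is owned by the user, with the DFS share mounted (or bind-mounted per user) at that subdirectory using the user's own uid as reported by `id`. The script below walks a candidate chroot path and reports which components break the rule; the /sftp layout, the `upload` name and the `check_chroot_path` / `chroot_components` function names are this example's assumptions, and it assumes GNU stat (as on RHEL) and paths without whitespace.

```shell
#!/bin/bash
# Added example, not from the original post: check whether a path can serve as
# an sshd ChrootDirectory. sshd refuses the chroot unless every component of
# the path, from "/" down, is a directory owned by uid 0 and not writable by
# group or others (the same test sshd applies in its safe_path() check).
# Assumes GNU stat (RHEL coreutils); paths are assumed to contain no whitespace.

# Print each component of an absolute path, from "/" down to the path itself.
# e.g. /dfsshare/sftproot/bob -> / /dfsshare /dfsshare/sftproot /dfsshare/sftproot/bob
chroot_components() {
    local p=${1%/}          # drop a trailing slash so "/sftp/bob/" == "/sftp/bob"
    local acc="" seg
    printf '/\n'
    local IFS='/'           # split the remaining path on "/" only
    for seg in $p; do
        [ -n "$seg" ] || continue
        acc="$acc/$seg"
        printf '%s\n' "$acc"
    done
}

# Return 0 if every component satisfies sshd's ownership/mode rules, else 1,
# printing every violation found so the admin knows what to chown/chmod.
check_chroot_path() {
    local rc=0 c uid mode
    for c in $(chroot_components "$1"); do
        if [ ! -d "$c" ]; then
            echo "MISSING: $c is not a directory"
            rc=1
            continue
        fi
        uid=$(stat -c '%u' "$c")
        mode=$(stat -c '%a' "$c")
        if [ "$uid" != "0" ]; then
            echo "BAD OWNER: $c is owned by uid $uid, must be root (uid 0)"
            rc=1
        fi
        # 022 masks the group and other write bits; the leading 0 turns the
        # octal string from stat (e.g. 755 or 1777) into an octal constant.
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "BAD MODE: $c has mode $mode, group/other must not be writable"
            rc=1
        fi
    done
    return $rc
}

# Usage: ./check_chroot.sh /sftp/bob      (run on the sftp server itself)
if [ $# -gt 0 ]; then
    if check_chroot_path "$1"; then
        echo "OK: $1 satisfies the sshd ChrootDirectory requirements"
    else
        echo "FAIL: fix the components listed above; sshd logs the same" \
             "problem as 'bad ownership or modes for chroot directory component'"
        exit 1
    fi
fi
```

Running this against the posted `/dfsshare/sftproot/<user>` flags every component under the mount as BAD OWNER (uid 500), which is why the chroot fails as soon as the Match block applies. Two related caveats a practitioner would want here: a `ForceCommand internal-sftp` inside a Match block replaces the Subsystem line's arguments, so `-l VERBOSE` must be repeated on the ForceCommand line for uploads to be logged, and a chrooted internal-sftp cannot reach syslog unless a `/dev/log` socket exists inside the chroot (on RHEL 7, rsyslog's imuxsock `$AddUnixListenSocket` creates one). Also, a password on the /etc/fstab line is readable by every local user; mount.cifs accepts `credentials=/root/.smbcredentials` (mode 0600) instead.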
 
10-02-2015, 03:15 PM   #2
itanium3 (Original Poster)
Any thoughts on this? Anyone?
 
10-02-2015, 03:16 PM   #3
szboardstretcher (Senior Member, registered Aug 2006, Detroit, MI)
No need to bump your own post. If someone knows, they will respond in time. We also regularly go through to find zero-reply posts and try to answer them - which is why it is a good idea to not self-bump them.