How do I chroot AD domain users on a Linux machine?

I have an SSH Linux machine that is attached to my Active Directory domain. I am using Likewise in order to attach this machine to AD.

I can SSH into the Linux machine using my AD account and I want to know how to default the home directory to a specific directory and chroot the users to this directory.

In sshd_config, I know that to chroot local users you have to include the following at the end of the file:

Match group GROUP-NAME
   ChrootDirectory /WHATEVER/PATH-YOU-WANT

However, when I attempted to migrate to using AD logins, I found out that you have to modify that line of code to:

Match group domain^users
   ChrootDirectory /WHATEVER/PATH-YOU-WANT

But, this does not seem to chroot the users and they browse around the system.
If anyone has an idea on how to chroot AD users then please let me know.

Thanks!
Asked by: namaiand
1 Solution
 
Duncan Roe (Software Developer) commented:
You can only chroot to a directory where the programs you need are available. For instance, there must be lib/libc6.so which is hard-linked to a real libc6.so (not a soft link, but the eventual target of any soft link). And so on for all other software, including the myriad of libraries that browsers generally require. Without essentials like libc6.so, chroot will simply fail.
 
namaiand (Author) commented:
Right. When I use local users then the jail is operational. However, when I change the authentication to network/domain^users they become jailbroken. How do I reinstate the jail?
 
Duncan Roe (Software Developer) commented:
Are you trying to chroot them to a remote directory? You might be able to do that for NFS-mounted directories, by setting up the jail on the remote system. What other cases do you have?
 
namaiand (Author) commented:
Well, kind of.

I have my server configured like this:

/home/MyFtpDirectory

This is the directory that I want to jail users to.

Inside of this root directory, I have created folders that are mapped to Samba file shares on a remote system.

Before I attached this Linux machine to my AD domain, the local user accounts were jailed after I added the

Match group MyUsers
    ChrootDirectory /home/MyFtpDirectory

Clause at the end of the sshd_config file and restarted the daemon.

However, when I joined this Linux machine to my AD domain, I changed the Match clause in the sshd_config to:

Match group domain^users
    ChrootDirectory /home/MyFtpDirectory

This change appears to log the user into /home/their-user-name, and from there they can change to /home/MyFtpDirectory.
 
namaiand (Author) commented:
Anyone's thoughts?
 
Duncan Roe (Software Developer) commented:
Didn't see a mail for your previous comment or I would have posted earlier. Since your top-level directory is local, it should be fine for chroot.
I would try changing sshd config files back to how they were, and check local users still behave as expected. If they do, then you have to figure out how you should have changed it and make that change.
 
namaiand (Author) commented:
Since I attached the Linux machine to the AD domain and made the sshd_config Match statement change, I have not re-checked how the local user accounts behave. Will do it though.
 
namaiand (Author) commented:
I am still unable to chroot/jail the users.

In sshd_config, at the bottom, I have the following:

Match group MyGroup
    ChrootDirectory /home/MyDirectory

The directory exists, the permissions are 777, and the owner and group are both root.
Users are unable to log in. However, when I comment out the ChrootDirectory line and restart the daemon, users are able to log in but are not jailed (of course). Any thoughts?
 
Duncan Roe (Software Developer) commented:
Are local users still successfully being jailed in the same directory? Or a different one?
 
namaiand (Author) commented:
Now, they are being jailed to the same directory.
The issue was this:

In the sshd_config file, the match statement was written like this:

Match Group sftpGroup
   ChrootDirectory /ftproot
   ForceCommand internal-sftp
..

I realized that I had to make sftpGroup the group owner (i.e. chgrp).
Also, I changed the permissions to 755 on the "root" directory for the users.

Finally, I stopped the ssh service for about 3 minutes. When I restarted the service, all users were now jailed.
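The two symptoms in this thread (logins refused with the directory at 777 and owned by root, then working once it was 755) are the behaviour of sshd's own safety check on ChrootDirectory: every path component from / down to the jail must be owned by root and must not be group- or world-writable, otherwise sshd aborts the session and logs "bad ownership or modes for chroot directory component". The script below is an added example, not code from the thread or from OpenSSH; it audits a candidate directory the same way so the problem can be found before restarting sshd. It assumes GNU stat (Linux), and the optional uid argument is a hypothetical knob, defaulting to 0 (root), so the checks can be exercised without root privileges.

```shell
#!/bin/sh
# Added example: pre-check a directory against sshd's ChrootDirectory rules.
# sshd requires every component of the path, from / to the jail itself, to be
# owned by root and to carry no group or world write bit. A 777 jail fails
# even when root owns it; 755 (or 750) passes.
#
# Assumptions: GNU stat ("stat -c"). The UID argument is a hypothetical
# option so the functions can be tested as a non-root user; sshd itself
# always insists on uid 0.

# chroot_dir_ok DIR [UID]: return 0 if DIR is owned by UID (default 0) and is
# neither group- nor world-writable; report each failing condition on stderr.
chroot_dir_ok() {
    dir=$1
    want_uid=${2:-0}
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }
    # "%u %a" gives numeric owner and octal mode, e.g. "0 755" or "0 1777"
    info=$(stat -c '%u %a' "$dir") || return 1
    set -- $info
    uid=$1
    mode=$2
    perm=$(printf '%s' "$mode" | tail -c 3)   # drop setuid/setgid/sticky digit
    grp=$(( (perm / 10) % 10 ))               # group permission digit
    oth=$(( perm % 10 ))                      # other permission digit
    status=0
    if [ "$uid" != "$want_uid" ]; then
        echo "bad owner uid $uid (want $want_uid): $dir" >&2
        status=1
    fi
    # bit 2 of the digit is the write bit (rwx = 4,2,1)
    if [ $(( grp & 2 )) -ne 0 ] || [ $(( oth & 2 )) -ne 0 ]; then
        echo "group- or world-writable (mode $mode): $dir" >&2
        status=1
    fi
    return $status
}

# chroot_path_ok PATH [UID]: apply chroot_dir_ok to PATH and every parent up
# to /, which is the full set of components sshd inspects.
chroot_path_ok() {
    p=$1
    want=${2:-0}
    case $p in
        /*) ;;
        *) echo "ChrootDirectory must be an absolute path: $p" >&2; return 1 ;;
    esac
    ok=0
    while :; do
        chroot_dir_ok "$p" "$want" || ok=1
        [ "$p" = / ] && break
        p=$(dirname "$p")
    done
    return $ok
}

# Usage: sh chroot_check.sh /home/MyFtpDirectory
if [ "$#" -gt 0 ]; then
    chroot_path_ok "$1" && echo "OK: $1 is acceptable as ChrootDirectory"
fi
```

Two practical consequences follow from the rule the script encodes. First, since the jail root itself cannot be writable by the users, give them a subdirectory inside it that they do own (for example /home/MyFtpDirectory/upload) for anything they need to write. Second, the chgrp to sftpGroup mentioned above is harmless only because 755 grants the group no write access; a 775 jail would fail the same check. To confirm what sshd will actually apply to a given account, including the group-name spelling Likewise presents to the system, run `sshd -T -C user=<name>,host=<host>,addr=<addr>` and look for the ChrootDirectory and ForceCommand lines in its output, and check the auth log for the "bad ownership or modes" message after a failed login. With `ForceCommand internal-sftp` in the Match block, as in the final configuration above, nothing else needs to exist inside the jail; without it, the user's shell and every library it needs would have to be copied in.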
 
namaiand (Author) commented:
The final step actually worked and produced the desired results.