namaiand (United States of America) asked:
How do I chroot AD domain users on a Linux machine?

I have an SSH Linux machine that is attached to my Active Directory domain.  I am using Likewise in order to attach this machine to AD.

I can SSH into the Linux machine using my AD account and I want to know how to default the home directory to a specific directory and chroot the users to this directory.

In the sshd_config, I know that to chroot local users, you have to include the following at the end of the file:

Match group GROUP-NAME
   ChrootDirectory /WHATEVER/PATH-YOU-WANT

However, when I attempted to migrate to using AD logins, I found out that you have to modify that line of code to:

Match group domain^users
   ChrootDirectory /WHATEVER/PATH-YOU-WANT

But, this does not seem to chroot the users and they browse around the system.
If anyone has an idea on how to chroot AD users then please let me know.

Thanks!
Duncan Roe (Australia):
You can only chroot to a directory where the programs you need are available. For instance there must be lib/libc6.so which is hard-linked to a real libc6.so (not a soft link, but the eventual target of any soft link). And so on for all other software, including the myriad of libraries that browsers generally require. Without essentials like libc6.so, chroot will simply fail.
namaiand (asker):
Right. When I use local users then the jail is operational.  However, when I change the authentication to network/domain^users they become jailbroken.  How do I reinstate the jail?
Duncan Roe:

Are you trying to chroot them to a remote directory? You might be able to do that for NFS-mounted directories, by setting up the jail on the remote system. What other cases do you have?

namaiand (asker):

Well, kind of.

I have my server configured like this:

/home/MyFtpDirectory

This is the directory that I want to jail users to.

Inside of this root directory, I have created folders that are mapped to Samba file shares on a remote system.

Before I attached this Linux machine to my AD domain, the local user accounts were previously jailed after I added the

Match group MyUsers
    ChrootDirectory /home/MyFtpDirectory

clause at the end of the sshd_config file and restarted the daemon.

However, when I joined this Linux machine to my AD domain, I changed the Match clause in the sshd_config to:

Match group domain^users
    ChrootDirectory /home/MyFtpDirectory

This change appears to log the user into /home/their-user-name; then they can change to /home/MyFtpDirectory.

Anyone's thoughts?
Duncan Roe:

Didn't see a mail for your previous comment or I would have posted earlier. Since your top-level directory is local, it should be fine for chroot.
I would try changing sshd config files back to how they were, and check local users still behave as expected. If they do, then you have to figure out how you should have changed it and make that change.
namaiand (asker):

Since I attached the Linux machine to the AD domain and made the sshd_config Match statement change, I have not re-checked how local user accounts behave. Will do it though.
I am still unable to chroot/jail the users.

In sshd_config, at the bottom, I have the following:

Match group MyGroup
    ChrootDirectory /home/MyDirectory

The directory exists, the permissions are 777 but the ownership user/group are both root.
Users are unable to login.  However, when I comment the ChrootDirectory line and restart the daemon, users are able to login but are not jailed (of course).  Any thoughts?
Duncan Roe:

Are local users still successfully being jailed in the same directory? Or a different one?
ASKER CERTIFIED SOLUTION by namaiand (United States of America):
The final step actually worked and produced the desired results.