We help IT Professionals succeed at work.

How to Jail/chroot AD-integrated users on Ubuntu 12.04

I am in the process of replacing an FTP server with a more secure alternative.  What I would like to do is to use a Linux server running OpenSSH to secure the connections.  This works great out of the box but I would like to both secure and simplify the experience for the end-users by locking them into their home directories when they log in. I have the AD integration part in place and working just fine.  What I need next is to chroot or jail those accounts into their home directories.  I can't figure out how to set home dirs for AD users since they don't have entries in the passwd file.  As it stands they are dumped at the server's root when they login so they see everything even though a lot of it is unreadable.  What I want is something that looks like an FTP connection.  Help would be appreciated

I used this as the guide for setting up a chrooted directory for Linux users:

http://ubuntuforums.org/showthread.php?t=128206

Thanks,

Jack
Comment
Watch Question

Top Expert 2015
Commented:
Chroot works only with internal-sftp
OpenSSH insists that all chroot path is immutable to user, so you cannot chroot to home directory, just to the level above e.g. /home/DOMAIN/
Then it tries to change dir to $HOME inside chroot ,so you have to make /home/DOMAIN a symlink to ../.. inside chroot

Author

Commented:
Yeah, I finally came to the same conclusion after searching and playing around with the possibilities. What I have decided to do is to create the users as local and the home directories using the UID so that other users can still see the directory but have no indication of who it belongs to.  I will still use some AD-integrated accounts with SAMBA to give inside users access to the data.

Thanks for the reality check.  I am still somewhat new to Linux so there's a pretty steep learning curve on the fundamentals for me. That's why I love IT though.. the torture never stops, and that's a good thing. :)
Top Expert 2015

Commented:
Why dont you try owncloud over https?