How to Jail/chroot AD-integrated users on Ubuntu 12.04

I am in the process of replacing an FTP server with a more secure alternative. What I would like to do is to use a Linux server running OpenSSH to secure the connections. This works great out of the box, but I would like to both secure and simplify the experience for the end-users by locking them into their home directories when they log in. I have the AD integration part in place and working just fine. What I need next is to chroot or jail those accounts into their home directories. I can't figure out how to set home dirs for AD users since they don't have entries in the passwd file. As it stands they are dumped at the server's root when they log in, so they see everything even though a lot of it is unreadable. What I want is something that looks like an FTP connection. Help would be appreciated.

I used this as the guide for setting up a chrooted directory for Linux users:



Chroot works only with internal-sftp.
OpenSSH insists that the whole chroot path is immutable to the user, so you cannot chroot to the home directory, just to the level above, e.g. /home/DOMAIN/.
Then it tries to change dir to $HOME inside the chroot, so you have to make /home/DOMAIN a symlink to ../.. inside the chroot.

freymish (Author) commented:
Yeah, I finally came to the same conclusion after searching and playing around with the possibilities. What I have decided to do is to create the users as local and the home directories using the UID so that other users can still see the directory but have no indication of who it belongs to.  I will still use some AD-integrated accounts with SAMBA to give inside users access to the data.

Thanks for the reality check.  I am still somewhat new to Linux so there's a pretty steep learning curve on the fundamentals for me. That's why I love IT though.. the torture never stops, and that's a good thing. :)

Why don't you try owncloud over HTTPS?