Jun 19

chroot sftp in AWS with likewise / pbis 7.5+

Oh the humanity! Configuring chrooted sftp always seems like a chore when you combine it with an outside authentication source like winbind or pbis (Power Broker Identity Services).

So configuring /etc/ssh/sshd_config is straightforward.  All you need to change is:



But I kept seeing errors in /var/log/secure that said denied access because they are not in the ‘require membership of’ list and [lsass-pam] [module:pam_lsass]pam_sm_authenticate error [login:domain.local\user][error code:40158]

Finally figured out that you can adjust this so that they are allowed by running the following commands (you need to be root or have sudo access):

/opt/pbis/bin/config --list

/opt/pbis/bin/config --details RequireMembershipOf

/opt/pbis/bin/config RequireMembershipOf "domain.local\\account1" "domain.local\\user2"

Just don’t change something major like

sudo /opt/pbis/bin/config AssumeDefaultDomain true

That will just lock you out.
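
To see exactly which accounts are hitting the membership check before widening RequireMembershipOf, the denied logins can be pulled out of /var/log/secure. This is an added example, not from the original post; the sample log lines (timestamps, host name, PIDs, the 00000 code) are constructed, and only the bracketed pam_lsass fields follow the message quoted above.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): summarise pam_lsass denials
# with error code 40158 so the accounts can be reviewed before they are
# added to RequireMembershipOf.

# Constructed sample of /var/log/secure. Timestamps, host, PIDs and the
# 00000 code are made up; the bracketed fields follow the post's message.
sample_log() {
cat <<'EOF'
Jun 19 10:01:02 sftp01 sshd[2211]: [lsass-pam] [module:pam_lsass]pam_sm_authenticate error [login:domain.local\user2][error code:40158]
Jun 19 10:01:09 sftp01 sshd[2215]: [lsass-pam] [module:pam_lsass]pam_sm_authenticate error [login:domain.local\account1][error code:40158]
Jun 19 10:02:30 sftp01 sshd[2230]: [lsass-pam] [module:pam_lsass]pam_sm_authenticate error [login:domain.local\user3][error code:00000]
Jun 19 10:03:44 sftp01 sshd[2242]: [lsass-pam] [module:pam_lsass]pam_sm_authenticate error [login:domain.local\user2][error code:40158]
EOF
}

# stdin: log lines. stdout: "<count> <login>", most frequently denied first.
denied_logins() {
  awk '
    /\[module:pam_lsass\]pam_sm_authenticate error/ && /\[error code:40158\]/ {
      if (match($0, /\[login:[^]]+\]/)) {
        # skip the 7-char "[login:" prefix and the closing "]"
        login = substr($0, RSTART + 7, RLENGTH - 8)
        count[login]++
      }
    }
    END { for (l in count) printf "%d %s\n", count[l], l }
  ' | LC_ALL=C sort -k1,1nr -k2
}

# stdin: denied_logins output. stdout: each login quoted with a doubled
# backslash, the form the post passes to /opt/pbis/bin/config.
config_args() {
  cut -d' ' -f2- | sed 's/\\/\\\\/g; s/.*/"&"/'
}

# On a real host: denied_logins < /var/log/secure
sample_log | denied_logins
sample_log | denied_logins | config_args
```

Review the resulting list by hand before passing any of it to the config command; a login that shows up here is only one that was denied, not one that should be allowed.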

