Oh the humanity!  Configuring chrooted sftp always seems like a chore when you combine it with an out side authentication like winbind or pbis (Power Broker Identity Services).

So configuring /etc/ssh/sshd_config is straight forward.  All you need to change is:

http://en.wikibooks.org/wiki/OpenSSH/Cookbook/SFTP

But I kept seeing errors in /var/log/secure that said denied access because they are not in the ‘require membership of’ list and [lsass-pam] [module:pam_lsass]pam_sm_authenticate error [login:domain.local\user][error code:40158]

Finally figured out that you can adjust this so that they are allowed performing the following commands (need to be root or have sudo access):

/opt/pbis/bin/config --list

/opt/pbis/bin/config --details RequireMembershipOf

/opt/pbis/bin/config RequireMembershipOf "domain.local\\account1" "domain.local\\user2"

Just don’t change something major like

sudo /opt/pbis/bin/config AssumeDefaultDomain true

That will just lock you out.