[Samba] Linux desktop setup with authentication against Samba AD DC
Peter Milesson
miles at atmos.eu
Wed Dec 25 15:04:58 UTC 2024
On 25.12.2024 13:14, Rowland Penny via samba wrote:
> On Wed, 25 Dec 2024 12:25:01 +0100
> Peter Milesson via samba <samba at lists.samba.org> wrote:
>
>>
>>
>> On 23.12.2024 11:49, Rowland Penny via samba wrote:
>>> On Mon, 16 Dec 2024 13:23:54 +0100
>>> Marco Gaiarin via samba <samba at lists.samba.org> wrote:
>>>
>>>> Hello! Rowland Penny via samba
>>>> On that day it was said...
>>>>
>>>>> I tested on Gnome, MATE and XFCE on Debian 12, Cinnamon on Lmde6
>>>>> and on Rocky Linux 9 and the only one that gave any problem was
>>>>> MATE and that is a problem in its code (somewhere), it mounts but
>>>>> is unusable.
>>>> Surely more than me. ;-)
>>>>
>>>>
>>>> You've also setup a wiki page for that? Can i help?
>>>>
>>> Okay, I have finally documented my version of this, the delay was
>>> caused by:
>>> A) it is Xmas
>>> B) While I could get the desktop to mount, I found that GNOME &
>>> Cinnamon wouldn't unmount it at logout.
>>>
>>> I finally traced this to a timing problem, XFCE is quite happy with
>>> ' logout wait="200000"', Gnome & Cinnamon require 'logout
>>> wait="2000000"'
>>>
>>> I also wrote a small bash script to create the users home directory
>>> on the 'fileserver' on the fly.
>>>
>>> You can find my notes here:
>>>
>>> https://github.com/hortimech/Samba/blob/main/Mounting%20a%20domain%20users%20home%20directory%20at%20logon
>>>
>>> Rowland
>>>
>>>
>> Hi Rowland,
>>
>> Great write up.
>>
>> But I don't understand the purpose of the homes share in smb.conf in
>> this context. It's really not necessary. The user's home directory
>> gets created on logon, and is removed (hopefully) at logoff by
>> pam-mount. My specific aim was to make sure any files or directories
>> on the client are removed after logoff.
> As I said in my tutorial, you need a minimum of 3 'computers':
> A DC to create the users on
> A fileserver to store the users home directory on
> A client.
>
> In my setup, pam_mount on the client mounts a share from the
> fileserver. This share must exist, but it must be initially empty; this
> is where the 'homes' share and the 'root preexec' script come in. The
> client authenticates the user against the DC, then pam_mount attempts to
> mount the user's home directory from the fileserver and, if this is the
> first logon ever for the user, the 'root preexec' script creates the
> empty user share. Once pam_mount has mounted the share, the user's home
> directory is initially populated on the client and, because it is a
> mount, it is also populated on the fileserver. When the user logs out,
> all traces of that user are removed from the computer, but remain on
> the fileserver, ready for the next logon, a bit like roaming profiles, but
> without the wait.
>
>> Anyway, I replicated 10 PCs (identical hardware) from my master
>> image. Each PC took less than 10 minutes to configure. This included
>> copying the .xsessionrc to each user home directory on the server.
>> Copying the master image over the network took some time, however.
>> That of course depends on the disk size and network speed. But one
>> can do other tasks while the copy process is running.
> I am not entirely sure just what you are doing, but it sounds similar
> to installing a distro and then configuring pam_mount.
>
>
>
Hi Rowland,
I have done a complete Debian installation on the master image, with all
necessary packages from backports. I have set up all necessary
prerequisites, and configured the appropriate files (krb5.conf,
smb.conf, user.map, pam_mount.conf.xml, common-session). To replicate
the master installation I only need to modify a few files on the target.
I also needed to make sure that there are no .tdb files in
/var/cache/samba and /var/lib/samba, and that smbd.service and
winbind.service are initially set as disabled. When replicating the
master image, the only changes I need to make on different new client
PCs after copying the master, are the following (disconnected from the
network):
- Set hostname in /etc/hostname
- Set full hostname and the name part in /etc/hosts
- Power off
- Connect the PC to the network
- Start the PC
- Check that there is connection with the AD DC (that is, DNS is working)
- Join the domain
- Enable and start smbd.service and winbind.service.
If setting up for a different domain, the following files need to be
changed before the above:
- default_realm in /etc/krb5.conf
- realm in /etc/samba/smb.conf
- workgroup in /etc/samba/smb.conf
- idmap config <samdom> : range = <start>-<end> in /etc/samba/smb.conf
- idmap config <samdom> : backend = rid in /etc/samba/smb.conf
- <SAMDOM>\Administrator in /etc/samba/user.map
- Set the appropriate values in the <volume> entry in
/etc/security/pam_mount.conf.xml
- Create the file gvfs-daemon.service under /etc/systemd/user (otherwise
Kerberos won't work)
If the target hardware is set up for secure boot, you're out of luck.
Then one needs to make a complete installation with all required
packages. However, copying the configuration files from the master
image still saves lots of time. Then there are all sorts of problems to
solve, if the target disk is smaller than the master disk image, but
that's out of scope here.
That is not my view of creating a distribution. I have just created a
template disk image that is very rapidly deployed to other hardware.
From the Samba point of view, I wanted a configuration that allows the
Linux users' profiles to be stored on an SMB server, where the user's profile
directory is automatically created under /home/<user> and mapped to the
user's profile on a share on the server, and where the user's profile
directory is automatically unmounted and the /home/<user> directory
deleted after logoff.
After two weeks of real use, the whole concept seems to work as intended
from all aspects, and feels really solid. Compared to the old mix of
dedicated thin clients and ThinStation PCs booting over PXE, the Linux
PC setup is completely flexible in every respect.
Best regards,
Peter
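As an added example (not part of the thread or of either poster's setup), the check below reads the per-domain settings Peter lists (krb5.conf default_realm, smb.conf realm/workgroup/idmap config, the pam_mount.conf.xml volume entry) together with the logout wait value Rowland found to matter, and reports inconsistencies before a cloned client is joined. All file contents, the realm SAMDOM.EXAMPLE.COM and the fileserver name are constructed samples.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample inputs modelled on the files the thread says change per domain.
KRB5_CONF = """[libdefaults]
    default_realm = SAMDOM.EXAMPLE.COM
"""
SMB_CONF = """[global]
    workgroup = SAMDOM
    realm = SAMDOM.EXAMPLE.COM
    idmap config SAMDOM : backend = rid
    idmap config SAMDOM : range = 10000-999999
"""
PAM_MOUNT_XML = """<pam_mount>
  <logout wait="200000" hup="no" term="no" kill="no"/>
  <volume user="*" fstype="cifs" server="fileserver.samdom.example.com"
          path="%(USER)" mountpoint="/home/%(USER)" options="sec=krb5" />
</pam_mount>
"""

def parse_ini_values(text):
    """Return {lowercased key: value} for every 'key = value' line (sections skipped)."""
    out = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^=#;\[]+?)\s*=\s*(.+?)\s*$", line)
        if m:
            out[m.group(1).lower()] = m.group(2)
    return out

def check_client_config(krb5, smb, pam_xml, desktop="gnome"):
    """Return findings for a cloned client; an empty list means the files agree."""
    findings = []
    k, s = parse_ini_values(krb5), parse_ini_values(smb)
    realm, wg = s.get("realm", ""), s.get("workgroup", "")
    if k.get("default_realm") != realm:
        findings.append("krb5.conf default_realm does not match smb.conf realm")
    if s.get(f"idmap config {wg.lower()} : backend") != "rid":
        findings.append(f"idmap config {wg} : backend must be rid")
    rng = re.fullmatch(r"(\d+)-(\d+)", s.get(f"idmap config {wg.lower()} : range", ""))
    if not rng or int(rng.group(1)) >= int(rng.group(2)):
        findings.append(f"idmap config {wg} : range missing or malformed")
    root = ET.fromstring(pam_xml)
    wait = int(root.find("logout").get("wait", "0"))
    # Rowland's observation: XFCE is happy with 200000, GNOME/Cinnamon need 2000000.
    needed = 2000000 if desktop in ("gnome", "cinnamon") else 200000
    if wait < needed:
        findings.append(f"logout wait={wait} too low for {desktop}, need {needed}")
    vol = root.find("volume")
    if vol is None or not vol.get("mountpoint", "").startswith("/home/"):
        findings.append("pam_mount volume missing or mountpoint not under /home")
    return findings
```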