[Samba] Linux desktop setup with authentication against Samba AD DC
Rowland Penny
rpenny at samba.org
Thu Dec 26 10:02:32 UTC 2024
On Wed, 25 Dec 2024 16:04:58 +0100
Peter Milesson <miles at atmos.eu> wrote:
> Hi Rowland,
>
> I have done a complete Debian installation on the master image, with
> all necessary packages from backports. I have set up all necessary
> prerequisites, and configured the appropriate files (krb5.conf,
> smb.conf, user.map, pam_mount.conf.xml, common-session). To replicate
> the master installation I only need to modify a few files on the
> target. I also needed to make sure that there are no .tdb files in
> /var/cache/samba and /var/lib/samba, and that smbd.service and
> winbind.service are initially set as disabled. When replicating the
> master image, the only changes I need to make on different new client
> PCs after copying the master are the following (disconnected from
> the network):
>
> - Set hostname in /etc/hostname
> - Set full hostname and the name part in /etc/hosts
> - Power off
> - Connect the PC to the network
> - Start the PC
> - Check that there is connection with the AD DC (that is, DNS is
> working)
> - Join the domain
> - Enable and start smbd.service and winbind.service.
>
> If setting up for a different domain, the following files need to be
> changed before the above:
>
> - default_realm in /etc/krb5.conf
> - realm in /etc/samba/smb.conf
> - workgroup in /etc/samba/smb.conf
> - idmap config <samdom> : range = <start>-<end> in /etc/samba/smb.conf
> - idmap config <samdom> : backend = rid in /etc/samba/smb.conf
> - <SAMDOM>\Administrator in /etc/samba/user.map
> - Set the appropriate values in the <volume> entry in
> /etc/security/pam_mount.conf.xml
> - Create the file gvfs-daemon.service under /etc/systemd/user
> (otherwise Kerberos won't work)
>
> If the target hardware is set up for secure boot, you're out of luck.
> Then one needs to make a complete installation with all required
> packages. However, copying the configuration files from the master
> image still saves lots of time. Then there are all sorts of problems
> to solve, if the target disk is smaller than the master disk image,
> but that's out of scope here.
>
> That is not my view of creating a distribution. I have just created a
> template disk image that is very rapidly deployed to other hardware.
>
> From the Samba point of view, I wanted a configuration that allows
> the Linux users' profiles to be stored on an SMB server, that the
> user's profile directory is automatically created under /home/<user>
> and mapped to the user's profile on a share on the server, and that
> the user's profile directory is automatically unmounted, and the
> /home/<user> directory is deleted after logoff.
>
> After two weeks of real use, the whole concept seems to work as
> intended from all aspects, and feels really solid. Compared to the
> old mix of dedicated thin clients and ThinStation PCs booting over
> PXE, the Linux PC setup is completely flexible in every respect.
>
> Best regards,
>
> Peter
>
>
From reading that, it seems we are both doing the same thing, but
in different ways: you have an 'image' that you created, while I start
with a default Debian install and set it up to get to basically the
same point as your 'image'. Either way, the result is an AD user can
log into a domain computer and find all their files waiting for them,
as I said, like Windows profiles, but faster.
Rowland
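The per-clone checklist in Peter's message (matching default_realm and realm, the workgroup and its idmap config lines, and no leftover .tdb files in /var/cache/samba and /var/lib/samba before the join) lends itself to a script. The following is an added example, not code from this thread or from the Samba project: a POSIX sh pre-join check that reads a clone's krb5.conf and smb.conf and inspects the two Samba directories. The domain name SAMDOM.EXAMPLE.COM, the file contents and the temporary directory layout are all constructed for the demo; the check functions take the real paths as arguments.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Samba project: a pre-join
# consistency check for a cloned Debian client. It verifies the settings Peter's
# message lists before the clone is joined: krb5.conf default_realm matches
# smb.conf realm, workgroup is set, the domain's idmap config uses backend = rid
# with a sane range, and no stale .tdb files are left in the Samba cache/lib dirs.
# Every path and file used by the demo is constructed (fictional SAMDOM domain).
set -eu

# conf_value <file> <key>: value of the first "key = value" line, trimmed
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | head -n1 | sed 's/[[:space:]]*$//'
}

# idmap_value <smb.conf> <domain> <key>: value of "idmap config <domain> : <key>"
idmap_value() {
    sed -n "s/^[[:space:]]*idmap config[[:space:]]*$2[[:space:]]*:[[:space:]]*$3[[:space:]]*=[[:space:]]*//p" "$1" \
        | head -n1 | sed 's/[[:space:]]*$//'
}

# check_pre_join <krb5.conf> <smb.conf> <cache dir> <lib dir>
# Prints every problem found; returns the number of problems (0 = ready to join).
check_pre_join() {
    problems=0
    realm_krb=$(conf_value "$1" default_realm | tr '[:lower:]' '[:upper:]')
    realm_smb=$(conf_value "$2" realm | tr '[:lower:]' '[:upper:]')
    workgroup=$(conf_value "$2" workgroup)

    if [ -z "$realm_krb" ] || [ "$realm_krb" != "$realm_smb" ]; then
        echo "realm mismatch: krb5.conf default_realm='$realm_krb', smb.conf realm='$realm_smb'"
        problems=$((problems + 1))
    fi
    if [ -z "$workgroup" ]; then
        echo "smb.conf: workgroup is not set"
        problems=$((problems + 1))
    else
        backend=$(idmap_value "$2" "$workgroup" backend)
        range=$(idmap_value "$2" "$workgroup" range)
        if [ "$backend" != "rid" ]; then
            echo "idmap config $workgroup : backend should be rid (got '$backend')"
            problems=$((problems + 1))
        fi
        # range must look like <start>-<end> with start < end
        if ! printf '%s\n' "$range" | grep -Eq '^[0-9]+-[0-9]+$' \
           || [ "${range%-*}" -ge "${range#*-}" ]; then
            echo "idmap config $workgroup : range is missing or invalid (got '$range')"
            problems=$((problems + 1))
        fi
    fi
    # .tdb databases copied from the master image (secrets, winbind caches)
    # would make every clone carry the master's machine identity and cache
    for dir in "$3" "$4"; do
        n=$(find "$dir" -name '*.tdb' 2>/dev/null | wc -l | tr -d ' ')
        if [ "$n" -gt 0 ]; then
            echo "$n stale .tdb file(s) under $dir; remove before joining"
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# write_sample <root>: constructed krb5.conf / smb.conf for a clone of a
# fictional SAMDOM.EXAMPLE.COM domain, plus empty Samba cache/lib directories
write_sample() {
    mkdir -p "$1/etc/samba" "$1/var/cache/samba" "$1/var/lib/samba"
    cat > "$1/etc/krb5.conf" <<'EOF'
[libdefaults]
    default_realm = SAMDOM.EXAMPLE.COM
    dns_lookup_kdc = true
EOF
    cat > "$1/etc/samba/smb.conf" <<'EOF'
[global]
    workgroup = SAMDOM
    realm = SAMDOM.EXAMPLE.COM
    security = ADS
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config SAMDOM : backend = rid
    idmap config SAMDOM : range = 10000-999999
    username map = /etc/samba/user.map
EOF
}

# demo: a clean clone passes, then a .tdb left over from the master is flagged
demo() {
    root=$(mktemp -d)
    write_sample "$root"
    echo "== clean clone =="
    check_pre_join "$root/etc/krb5.conf" "$root/etc/samba/smb.conf" \
                   "$root/var/cache/samba" "$root/var/lib/samba" && echo "ok"
    echo "== clone with a stale .tdb =="
    touch "$root/var/lib/samba/stale_example.tdb"   # constructed file name
    check_pre_join "$root/etc/krb5.conf" "$root/etc/samba/smb.conf" \
                   "$root/var/cache/samba" "$root/var/lib/samba" || echo "$? problem(s)"
    rm -rf "$root"
}
demo
```

On a real clone you would call check_pre_join with /etc/krb5.conf, /etc/samba/smb.conf, /var/cache/samba and /var/lib/samba and only proceed to the domain join when it returns 0; the realm comparison is case-insensitive because Kerberos realms are conventionally upper-case while smb.conf values are not.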