[Samba] Linux desktop setup with authentication against Samba AD DC
Peter Milesson
miles at atmos.eu
Sun Nov 24 19:35:17 UTC 2024
On 14.11.2024 17:24, Peter Milesson via samba wrote:
>
>
>
> On 14.11.2024 16:51, bd730c5053df9efb wrote:
>> On Thursday, November 14th, 2024 at 07:48, Peter Milesson via samba
>> <samba at lists.samba.org> wrote:
>>
>>>
>>> On 13.11.2024 21:14, Peter Milesson via samba wrote:
>>>
>>>> Hi folks,
>>>>
>>>> I'm figuring to setup a few Linux desktops with LXDM as display
>>>> manager, and with authentication against a Samba AD DC. After
>>>> successful authentication, I want the authenticated user's profile to
>>>> be downloaded, or preferably mapped, from a SMB server (Linux,
>>>> Windows, NAS, ...), to the local Linux PC. I intend to use Debian
>>>> Bookworm, with Archlinux as a secondary alternative (too bleeding edge
>>>> for my taste, as updates not seldom break the installation).
>>>>
>>>> Essentially I want a similar experience as Windows with redirected
>>>> folders, or roaming profiles. The intended use is a lightweight
>>>> desktop for occasional users sharing PCs, where full blown Windows
>>>> desktops are not economically justifiable (hardware and licensing
>>>> costs).
>>>>
>>>> Previously (many years ago) I made a setup based on NFS, but that's a
>>>> path I want to avoid, unless there is no other viable alternative.
>>>> That setup was based on the display manager Slim, which I had to tweak
>>>> to some extent. As Slim is ancient, and with no development for ages,
>>>> it's not an option.
>>>>
>>>> I guess the hardest part is setting up LXDM to authenticate against
>>>> the Samba AD DC. There may be other display managers, that better suit
>>>> the requirements. I have got little experience with alternatives, and
>>>> I'm completely open for suggestions.
>>>>
>>>> If somebody has got any experience with something similar, I would be
>>>> grateful to get some thoughts and ideas.
>>>>
>>>> Best regards,
>>>>
>>>> Peter
>>> Hi folks,
>>>
>>> I did some authentication testing, and it seems that the display
>>> manager
>>> uses pam_winbind for authentication, as does ssh. So far, so good.
>>>
>>> Now remains the problem of mapping a Samba share as the user's home
>>> directory.
>>>
>>> Is there somebody having any input on this?
>>>
>>> Best regards,
>>>
>>> Peter
>>>
>>>
>>>
>>>
>>>
>>> --
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions: https://lists.samba.org/mailman/options/samba
>> Hi!
>>
>> I have stopped using roaming profiles a couple of years ago but I do
>> use a home drive share. The users of the network have a personal
>> share in an smb share, lets call it \\FILESERVER\USERS\%USERNAME%
>> which in windows is mounted as the personal home drive (P:) and the
>> documents folder redirects to that drive, this drive is also made
>> available offline with windows CSC.
>>
>> I'm using a linux workstation for myself in a network where all the
>> client workstations are windows and what I have done is to use
>> pam_mount in combination with pam_winbind and what I do is have
>> pam_mount mount the SMB share on $HOME/.Documents (the dot is not a
>> typo) and with unison I synchronize $HOME/.Documents and
>> $HOME/Documents (the lack of the dot is not a typo). Unison has this
>> folder marked as removable. This way I use my documents folder and it
>> doesn't matter if I logged in being connected to my work's network or
>> not and when I am connected to the network I use unison to sync the
>> local copy of my Documents folder with my remote folder.
>>
>> Logging in being away from my work's network takes a little longer
>> because of the timeouts when pam_mount is trying to mount network
>> resources that are not available but it works great. This setup
>> doesn't cover the shared profile requirement but I guess that with
>> some tweaking it could be used to achieve something like that.
>>
>> Hope it helps.
>> Best regards,
>> Dave.
>>
> Hi Dave,
>
> Thanks for your input. I will have a look at it and report back.
>
> Best regards,
>
> Peter
>
>
Hi folks,

FYI, I've succeeded in setting up something that seems workable.

When domain users log in on their Linux PCs, they get their /home/<user>
folders mapped over CIFS from a Samba or Windows server. When they log
out, the /home/<user> folder is unmounted and deleted, and their profile
data remains on the server. The whole setup works similarly to
redirected folders in a Windows server environment. The setup is
intended for casual users who don't need a full blown Windows desktop
with M$ 365 and everything else that follows. There are lots of capable
desktop applications under Linux that can replace their Windows
counterparts, giving the users a nice full value experience. For
companies using mainly web based applications, it's a dirt cheap
solution. The hardware is really cheap, and it's a snap to roll out new
PCs with all basic settings. Using Samba Linux GPOs, it should be about
the same administrative work for the administrator as with Windows
desktop PCs.

The setup is based on Debian Bookworm, the display manager is LightDM,
and the desktop manager LXDE. Authentication is made with Kerberos to a
Samba or Windows AD DC through PAM. PAM-mount is taking care of mapping
the user folders from a share with Linux user profiles. The hardest bit
was making PAM-mount unmount and delete the user folders on the
Linux PC during the logout process. It needed some tweaking.

Best regards,

Peter
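Added example (not Peter's configuration, which the thread does not show): a pam_mount.conf.xml that implements the pattern he describes, i.e. a CIFS mount of a per-user profile folder onto /home/<user> using the user's own Kerberos ticket, with the mount point removed again at logout. The server name files.example.com, the share name profiles, the group "domain users" and the assumption that winbind is configured with "winbind use default domain = yes" (so %(USER) is the bare account name) are all assumptions made for this example; every element and option used is a documented pam_mount or mount.cifs option, but the values need adapting.

```xml
<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
<!--
  /etc/security/pam_mount.conf.xml
  Assumptions made for this example, not taken from the thread:
    - profile share //files.example.com/profiles with one folder per user
    - AD group "domain users"; "winbind use default domain = yes", so
      %(USER) is the plain sAMAccountName (otherwise use %(DOMAIN_USER))
    - pam_winbind (or pam_krb5/pam_sss) has already put a Kerberos ticket
      into a FILE credential cache before the PAM session phase runs
-->
<pam_mount>

  <!-- keep at 0 in production: debug output writes paths and mount
       options to syslog -->
  <debug enable="0" />

  <!-- Mount //files.example.com/profiles/<user> as the user's home.
       sec=krb5     authenticate with the user's own ticket; pam_mount
                    never has to store or replay the password
       cruid        uid whose credential cache cifs.upcall reads
       uid/gid      local ownership shown for files the server reports
                    without a Unix owner
       seal         require SMB3 encryption on the wire
       nosuid,nodev never honour setuid bits or device nodes stored on
                    the share: its contents are under user control
       vers=3.1.1   refuse SMB1/SMB2 downgrade -->
  <volume
      sgrp="domain users"
      fstype="cifs"
      server="files.example.com"
      path="profiles/%(USER)"
      mountpoint="/home/%(USER)"
      options="sec=krb5,cruid=%(USERUID),uid=%(USERUID),gid=%(USERGID),seal,nosuid,nodev,vers=3.1.1" />

  <!-- options users may add themselves, and options always forced on -->
  <mntoptions allow="nosuid,nodev,noexec" />
  <mntoptions require="nosuid,nodev" />

  <!-- create /home/<user> at login and rmdir it after the unmount;
       rmdir only succeeds on an empty directory, i.e. only after the
       share was actually unmounted, so nothing is deleted on the server -->
  <mkmountpoint enable="1" remove="true" />

  <!-- at logout, signal any process the user still has running (HUP is
       skipped, then TERM, then KILL, with "wait" between signals in the
       unit documented in pam_mount.conf(5)), so no open file keeps the
       mount busy and the unmount plus rmdir can succeed -->
  <logout wait="200000" hup="no" term="yes" kill="yes" />

</pam_mount>
```

For this to work, `session optional pam_mount.so` must come after the winbind/krb5 session lines in the PAM session stack (on Debian, installing libpam-mount lets pam-auth-update place it), pam_winbind must be told to obtain a ticket (`krb5_auth = yes` and `krb5_ccache_type = FILE` in /etc/security/pam_winbind.conf), and cifs-utils must be installed so that cifs.upcall and its request-key configuration are present. Two checks worth doing before rolling out: `klist` as a logged-in domain user should show a ticket for the cifs/files.example.com service after the mount, and a logout followed by `findmnt /home/<user>` and `ls /home` should show neither the mount nor the directory. If the unmount still fails, pam_mount logs the busy process to the journal; lingering user daemons started by the desktop session are the usual cause, which is what the `<logout>` element above addresses.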