[Samba] Linux desktop setup with authentication against Samba AD DC
Peter Milesson
miles at atmos.eu
Thu Nov 28 16:41:38 UTC 2024
Hi folks,
On request, I will share my experiences of setting up a bunch of simple,
cheap, Linux PCs with Kerberos authentication against a Samba/Windows AD
DC, with centrally stored home folders, and central device management.
This post is part 1 of 2, and describes the setup in verbal terms (for
those who are bureaucratically minded). The 2nd post will describe the
setup in technical detail, with comments about different caveats.
Hopefully the information will get some ideas spinning, and that it is
useful for somebody.
*Background*
I need to replace about 15 old (stupid) terminals and give occasional
access to a group of users that previously had no access to any IT
resources in the company. Due to changing workplace requirements, new
systems and processes, the new user group will need occasional access to
internet and intranet resources that do not require advanced
applications. A web browser, e-mail client, and possibly elementary
access to a word processor fulfill the requirements. Present users have
access to company resources over remote desktop to Windows servers. For
some of them, a complete Windows server desktop with all bells and
whistles is total overkill. Some of the terminals are shared between
users, while others are more or less used by a single user.
From a sysadmin point of view, the current terminals allow no
administration whatsoever. As a result, it is not possible to keep the
hardware and OS up to date centrally. Users also frequently leave the
terminals powered on when leaving work, even through lengthy vacations.
Though the power consumption is a small extra cost, it is a completely
avoidable cost.
Furthermore, classic terminals do not offer any future proofing when it
comes to new features and functionality, with security hardening becoming
more and more important. Also, the manufacturer gives access to firmware
and OS updates during a limited time frame.
*Objective*
Efficient administration of simple PCs/terminals and users who require
occasional access to internet and intranet services. The services should
be limited in scope, and consist mainly of web browsing, e-mail
communication, rudimentary document access, and possible access to
Windows remote desktop through an RDP client.
* User and device administration MUST be through Samba/Windows AD,
with optional Linux GPOs
* User authentication SHOULD use Kerberos (or future modern protocols)
* The user home directories MUST be centrally stored on a server share
for efficient backup
* Profiles SHOULD not be left on the device after logout (security,
integrity)
* The solution MUST be possible to run on hardware with limited
performance (old PCs, new mini-PCs)
* The solution MUST be future proof when it comes to updates, security
and new features and requirements (authentication, security
hardware, peripherals, etc.)
* The solution MUST allow for rapid deployment of new devices from a
master disk image
*Solution*
The solution consists of the following parts:
* Client PC with sufficient capabilities
* Existing AD DC (Samba or Windows) for authentication (Kerberos) and
user and device management
* Existing domain joined file storage (Samba or Windows) with a share
where the user home directories are stored
* Current Linux distribution, with systemd and PAM
* PAM modules for winbind, Kerberos and mount are mandatory
* cifs-utils is mandatory, as mount.cifs is used to mount the user
share from pam_mount
* Reliable time synchronization (needed by Kerberos)
* Samba on the client PC joined as a member server to the domain
* Display manager that stores the Kerberos tickets after successful
login (for example LightDM)
* Linux desktop according to personal preferences
* Additional applications like web browsers, e-mail clients, word
processors, PDF-viewers, etc.
/Comment/
winbind is used in the setup; forget about sss and FreeIPA
*Testing*
Two different PCs according to the specifications have been tested in two
different domains.
Domain 1: Samba AD domain (Debian Bookworm, Samba 4.21.1) with forest
and domain levels 2016, user folders on a SMB share on a member server
(Debian Bookworm, Samba 4.21.1)
Domain 2: Windows server AD (Windows 2022) with forest and domain levels
2016, user folders on a SMB share on a Dell PowerStore (OS ver. 3.6.x.x)
In both cases the behavior was as expected after initial parameter
tweaking (most notably pam_mount).
In post no. 2 the setup is described in technical detail.
Best regards,
Peter
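The pam_mount volume definition that the *Solution* list above implies (the user's home share mounted over CIFS with the login Kerberos ticket via mount.cifs), written out as an added example. It is not from Peter's post or the announced part 2. The file server name files.example.com, the share name homes, the one-directory-per-user layout, and the mount options are assumptions chosen for illustration; the site's real values go in their place.

```xml
<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
<!-- /etc/security/pam_mount.conf.xml on the client PC (added example, not
     from the original post).
     Assumed: the domain-joined file server files.example.com exports a share
     "homes" with one directory per user; the client is joined to the domain
     as a member server; pam_winbind is configured with krb5_auth = yes and
     krb5_ccache_type = FILE and runs before pam_mount in the PAM stacks, so a
     ticket cache for the user already exists when the session mount runs. -->
<pam_mount>
  <debug enable="0" />

  <!-- Mount the user's directory on the share on top of the home directory.
       sec=krb5           : authenticate the SMB session with the login ticket;
                            no password is handed to mount.cifs
       cruid=%(USERUID)   : tell cifs.upcall whose credential cache to use
                            (the user who just logged in, not root)
       uid=/gid=          : ownership presented for files when the server does
                            not map SIDs to local ids
       nosuid,nodev,noexec: a writable network share must not carry setuid
                            binaries, device nodes or executables; drop noexec
                            if users need to run scripts from their home
       vers=3.1.1         : do not negotiate down to SMB1/SMB2.0; lower to 3.0
                            only if the file server offers nothing newer -->
  <volume user="*"
          fstype="cifs"
          server="files.example.com"
          path="homes/%(USER)"
          mountpoint="~"
          options="sec=krb5,cruid=%(USERUID),uid=%(USERUID),gid=%(USERGID),nosuid,nodev,noexec,vers=3.1.1" />

  <!-- Create the mount point at login and remove it again at logout, so
       nothing of the profile stays on the local disk after the session
       (the "profiles SHOULD not be left on the device" objective). -->
  <mkmountpoint enable="1" remove="true" />
</pam_mount>
```

For this to work, both `auth optional pam_mount.so` and `session optional pam_mount.so` have to sit after the corresponding pam_winbind lines in the PAM stacks, because the session-phase mount needs the ticket cache that pam_winbind creates during authentication. Two checks before blaming pam_mount: `klist` as the logged-in user must show a valid TGT in a FILE cache, and `date` on client, DC and file server must agree within the Kerberos clock skew, which is why the post lists time synchronization as mandatory. If the umount at logout fails because a browser or agent still holds the mount, the share stays mounted for the next user of a shared terminal; the `<logout>` element of pam_mount.conf.xml(5) can signal lingering processes, and its settings are worth tuning on shared machines.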