[Samba] Linux desktop setup with authentication against Samba AD DC
Rowland Penny
rpenny at samba.org
Fri Nov 29 10:10:17 UTC 2024
On Thu, 28 Nov 2024 17:41:47 +0100
Peter Milesson via samba <samba at lists.samba.org> wrote:
> Hi folks,
>
> This is post no. 2, with technical information of how I set up the
> Linux PCs, and additional information about setting up the server
> shares. It will give the basic outlines to those trying to setup
> something similar, using another Linux distribution. I will not go
> into any detail about setting up the OS, and similar tasks, as it is
> assumed that the interested reader has got the required knowledge.
>
>
> *Hardware*
> CPU Gigabyte Brix GB-BRR5-4500 with AMD Ryzen 5 4500U, integrated GPU
> RAM Crucial 8GB DDR4-3200 SoDIMM, 1.2V, CL22
> SSD Patriot P320 PCIe M.2 256GB
>
> The chosen hardware is more than sufficient for the task at hand, and
> provides lots of performance to a very modest cost. Added to that,
> small footprint, quiet operations, and low power consumption.
>
>
> *Operating system*
> Debian Bookworm with backports (status end of November 2024)
>
> I chose Debian for this project, as it is a golden middle path, very
> stable, not too bleeding edge, neither too conservative, and with
> very few "surprises".
>
>
> *Setting up*
> I have exclusively used tools in Windows for setting up users in AD
> (ADUC) and configuring shares (Computer management).
>
> /Setup users in AD/
> Set up a few users in AD. The naming is irrelevant, use only names
> with ASCII A-Z, a-z, and 0-9 in user names (hint: have a look at MS's
> support pages about accented characters in user names)
>
>
> /Setting up a server share (Windows or Samba) for the home
> directories/ *NOTE!* The setup has only been tested with Windows ACLs
> for maximum compatibility between Windows and Linux. The behavior
> with POSIX ACLs is unknown.
>
> In the following text I will use the following abbreviations:
>
> This folder, subfolders, and files - TSF
> Subfolders and files only - SF
> This folder only - FO
>
> - Create the root directory for the home directories
> - Disable inheritance on the root folder
> - Set ownership on the root folder and assign permissions
> - Set ownership to a group or user with administrative access in
> the domain (Domain Admins, Administrator)
> - Everyone (Read & Execute, FO), SERVER\Administrators (Full,
> TSF), SYSTEM (Full, TSF), CREATOR OWNER (Full, SF), Administrator
> (Full, TSF)
> - Create the share in Computer Management, give full share
> permissions to Everyone
>
> I named the share linuxhomes$, which implies that it will be hidden
> when browsing the server. What you don't see, won't tempt you...
>
>
> /Create user home directories on the server/
> - Create a directory with a name corresponding to each user name in
> the share directory
> - Disable inheritance for each user directory
> - Add the to be user to the permission list
> - Set permissions on the user directory according to the following:
> - The user (Full, TSF), SERVER\Administrators (Full, TSF), CREATOR
> OWNER (Full, SF), SYSTEM (Full, TSF), Administrator (Full, TSF)
> - Set ownership of the user's directory to that of the user
>
>
> /Setting up Debian and installing components/
> *Note!* The setup is untested with Samba versions below 4.21.1, YMMV.
> - Make a minimal installation of Debian on the PC, only system
> utilities and sshd at this point
> - Configure hostname and network, check that time synchronization
> (networkd-timesyncd) works. Caveat: When using DHCP, check that the
> DHCP server DNS point to AD DCs, oteherwise you need to use a static
> IP address on the PC, and set one or more AD DCs as name servers
> - Add debian-backports to sources-list, update and upgrade
> - Install other required packages from debian-backports: sudo,
> cifs-utils, attr, xattr, acl, cups
> - Make sure there is at least one local sudo user
> - Make sure nscd is not installed, disabling avahi-daemon.service and
> avahi-daemon.socket may also be a good idea
> - Install the following packages from debian-backports, but exclude
> samba-ad-dc and samba-ad-provision:
> - krb5-user krb5-config libldb2 libnss-winbind libpam-winbind
> libwbclient0 python3-ldb python3-cryptography python3-samba samba
> samba-common samba-common-bin samba-dsdb-modules samba-libs
> samba-vfs-modules winbind libpam-krb5 libpam-mount hxtools tdb-tools
>
>
> /Setup Samba/
> - Stop winbind, smbd, and nmbd
> - Mask the nmbd service
> - Configure Kerberos
> - Configure /etc/samba/smb.conf
> - Check that nsswitch.conf is OK and contains winbind for passwd and
> group
>
>
> /smb.conf example/
> # Global parameters
> [global]
> dedicated keytab file = /etc/krb5.keytab
> disable netbios = Yes
> disable spoolss = Yes
> kerberos method = secrets and keytab
> printcap name = /dev/null
> realm = SAMDOM.EXAMPLE.NET
> restrict anonymous = 2
> security = ADS
> server role = member server
> smb ports = 445
> template homedir = /home/%U
> template shell = /bin/bash
> username map = /etc/samba/user.map
> min domain uid = 0
> winbind refresh tickets = Yes
> winbind use default domain = Yes
> workgroup = SAMDOM
> idmap config * : backend = tdb
> idmap config * : range = 3000-9999
> idmap config samdom : backend = rid
> idmap config samdom : range = 10000-99999
> map acl inherit = Yes
> vfs objects = acl_xattr
>
>
> //etc/samba/user.map example/
> !root = SAMDOM\Administrator
>
>
> /Join the domain (as root, not sudo) and test/
> samba-tool domain join samdom.example.net MEMBER -U administrator
>
> samba-tool may output a bunch of error messages, but the important
> message is the last one, that the join was successful.
>
> Start smbd and winbind
>
> Run wbinfo --ping-dc, and check that the connection is successful
>
>
> /Modify /etc/pam.d/common-session/
> To avoid multiple mounts of the home directory, in case the user's
> home directory is not unmounted after logout, it is necessary to add
> the following line immediately before "session optional pam_mount.so"
>
> session [success=1 default=ignore] pam_succeed_if.so service =
> systemd-user
>
>
> /Setup automatic mounting with pam_mount after successful login/
> Edit the file /etc/security/pam_mount.conf.xml and add the following
> contents after <!-- Volume definitions -->:
>
> <volume user="*"
> fstype="cifs"
> server="<FQDN of server>"
> path="linuxhomes$/%(DOMAIN_USER)"
> mountpoint="/home/%(DOMAIN_USER)"
> uid="10000-999999"
> options="nosuid,nodev,sec=krb5i,cruid=%(USERUID),mfsymlinks,nobrl,vers=3.0"
> />
>
> The parameter uid should contain the same value as "idmap config
> samdom : range = 10000-99999" in /etc/samba/smb.conf". It means
> effectively, that no mounting should be tried for a user outside the
> uid span.
>
> The following parameter must also be set properly, otherwise the
> user's home directory is not unmounted after logout
>
> <logout wait="200000" hup="no" term="yes" kill="yes" />
>
> If the PC and/or network is slow, it may be necessary to increase the
> wait value. With a value of 100000 (0.1s), I experienced that the
> user home directory did not get unmounted after logging off.
>
>
> /Testing before installing a graphical desktop/
> At this point you can try to login to the console either using a
> classic windows login name (WORKGROUP\user), or UPN:
>
> SAMDOM\user
> user at samdom.example.net
>
> - Check that your user directory is under /home
> - Try to create a file, an empty one is OK, check on the server that
> the file is in the user directory.
> - Log out and log in as a local user
> - Check that there is no directory /home/user.
> - If there is, you need to increase the parameter logout wait= in
> /etc/security/pam_mount.conf.xml. *Note!* The delay is given in
> microseconds!
>
> Login with SSH should behave like console login.
>
>
> /Setting up the display manager/
> It is important to use a display manager that stores Kerberos
> tickets, if you intend to use other kerberized services. In this
> setup LightDM was used. I tried with LXDM, as it is even more
> lightweight than LightDM, but Kerberos tickets are not stored.
>
> When using a gvfs-based display manager (like LightDM), it is
> important to modify the behavior of the gvfs-daemon. It is a daemon
> that runs in userland, and in the original setup, it does not pick up
> the Kerberos ticket.
>
> It is necessary to override this behavior by creating the unit file
> /etc/systemd/user/gvfs-daemon
>
> [Unit]
> Description=Virtual filesystem service
> PartOf=graphical-session.target
>
> [Service]
> Environment="KRB5CCNAME=FILE:/tmp/krb5cc_%U"
> ExecStart=/usr/libexec/gvfsd
> Type=dbus
> BusName=org.gtk.vfs.Daemon
> Slice=session.slice
>
>
> /Setting up the graphical desktop/
> The choice of graphical desktop is an individual one. The choice here
> was LXDE, as it is very light weight and fast. Windows users (at
> least up to Windows 10) should not have any problems to feel at home
> here. You could always argue that the looks are seriously outdated,
> but the intention is fulfilling a purpose: Getting the user to do
> some work. If you miss the 3D-looks and the themes of a modern Disney
> cartoon, I recommend switching to Windows 11.
>
> You want to start with a basic LXDE desktop, as the complete LXDE
> meta package contains uncountable applications. Additional LXDE
> elements, and required applications can be installed later on. LXDE
> is installed with the following packages:
>
> - lxde-core lxinput
>
> The lxinput package enables the user to alter the mouse settings.
> Very handy for left handed persons.
>
> Confirm that it is possible to login with the display manager as a
> domain user with a home directory defined. Use either the classic
> Windows login style (WORKGRUP\user) or with UPN.
>
>
> /Installing required applications/
> One of the final tasks is installation of required applications like
> web browsers, e-mail clients, remote desktop clients, etc. In this
> case, I installed Firefox, Thunderbird, Xpdf, LibreOffice, and
> FreeRDP. Also install specific language packs, if that is required
> (see below about localization).
>
>
> /Localization/
> If there are users which require a different user locale, the basic
> locale definitions should be configured now. Define the wanted
> locales. Edit /etc/locale.gen and uncomment the required locales,
> then run sudo locale-gen. Individual locale setting is described
> below.
>
>
> /Configure CUPS and define printers for a limited set of users/
> This is the right moment for defining printers, if there is intention
> of rolling out the image to several PCs with identical setups.
>
>
> /Finalizing and saving a master image/
> When the basic setup is working, the disk image can be saved as a
> master for rapid deployment of new devices.
>
> If you intend to replicate the setup to new PCs, the current machine
> must first be removed from the domain, otherwise the new PC will
> "steal" the AD registration from a previous PC with the same setup.
> Remove the PC from the domain with:
>
> sudo net ads leave -U Administrator
>
> Power off the PC and boot up a Linux environment containing tools for
> copying an image of the whole disk.
>
> I usually boot up an Archlinux installation image on a USB drive, as
> it contains all necessary tools, and transfer the disk image with dd
> over ssh.
>
>
> /Individual localization/
> LXDE can be set up for individual locales. This step is a once and
> for all activity, as the settings will be stored in the user's home
> directory, not on the PC. The setup is preferably made from another
> Linux PC, by subsequently mounting the home directories share as the
> Linux PC users, and adding the file described below.
>
> It is assumed that the necessary locale definitions are configured on
> all the user PCs.
>
> Repeat the following for every user that requires an individual
> locale.
>
> - Mount the Linux user home share on the server as a specific user
> - Create the file .xsessionrc (*Note* lower case) in the user's home
> directory. The contents are (for example Czech):
>
> LC_ALL=
> LANG=cs_CZ.UTF-8
> LANGUAGE=cs_CZ:de:en
>
> Applications based on gettext uses the LANGUAGE parameter, and in
> this example messages are preferably displayed in Czech, then German,
> and finally English.
>
> Other LC_ variables can be added according to your requirements.
> *Note!* It is considered a bad practice setting the LC_ALL parameter,
> as it overrides everything else.
>
> Unmount the share and repeat for other users.
>
>
> /Setting up a new PC from the master image/
> *NOTE!* This may not work if the BIOS is set to UEFI secure boot. How
> to migrate from standard UEFI boot to secure UEFI boot is beyond the
> scope of this description
> - Boot the new PC with an installation image on a USB drive, that
> contains a sufficient set of tools.
> - Make sure that the disk in the new PC is sufficiently large for the
> image, at least the same size as the image
> - Write the image to the PC's disk with the help of dd over SSH
> - Reboot the PC
> - Login as root from the console
> - Change the host name in the hostname and hosts files
> - Check/adjust the file /etc/network/interfaces and make sure the
> correct network interface names are used
> - Reboot the PC
> - Login as root from the console
> - Stop smbd and winbind
> - Join the PC to the domain (se above)
> - Start smbd and winbind and check the domain connection with wbinfo
> --ping-dc
> - Logout from root
> - Make a test login as a user with home directory on the server
> - Check that the user profile works
> - Logout the user
> - Login as a local user
> - Check that the home directory for the previously logged in user
> does not exist
>
> If the previously logged in user with a server home directory has
> left a mounted home directory, it is necessary to increase the logout
> wait time in the file /etc/security/pam_mount.conf.xml.
> - Reboot the PC
> - Login as root or local user with sudo privileges
> - Remove the user directory for the user with a server home directory
> - Increase the value until the user home directory is automatically
> removed after logout
>
>
> *Conclusion*
> After going through the steps above, there is a working PC with a
> graphical desktop, with authentication based on Kerberos and user
> profiles stored on a server. The users and PCs are all managed
> through AD, and with addition of administrative templates for Linux
> in AD, GPOs can be used for even more detailed administration.
>
> If there are many Linux PCs to handle, it is probably a good idea to
> setup routines for regular updates and maintenance using scripting.
>
> In case that the users store information with any importance at all,
> regular backups of the server share should be scheduled.
>
> I hope you find the concept inspiring, and useful.
>
> Peter
Hi Peter, that was actually more than what I was expecting, a very
detailed tutorial indeed.
I wonder if the basic setup could be used with any Linux distro ?
Only one way to find out, try it, so I am off to install LMDE6 in a VM
:-)
Rowland
More information about the samba
mailing list