[Samba] Linux desktop setup with authentication against Samba AD DC

Fri Nov 29 19:50:21 UTC 2024

On 11/29/24 20:07, Rowland Penny via samba wrote:
> On Fri, 29 Nov 2024 12:07:45 +0100
> Peter Milesson via samba <samba at lists.samba.org> wrote:
>
>>> Hi Peter, that was actually more than what I was expecting, a very
>>> detailed tutorial indeed.
>>>
>>> I wonder if the basic setup could be used with any Linux distro ?
>>> Only one way to find out, try it, so I am off to install LMDE6 in a
>>> VM :-)
>>>
>>> Rowland
>>>
>>>
>> Hi Rowland,
>>
>> I have tried it in a VM also. Works without any problems. I'm going
>> to try it in a decommissioned, 7 year old workstation with completely
>> different hardware in a few moments.
>>
>> Good luck,
>>
>> Peter
>>
> OK, I have got it work with an LMDE6 install, but not with Peter's
> 'volume' pam_mount.conf.xml setting, I had to use:
>
> <volume fstype="cifs"
>          server="cm4nas.samdom.example.com"
>          path="users"
>          mountpoint="/home/SAMDOM/%(USER)"
>          options="user=%(USER),cruid=%(USER),sec=krb5"
> />
>
> Rowland
>
>
>
Hi Rowland,

As I stated in my (maybe too voluminous) description, the setup may not 
be applicable to other distributions out of the box, which I naturally 
did not expect. I have been using completely up to date Debian Bookworm 
setups, and everything I made has been reproducible (physical PC, VM, 
Windows server, Samba server).

I got stuck with %{USER}, and then studied the Ubuntu man pages of 
libpam-mount in great detail. I sifted through lots of pages about 
pam_mount, and it seems that the options "nosuid,nodev" are more or less 
mandatory. The "mfsymlinks,nobrl,vers=3.0" also seem to be important. 
Are you using /home/SAMDOM/%D/%U  as template homedir in your smb.conf?

If there are different interpretations of the %{USER} and %{DOMAIN_USER 
} parameters between different distributions, that would be really bad. 
But it wouldn't surprise me.

I'm going to try it out with a PC running Archlinux. Archlinux is 
sometimes deviating in quite unexpected (and incomprehensible) 
directions, which could make it a challenge. Personally, I like 
Archlinux for mostly being in the absolute fore front line of Linux 
development, but if I put on my sysadmin hat, it's a walk through a mine 
field.

Anyway, it's nice to get to know that you took interest, and that you 
confirmed the viability of the concept in a completely independent domain.

I wish you a nice weekend.

Peter