[Samba] Linux desktop setup with authentication against Samba AD DC
Rowland Penny
rpenny at samba.org
Fri Nov 29 20:40:04 UTC 2024
On Fri, 29 Nov 2024 20:50:21 +0100
Peter Milesson <miles at atmos.eu> wrote:
>
> On 11/29/24 20:07, Rowland Penny via samba wrote:
> > On Fri, 29 Nov 2024 12:07:45 +0100
> > Peter Milesson via samba <samba at lists.samba.org> wrote:
> >
> >>> Hi Peter, that was actually more than what I was expecting, a very
> >>> detailed tutorial indeed.
> >>>
> >>> I wonder if the basic setup could be used with any Linux distro ?
> >>> Only one way to find out, try it, so I am off to install LMDE6 in
> >>> a VM :-)
> >>>
> >>> Rowland
> >>>
> >>>
> >> Hi Rowland,
> >>
> >> I have tried it in a VM also. Works without any problems. I'm going
> >> to try it in a decommissioned, 7 year old workstation with
> >> completely different hardware in a few moments.
> >>
> >> Good luck,
> >>
> >> Peter
> >>
> > OK, I have got it work with an LMDE6 install, but not with Peter's
> > 'volume' pam_mount.conf.xml setting, I had to use:
> >
> > <volume fstype="cifs"
> > server="cm4nas.samdom.example.com"
> > path="users"
> > mountpoint="/home/SAMDOM/%(USER)"
> > options="user=%(USER),cruid=%(USER),sec=krb5"
> > />
> >
> > Rowland
> >
> >
> >
> Hi Rowland,
>
> As I stated in my (maybe too voluminous) description, the setup may
> not be applicable to other distributions out of the box, which I
> naturally did not expect. I have been using completely up to date
> Debian Bookworm setups, and everything I made has been reproducible
> (physical PC, VM, Windows server, Samba server).
From my understanding, LMDE6 is basically Debian 12 with the Cinnamon
desktop slapped on top of it, a bit like Raspberry Pi OS. This is
one reason I used it.
>
> I got stuck with %{USER}, and then studied the Ubuntu man pages of
> libpam-mount in great detail. I sifted through lots of pages about
> pam_mount, and it seems that the options "nosuid,nodev" are more or
> less mandatory. The "mfsymlinks,nobrl,vers=3.0" also seem to be
> important. Are you using /home/SAMDOM/%D/%U as template homedir in
> your smb.conf?
I used your 'volume' setup verbatim but it didn't work for me, so I
tried one I had used previously and it worked.
This is the users directory on the 'NAS' (in reality, an rpi CM4
running bookworm) before the mount on the client:
adminuser@cm4nas:~ $ sudo ls -la /home/SAMDOM/users/rowland/
total 8
drwx------ 2 rowland root 4096 Nov 29 16:33 .
drwxr-xr-x 4 root root 4096 Nov 23 14:35 ..
and this is it again after the mount:
adminuser@cm4nas:~ $ sudo ls -la /home/SAMDOM/users/rowland/
total 284
drwx------ 14 rowland root 4096 Nov 29 17:27 .
drwxr-xr-x 4 root root 4096 Nov 23 14:35 ..
drwxrwxr-x+ 7 rowland domain users 4096 Nov 29 17:27 .cache
drwxrwxr-x+ 12 rowland domain users 4096 Nov 29 17:26 .config
drwxrwxr-x+ 2 rowland domain users 4096 Nov 29 17:26 Desktop
drwxrwxr-x+ 2 rowland domain users 4096 Nov 29 17:26 Documents
drwxrwxr-x+ 2 rowland domain users 4096 Nov 29 17:26 Downloads
drwxrwxr-x+ 3 rowland domain users 4096 Nov 29 17:27 .linuxmint
drwxrwxr-x+ 4 rowland domain users 4096 Nov 29 17:26 .local
drwxrwxr-x+ 2 rowland domain users 4096 Nov 29 17:26 Music
drwxrwxr-x+ 2 rowland domain users 4096 Nov 29 17:26 Pictures
drwxrwxr-x+ 2 rowland domain users 4096 Nov 29 17:26 Public
drwxrwxr-x+ 2 rowland domain users 4096 Nov 29 17:26 Templates
drwxrwxr-x+ 2 rowland domain users 4096 Nov 29 17:26 Videos
-rwxrwxr-x+ 1 rowland domain users 53 Nov 29 17:26 .Xauthority
-rwxrwxr-x+ 1 rowland domain users 171747 Nov 29 17:27 .xsession-errors
>
> If there are different interpretations of the %{USER} and
> %{DOMAIN_USER} parameters between different distributions, that
> would be really bad. But it wouldn't surprise me.
I think the difference is that '%(USER)' is 'rowland' and
'%(DOMAIN_USER)' is 'SAMDOM\rowland'
>
> I'm going to try it out with a PC running Archlinux. Archlinux is
> sometimes deviating in quite unexpected (and incomprehensible)
> directions, which could make it a challenge. Personally, I like
> Archlinux for mostly being at the absolute forefront of Linux
> development, but if I put on my sysadmin hat, it's a walk through a
> minefield.
I think that getting it to work on Arch will be interesting, but I am
not a fan of Arch, such a good distro, but not the easiest to install.
>
> Anyway, it's nice to get to know that you took interest, and that you
> confirmed the viability of the concept in a completely independent
> domain.
I tried to get something like this to work a couple of years ago and
couldn't: the directory wouldn't mount on /home. I did come up with
a setup that mounted the directory into /srv and rsynced the two, a bit
of a kludge to be honest. You got there and pointed the way ;-)
>
> I wish you a nice weekend.
>
At my age, every weekend is a good one.
Rowland
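The two points the thread turns on are how pam_mount expands %(USER) and
%(DOMAIN_USER) in a <volume> element, and which mount options (nosuid,
nodev) Peter found to be more or less mandatory. The script below is an
added example, not code from the thread or from pam_mount itself: it parses
a pam_mount.conf.xml fragment modelled on Rowland's working volume,
substitutes the placeholders the way Rowland describes them ('rowland' and
'SAMDOM\rowland'), and reports which hardening options are missing and
whether the volume authenticates with a Kerberos ticket. The config text,
the user "rowland" and the %(DOMAIN_NAME) value are constructed for the
demo; the server, share and domain names are the ones in the thread.

```python
"""Expand and lint a pam_mount <volume> element (added example)."""
import re
import xml.etree.ElementTree as ET

# Constructed pam_mount.conf.xml fragment, modelled on the volume that
# worked for Rowland on LMDE6 (server/share/domain names from the thread).
SAMPLE_CONF = """<pam_mount>
  <volume fstype="cifs"
          server="cm4nas.samdom.example.com"
          path="users"
          mountpoint="/home/SAMDOM/%(USER)"
          options="user=%(USER),cruid=%(USER),sec=krb5"
  />
</pam_mount>"""

# Options a defender wants on a user-writable network home: nosuid/nodev
# stop setuid binaries or device nodes placed on the share from being
# honoured by the client kernel.
HARDENING_OPTIONS = ("nosuid", "nodev")

_PLACEHOLDER = re.compile(r"%\((USER|DOMAIN_USER|DOMAIN_NAME)\)")


def placeholder_values(user, domain):
    """Values substituted for the placeholders, as Rowland describes them."""
    return {
        "USER": user,                        # 'rowland'
        "DOMAIN_USER": f"{domain}\\{user}",  # 'SAMDOM\rowland'
        "DOMAIN_NAME": domain,               # assumption: bare NetBIOS domain
    }


def expand(template, user, domain):
    """Replace every %(NAME) placeholder in one attribute value."""
    values = placeholder_values(user, domain)
    return _PLACEHOLDER.sub(lambda m: values[m.group(1)], template)


def expand_volumes(conf_xml, user, domain):
    """Return one dict per <volume>, with all attributes expanded and
    a UNC-style 'source' added for readability."""
    root = ET.fromstring(conf_xml)
    volumes = []
    for vol in root.iter("volume"):
        expanded = {k: expand(v, user, domain) for k, v in vol.attrib.items()}
        expanded["source"] = f"//{expanded['server']}/{expanded['path']}"
        volumes.append(expanded)
    return volumes


def missing_hardening(options):
    """Hardening options absent from a comma-separated mount option string."""
    present = {o.split("=", 1)[0] for o in options.split(",") if o}
    return [o for o in HARDENING_OPTIONS if o not in present]


def uses_kerberos(options):
    """True when the volume mounts with a Kerberos ticket (sec=krb5/krb5i)
    rather than a password stored or prompted for by pam_mount."""
    opts = options.split(",")
    return "sec=krb5" in opts or "sec=krb5i" in opts


if __name__ == "__main__":
    for vol in expand_volumes(SAMPLE_CONF, "rowland", "SAMDOM"):
        print(f"{vol['source']} -> {vol['mountpoint']} ({vol['options']})")
        missing = missing_hardening(vol["options"])
        if missing:
            print("  missing hardening options:", ",".join(missing))
        print("  kerberos:", uses_kerberos(vol["options"]))
```

Run against the sample it reports that Rowland's volume mounts
//cm4nas.samdom.example.com/users on /home/SAMDOM/rowland with a Kerberos
ticket, but without nosuid and nodev; adding those two options to the
options attribute is the change Peter's findings suggest.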