[Samba] Linux desktop setup with authentication against Samba AD DC

Peter Milesson miles at atmos.eu
Sat Nov 30 16:14:24 UTC 2024




On 29.11.2024 21:40, Rowland Penny via samba wrote:
> On Fri, 29 Nov 2024 20:50:21 +0100
> Peter Milesson <miles at atmos.eu> wrote:
>
>> On 11/29/24 20:07, Rowland Penny via samba wrote:
>>> On Fri, 29 Nov 2024 12:07:45 +0100
>>> Peter Milesson via samba <samba at lists.samba.org> wrote:
>>>
>>>>> Hi Peter, that was actually more than what I was expecting, a very
>>>>> detailed tutorial indeed.
>>>>>
>>>>> I wonder if the basic setup could be used with any Linux distro ?
>>>>> Only one way to find out, try it, so I am off to install LMDE6 in
>>>>> a VM :-)
>>>>>
>>>>> Rowland
>>>>>
>>>>>
>>>> Hi Rowland,
>>>>
>>>> I have tried it in a VM also. Works without any problems. I'm going
>>>> to try it in a decommissioned, 7 year old workstation with
>>>> completely different hardware in a few moments.
>>>>
>>>> Good luck,
>>>>
>>>> Peter
>>>>
>>> OK, I have got it to work with an LMDE6 install, but not with Peter's
>>> 'volume' pam_mount.conf.xml setting, I had to use:
>>>
>>> <volume fstype="cifs"
>>>           server="cm4nas.samdom.example.com"
>>>           path="users"
>>>           mountpoint="/home/SAMDOM/%(USER)"
>>>           options="user=%(USER),cruid=%(USER),sec=krb5"
>>> />
>>>
>>> Rowland
>>>
>>>
>>>
>> Hi Rowland,
>>
>> As I stated in my (maybe too voluminous) description, the setup may
>> not be applicable to other distributions out of the box, which I
>> naturally did not expect. I have been using completely up to date
>> Debian Bookworm setups, and everything I made has been reproducible
>> (physical PC, VM, Windows server, Samba server).
> From my understanding, LMDE6 is basically Debian 12 with the Cinnamon
> desktop slapped on top of it, a bit like the Raspberry pi OS. This is
> one reason I used it.
>
>> I got stuck with %{USER}, and then studied the Ubuntu man pages of
>> libpam-mount in great detail. I sifted through lots of pages about
>> pam_mount, and it seems that the options "nosuid,nodev" are more or
>> less mandatory. The "mfsymlinks,nobrl,vers=3.0" also seem to be
>> important. Are you using /home/SAMDOM/%D/%U as template homedir in
>> your smb.conf?
> I used your 'volume' setup verbatim but it didn't work for me, so I
> tried one I had used previously and it worked.
>
> This is the users directory on the 'NAS' (in reality, an rpi CM4
> running bookworm) before the mount on the client:
>
> adminuser at cm4nas:~ $ sudo ls -la /home/SAMDOM/users/rowland/
> total 8
> drwx------ 2 rowland root 4096 Nov 29 16:33 .
> drwxr-xr-x 4 root    root 4096 Nov 23 14:35 ..
>
> and this it again after the mount:
>
> adminuser at cm4nas:~ $ sudo ls -la /home/SAMDOM/users/rowland/
> total 284
> drwx------  14 rowland root           4096 Nov 29 17:27 .
> drwxr-xr-x   4 root    root           4096 Nov 23 14:35 ..
> drwxrwxr-x+  7 rowland domain users   4096 Nov 29 17:27 .cache
> drwxrwxr-x+ 12 rowland domain users   4096 Nov 29 17:26 .config
> drwxrwxr-x+  2 rowland domain users   4096 Nov 29 17:26 Desktop
> drwxrwxr-x+  2 rowland domain users   4096 Nov 29 17:26 Documents
> drwxrwxr-x+  2 rowland domain users   4096 Nov 29 17:26 Downloads
> drwxrwxr-x+  3 rowland domain users   4096 Nov 29 17:27 .linuxmint
> drwxrwxr-x+  4 rowland domain users   4096 Nov 29 17:26 .local
> drwxrwxr-x+  2 rowland domain users   4096 Nov 29 17:26 Music
> drwxrwxr-x+  2 rowland domain users   4096 Nov 29 17:26 Pictures
> drwxrwxr-x+  2 rowland domain users   4096 Nov 29 17:26 Public
> drwxrwxr-x+  2 rowland domain users   4096 Nov 29 17:26 Templates
> drwxrwxr-x+  2 rowland domain users   4096 Nov 29 17:26 Videos
> -rwxrwxr-x+  1 rowland domain users     53 Nov 29 17:26 .Xauthority
> -rwxrwxr-x+  1 rowland domain users 171747 Nov 29 17:27 .xsession-errors
>
>> If there are different interpretations of the %{USER} and
>> %{DOMAIN_USER} parameters between different distributions, that
>> would be really bad. But it wouldn't surprise me.
> I think the difference is that '%(USER)' is 'rowland' and
> '%(DOMAIN_USER)' is 'SAMDOM\rowland'
>
>> I'm going to try it out with a PC running Archlinux. Archlinux is
>> sometimes deviating in quite unexpected (and incomprehensible)
>> directions, which could make it a challenge. Personally, I like
>> Archlinux for mostly being in the absolute forefront of Linux
>> development, but if I put on my sysadmin hat, it's a walk through a
>> minefield.
> I think that getting it to work on Arch will be interesting, but I am
> not a fan of Arch, such a good distro, but not the easiest to install.
>
>> Anyway, it's nice to get to know that you took interest, and that you
>> confirmed the viability of the concept in a completely independent
>> domain.
> I tried to get something like this to work a couple of years ago and
> couldn't, the directory wouldn't mount on /home, but I did come up with
> a setup that mounted the directory into /srv and rsynced the two, a bit
> of a kludge to be honest, you got there and pointed the way ;-)
>   
>> I wish you a nice weekend.
>>
> At my age, every weekend is a good one.
>
> Rowland
>   
>
Hi Rowland,

I got it working under Archlinux also. Most of the work was looking up 
how to configure PAM with the pam_winbind and pam_krb5 modules. Not very 
well documented.

There is a Wiki page about setting up AD integration, but it would imply 
moving the Kerberos cache file, which would break everything dependent 
on Kerberos tickets.

Best regards,

Peter
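An added example, not part of either poster's setup: a small linter that reads pam_mount.conf.xml volume entries, expands the %(USER) placeholder the way the thread uses it, and flags cifs volumes that lack the options the thread treats as important (sec=krb5 together with cruid, plus nosuid and nodev). The sample configuration, the placeholder map and the rule set are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample: entry 1 mirrors the working entry quoted in the thread,
# entry 2 is a weak variant, entry 3 adds the options the thread calls important.
SAMPLE_CONF = """<pam_mount>
<volume fstype="cifs" server="cm4nas.samdom.example.com" path="users"
        mountpoint="/home/SAMDOM/%(USER)"
        options="user=%(USER),cruid=%(USER),sec=krb5" />
<volume fstype="cifs" server="nas.example.com" path="share"
        mountpoint="/mnt/%(USER)" options="user=%(USER),sec=ntlmssp" />
<volume fstype="cifs" server="cm4nas.samdom.example.com" path="users"
        mountpoint="/home/SAMDOM/%(USER)"
        options="user=%(USER),cruid=%(USER),sec=krb5,nosuid,nodev,nobrl,mfsymlinks,vers=3.0" />
</pam_mount>"""

REQUIRED = {"nosuid", "nodev"}  # assumption: treated as mandatory, as the thread suggests

def parse_options(opt_string):
    """Turn 'a=b,c' into {'a': 'b', 'c': ''}; bare flags map to ''."""
    opts = {}
    for item in filter(None, opt_string.split(",")):
        key, _, value = item.partition("=")
        opts[key.strip()] = value.strip()
    return opts

def expand(template, subs):
    """Replace pam_mount-style %(NAME) placeholders from a caller-supplied map."""
    for name, value in subs.items():
        template = template.replace("%%(%s)" % name, value)
    return template

def lint_volume(vol, subs):
    """Return (expanded mountpoint, list of findings) for one <volume> element."""
    findings = []
    opts = parse_options(vol.get("options", ""))
    for missing in sorted(REQUIRED - opts.keys()):
        findings.append("missing " + missing)
    if opts.get("sec") != "krb5":
        findings.append("sec=%s is not krb5" % opts.get("sec", "<unset>"))
    elif "cruid" not in opts:
        # pam_mount mounts as root; cruid names the uid whose ticket cache is used
        findings.append("sec=krb5 without cruid")
    return expand(vol.get("mountpoint", ""), subs), findings

def lint(conf_xml, subs):
    """Lint every <volume> in the given pam_mount.conf.xml text."""
    root = ET.fromstring(conf_xml)
    return [lint_volume(v, subs) for v in root.iter("volume")]
```

Running `lint(SAMPLE_CONF, {"USER": "rowland"})` reports the two missing options on the first entry, the non-Kerberos `sec=` on the second, and nothing on the third.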