bd730c5053df9efb
2024-Nov-14 15:51 UTC
[Samba] Linux desktop setup with authentication against Samba AD DC
On Thursday, November 14th, 2024 at 07:48, Peter Milesson via samba <samba at lists.samba.org> wrote:

> On 13.11.2024 21:14, Peter Milesson via samba wrote:
>
> > Hi folks,
> >
> > I'm figuring to setup a few Linux desktops with LXDM as display
> > manager, and with authentication against a Samba AD DC. After
> > successful authentication, I want the authenticated user's profile to
> > be downloaded, or preferably mapped, from a SMB server (Linux,
> > Windows, NAS, ...), to the local Linux PC. I intend to use Debian
> > Bookworm, with Archlinux as a secondary alternative (too bleeding edge
> > for my taste, as updates not seldom break the installation).
> >
> > Essentially I want a similar experience as Windows with redirected
> > folders, or roaming profiles. The intended use is a lightweight
> > desktop for occasional users sharing PCs, where full blown Windows
> > desktops are not economically justifiable (hardware and licensing costs).
> >
> > Previously (many years ago) I made a setup based on NFS, but that's a
> > path I want to avoid, unless there is no other viable alternative.
> > That setup was based on the display manager Slim, which I had to tweak
> > to some extent. As Slim is ancient, and with no development for ages,
> > it's not an option.
> >
> > I guess the hardest part is setting up LXDM to authenticate against
> > the Samba AD DC. There may be other display managers, that better suit
> > the requirements. I have got little experience with alternatives, and
> > I'm completely open for suggestions.
> >
> > If somebody has got any experience with something similar, I would be
> > grateful to get some thoughts and ideas.
> >
> > Best regards,
> >
> > Peter
>
> Hi folks,
>
> I did some authentication testing, and it seems that the display manager
> uses pam_winbind for authentication, as does ssh. So far, so good.
>
> Now remains the problem of mapping a Samba share as the user's home
> directory.
>
> Is there somebody having any input on this?
>
> Best regards,
>
> Peter
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

Hi!

I have stopped using roaming profiles a couple of years ago but I do use a home drive share. The users of the network have a personal share in an smb share, let's call it \\FILESERVER\USERS\%USERNAME% which in Windows is mounted as the personal home drive (P:) and the documents folder redirects to that drive, this drive is also made available offline with Windows CSC.

I'm using a Linux workstation for myself in a network where all the client workstations are Windows and what I have done is to use pam_mount in combination with pam_winbind and what I do is have pam_mount mount the SMB share on $HOME/.Documents (the dot is not a typo) and with unison I synchronize $HOME/.Documents and $HOME/Documents (the lack of the dot is not a typo). Unison has this folder marked as removable. This way I use my documents folder and it doesn't matter if I logged in being connected to my work's network or not and when I am connected to the network I use unison to sync the local copy of my Documents folder with my remote folder.

Logging in being away from my work's network takes a little longer because of the timeouts when pam_mount is trying to mount network resources that are not available but it works great. This setup doesn't cover the shared profile requirement but I guess that with some tweaking it could be used to achieve something like that.

Hope it helps.
Best regards,
Dave.
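The offline-login case described above, as an added example that is not part of the original post: a guard that runs unison only when an SMB filesystem is really mounted on `$HOME/.Documents`, so an offline session never syncs against the empty mount-point directory. The function names, the `UNISON` override variable, the user name `dave` and the sample mount tables are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Assumed layout: pam_mount puts
# the share on ~/.Documents and the local working copy is ~/Documents.

# is_smb_mounted MOUNTPOINT [MOUNTS_FILE]
# True only if MOUNTS_FILE lists a cifs/smb3 filesystem exactly at MOUNTPOINT.
# Assumes the mount point contains no spaces (the kernel writes them as \040).
is_smb_mounted() {
    _target=$1
    _mounts=${2:-/proc/self/mounts}
    while read -r _dev _mp _type _rest; do
        if [ "$_mp" = "$_target" ]; then
            case $_type in cifs|smb3) return 0 ;; esac
        fi
    done < "$_mounts"
    return 1
}

# sync_documents MOUNTPOINT LOCAL_COPY [MOUNTS_FILE]
# Runs unison only when the share is mounted; returns 2 otherwise.
sync_documents() {
    if ! is_smb_mounted "$1" "${3:-/proc/self/mounts}"; then
        echo "skip: no SMB mount at $1" >&2
        return 2
    fi
    # UNISON is overridable so the guard can be exercised without unison.
    ${UNISON:-unison} "$2" "$1" -batch
}

# Constructed mount table: user logged in while on the office network.
sample_mounts_online() {
    cat <<'EOF'
/dev/sda2 / ext4 rw,relatime 0 0
//FILESERVER/USERS/dave /home/dave/.Documents cifs rw,nosuid,nodev,relatime 0 0
EOF
}

# Constructed mount table: offline login, pam_mount timed out.
sample_mounts_offline() {
    cat <<'EOF'
/dev/sda2 / ext4 rw,relatime 0 0
EOF
}
```

In a login script this would be called as `sync_documents "$HOME/.Documents" "$HOME/Documents"`, which reads the live `/proc/self/mounts`.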
Peter Milesson
2024-Nov-14 16:24 UTC
[Samba] Linux desktop setup with authentication against Samba AD DC
On 14.11.2024 16:51, bd730c5053df9efb wrote:

> On Thursday, November 14th, 2024 at 07:48, Peter Milesson via samba <samba at lists.samba.org> wrote:
>
>> On 13.11.2024 21:14, Peter Milesson via samba wrote:
>>
>>> Hi folks,
>>>
>>> I'm figuring to setup a few Linux desktops with LXDM as display
>>> manager, and with authentication against a Samba AD DC. After
>>> successful authentication, I want the authenticated user's profile to
>>> be downloaded, or preferably mapped, from a SMB server (Linux,
>>> Windows, NAS, ...), to the local Linux PC. I intend to use Debian
>>> Bookworm, with Archlinux as a secondary alternative (too bleeding edge
>>> for my taste, as updates not seldom break the installation).
>>>
>>> Essentially I want a similar experience as Windows with redirected
>>> folders, or roaming profiles. The intended use is a lightweight
>>> desktop for occasional users sharing PCs, where full blown Windows
>>> desktops are not economically justifiable (hardware and licensing costs).
>>>
>>> Previously (many years ago) I made a setup based on NFS, but that's a
>>> path I want to avoid, unless there is no other viable alternative.
>>> That setup was based on the display manager Slim, which I had to tweak
>>> to some extent. As Slim is ancient, and with no development for ages,
>>> it's not an option.
>>>
>>> I guess the hardest part is setting up LXDM to authenticate against
>>> the Samba AD DC. There may be other display managers, that better suit
>>> the requirements. I have got little experience with alternatives, and
>>> I'm completely open for suggestions.
>>>
>>> If somebody has got any experience with something similar, I would be
>>> grateful to get some thoughts and ideas.
>>>
>>> Best regards,
>>>
>>> Peter
>>
>> Hi folks,
>>
>> I did some authentication testing, and it seems that the display manager
>> uses pam_winbind for authentication, as does ssh. So far, so good.
>>
>> Now remains the problem of mapping a Samba share as the user's home
>> directory.
>>
>> Is there somebody having any input on this?
>>
>> Best regards,
>>
>> Peter
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba
>
> Hi!
>
> I have stopped using roaming profiles a couple of years ago but I do use a home drive share. The users of the network have a personal share in an smb share, let's call it \\FILESERVER\USERS\%USERNAME% which in Windows is mounted as the personal home drive (P:) and the documents folder redirects to that drive, this drive is also made available offline with Windows CSC.
>
> I'm using a Linux workstation for myself in a network where all the client workstations are Windows and what I have done is to use pam_mount in combination with pam_winbind and what I do is have pam_mount mount the SMB share on $HOME/.Documents (the dot is not a typo) and with unison I synchronize $HOME/.Documents and $HOME/Documents (the lack of the dot is not a typo). Unison has this folder marked as removable. This way I use my documents folder and it doesn't matter if I logged in being connected to my work's network or not and when I am connected to the network I use unison to sync the local copy of my Documents folder with my remote folder.
>
> Logging in being away from my work's network takes a little longer because of the timeouts when pam_mount is trying to mount network resources that are not available but it works great. This setup doesn't cover the shared profile requirement but I guess that with some tweaking it could be used to achieve something like that.
>
> Hope it helps.
> Best regards,
> Dave.

Hi Dave,

Thanks for your input. I will have a look at it and report back.

Best regards,

Peter