Rowland Penny
2024-Nov-25 09:29 UTC
[Samba] Linux desktop setup with authentication against Samba AD DC
On Sun, 24 Nov 2024 20:35:17 +0100 Peter Milesson via samba <samba at lists.samba.org> wrote:
> Hi folks,
>
> FYI, I've succeeded setting up something that seems workable.
>
> When domain users log in on their Linux PCs, they get their /home/<user> folders mapped over CIFS from a Samba or Windows server. When they log out, the /home/<user> folder is unmounted and deleted, and their profile data remains on the server. The whole setup works similarly to redirected folders in a Windows server environment. The setup is intended for casual users that don't need a full blown Windows desktop with M$ 365 and everything else that follows. There are lots of capable desktop applications under Linux that can replace their Windows counterparts, giving the users a nice full value experience. For companies using mainly web based applications, it's a dirt cheap solution. The hardware is really cheap, and it's a snap to roll out new PCs with all basic settings. Using Samba Linux GPOs, it should be about the same administrative work for the administrator as with Windows desktop PCs.
>
> The setup is based on Debian Bookworm, the display manager is LightDM, and the desktop manager LXDE. Authentication is made with Kerberos to a Samba or Windows AD DC through PAM. PAM-mount is taking care of mapping the user folders from a share with Linux user profiles. The hardest bit was making PAM-mount unmount and delete the user folders on the Linux PC during the logout process. It needed some tweaking.
>
> Best regards,
>
> Peter

Care to tell us how you set this up ?
Also why LXDE ? Isn't it the DE that sort of refuses to die ?
From my understanding LXDE was replaced by LXQt, but, as is possible, LXDE was forked and now gets intermittent updates.

Rowland
Peter Milesson
2024-Nov-27 10:14 UTC
[Samba] Linux desktop setup with authentication against Samba AD DC
On 11/25/24 10:29, Rowland Penny via samba wrote:
> On Sun, 24 Nov 2024 20:35:17 +0100
> Peter Milesson via samba <samba at lists.samba.org> wrote:
>
>> Hi folks,
>>
>> FYI, I've succeeded setting up something that seems workable.
>>
>> When domain users log in on their Linux PCs, they get their /home/<user> folders mapped over CIFS from a Samba or Windows server. When they log out, the /home/<user> folder is unmounted and deleted, and their profile data remains on the server. The whole setup works similarly to redirected folders in a Windows server environment. The setup is intended for casual users that don't need a full blown Windows desktop with M$ 365 and everything else that follows. There are lots of capable desktop applications under Linux that can replace their Windows counterparts, giving the users a nice full value experience. For companies using mainly web based applications, it's a dirt cheap solution. The hardware is really cheap, and it's a snap to roll out new PCs with all basic settings. Using Samba Linux GPOs, it should be about the same administrative work for the administrator as with Windows desktop PCs.
>>
>> The setup is based on Debian Bookworm, the display manager is LightDM, and the desktop manager LXDE. Authentication is made with Kerberos to a Samba or Windows AD DC through PAM. PAM-mount is taking care of mapping the user folders from a share with Linux user profiles. The hardest bit was making PAM-mount unmount and delete the user folders on the Linux PC during the logout process. It needed some tweaking.
>>
>> Best regards,
>>
>> Peter
>>
>>
> Care to tell us how you set this up ?
> Also why LXDE ? Isn't it the DE that sort of refuses to die ?
> From my understanding LXDE was replaced by LXQt, but, as is possible,
> LXDE was forked and now gets intermittent updates.
>
> Rowland
>

Hi Rowland,

Of course I will share my experiences with the community. I will put it in a separate post (or posts), as it may be fairly extensive.

Best regards,

Peter
Peter Milesson
2024-Nov-28 16:41 UTC
[Samba] Linux desktop setup with authentication against Samba AD DC
Hi folks,

On request, I will share my experiences of setting up a bunch of simple, cheap, Linux PCs with Kerberos authentication against a Samba/Windows AD DC, with centrally stored home folders, and central device management. This post is part 1 of 2, and describes the setup in verbal terms (for those who are bureaucratically minded). The 2nd post will describe the setup in technical detail, with comments about different caveats. Hopefully the information will get some ideas spinning, and that it is useful for somebody.

*Background*

I need to replace about 15 old (stupid) terminals and give occasional access to a group of users that previously had no access to any IT resources in the company. Due to changing workplace requirements, new systems and processes, the new user group will need occasional access to internet and intranet resources that do not require advanced applications. A web browser, e-mail client, and possibly elementary access to a word processor fulfills the requirements.

Present users have access to company resources over remote desktop to Windows servers. For part of them, a complete Windows server desktop with all bells and whistles is total overkill. A part of the terminals are shared between users, while others are more or less used by a single user.

From a sysadmin point of view, the current terminals allow no administration whatsoever. As a result, it is not possible to keep the hardware and OS up to date centrally. Users also frequently leave the terminals powered on when leaving work, even through lengthy vacations. Though the power consumption is a small extra cost, it is a completely avoidable cost. Furthermore, classic terminals do not offer any future proofing when it comes to new features and functionality, with hardening security more and more important. Also, the manufacturer gives access to firmware and OS updates during a limited time frame.
*Objective*

Efficient administration of simple PCs/terminals and users who require occasional access to internet and intranet services. The services should be limited in scope, and consist mainly of web browsing, e-mail communication, rudimentary document access, and possible access to Windows remote desktop through an RDP client.

* User and device administration MUST be through Samba/Windows AD, with optional Linux GPOs
* User authentication SHOULD use Kerberos (or future modern protocols)
* The user home directories MUST be centrally stored on a server share for efficient backup
* Profiles SHOULD not be left on the device after logout (security, integrity)
* The solution MUST be possible to run on hardware with limited performance (old PCs, new mini-PCs)
* The solution MUST be future proof when it comes to updates, security and new features and requirements (authentication, security hardware, peripherals, etc.)
* The solution MUST allow for rapid deployment of new devices from a master disk image

*Solution*

The solution consists of the following parts:

* Client PC with sufficient capabilities
* Existing AD DC (Samba or Windows) for authentication (Kerberos) and user and device management
* Existing domain joined file storage (Samba or Windows) with a share where the user home directories are stored
* Current Linux distribution, with systemd and PAM
* PAM modules for winbind, Kerberos and mount are mandatory
* cifs-utils is mandatory, as mount.cifs is used to mount the user share from pam_mount
* Reliable time synchronization (needed by Kerberos)
* Samba on the client PC joined as member server to the domain
* Display manager that stores the Kerberos tickets after successful login (for example LightDM)
* Linux desktop according to personal preferences
* Additional applications like web browsers, e-mail clients, word processors, PDF-viewers, etc.
/Comment/
winbind is used in the setup, forget about sss and FreeIPA

*Testing*

Two different PCs according to the specifications have been tested in 2 different domains.

Domain 1: Samba AD domain (Debian Bookworm, Samba 4.21.1) with forest and domain levels 2016, user folders on an SMB share on a member server (Debian Bookworm, Samba 4.21.1)

Domain 2: Windows server AD (Windows 2022) with forest and domain levels 2016, user folders on an SMB share on a Dell PowerStore (OS ver. 3.6.x.x)

In both cases the behavior was as expected after initial parameter tweaking (most notably pam_mount).

In post no. 2 the setup is described in technical detail.

Best regards,

Peter
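As an added illustration of the component list in Peter's post (this is not his configuration, which he says will follow in part 2), here is a pam_mount volume definition of the kind that setup implies: the home directory is mounted over CIFS with the Kerberos ticket obtained at login, the mountpoint is created at login and removed at logout, and the mount is restricted to hardened options. The file server name, share path and group name are assumptions; the element and attribute names follow pam_mount's documented pam_mount.conf.xml format.

```xml
<?xml version="1.0" encoding="utf-8" ?>
<!-- /etc/security/pam_mount.conf.xml, added example.
     fileserver.example.com, the "profiles" share and the group name are assumptions. -->
<pam_mount>
  <debug enable="0" />

  <!-- Mount each domain user's profile folder from the central share as their home.
       sec=krb5 reuses the ticket obtained at PAM login, so no password is stored
       or passed to mount.cifs; cruid tells cifs.upcall whose credential cache to use.
       %(DOMAIN_USER) strips any DOMAIN\ prefix winbind may put on the user name. -->
  <volume sgrp="domain users" fstype="cifs"
          server="fileserver.example.com"
          path="profiles/%(DOMAIN_USER)"
          mountpoint="/home/%(DOMAIN_USER)"
          options="sec=krb5,cruid=%(USERUID),uid=%(USERUID),gid=%(USERGID),vers=3.1.1,nosuid,nodev" />

  <!-- Only listed options may be used, and a mount without nosuid/nodev is refused,
       so a setuid binary or device node on the share cannot act on the client. -->
  <mntoptions allow="nosuid,nodev,sec,cruid,uid,gid,vers,file_mode,dir_mode" />
  <mntoptions require="nosuid,nodev" />

  <!-- Create /home/<user> at login and remove it after the unmount at logout,
       so nothing of the profile remains on the local disk. -->
  <mkmountpoint enable="1" remove="true" />

  <!-- Give lingering session processes a moment, then terminate them; an open
       file under the mountpoint would otherwise block the unmount and the cleanup. -->
  <logout wait="3000" hup="no" term="yes" kill="yes" />
</pam_mount>
```

For this to work, pam_mount.so has to sit in the PAM session stack after the Kerberos/winbind modules (so the ticket cache exists when the mount runs), and the display manager must export the same credential cache into the user's session; the `logout` block is the part that addresses the unmount-and-delete problem Peter mentions, and the values need tuning to the desktop in use.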