Rowland Penny
2024-Nov-29 20:40 UTC
[Samba] Linux desktop setup with authentication against Samba AD DC
On Fri, 29 Nov 2024 20:50:21 +0100
Peter Milesson <miles at atmos.eu> wrote:

> On 11/29/24 20:07, Rowland Penny via samba wrote:
> > On Fri, 29 Nov 2024 12:07:45 +0100
> > Peter Milesson via samba <samba at lists.samba.org> wrote:
> >
> >>> Hi Peter, that was actually more than what I was expecting, a very
> >>> detailed tutorial indeed.
> >>>
> >>> I wonder if the basic setup could be used with any Linux distro?
> >>> Only one way to find out, try it, so I am off to install LMDE6 in
> >>> a VM :-)
> >>>
> >>> Rowland
> >>>
> >> Hi Rowland,
> >>
> >> I have tried it in a VM also. Works without any problems. I'm going
> >> to try it in a decommissioned, 7 year old workstation with
> >> completely different hardware in a few moments.
> >>
> >> Good luck,
> >>
> >> Peter
> >>
> > OK, I have got it to work with an LMDE6 install, but not with Peter's
> > 'volume' pam_mount.conf.xml setting, I had to use:
> >
> > <volume fstype="cifs"
> >         server="cm4nas.samdom.example.com"
> >         path="users"
> >         mountpoint="/home/SAMDOM/%(USER)"
> >         options="user=%(USER),cruid=%(USER),sec=krb5"
> > />
> >
> > Rowland
> >
> Hi Rowland,
>
> As I stated in my (maybe too voluminous) description, the setup may
> not be applicable to other distributions out of the box, which I
> naturally did not expect. I have been using completely up to date
> Debian Bookworm setups, and everything I made has been reproducible
> (physical PC, VM, Windows server, Samba server).

From my understanding, LMDE6 is basically Debian 12 with the Cinnamon
desktop slapped on top of it, a bit like the Raspberry Pi OS. This is
one reason I used it.

> I got stuck with %{USER}, and then studied the Ubuntu man pages of
> libpam-mount in great detail. I sifted through lots of pages about
> pam_mount, and it seems that the options "nosuid,nodev" are more or
> less mandatory. The "mfsymlinks,nobrl,vers=3.0" also seem to be
> important. Are you using /home/SAMDOM/%D/%U as template homedir in
> your smb.conf?

I used your 'volume' setup verbatim but it didn't work for me, so I
tried one I had used previously and it worked.

This is the users directory on the 'NAS' (in reality, an rpi CM4
running bookworm) before the mount on the client:

adminuser at cm4nas:~ $ sudo ls -la /home/SAMDOM/users/rowland/
total 8
drwx------  2 rowland root 4096 Nov 29 16:33 .
drwxr-xr-x  4 root    root 4096 Nov 23 14:35 ..

and this is it again after the mount:

adminuser at cm4nas:~ $ sudo ls -la /home/SAMDOM/users/rowland/
total 284
drwx------  14 rowland root         4096 Nov 29 17:27 .
drwxr-xr-x   4 root    root         4096 Nov 23 14:35 ..
drwxrwxr-x+  7 rowland domain users 4096 Nov 29 17:27 .cache
drwxrwxr-x+ 12 rowland domain users 4096 Nov 29 17:26 .config
drwxrwxr-x+  2 rowland domain users 4096 Nov 29 17:26 Desktop
drwxrwxr-x+  2 rowland domain users 4096 Nov 29 17:26 Documents
drwxrwxr-x+  2 rowland domain users 4096 Nov 29 17:26 Downloads
drwxrwxr-x+  3 rowland domain users 4096 Nov 29 17:27 .linuxmint
drwxrwxr-x+  4 rowland domain users 4096 Nov 29 17:26 .local
drwxrwxr-x+  2 rowland domain users 4096 Nov 29 17:26 Music
drwxrwxr-x+  2 rowland domain users 4096 Nov 29 17:26 Pictures
drwxrwxr-x+  2 rowland domain users 4096 Nov 29 17:26 Public
drwxrwxr-x+  2 rowland domain users 4096 Nov 29 17:26 Templates
drwxrwxr-x+  2 rowland domain users 4096 Nov 29 17:26 Videos
-rwxrwxr-x+  1 rowland domain users   53 Nov 29 17:26 .Xauthority
-rwxrwxr-x+  1 rowland domain users 171747 Nov 29 17:27 .xsession-errors

> If there are different interpretations of the %{USER} and
> %{DOMAIN_USER} parameters between different distributions, that
> would be really bad. But it wouldn't surprise me.

I think the difference is that '%(USER)' is 'rowland' and
'%(DOMAIN_USER)' is 'SAMDOM\rowland'.

> I'm going to try it out with a PC running Archlinux. Archlinux is
> sometimes deviating in quite unexpected (and incomprehensible)
> directions, which could make it a challenge. Personally, I like
> Archlinux for mostly being at the absolute forefront of Linux
> development, but if I put on my sysadmin hat, it's a walk through a
> mine field.

I think that getting it to work on Arch will be interesting, but I am
not a fan of Arch, such a good distro, but not the easiest to install.

> Anyway, it's nice to get to know that you took interest, and that you
> confirmed the viability of the concept in a completely independent
> domain.

I tried to get something like this to work a couple of years ago and
couldn't, the directory wouldn't mount on /home, but I did come up with
a setup that mounted the directory into /srv and rsynced the two, a bit
of a kludge to be honest, you got there and pointed the way ;-)

> I wish you a nice weekend.

At my age, every weekend is a good one.

Rowland
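An added checker, not code from this thread or from pam_mount itself, that parses a constructed pam_mount.conf.xml fragment modelled on the volume element Rowland posted, expands the %(USER) and %(DOMAIN_USER) placeholders the way the thread describes them, and flags cifs volumes that lack sec=krb5, cruid, nosuid or nodev (the options the thread treats as necessary). The second volume in the sample is a constructed weaker variant for contrast, not a configuration from the thread.

```python
import xml.etree.ElementTree as ET

# Constructed pam_mount.conf.xml fragment. The first volume is the one that
# worked in the thread, plus the nosuid,nodev options Peter mentions; the
# second is a constructed weaker variant for contrast (not from the thread).
SAMPLE_CONF = """<pam_mount>
  <volume fstype="cifs" server="cm4nas.samdom.example.com" path="users"
          mountpoint="/home/SAMDOM/%(USER)"
          options="user=%(USER),cruid=%(USER),sec=krb5,nosuid,nodev" />
  <volume fstype="cifs" server="cm4nas.samdom.example.com" path="users"
          mountpoint="/home/SAMDOM/%(USER)"
          options="user=%(USER),sec=ntlmssp" />
</pam_mount>
"""

# Options a Kerberos-backed CIFS home mount should carry: sec=krb5 so the
# login ticket authenticates the mount and no password sits on the mount
# line, cruid= so the kernel uses the logging-in user's credential cache,
# and nosuid,nodev so a user-writable share cannot supply setuid binaries
# or device nodes. mfsymlinks/nobrl/vers are functional and not checked.
REQUIRED = ("sec=krb5", "cruid=%(USER)", "nosuid", "nodev")


def expand(template, user, domain):
    """Expand pam_mount's %(USER) and %(DOMAIN_USER) placeholders.

    As the thread notes, %(USER) is the bare name ("rowland") while
    %(DOMAIN_USER) is the DOMAIN\\user form ("SAMDOM\\rowland").
    """
    return (template.replace("%(DOMAIN_USER)", f"{domain}\\{user}")
                    .replace("%(USER)", user))


def audit_volumes(xml_text, user, domain):
    """One dict per cifs volume: expanded mountpoint/options, missing options."""
    results = []
    for vol in ET.fromstring(xml_text).iter("volume"):
        if vol.get("fstype") != "cifs":
            continue
        present = set(vol.get("options", "").split(","))
        results.append({
            "mountpoint": expand(vol.get("mountpoint", ""), user, domain),
            "options": expand(vol.get("options", ""), user, domain),
            "missing": [o for o in REQUIRED if o not in present],
        })
    return results


if __name__ == "__main__":
    for r in audit_volumes(SAMPLE_CONF, "rowland", "SAMDOM"):
        status = "ok" if not r["missing"] else "missing " + ",".join(r["missing"])
        print(f'{r["mountpoint"]}: {status}')
```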
Peter Milesson
2024-Nov-30 16:14 UTC
[Samba] Linux desktop setup with authentication against Samba AD DC
On 29.11.2024 21:40, Rowland Penny via samba wrote:
> On Fri, 29 Nov 2024 20:50:21 +0100
> Peter Milesson <miles at atmos.eu> wrote:
>
>> On 11/29/24 20:07, Rowland Penny via samba wrote:
>>> On Fri, 29 Nov 2024 12:07:45 +0100
>>> Peter Milesson via samba <samba at lists.samba.org> wrote:
>>>
>>>>> Hi Peter, that was actually more than what I was expecting, a very
>>>>> detailed tutorial indeed.
>>>>>
>>>>> I wonder if the basic setup could be used with any Linux distro?
>>>>> Only one way to find out, try it, so I am off to install LMDE6 in
>>>>> a VM :-)
>>>>>
>>>>> Rowland
>>>>>
>>>> Hi Rowland,
>>>>
>>>> I have tried it in a VM also. Works without any problems. I'm going
>>>> to try it in a decommissioned, 7 year old workstation with
>>>> completely different hardware in a few moments.
>>>>
>>>> Good luck,
>>>>
>>>> Peter
>>>>
>>> OK, I have got it to work with an LMDE6 install, but not with Peter's
>>> 'volume' pam_mount.conf.xml setting, I had to use:
>>>
>>> <volume fstype="cifs"
>>>         server="cm4nas.samdom.example.com"
>>>         path="users"
>>>         mountpoint="/home/SAMDOM/%(USER)"
>>>         options="user=%(USER),cruid=%(USER),sec=krb5"
>>> />
>>>
>>> Rowland
>>>
>> Hi Rowland,
>>
>> As I stated in my (maybe too voluminous) description, the setup may
>> not be applicable to other distributions out of the box, which I
>> naturally did not expect. I have been using completely up to date
>> Debian Bookworm setups, and everything I made has been reproducible
>> (physical PC, VM, Windows server, Samba server).
>
> From my understanding, LMDE6 is basically Debian 12 with the Cinnamon
> desktop slapped on top of it, a bit like the Raspberry Pi OS. This is
> one reason I used it.
>
>> I got stuck with %{USER}, and then studied the Ubuntu man pages of
>> libpam-mount in great detail. I sifted through lots of pages about
>> pam_mount, and it seems that the options "nosuid,nodev" are more or
>> less mandatory. The "mfsymlinks,nobrl,vers=3.0" also seem to be
>> important. Are you using /home/SAMDOM/%D/%U as template homedir in
>> your smb.conf?
>
> I used your 'volume' setup verbatim but it didn't work for me, so I
> tried one I had used previously and it worked.
>
> This is the users directory on the 'NAS' (in reality, an rpi CM4
> running bookworm) before the mount on the client:
>
> adminuser at cm4nas:~ $ sudo ls -la /home/SAMDOM/users/rowland/
> total 8
> drwx------  2 rowland root 4096 Nov 29 16:33 .
> drwxr-xr-x  4 root    root 4096 Nov 23 14:35 ..
>
> and this is it again after the mount:
>
> adminuser at cm4nas:~ $ sudo ls -la /home/SAMDOM/users/rowland/
> total 284
> drwx------  14 rowland root         4096 Nov 29 17:27 .
> drwxr-xr-x   4 root    root         4096 Nov 23 14:35 ..
> drwxrwxr-x+  7 rowland domain users 4096 Nov 29 17:27 .cache
> drwxrwxr-x+ 12 rowland domain users 4096 Nov 29 17:26 .config
> drwxrwxr-x+  2 rowland domain users 4096 Nov 29 17:26 Desktop
> drwxrwxr-x+  2 rowland domain users 4096 Nov 29 17:26 Documents
> drwxrwxr-x+  2 rowland domain users 4096 Nov 29 17:26 Downloads
> drwxrwxr-x+  3 rowland domain users 4096 Nov 29 17:27 .linuxmint
> drwxrwxr-x+  4 rowland domain users 4096 Nov 29 17:26 .local
> drwxrwxr-x+  2 rowland domain users 4096 Nov 29 17:26 Music
> drwxrwxr-x+  2 rowland domain users 4096 Nov 29 17:26 Pictures
> drwxrwxr-x+  2 rowland domain users 4096 Nov 29 17:26 Public
> drwxrwxr-x+  2 rowland domain users 4096 Nov 29 17:26 Templates
> drwxrwxr-x+  2 rowland domain users 4096 Nov 29 17:26 Videos
> -rwxrwxr-x+  1 rowland domain users   53 Nov 29 17:26 .Xauthority
> -rwxrwxr-x+  1 rowland domain users 171747 Nov 29 17:27 .xsession-errors
>
>> If there are different interpretations of the %{USER} and
>> %{DOMAIN_USER} parameters between different distributions, that
>> would be really bad. But it wouldn't surprise me.
>
> I think the difference is that '%(USER)' is 'rowland' and
> '%(DOMAIN_USER)' is 'SAMDOM\rowland'.
>
>> I'm going to try it out with a PC running Archlinux. Archlinux is
>> sometimes deviating in quite unexpected (and incomprehensible)
>> directions, which could make it a challenge. Personally, I like
>> Archlinux for mostly being at the absolute forefront of Linux
>> development, but if I put on my sysadmin hat, it's a walk through a
>> mine field.
>
> I think that getting it to work on Arch will be interesting, but I am
> not a fan of Arch, such a good distro, but not the easiest to install.
>
>> Anyway, it's nice to get to know that you took interest, and that you
>> confirmed the viability of the concept in a completely independent
>> domain.
>
> I tried to get something like this to work a couple of years ago and
> couldn't, the directory wouldn't mount on /home, but I did come up with
> a setup that mounted the directory into /srv and rsynced the two, a bit
> of a kludge to be honest, you got there and pointed the way ;-)
>
>> I wish you a nice weekend.
>
> At my age, every weekend is a good one.
>
> Rowland

Hi Rowland,

I got it working under Archlinux also. Most of the work was looking up
how to configure PAM with the pam_winbind and pam_krb5 modules. Not very
well documented. There is a Wiki page about setting up AD integration,
but it would imply moving the Kerberos cache file, which would break
everything dependent on Kerberos tickets.

Best regards,

Peter