Peter Milesson
2024-Dec-02 09:29 UTC
[Samba] Linux desktop setup with authentication against Samba AD DC
On 12/2/24 10:07, Rowland Penny via samba wrote:
> On Sun, 1 Dec 2024 15:30:46 +0100
> Peter Milesson via samba <samba at lists.samba.org> wrote:
>
>> On 01.12.2024 15:14, Rowland Penny via samba wrote:
>>> On Sat, 30 Nov 2024 19:23:26 +0000
>>> Rowland Penny via samba <samba at lists.samba.org> wrote:
>>>
>>>> On Sat, 30 Nov 2024 19:03:04 +0100
>>>> Peter Milesson via samba <samba at lists.samba.org> wrote:
>>>>
>>>>> Hi Rowland,
>>>>>
>>>>> I haven't a deep knowledge of what packages are sufficient, and
>>>>> which ones are superfluous. I will test the setup without
>>>>> libpam-krb5.
>>>>>
>>>>> About the wiki page, it's Archlinux' AD integration page on
>>>>> https://wiki.archlinux.org/title/Active_Directory_integration. I
>>>>> really didn't follow it, and used what I set up on Debian instead.
>>>>> The Archlinux pam_winbind.conf example will probably break most
>>>>> kerberized applications, as the place of the Kerberos ticket cache
>>>>> is non standard. It would be necessary to configure all
>>>>> applications using cached Kerberos tickets in that case. Even
>>>>> Archlinux puts the Kerberos ticket cache in /tmp default.
>>>>> Defaults are there for some reason...
>>>> Based on what I have been using on Debian for quite some time, I
>>>> cannot recommend following the Arch Linux wiki page, there are just
>>>> too many apparent problems.
>>>>
>>>> I was going to attempt to use Rocky Linux 9 as client, but
>>>> pam_mount appears to be only available from EPEL and I cannot
>>>> easily find hxtools. It appears that redhat is moving away from
>>>> the desktop and concentrating on servers.
>>>>
>>>> Rowland
>>>>
>>> Well, the next test was a failure, not in the mount, but in
>>> usability. Attempting to mount the users desktop on a Debian 12
>>> Unix domain member with the MATE DE worked up to a point. It mounts
>>> the directory, but mate-panel keeps segfaulting, the two panels
>>> keep disappearing and reappearing, and trying to click on anything
>>> on the panels (when they are visible) is futile.
>>>
>>> Let's try the gnome desktop.
>>>
>>> Rowland
>>>
>> Hi Rowland,
>>
>> The LXDE desktop works 100%. I haven't used the Mate desktop for many
>> years, compiled it for Slackware 14.2 the last time, and what I
>> remember, it was not straight sailing, but worked in the end. I'm not
>> a great friend of Gnome, so I let be. Maybe I will try KDE, but
>> that's not a priority. I will however, try LXQt. I use Qt Creator for
>> programming, so most of the Qt base packages should already be there.
>>
>> Good luck with Gnome!
>>
>> Peter
> So, it works with Gnome.
> It appears that, provided all the required packages can be installed,
> it will probably work on any distro, I cannot test them all ;-)
>
> Rowland

Oh, c'mon Rowland (^_^)

I'm going to start duplicating from a master image. Let's see what surprises I get from UEFI...

Peter
Kris Lou
2024-Dec-02 17:18 UTC
[Samba] Linux desktop setup with authentication against Samba AD DC
Late to the party (Holiday weekend stateside), but been following.

Thanks for doing this -- I did something similar a long time ago with some rpi4's, using a mix of Openbox, Fluxbox, and SSSD (auth only, local profiles only). But it was somewhat fragile.

It's been on my todo for quite a while to convert a number of clients to a more out-of-box Debian, so it's good to see an implementation with more modern tooling.

Kris Lou
klou at themusiclink.net
Rowland Penny
2024-Dec-03 16:22 UTC
[Samba] Linux desktop setup with authentication against Samba AD DC
On Mon, 2 Dec 2024 10:29:22 +0100
Peter Milesson via samba <samba at lists.samba.org> wrote:

> >> Peter
> > So, it works with Gnome.
> > It appears that, provided all the required packages can be
> > installed, it will probably work on any distro, I cannot test them
> > all ;-)
> >
> > Rowland
>
> Oh, c'mon Rowland (^_^)
>
> I'm going to start duplicating from a master image. Let's see what
> surprises I get from UEFI...
>
> Peter

I looked into Rocky Linux a bit further and found a repo for hxtools and set pam_mount up on Rocky and it works, just like on Debian.

To date, I have working examples on Debian Gnome, XFCE and MATE. However, the MATE version has problems with the panels, they keep segfaulting but the user gets logged in and the home directory share is mounted, so it looks like pam-mount is working.

I also have working examples on LMDE6 with the Cinnamon desktop and on Rocky Linux 9 with the Gnome desktop.

It appears that you just need 3 things:

A Samba AD DC to create users on.
A Samba Unix domain member to share the users home directory from.
A Samba Unix domain member to act as the client, with pam_mount, hxtools and cifs-utils installed and configured correctly.

The only real downside I can see is, because of the various different configuration files that the different desktops use, it is very probably limited to one desktop per domain.

Rowland
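
An added illustration of the client-side piece in the list above (not configuration posted by anyone in this thread): a minimal /etc/security/pam_mount.conf.xml that mounts the home share over CIFS with the Kerberos ticket obtained at login, so no password is stored or passed to the mount. The server name fileserver.example.com, the share name users and the group "domain users" are placeholders, and the entry assumes the login PAM stack has already acquired a ticket in the default cache location discussed earlier in the thread.

```xml
<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
<!-- Added example. Server, share and group names are placeholders. -->
<pam_mount>

  <debug enable="0" />

  <!-- Ignore any per-user pam_mount configuration: only the mounts
       defined in this root-owned file are attempted. -->
  <!-- (No <luserconf> element is present, which disables it.) -->

  <!-- Mount //fileserver.example.com/users/<user> on the user's home.
       sgrp limits the mount to members of the named group, so local
       accounts such as root are not affected.
       sec=krb5      authenticate with the user's Kerberos ticket
       cruid=<uid>   tell cifs.upcall whose ticket cache to use
       nosuid,nodev  do not honour setuid bits or device nodes that
                     appear on the share -->
  <volume fstype="cifs"
          server="fileserver.example.com"
          path="users/%(USER)"
          mountpoint="~"
          sgrp="domain users"
          options="sec=krb5,cruid=%(USERUID),nosuid,nodev" />

  <!-- Create the mount point at login if it does not exist yet and
       remove it again after unmounting. -->
  <mkmountpoint enable="1" remove="true" />

  <!-- Unmount at logout without signalling leftover processes. -->
  <logout wait="0" hup="no" term="no" kill="no" />

</pam_mount>
```

Because cifs.upcall looks up the ticket cache for the uid given in cruid, moving the cache to a non-standard location is one of the settings that can stop a mount like this from authenticating.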