Giovanni Caini
2019-Feb-06 18:02 UTC
[Samba] Mount AD home directory and login on Ubuntu Workstations
Hi,

In a school environment, I have a server (NEWTON) that acts as AD DC (domain DIDATTICA) and another one (EULER) that acts as File Server (Domain Member of DIDATTICA). Both of them have Ubuntu Server 16.04.5 LTS and Samba 4.9.1. (At the bottom I attached their smb.conf).

The users are divided in groups: students, teachers, admin. Each user has a "home directory" where he can save his files. Teachers must be able to access students' directories, Admins must be able to access teachers' and students' directories.

I have created a share (on EULER) for every group and I have set Windows ACLs to give the right access, as in the wiki (in each share there are all the personal folders of the users of that group). In ADUC I have set Home Folder: connect to H: and the path (e.g. \\euler\studenti\john.smith).

On Windows workstations, everything works fine. Users log in and find their personal folder on H:.

On Ubuntu Desktop 18.04 workstation (member domains), how can I set up automatic mount of those folders (with an eventually desktop shortcut)? How can I set up gnome login using domain credentials, without save changes to home folder on logout (like ghost user)?
Thanks,
Giovanni

###################### NEWTON smb.conf #######################
########################## AD DC #############################
[global]
        dns forwarder = 10.54.0.254
        netbios name = NEWTON
        realm = DIDATTICA.FERMI
        server role = active directory domain controller
        workgroup = DIDATTICA
        idmap_ldb:use rfc2307 = yes
        ldap server require strong auth = No

[netlogon]
        path = /usr/local/samba/var/locks/sysvol/didattica.fermi/scripts
        read only = No

[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No
###############################################################

######################## EULER smb.conf ########################
########################## File Server ###########################
[global]
        workgroup = DIDATTICA
        realm = DIDATTICA.FERMI
        netbios name = euler
        security = ADS
        log file = /var/log/samba/%m.log
        log level = 1
        idmap config * : backend = tdb
        idmap config * : range = 3000-7999
        idmap config DIDATTICA : unix_nss_info = yes
        idmap config DIDATTICA : unix_primary_group = yes
        idmap config DIDATTICA : backend = ad
        idmap config DIDATTICA : range = 20000-100000
        idmap config DIDATTICA : schema_mode = rfc2307
        username map = /usr/local/samba/etc/user.map
        template homedir = /home/%D/%U
        template shell = /bin/bash
        vfs objects = acl_xattr
        map acl inherit = Yes
        store dos attributes = Yes

[Studenti]
        path = /srv/samba/studenti/
        read only = no

[Docenti]
        path = /srv/samba/docenti/
        read only = no

[Classi]
        path = /srv/samba/classi/
        read only = no

[Varie]
        path = /srv/samba/varie/
        read only = no

[Admins]
        path = /srv/samba/admins/
        read only = no
###############################################################
Marco Gaiarin
2019-Feb-07 10:05 UTC
[Samba] Mount AD home directory and login on Ubuntu Workstations
Hi! Giovanni Caini via samba
  On that day, it was said...

[Giovanni, if you like there is also the 'samba-it' list...]

> On Ubuntu Desktop 18.04 workstation (member domains), how can I set up
> automatic mount of those folders (with an eventually desktop shortcut)?
> How can I set up gnome login using domain credentials

Basically:

a) use winbind as an NSS provider; typically you have to set up a basic smb.conf as a member server, join the domain and stop. You don't need 'samba', e.g.:
	apt-get install winbind libnss-winbind libpam-winbind
 suffices.

b) you can use winbind as PAM provider (typically, in debian/ubuntu you get it configured automagically with a).

c) you can configure kerberos as PAM provider; typically this involves:
	apt-get install libpam-krb5 krb5-config
 and reply with the correct kerberos domain to the answer.

d) you can use 'pam_mount' to mount homes (and other shares) with CIFS:
	apt-get install libpam-mount cifs-utils
 you have to configure '/etc/security/pam_mount.conf.xml'.

>, without save changes to home folder on logout (like ghost user)?

This involves, I think, something like 'pam_mkhomedir' and a bit of scripting.

-- 
dott. Marco Gaiarin                                  GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
  Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

		Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
      http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
	(cf 00307430132, category ONLUS or RICERCA SANITARIA)
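
An added example, not part of either message above: a sketch of the '/etc/security/pam_mount.conf.xml' from step d) for the per-group shares on EULER, mounting with the user's Kerberos ticket so that no password is stored on or passed around the workstation. Assumptions: the AD groups resolve on the workstation as "students", "teachers" and "admin" (the thread only names them informally), each user is in exactly one of them, login names carry no domain prefix, the mount point ~/H is an arbitrary choice, and the PAM stack obtains a ticket at login (with pam_winbind: krb5_auth = yes and krb5_ccache_type = FILE in /etc/security/pam_winbind.conf).

```xml
<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
<pam_mount>
  <debug enable="0" />

  <!--
    One volume per group share. Attributes used:
      sgrp    - mount only if the user is a member of this group
                (group names are assumed, see the lead-in)
      uid     - mount only for UIDs in the DIDATTICA idmap range from
                EULER's smb.conf, so local accounts never trigger a mount
      options - sec=krb5 + cruid: authenticate with the logging-in user's
                ticket cache instead of a password;
                nosuid,nodev: never honour setuid bits or device nodes
                that appear on the share
  -->
  <volume fstype="cifs" server="euler"
          path="studenti/%(USER)" mountpoint="~/H"
          sgrp="students" uid="20000-100000"
          options="sec=krb5,cruid=%(USERUID),nosuid,nodev" />

  <volume fstype="cifs" server="euler"
          path="docenti/%(USER)" mountpoint="~/H"
          sgrp="teachers" uid="20000-100000"
          options="sec=krb5,cruid=%(USERUID),nosuid,nodev" />

  <volume fstype="cifs" server="euler"
          path="admins/%(USER)" mountpoint="~/H"
          sgrp="admin" uid="20000-100000"
          options="sec=krb5,cruid=%(USERUID),nosuid,nodev" />

  <!-- Create ~/H at login and remove the empty directory again at logout -->
  <mkmountpoint enable="1" remove="true" />
</pam_mount>
```

What teachers and admins can reach inside the students' folders is still decided by the Windows ACLs on EULER; the sgrp filter only selects which share lands on ~/H.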