Peter Milesson
2024-Nov-14 10:48 UTC
[Samba] Linux desktop setup with authentication against Samba AD DC
On 13.11.2024 21:14, Peter Milesson via samba wrote:
> Hi folks,
>
> I'm figuring to setup a few Linux desktops with LXDM as display
> manager, and with authentication against a Samba AD DC. After
> successful authentication, I want the authenticated user's profile to
> be downloaded, or preferably mapped, from a SMB server (Linux,
> Windows, NAS, ...), to the local Linux PC. I intend to use Debian
> Bookworm, with Archlinux as a secondary alternative (too bleeding edge
> for my taste, as updates not seldom break the installation).
>
> Essentially I want a similar experience as Windows with redirected
> folders, or roaming profiles. The intended use is a lightweight
> desktop for occasional users sharing PCs, where full blown Windows
> desktops are not economically justifiable (hardware and licensing costs).
>
> Previously (many years ago) I made a setup based on NFS, but that's a
> path I want to avoid, unless there is no other viable alternative.
> That setup was based on the display manager Slim, which I had to tweak
> to some extent. As Slim is ancient, and with no development for ages,
> it's not an option.
>
> I guess the hardest part is setting up LXDM to authenticate against
> the Samba AD DC. There may be other display managers, that better suit
> the requirements. I have got little experience with alternatives, and
> I'm completely open for suggestions.
>
> If somebody have got any experience with something similar, I would be
> grateful to get some thoughts and ideas.
>
> Best regards,
>
> Peter

Hi folks,

I did some authentication testing, and it seems that the display manager uses pam_winbind for authentication, as does ssh. So far, so good.

Now remains the problem of mapping a Samba share as the user's home directory.

Is there somebody having any input on this?

Best regards,

Peter
bd730c5053df9efb
2024-Nov-14 15:51 UTC
[Samba] Linux desktop setup with authentication against Samba AD DC
On Thursday, November 14th, 2024 at 07:48, Peter Milesson via samba <samba at lists.samba.org> wrote:

> On 13.11.2024 21:14, Peter Milesson via samba wrote:
>
> > Hi folks,
> >
> > I'm figuring to setup a few Linux desktops with LXDM as display
> > manager, and with authentication against a Samba AD DC. After
> > successful authentication, I want the authenticated user's profile to
> > be downloaded, or preferably mapped, from a SMB server (Linux,
> > Windows, NAS, ...), to the local Linux PC. I intend to use Debian
> > Bookworm, with Archlinux as a secondary alternative (too bleeding edge
> > for my taste, as updates not seldom break the installation).
> >
> > Essentially I want a similar experience as Windows with redirected
> > folders, or roaming profiles. The intended use is a lightweight
> > desktop for occasional users sharing PCs, where full blown Windows
> > desktops are not economically justifiable (hardware and licensing costs).
> >
> > Previously (many years ago) I made a setup based on NFS, but that's a
> > path I want to avoid, unless there is no other viable alternative.
> > That setup was based on the display manager Slim, which I had to tweak
> > to some extent. As Slim is ancient, and with no development for ages,
> > it's not an option.
> >
> > I guess the hardest part is setting up LXDM to authenticate against
> > the Samba AD DC. There may be other display managers, that better suit
> > the requirements. I have got little experience with alternatives, and
> > I'm completely open for suggestions.
> >
> > If somebody have got any experience with something similar, I would be
> > grateful to get some thoughts and ideas.
> >
> > Best regards,
> >
> > Peter
>
> Hi folks,
>
> I did some authentication testing, and it seems that the display manager
> uses pam_winbind for authentication, as does ssh. So far, so good.
>
> Now remains the problem of mapping a Samba share as the user's home
> directory.
>
> Is there somebody having any input on this?
>
> Best regards,
>
> Peter

Hi!

I have stopped using roaming profiles a couple of years ago but I do use a home drive share. The users of the network have a personal share in an SMB share, let's call it \\FILESERVER\USERS\%USERNAME%, which in Windows is mounted as the personal home drive (P:) and the documents folder redirects to that drive. This drive is also made available offline with Windows CSC.

I'm using a Linux workstation for myself in a network where all the client workstations are Windows, and what I have done is to use pam_mount in combination with pam_winbind. What I do is have pam_mount mount the SMB share on $HOME/.Documents (the dot is not a typo), and with unison I synchronize $HOME/.Documents and $HOME/Documents (the lack of the dot is not a typo). Unison has this folder marked as removable.

This way I use my documents folder and it doesn't matter if I logged in being connected to my work's network or not, and when I am connected to the network I use unison to sync the local copy of my Documents folder with my remote folder.

Logging in being away from my work's network takes a little longer because of the timeouts when pam_mount is trying to mount network resources that are not available, but it works great.

This setup doesn't cover the shared profile requirement but I guess that with some tweaking it could be used to achieve something like that.

Hope it helps.

Best regards,

Dave.
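
A sketch of the pam_mount side of the setup described in the reply above, added here as an example; it is not the poster's own configuration. The server and share names come from the post; the UID range, the mount options and the assumption that winbind hands PAM bare user names (`winbind use default domain = yes`) are illustrative and need adapting to the site.

```xml
<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
<!-- /etc/security/pam_mount.conf.xml (example, values are assumptions) -->
<pam_mount>
  <debug enable="0" />

  <!-- Every volume must be mounted nosuid,nodev so that files on the
       share cannot be used as setuid binaries or device nodes. -->
  <mntoptions require="nosuid,nodev" />

  <!-- Create ~/.Documents at login if it is missing, remove it at logout. -->
  <mkmountpoint enable="1" remove="true" />

  <!-- \\FILESERVER\USERS\%USERNAME% mounted on $HOME/.Documents.
       uid="10000-999999" is an assumed idmap range: it restricts the
       volume to domain accounts so root and local users are skipped.
       vers=3.1.1 with seal requests SMB3 encryption on the wire;
       file_mode/dir_mode keep the mounted tree private to its owner. -->
  <volume uid="10000-999999"
          fstype="cifs"
          server="FILESERVER"
          path="USERS/%(USER)"
          mountpoint="~/.Documents"
          options="vers=3.1.1,seal,nosuid,nodev,uid=%(USERUID),gid=%(USERGID),file_mode=0600,dir_mode=0700" />
</pam_mount>
```

pam_mount reuses the password typed at login, so `pam_mount.so` has to be in the `auth` and `session` stacks of the display manager's PAM service alongside pam_winbind.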