Peter Milesson
2024-Nov-14 16:24 UTC
[Samba] Linux desktop setup with authentication against Samba AD DC
On 14.11.2024 16:51, bd730c5053df9efb wrote:
> On Thursday, November 14th, 2024 at 07:48, Peter Milesson via samba <samba at lists.samba.org> wrote:
>
>> On 13.11.2024 21:14, Peter Milesson via samba wrote:
>>
>>> Hi folks,
>>>
>>> I'm figuring to set up a few Linux desktops with LXDM as display manager, and with authentication against a Samba AD DC. After successful authentication, I want the authenticated user's profile to be downloaded, or preferably mapped, from an SMB server (Linux, Windows, NAS, ...), to the local Linux PC. I intend to use Debian Bookworm, with Archlinux as a secondary alternative (too bleeding edge for my taste, as updates not seldom break the installation).
>>>
>>> Essentially I want a similar experience as Windows with redirected folders, or roaming profiles. The intended use is a lightweight desktop for occasional users sharing PCs, where full blown Windows desktops are not economically justifiable (hardware and licensing costs).
>>>
>>> Previously (many years ago) I made a setup based on NFS, but that's a path I want to avoid, unless there is no other viable alternative. That setup was based on the display manager Slim, which I had to tweak to some extent. As Slim is ancient, and with no development for ages, it's not an option.
>>>
>>> I guess the hardest part is setting up LXDM to authenticate against the Samba AD DC. There may be other display managers that better suit the requirements. I have got little experience with alternatives, and I'm completely open for suggestions.
>>>
>>> If somebody has got any experience with something similar, I would be grateful to get some thoughts and ideas.
>>>
>>> Best regards,
>>>
>>> Peter
>>
>> Hi folks,
>>
>> I did some authentication testing, and it seems that the display manager uses pam_winbind for authentication, as does ssh. So far, so good.
>>
>> Now remains the problem of mapping a Samba share as the user's home directory.
>>
>> Is there somebody having any input on this?
>>
>> Best regards,
>>
>> Peter
>
> Hi!
>
> I stopped using roaming profiles a couple of years ago, but I do use a home drive share. The users of the network have a personal share in an SMB share, let's call it \\FILESERVER\USERS\%USERNAME%, which in Windows is mounted as the personal home drive (P:) and the Documents folder redirects to that drive; this drive is also made available offline with Windows CSC.
>
> I'm using a Linux workstation for myself in a network where all the client workstations are Windows, and what I have done is to use pam_mount in combination with pam_winbind: I have pam_mount mount the SMB share on $HOME/.Documents (the dot is not a typo), and with unison I synchronize $HOME/.Documents and $HOME/Documents (the lack of the dot is not a typo). Unison has this folder marked as removable. This way I use my Documents folder and it doesn't matter if I logged in being connected to my work's network or not, and when I am connected to the network I use unison to sync the local copy of my Documents folder with my remote folder.
>
> Logging in while away from my work's network takes a little longer because of the timeouts when pam_mount is trying to mount network resources that are not available, but it works great. This setup doesn't cover the shared profile requirement, but I guess that with some tweaking it could be used to achieve something like that.
>
> Hope it helps.
> Best regards,
> Dave.

Hi Dave,

Thanks for your input. I will have a look at it and report back.

Best regards,

Peter
Peter Milesson
2024-Nov-24 19:35 UTC
[Samba] Linux desktop setup with authentication against Samba AD DC
On 14.11.2024 17:24, Peter Milesson via samba wrote:
>
> On 14.11.2024 16:51, bd730c5053df9efb wrote:
>> On Thursday, November 14th, 2024 at 07:48, Peter Milesson via samba <samba at lists.samba.org> wrote:
>>
>>> On 13.11.2024 21:14, Peter Milesson via samba wrote:
>>>
>>>> Hi folks,
>>>>
>>>> I'm figuring to set up a few Linux desktops with LXDM as display manager, and with authentication against a Samba AD DC. After successful authentication, I want the authenticated user's profile to be downloaded, or preferably mapped, from an SMB server (Linux, Windows, NAS, ...), to the local Linux PC. I intend to use Debian Bookworm, with Archlinux as a secondary alternative (too bleeding edge for my taste, as updates not seldom break the installation).
>>>>
>>>> Essentially I want a similar experience as Windows with redirected folders, or roaming profiles. The intended use is a lightweight desktop for occasional users sharing PCs, where full blown Windows desktops are not economically justifiable (hardware and licensing costs).
>>>>
>>>> Previously (many years ago) I made a setup based on NFS, but that's a path I want to avoid, unless there is no other viable alternative. That setup was based on the display manager Slim, which I had to tweak to some extent. As Slim is ancient, and with no development for ages, it's not an option.
>>>>
>>>> I guess the hardest part is setting up LXDM to authenticate against the Samba AD DC. There may be other display managers that better suit the requirements. I have got little experience with alternatives, and I'm completely open for suggestions.
>>>>
>>>> If somebody has got any experience with something similar, I would be grateful to get some thoughts and ideas.
>>>>
>>>> Best regards,
>>>>
>>>> Peter
>>>
>>> Hi folks,
>>>
>>> I did some authentication testing, and it seems that the display manager uses pam_winbind for authentication, as does ssh. So far, so good.
>>>
>>> Now remains the problem of mapping a Samba share as the user's home directory.
>>>
>>> Is there somebody having any input on this?
>>>
>>> Best regards,
>>>
>>> Peter
>>
>> Hi!
>>
>> I stopped using roaming profiles a couple of years ago, but I do use a home drive share. The users of the network have a personal share in an SMB share, let's call it \\FILESERVER\USERS\%USERNAME%, which in Windows is mounted as the personal home drive (P:) and the Documents folder redirects to that drive; this drive is also made available offline with Windows CSC.
>>
>> I'm using a Linux workstation for myself in a network where all the client workstations are Windows, and what I have done is to use pam_mount in combination with pam_winbind: I have pam_mount mount the SMB share on $HOME/.Documents (the dot is not a typo), and with unison I synchronize $HOME/.Documents and $HOME/Documents (the lack of the dot is not a typo). Unison has this folder marked as removable. This way I use my Documents folder and it doesn't matter if I logged in being connected to my work's network or not, and when I am connected to the network I use unison to sync the local copy of my Documents folder with my remote folder.
>>
>> Logging in while away from my work's network takes a little longer because of the timeouts when pam_mount is trying to mount network resources that are not available, but it works great. This setup doesn't cover the shared profile requirement, but I guess that with some tweaking it could be used to achieve something like that.
>>
>> Hope it helps.
>> Best regards,
>> Dave.
>>
> Hi Dave,
>
> Thanks for your input. I will have a look at it and report back.
>
> Best regards,
>
> Peter
>

Hi folks,

FYI, I've succeeded in setting up something that seems workable. When domain users log in on their Linux PCs, they get their /home/<user> folders mapped over CIFS from a Samba or Windows server. When they log out, the /home/<user> folder is unmounted and deleted, and their profile data remains on the server. The whole setup works similarly to redirected folders in a Windows server environment.

The setup is intended for casual users who don't need a full blown Windows desktop with M$ 365 and everything else that follows. There are lots of capable desktop applications under Linux that can replace their Windows counterparts, giving the users a nice full value experience. For companies using mainly web based applications, it's a dirt cheap solution. The hardware is really cheap, and it's a snap to roll out new PCs with all basic settings. Using Samba Linux GPOs, it should be about the same administrative work for the administrator as with Windows desktop PCs.

The setup is based on Debian Bookworm, the display manager is LightDM, and the desktop manager LXDE. Authentication is made with Kerberos to a Samba or Windows AD DC through PAM. PAM-mount is taking care of mapping the user folders from a share with Linux user profiles. The hardest bit was making PAM-mount unmount and delete the user folders on the Linux PC during the logout process. It needed some tweaking.

Best regards,

Peter
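To illustrate the pam_mount side of both Dave's $HOME/.Documents mount and Peter's CIFS-backed /home/<user> with cleanup at logout, here is an added example pam_mount.conf.xml; it is not a file from either poster's setup. The server name, share name, domain group and the use of Kerberos tickets (sec=krb5 via cifs.upcall) are assumptions.

```xml
<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
<!-- Added example, not Peter's or Dave's actual configuration.
     Assumes: a Samba/Windows file server fileserver.example.com
     (placeholder) exporting a share "profiles" with one folder per
     domain user, winbind supplying the user's uid/gid, and pam_mount.so
     enabled in the PAM auth and session stacks (Debian: pam-auth-update). -->
<pam_mount>
  <debug enable="0" />

  <!-- Map \\fileserver\profiles\<user> onto /home/<user>, but only for
       members of the domain group "linux-desktop-users" (placeholder).
       Limiting the volume to that group stops pam_mount from attempting
       a network mount for local accounts such as root or a rescue user. -->
  <volume sgrp="linux-desktop-users"
          fstype="cifs"
          server="fileserver.example.com"
          path="profiles/%(USER)"
          mountpoint="/home/%(USER)"
          options="sec=krb5,cruid=%(USERUID),uid=%(USERUID),gid=%(USERGID),file_mode=0700,dir_mode=0700,nosuid,nodev" />
  <!-- sec=krb5 reuses the ticket the user obtained at login instead of
       handing the login password to mount.cifs; cruid tells the kernel
       whose credential cache to use, and cifs.upcall must be registered
       in /etc/request-key.d on the client. nosuid/nodev plus 0700 modes
       keep a server-controlled home directory from becoming a local
       privilege-escalation path on a shared PC.
       Dave's variant differs only in mountpoint="/home/%(USER)/.Documents"
       and in letting pam_winbind's password flow through (no sec=krb5). -->

  <!-- Create /home/<user> at login and remove the then-empty directory
       after the share is unmounted at logout, so no profile data stays
       on the shared machine. -->
  <mkmountpoint enable="1" remove="true" />

  <!-- Give lingering session processes a moment, then signal them, so
       the unmount at logout does not fail with "device is busy"
       (wait is in microseconds per pam_mount.conf(5)). -->
  <logout wait="1000000" hup="no" term="yes" kill="yes" />
</pam_mount>
```

Verify the mount from a second console with `findmnt /home/<user>` while the user is logged in and again after logout; the second check should show nothing and the directory should be gone.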