Peter Milesson
2024-Nov-27 10:14 UTC
[Samba] Linux desktop setup with authentication against Samba AD DC
On 11/25/24 10:29, Rowland Penny via samba wrote:
> On Sun, 24 Nov 2024 20:35:17 +0100
> Peter Milesson via samba <samba at lists.samba.org> wrote:
>
>> Hi folks,
>>
>> FYI, I've succeeded in setting up something that seems workable.
>>
>> When domain users log in on their Linux PCs, they get their
>> /home/<user> folders mapped over CIFS from a Samba or Windows server.
>> When they log out, the /home/<user> folder is unmounted and deleted,
>> and their profile data remains on the server. The whole setup works
>> similarly to redirected folders in a Windows server environment. The
>> setup is intended for casual users that don't need a full-blown
>> Windows desktop with M$ 365 and everything else that follows. There
>> are lots of capable desktop applications under Linux that can
>> replace their Windows counterparts, giving the users a nice full
>> value experience. For companies using mainly web-based applications,
>> it's a dirt cheap solution. The hardware is really cheap, and it's a
>> snap to roll out new PCs with all basic settings. Using Samba Linux
>> GPOs, it should be about the same administrative work for the
>> administrator as with Windows desktop PCs.
>>
>> The setup is based on Debian Bookworm, the display manager is
>> LightDM, and the desktop manager LXDE. Authentication is made with
>> Kerberos to a Samba or Windows AD DC through PAM. PAM-mount is taking
>> care of mapping the user folders from a share with Linux user
>> profiles. The hardest bit was making PAM-mount unmount and
>> delete the user folders on the Linux PC during the logout process.
>> It needed some tweaking.
>>
>> Best regards,
>>
>> Peter
>>
>
> Care to tell us how you set this up ?
> Also why LXDE ? Isn't it the DE that sort of refuses to die ?
> From my understanding LXDE was replaced by LXQt, but, as is possible,
> LXDE was forked and now gets intermittent updates.
>
> Rowland

Hi Rowland,

Of course I will share my experiences with the community. I will put it in a separate post (or posts), as it may be fairly extensive.

Best regards,

Peter
Marco Gaiarin
2024-Nov-28 12:31 UTC
[Samba] Linux desktop setup with authentication against Samba AD DC
Mandi! Peter Milesson via samba wrote:
> Of course I will share my experiences with the community. I will put it
> in a separate post (or posts), as it may be fairly extensive.

Sorry for the late answer.

I confirm that I use pam_winbind for authentication (and password management: passwords can expire and be changed by users, as happens in Windows).

Also I can confirm that NFS is a bit too problematic nowadays, so I use CIFS via pam_mount.

Because I mount the 'windows home' as 'unix home' (~), in the past I've had some trouble with some app/desktop management for things like locks and special files. Seems better now...

--
Peter Milesson
2024-Nov-28 16:41 UTC
[Samba] Linux desktop setup with authentication against Samba AD DC
Hi folks,

This is post no. 2, with technical information about how I set up the Linux PCs, and additional information about setting up the server shares. It will give the basic outline to those trying to set up something similar using another Linux distribution. I will not go into any detail about setting up the OS and similar tasks, as it is assumed that the interested reader has the required knowledge.

*Hardware*

CPU: Gigabyte Brix GB-BRR5-4500 with AMD Ryzen 5 4500U, integrated GPU
RAM: Crucial 8GB DDR4-3200 SoDIMM, 1.2V, CL22
SSD: Patriot P320 PCIe M.2 256GB

The chosen hardware is more than sufficient for the task at hand, and provides lots of performance at a very modest cost. Added to that: small footprint, quiet operation, and low power consumption.

*Operating system*

Debian Bookworm with backports (status end of November 2024)

I chose Debian for this project, as it is a golden middle path: very stable, not too bleeding edge, neither too conservative, and with very few "surprises".

*Setting up*

I have exclusively used tools in Windows for setting up users in AD (ADUC) and configuring shares (Computer Management).

/Setup users in AD/

Set up a few users in AD. The naming is irrelevant, but use only ASCII A-Z, a-z, and 0-9 in user names (hint: have a look at MS's support pages about accented characters in user names).

/Setting up a server share (Windows or Samba) for the home directories/

*NOTE!* The setup has only been tested with Windows ACLs, for maximum compatibility between Windows and Linux. The behavior with POSIX ACLs is unknown.

In the following text I will use the following abbreviations:

This folder, subfolders, and files - TSF
Subfolders and files only - SF
This folder only - FO

- Create the root directory for the home directories
- Disable inheritance on the root folder
- Set ownership on the root folder and assign permissions
  - Set ownership to a group or user with administrative access in the domain (Domain Admins, Administrator)
  - Everyone (Read & Execute, FO), SERVER\Administrators (Full, TSF), SYSTEM (Full, TSF), CREATOR OWNER (Full, SF), Administrator (Full, TSF)
- Create the share in Computer Management, give full share permissions to Everyone

I named the share linuxhomes$, which implies that it will be hidden when browsing the server. What you don't see won't tempt you...

/Create user home directories on the server/

- Create a directory with a name corresponding to each user name in the share directory
- Disable inheritance for each user directory
- Add the to-be user to the permission list
- Set permissions on the user directory according to the following:
  - The user (Full, TSF), SERVER\Administrators (Full, TSF), CREATOR OWNER (Full, SF), SYSTEM (Full, TSF), Administrator (Full, TSF)
- Set ownership of the user's directory to that of the user

/Setting up Debian and installing components/

*Note!* The setup is untested with Samba versions below 4.21.1, YMMV.

- Make a minimal installation of Debian on the PC, only system utilities and sshd at this point
- Configure hostname and network, check that time synchronization (networkd-timesyncd) works. Caveat: when using DHCP, check that the DNS servers handed out by the DHCP server point to AD DCs, otherwise you need to use a static IP address on the PC and set one or more AD DCs as name servers
- Add debian-backports to sources.list, update and upgrade
- Install other required packages from debian-backports: sudo, cifs-utils, attr, xattr, acl, cups
- Make sure there is at least one local sudo user
- Make sure nscd is not installed; disabling avahi-daemon.service and avahi-daemon.socket may also be a good idea
- Install the following packages from debian-backports, but exclude samba-ad-dc and samba-ad-provision:
  - krb5-user krb5-config libldb2 libnss-winbind libpam-winbind libwbclient0 python3-ldb python3-cryptography python3-samba samba samba-common samba-common-bin samba-dsdb-modules samba-libs samba-vfs-modules winbind libpam-krb5 libpam-mount hxtools tdb-tools

/Setup Samba/

- Stop winbind, smbd, and nmbd
- Mask the nmbd service
- Configure Kerberos
- Configure /etc/samba/smb.conf
- Check that nsswitch.conf is OK and contains winbind for passwd and group

/smb.conf example/

    # Global parameters
    [global]
            dedicated keytab file = /etc/krb5.keytab
            disable netbios = Yes
            disable spoolss = Yes
            kerberos method = secrets and keytab
            printcap name = /dev/null
            realm = SAMDOM.EXAMPLE.NET
            restrict anonymous = 2
            security = ADS
            server role = member server
            smb ports = 445
            template homedir = /home/%U
            template shell = /bin/bash
            username map = /etc/samba/user.map
            min domain uid = 0
            winbind refresh tickets = Yes
            winbind use default domain = Yes
            workgroup = SAMDOM
            idmap config * : backend = tdb
            idmap config * : range = 3000-9999
            idmap config samdom : backend = rid
            idmap config samdom : range = 10000-99999
            map acl inherit = Yes
            vfs objects = acl_xattr

//etc/samba/user.map example/

    !root = SAMDOM\Administrator

/Join the domain (as root, not sudo) and test/

    samba-tool domain join samdom.example.net MEMBER -U administrator

samba-tool may output a bunch of error messages, but the important message is the last one, that the join was successful.

- Start smbd and winbind
- Run wbinfo --ping-dc, and check that the connection is successful

/Modify /etc/pam.d/common-session/

To avoid multiple mounts of the home directory, in case the user's home directory is not unmounted after logout, it is necessary to add the following line immediately before "session optional pam_mount.so":

    session [success=1 default=ignore] pam_succeed_if.so service = systemd-user

/Setup automatic mounting with pam_mount after successful login/

Edit the file /etc/security/pam_mount.conf.xml and add the following contents after <!-- Volume definitions -->:

    <volume user="*"
            fstype="cifs"
            server="<FQDN of server>"
            path="linuxhomes$/%(DOMAIN_USER)"
            mountpoint="/home/%(DOMAIN_USER)"
            uid="10000-999999"
            options="nosuid,nodev,sec=krb5i,cruid=%(USERUID),mfsymlinks,nobrl,vers=3.0" />

The parameter uid should contain the same value as "idmap config samdom : range = 10000-99999" in /etc/samba/smb.conf. It effectively means that no mounting is attempted for a user outside the uid span.

The following parameter must also be set properly, otherwise the user's home directory is not unmounted after logout:

    <logout wait="200000" hup="no" term="yes" kill="yes" />

If the PC and/or network is slow, it may be necessary to increase the wait value. With a value of 100000 (0.1s), I experienced that the user home directory did not get unmounted after logging off.

/Testing before installing a graphical desktop/

At this point you can try to log in on the console, either using a classic Windows login name (WORKGROUP\user) or a UPN:

    SAMDOM\user
    user at samdom.example.net

- Check that your user directory is under /home
- Try to create a file (an empty one is OK), and check on the server that the file is in the user directory
- Log out and log in as a local user
- Check that there is no directory /home/user
- If there is, you need to increase the parameter logout wait= in /etc/security/pam_mount.conf.xml. *Note!* The delay is given in microseconds!

Login with SSH should behave like console login.

/Setting up the display manager/

It is important to use a display manager that stores Kerberos tickets, if you intend to use other kerberized services. In this setup LightDM was used. I tried LXDM, as it is even more lightweight than LightDM, but Kerberos tickets are not stored.

When using a gvfs-based display manager (like LightDM), it is important to modify the behavior of the gvfs daemon. It is a daemon that runs in userland, and in the original setup it does not pick up the Kerberos ticket. It is necessary to override this behavior by creating the unit file /etc/systemd/user/gvfs-daemon:

    [Unit]
    Description=Virtual filesystem service
    PartOf=graphical-session.target

    [Service]
    Environment="KRB5CCNAME=FILE:/tmp/krb5cc_%U"
    ExecStart=/usr/libexec/gvfsd
    Type=dbus
    BusName=org.gtk.vfs.Daemon
    Slice=session.slice

/Setting up the graphical desktop/

The choice of graphical desktop is an individual one. The choice here was LXDE, as it is very lightweight and fast. Windows users (at least up to Windows 10) should not have any problems feeling at home here. You could always argue that the looks are seriously outdated, but the intention is fulfilling a purpose: getting the user to do some work. If you miss the 3D looks and the themes of a modern Disney cartoon, I recommend switching to Windows 11.

You want to start with a basic LXDE desktop, as the complete LXDE meta package contains uncountable applications. Additional LXDE elements and required applications can be installed later on. LXDE is installed with the following packages:

- lxde-core lxinput

The lxinput package enables the user to alter the mouse settings. Very handy for left-handed persons.

Confirm that it is possible to log in with the display manager as a domain user with a home directory defined. Use either the classic Windows login style (WORKGROUP\user) or a UPN.

/Installing required applications/

One of the final tasks is installation of required applications like web browsers, e-mail clients, remote desktop clients, etc. In this case, I installed Firefox, Thunderbird, Xpdf, LibreOffice, and FreeRDP. Also install specific language packs, if that is required (see below about localization).

/Localization/

If there are users who require a different user locale, the basic locale definitions should be configured now. Define the wanted locales: edit /etc/locale.gen and uncomment the required locales, then run sudo locale-gen. Individual locale setting is described below.

/Configure CUPS and define printers for a limited set of users/

This is the right moment for defining printers, if there is an intention of rolling out the image to several PCs with identical setups.

/Finalizing and saving a master image/

When the basic setup is working, the disk image can be saved as a master for rapid deployment of new devices. If you intend to replicate the setup to new PCs, the current machine must first be removed from the domain, otherwise the new PC will "steal" the AD registration from a previous PC with the same setup. Remove the PC from the domain with:

    sudo net ads leave -U Administrator

Power off the PC and boot up a Linux environment containing tools for copying an image of the whole disk. I usually boot up an Arch Linux installation image on a USB drive, as it contains all necessary tools, and transfer the disk image with dd over ssh.

/Individual localization/

LXDE can be set up for individual locales. This step is a once-and-for-all activity, as the settings will be stored in the user's home directory, not on the PC. The setup is preferably made from another Linux PC, by subsequently mounting the home directory share as each of the Linux PC users and adding the file described below. It is assumed that the necessary locale definitions are configured on all the user PCs.

Repeat the following for every user that requires an individual locale.

- Mount the Linux user home share on the server as a specific user
- Create the file .xsessionrc (*Note* lower case) in the user's home directory. The contents are (for example Czech):

    LC_ALLLANG=cs_CZ.UTF-8
    LANGUAGE=cs_CZ:de:en

  Applications based on gettext use the LANGUAGE parameter, and in this example messages are preferably displayed in Czech, then German, and finally English. Other LC_ variables can be added according to your requirements. *Note!* It is considered bad practice to set the LC_ALL parameter, as it overrides everything else.
- Unmount the share and repeat for other users.

/Setting up a new PC from the master image/

*NOTE!* This may not work if the BIOS is set to UEFI secure boot. How to migrate from standard UEFI boot to secure UEFI boot is beyond the scope of this description.

- Boot the new PC with an installation image on a USB drive that contains a sufficient set of tools
- Make sure that the disk in the new PC is sufficiently large for the image, at least the same size as the image
- Write the image to the PC's disk with the help of dd over SSH
- Reboot the PC
- Log in as root from the console
- Change the host name in the hostname and hosts files
- Check/adjust the file /etc/network/interfaces and make sure the correct network interface names are used
- Reboot the PC
- Log in as root from the console
- Stop smbd and winbind
- Join the PC to the domain (see above)
- Start smbd and winbind and check the domain connection with wbinfo --ping-dc
- Log out from root
- Make a test login as a user with a home directory on the server
- Check that the user profile works
- Log out the user
- Log in as a local user
- Check that the home directory for the previously logged in user does not exist

If the previously logged in user with a server home directory has left a mounted home directory, it is necessary to increase the logout wait time in the file /etc/security/pam_mount.conf.xml.

- Reboot the PC
- Log in as root or as a local user with sudo privileges
- Remove the user directory for the user with a server home directory
- Increase the value until the user home directory is automatically removed after logout

*Conclusion*

After going through the steps above, there is a working PC with a graphical desktop, with authentication based on Kerberos and user profiles stored on a server. The users and PCs are all managed through AD, and with the addition of administrative templates for Linux in AD, GPOs can be used for even more detailed administration. If there are many Linux PCs to handle, it is probably a good idea to set up routines for regular updates and maintenance using scripting. In case the users store information of any importance at all, regular backups of the server share should be scheduled.

I hope you find the concept inspiring and useful.

Peter
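As an added example (not from Peter's post or from the Samba project), here is a small Python check for the relationship the post describes between smb.conf and pam_mount.conf.xml: the volume's uid filter must equal the idmap range of the domain, the CIFS mount should keep nosuid, nodev and sec=krb5i, and the logout wait must not fall below the 0.2 s value reported as working. The embedded configs are constructed: the uid range has one digit too many and the logout wait is the 0.1 s value that failed; the server name and the 200000 µs threshold are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the idmap lines of the smb.conf from the post.
SAMPLE_SMB_CONF = """\
[global]
        idmap config samdom : backend = rid
        idmap config samdom : range = 10000-99999
"""

# Constructed sample: a pam_mount volume whose uid filter has one digit too
# many (10000-999999) and whose logout wait is the 0.1 s value that failed.
SAMPLE_PAM_MOUNT = """\
<pam_mount>
<volume user="*" fstype="cifs" server="files.samdom.example.net"
        path="linuxhomes$/%(DOMAIN_USER)" mountpoint="/home/%(DOMAIN_USER)"
        uid="10000-999999"
        options="nosuid,nodev,sec=krb5i,cruid=%(USERUID),mfsymlinks,nobrl,vers=3.0" />
<logout wait="100000" hup="no" term="yes" kill="yes" />
</pam_mount>
"""

REQUIRED_OPTS = {"nosuid", "nodev", "sec=krb5i"}  # Kerberos with signing, no setuid/devices
MIN_LOGOUT_WAIT_US = 200000  # assumption: the wait value the post reports as working

def smb_global_params(text):
    """Map key -> value for the [global] section; keys keep their 'a : b' form."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            section = line.strip("[]").lower()
        elif section == "global" and "=" in line and line[0] not in "#;":
            key, value = line.split("=", 1)
            params[key.strip().lower()] = value.strip()
    return params

def parse_range(text):
    return tuple(int(x) for x in text.split("-", 1))

def check_home_volume(smb_conf, pam_mount_xml, domain="samdom"):
    """Return a list of findings; an empty list means the two files agree."""
    findings = []
    idmap = parse_range(smb_global_params(smb_conf)[f"idmap config {domain} : range"])
    root = ET.fromstring(pam_mount_xml)
    for vol in root.iter("volume"):
        if parse_range(vol.get("uid", "0-0")) != idmap:
            findings.append(f"uid={vol.get('uid')} differs from idmap range {idmap[0]}-{idmap[1]}")
        missing = REQUIRED_OPTS - set(vol.get("options", "").split(","))
        if missing:
            findings.append(f"{vol.get('mountpoint')} lacks mount options {sorted(missing)}")
    logout = root.find("logout")
    wait = int(logout.get("wait", "0")) if logout is not None else 0
    if wait < MIN_LOGOUT_WAIT_US:
        findings.append(f"logout wait={wait} us is below {MIN_LOGOUT_WAIT_US} us")
    return findings
```

Run it against the real /etc/samba/smb.conf and /etc/security/pam_mount.conf.xml before saving the master image; an empty result means the mount is restricted to domain uids, uses Kerberos with integrity, and gives pam_mount enough time to unmount at logout.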