samba - Nov 2024 - Linux desktop setup with authentication against Samba AD DC

On Thu, 28 Nov 2024 17:41:47 +0100
Peter Milesson via samba <samba at lists.samba.org> wrote:
> Hi folks,
> 
> This is post no. 2, with technical information of how I set up the
> Linux PCs, and additional information about setting up the server
> shares. It will give the basic outlines to those trying to setup
> something similar, using another Linux distribution. I will not go
> into any detail about setting up the OS, and similar tasks, as it is
> assumed that the interested reader has got the required knowledge.
> 
> 
> *Hardware*
> CPU Gigabyte Brix GB-BRR5-4500 with AMD Ryzen 5 4500U, integrated GPU
> RAM Crucial 8GB DDR4-3200 SoDIMM, 1.2V, CL22
> SSD Patriot P320 PCIe M.2 256GB
> 
> The chosen hardware is more than sufficient for the task at hand, and 
> provides lots of performance to a very modest cost. Added to that,
> small footprint, quiet operations, and low power consumption.
> 
> 
> *Operating system*
> Debian Bookworm with backports (status end of November 2024)
> 
> I chose Debian for this project, as it is a golden middle path, very 
> stable, not too bleeding edge, neither too conservative, and with
> very few "surprises".
> 
> 
> *Setting up*
> I have exclusively used tools in Windows for setting up users in AD 
> (ADUC) and configuring shares (Computer management).
> 
> /Setup users in AD/
> Set up a few users in AD. The naming is irrelevant, use only names
> with ASCII A-Z, a-z, and 0-9 in user names (hint: have a look at MS's
> support pages about accented characters in user names)
> 
> 
> /Setting up a server share (Windows or Samba) for the home
> directories/ *NOTE!* The setup has only been tested with Windows ACLs
> for maximum compatibility between Windows and Linux. The behavior
> with POSIX ACLs is unknown.
> 
> In the following text I will use the following abbreviations:
> 
>     This folder, subfolders, and files - TSF
>     Subfolders and files only - SF
>     This folder only - FO
> 
> - Create the root directory for the home directories
> - Disable inheritance on the root folder
> - Set ownership on the root folder and assign permissions
>  ? - Set ownership to a group or user with administrative access in
> the domain (Domain Admins, Administrator)
>  ? - Everyone (Read & Execute, FO), SERVER\Administrators (Full,
> TSF), SYSTEM (Full, TSF), CREATOR OWNER (Full, SF), Administrator
> (Full, TSF)
> - Create the share in Computer Management, give full share
> permissions to Everyone
> 
> I named the share linuxhomes$, which implies that it will be hidden
> when browsing the server. What you don't see, won't tempt you...
> 
> 
> /Create user home directories on the server/
> - Create a directory with a name corresponding to each user name in
> the share directory
> - Disable inheritance for each user directory
> - Add the to be user to the permission list
> - Set permissions on the user directory according to the following:
>  ? - The user (Full, TSF), SERVER\Administrators (Full, TSF), CREATOR 
> OWNER (Full, SF), SYSTEM (Full, TSF), Administrator (Full, TSF)
> - Set ownership of the user's directory to that of the user
> 
> 
> /Setting up Debian and installing components/
> *Note!* The setup is untested with Samba versions below 4.21.1, YMMV.
> - Make a minimal installation of Debian on the PC, only system
> utilities and sshd at this point
> - Configure hostname and network, check that time synchronization 
> (networkd-timesyncd) works. Caveat: When using DHCP, check that the
> DHCP server DNS point to AD DCs, oteherwise you need to use a static
> IP address on the PC, and set one or more AD DCs as name servers
> - Add debian-backports to sources-list, update and upgrade
> - Install other required packages from debian-backports: sudo, 
> cifs-utils, attr, xattr, acl, cups
> - Make sure there is at least one local sudo user
> - Make sure nscd is not installed, disabling avahi-daemon.service and 
> avahi-daemon.socket may also be a good idea
> - Install the following packages from debian-backports, but exclude 
> samba-ad-dc and samba-ad-provision:
>  ? - krb5-user krb5-config? libldb2 libnss-winbind libpam-winbind 
> libwbclient0 python3-ldb python3-cryptography python3-samba samba 
> samba-common samba-common-bin samba-dsdb-modules samba-libs 
> samba-vfs-modules winbind libpam-krb5 libpam-mount hxtools tdb-tools
> 
> 
> /Setup Samba/
> - Stop winbind, smbd, and nmbd
> - Mask the nmbd service
> - Configure Kerberos
> - Configure /etc/samba/smb.conf
> - Check that nsswitch.conf is OK and contains winbind for passwd and
> group
> 
> 
> /smb.conf example/
> # Global parameters
> [global]
>  ??????? dedicated keytab file = /etc/krb5.keytab
>  ??????? disable netbios = Yes
>  ??????? disable spoolss = Yes
>  ??????? kerberos method = secrets and keytab
>  ??????? printcap name = /dev/null
>  ??????? realm = SAMDOM.EXAMPLE.NET
>  ??????? restrict anonymous = 2
>  ??????? security = ADS
>  ??????? server role = member server
>  ??????? smb ports = 445
>  ??????? template homedir = /home/%U
>  ??????? template shell = /bin/bash
>  ??????? username map = /etc/samba/user.map
>  ? ? ? ? min domain uid = 0
>  ??????? winbind refresh tickets = Yes
>  ??????? winbind use default domain = Yes
>  ??????? workgroup = SAMDOM
>  ??????? idmap config * : backend = tdb
>  ??????? idmap config * : range = 3000-9999
>  ??????? idmap config samdom : backend = rid
>  ??????? idmap config samdom : range = 10000-99999
>  ??????? map acl inherit = Yes
>  ??????? vfs objects = acl_xattr
> 
> 
> //etc/samba/user.map example/
> !root = SAMDOM\Administrator
> 
> 
> /Join the domain (as root, not sudo) and test/
> samba-tool domain join samdom.example.net MEMBER -U administrator
> 
> samba-tool may output a bunch of error messages, but the important 
> message is the last one, that the join was successful.
> 
> Start smbd and winbind
> 
> Run wbinfo --ping-dc, and check that the connection is successful
> 
> 
> /Modify /etc/pam.d/common-session/
> To avoid multiple mounts of the home directory, in case the user's
> home directory is not unmounted after logout, it is necessary to add
> the following line immediately before "session optional
pam_mount.so"
> 
> session [success=1 default=ignore] pam_succeed_if.so service >
systemd-user
> 
> 
> /Setup automatic mounting with pam_mount after successful login/
> Edit the file /etc/security/pam_mount.conf.xml and add the following 
> contents after? <!-- Volume definitions -->:
> 
> <volume user="*"
>  ??????? fstype="cifs"
>  ??????? server="<FQDN of server>"
>  ??????? path="linuxhomes$/%(DOMAIN_USER)"
>  ??????? mountpoint="/home/%(DOMAIN_USER)"
>  ??????? uid="10000-999999"
>
options="nosuid,nodev,sec=krb5i,cruid=%(USERUID),mfsymlinks,nobrl,vers=3.0"
> />
> 
> The parameter uid should contain the same value as "idmap config
> samdom : range = 10000-99999" in /etc/samba/smb.conf". It means
> effectively, that no mounting should be tried for a user outside the
> uid span.
> 
> The following parameter must also be set properly, otherwise the
> user's home directory is not unmounted after logout
> 
> <logout wait="200000" hup="no" term="yes"
kill="yes" />
> 
> If the PC and/or network is slow, it may be necessary to increase the 
> wait value. With a value of 100000 (0.1s), I experienced that the
> user home directory did not get unmounted after logging off.
> 
> 
> /Testing before installing a graphical desktop/
> At this point you can try to login to the console either using a
> classic windows login name (WORKGROUP\user), or UPN:
> 
> SAMDOM\user
> user at samdom.example.net
> 
> - Check that your user directory is under /home
> - Try to create a file, an empty one is OK, check on the server that
> the file is in the user directory.
> - Log out and log in as a local user
> - Check that there is no directory /home/user.
> - If there is, you need to increase the parameter logout wait= in 
> /etc/security/pam_mount.conf.xml. *Note!* The delay is given in 
> microseconds!
> 
> Login with SSH should behave like console login.
> 
> 
> /Setting up the display manager/
> It is important to use a display manager that stores Kerberos
> tickets, if you intend to use other kerberized services. In this
> setup LightDM was used. I tried with LXDM, as it is even more
> lightweight than LightDM, but Kerberos tickets are not stored.
> 
> When using a gvfs-based display manager (like LightDM), it is
> important to modify the behavior of the gvfs-daemon. It is a daemon
> that runs in userland, and in the original setup, it does not pick up
> the Kerberos ticket.
> 
> It is necessary to override this behavior by creating the unit file 
> /etc/systemd/user/gvfs-daemon
> 
> [Unit]
> Description=Virtual filesystem service
> PartOf=graphical-session.target
> 
> [Service]
> Environment="KRB5CCNAME=FILE:/tmp/krb5cc_%U"
> ExecStart=/usr/libexec/gvfsd
> Type=dbus
> BusName=org.gtk.vfs.Daemon
> Slice=session.slice
> 
> 
> /Setting up the graphical desktop/
> The choice of graphical desktop is an individual one. The choice here 
> was LXDE, as it is very light weight and fast. Windows users (at
> least up to Windows 10) should not have any problems to feel at home
> here. You could always argue that the looks are seriously outdated,
> but the intention is fulfilling a purpose: Getting the user to do
> some work. If you miss the 3D-looks and the themes of a modern Disney
> cartoon, I recommend switching to Windows 11.
> 
> You want to start with a basic LXDE desktop, as the complete LXDE
> meta package contains uncountable applications. Additional LXDE
> elements, and required applications can be installed later on. LXDE
> is installed with the following packages:
> 
>  ? - lxde-core lxinput
> 
> The lxinput package enables the user to alter the mouse settings.
> Very handy for left handed persons.
> 
> Confirm that it is possible to login with the display manager as a 
> domain user with a home directory defined. Use either the classic 
> Windows login style?(WORKGRUP\user) or with UPN.
> 
> 
> /Installing required applications/
> One of the final tasks is installation of required applications like
> web browsers, e-mail clients, remote desktop clients, etc. In this
> case, I installed Firefox, Thunderbird, Xpdf, LibreOffice, and
> FreeRDP. Also install specific language packs, if that is required
> (see below about localization).
> 
> 
> /Localization/
> If there are users which require a different user locale, the basic 
> locale definitions should be configured now. Define the wanted
> locales. Edit /etc/locale.gen and uncomment the required locales,
> then run sudo locale-gen. Individual locale setting is described
> below.
> 
> 
> /Configure CUPS and define printers for a limited set of users/
> This is the right moment for defining printers, if there is intention
> of rolling out the image to several PCs with identical setups.
> 
> 
> /Finalizing and saving a master image/
> When the basic setup is working, the disk image can be saved as a
> master for rapid deployment of new devices.
> 
> If you intend to replicate the setup to new PCs, the current machine 
> must first be removed from the domain, otherwise the new PC will
> "steal" the AD registration from a previous PC with the same
setup.
> Remove the PC from the domain with:
> 
> sudo net ads leave -U Administrator
> 
> Power off the PC and boot up a Linux environment containing tools for 
> copying an image of the whole disk.
> 
> I usually boot up an Archlinux installation image on a USB drive, as
> it contains all necessary tools, and transfer the disk image with dd
> over ssh.
> 
> 
> /Individual localization/
> LXDE can be set up for individual locales. This step is a once and
> for all activity, as the settings will be stored in the user's home 
> directory, not on the PC. The setup is preferably made from another 
> Linux PC, by subsequently mounting the home directories share as the 
> Linux PC users, and adding the file described below.
> 
> It is assumed that the necessary locale definitions are configured on 
> all the user PCs.
> 
> Repeat the following for every user that requires an individual
> locale.
> 
> - Mount the Linux user home share on the server as a specific user
> - Create the file .xsessionrc (*Note* lower case) in the user's home 
> directory. The contents are (for example Czech):
> 
> LC_ALL> LANG=cs_CZ.UTF-8
> LANGUAGE=cs_CZ:de:en
> 
> Applications based on gettext uses the LANGUAGE parameter, and in
> this example messages are preferably displayed in Czech, then German,
> and finally English.
> 
> Other LC_ variables can be added according to? your requirements. 
> *Note!* It is considered a bad practice setting the LC_ALL parameter,
> as it overrides everything else.
> 
> Unmount the share and repeat for other users.
> 
> 
> /Setting up a new PC from the master image/
> *NOTE!* This may not work if the BIOS is set to UEFI secure boot. How
> to migrate from standard UEFI boot to secure UEFI boot is beyond the
> scope of this description
> - Boot the new PC with an installation image on a USB drive, that 
> contains a sufficient set of tools.
> - Make sure that the disk in the new PC is sufficiently large for the 
> image, at least the same size as the image
> - Write the image to the PC's disk with the help of dd over SSH
> - Reboot the PC
> - Login as root from the console
> - Change the host name in the hostname and hosts files
> - Check/adjust the file /etc/network/interfaces and make sure the 
> correct network interface names are used
> - Reboot the PC
> - Login as root from the console
> - Stop smbd and winbind
> - Join the PC to the domain (se above)
> - Start smbd and winbind and check the domain connection with wbinfo 
> --ping-dc
> - Logout from root
> - Make a test login as a user with home directory on the server
> - Check that the user profile works
> - Logout the user
> - Login as a local user
> - Check that the home directory for the previously logged in user
> does not exist
> 
> If the previously logged in user with a server home directory has
> left a mounted home directory, it is necessary to increase the logout
> wait time in the file /etc/security/pam_mount.conf.xml.
> - Reboot the PC
> - Login as root or local user with sudo privileges
> - Remove the user directory for the user with a server home directory
> - Increase the value until the user home directory is automatically 
> removed after logout
> 
> 
> *Conclusion*
> After going through the steps above, there is a working PC with a 
> graphical desktop, with authentication based on Kerberos and user 
> profiles stored on a server. The users and PCs are all managed
> through AD, and with addition of administrative templates for Linux
> in AD, GPOs can be used for even more detailed administration.
> 
> If there are many Linux PCs to handle, it is probably a good idea to 
> setup routines for regular updates and maintenance using scripting.
> 
> In case that the users store information with any importance at all, 
> regular backups of the server share should be scheduled.
> 
> I hope you find the concept inspiring, and useful.
> 
> Peter
Hi Peter, that was actually more than what I was expecting, a very
detailed tutorial indeed. 

I wonder if the basic setup could be used with any Linux distro ?
Only one way to find out, try it, so I am off to install LMDE6 in a VM
:-)

Rowland

> Hi Peter, that was actually more than what I was expecting, a very
> detailed tutorial indeed.
>
> I wonder if the basic setup could be used with any Linux distro ?
> Only one way to find out, try it, so I am off to install LMDE6 in a VM
> :-)
>
> Rowland
>
>
Hi Rowland,

I have tried it in a VM also. Works without any problems. I'm going to 
try it in a decommissioned, 7 year old workstation with completely 
different hardware in a few moments.

Good luck,

Peter