Peter Milesson
2024-Nov-29 19:50 UTC
[Samba] Linux desktop setup with authentication against Samba AD DC
On 11/29/24 20:07, Rowland Penny via samba wrote:
> On Fri, 29 Nov 2024 12:07:45 +0100
> Peter Milesson via samba <samba at lists.samba.org> wrote:
>
>>> Hi Peter, that was actually more than what I was expecting, a very
>>> detailed tutorial indeed.
>>>
>>> I wonder if the basic setup could be used with any Linux distro?
>>> Only one way to find out, try it, so I am off to install LMDE6 in a
>>> VM :-)
>>>
>>> Rowland
>>>
>>>
>> Hi Rowland,
>>
>> I have tried it in a VM also. Works without any problems. I'm going
>> to try it in a decommissioned, 7 year old workstation with completely
>> different hardware in a few moments.
>>
>> Good luck,
>>
>> Peter
>>
> OK, I have got it to work with an LMDE6 install, but not with Peter's
> 'volume' pam_mount.conf.xml setting, I had to use:
>
> <volume fstype="cifs"
>         server="cm4nas.samdom.example.com"
>         path="users"
>         mountpoint="/home/SAMDOM/%(USER)"
>         options="user=%(USER),cruid=%(USER),sec=krb5"
> />
>
> Rowland
>

Hi Rowland,

As I stated in my (maybe too voluminous) description, the setup may not
be applicable to other distributions out of the box, which I naturally
did not expect. I have been using completely up to date Debian Bookworm
setups, and everything I made has been reproducible (physical PC, VM,
Windows server, Samba server).

I got stuck with %{USER}, and then studied the Ubuntu man pages of
libpam-mount in great detail. I sifted through lots of pages about
pam_mount, and it seems that the options "nosuid,nodev" are more or less
mandatory. The "mfsymlinks,nobrl,vers=3.0" also seem to be important.
Are you using /home/SAMDOM/%D/%U as template homedir in your smb.conf?

If there are different interpretations of the %{USER} and %{DOMAIN_USER}
parameters between different distributions, that would be really bad.
But it wouldn't surprise me.

I'm going to try it out with a PC running Archlinux. Archlinux is
sometimes deviating in quite unexpected (and incomprehensible)
directions, which could make it a challenge. Personally, I like
Archlinux for mostly being in the absolute forefront of Linux
development, but if I put on my sysadmin hat, it's a walk through a
minefield.

Anyway, it's nice to get to know that you took interest, and that you
confirmed the viability of the concept in a completely independent
domain.

I wish you a nice weekend.

Peter
Rowland Penny
2024-Nov-29 20:40 UTC
[Samba] Linux desktop setup with authentication against Samba AD DC
On Fri, 29 Nov 2024 20:50:21 +0100
Peter Milesson <miles at atmos.eu> wrote:
>
> On 11/29/24 20:07, Rowland Penny via samba wrote:
> > On Fri, 29 Nov 2024 12:07:45 +0100
> > Peter Milesson via samba <samba at lists.samba.org> wrote:
> >
> >>> Hi Peter, that was actually more than what I was expecting, a very
> >>> detailed tutorial indeed.
> >>>
> >>> I wonder if the basic setup could be used with any Linux distro?
> >>> Only one way to find out, try it, so I am off to install LMDE6 in
> >>> a VM :-)
> >>>
> >>> Rowland
> >>>
> >>>
> >> Hi Rowland,
> >>
> >> I have tried it in a VM also. Works without any problems. I'm going
> >> to try it in a decommissioned, 7 year old workstation with
> >> completely different hardware in a few moments.
> >>
> >> Good luck,
> >>
> >> Peter
> >>
> > OK, I have got it to work with an LMDE6 install, but not with Peter's
> > 'volume' pam_mount.conf.xml setting, I had to use:
> >
> > <volume fstype="cifs"
> >         server="cm4nas.samdom.example.com"
> >         path="users"
> >         mountpoint="/home/SAMDOM/%(USER)"
> >         options="user=%(USER),cruid=%(USER),sec=krb5"
> > />
> >
> > Rowland
> >
> >
> Hi Rowland,
>
> As I stated in my (maybe too voluminous) description, the setup may
> not be applicable to other distributions out of the box, which I
> naturally did not expect. I have been using completely up to date
> Debian Bookworm setups, and everything I made has been reproducible
> (physical PC, VM, Windows server, Samba server).

From my understanding, LMDE6 is basically Debian 12 with the Cinnamon
desktop slapped on top of it, a bit like the Raspberry Pi OS. This is
one reason I used it.

> I got stuck with %{USER}, and then studied the Ubuntu man pages of
> libpam-mount in great detail. I sifted through lots of pages about
> pam_mount, and it seems that the options "nosuid,nodev" are more or
> less mandatory. The "mfsymlinks,nobrl,vers=3.0" also seem to be
> important. Are you using /home/SAMDOM/%D/%U as template homedir in
> your smb.conf?

I used your 'volume' setup verbatim but it didn't work for me, so I
tried one I had used previously and it worked.

This is the users directory on the 'NAS' (in reality, an rpi CM4
running bookworm) before the mount on the client:

adminuser at cm4nas:~ $ sudo ls -la /home/SAMDOM/users/rowland/
total 8
drwx------ 2 rowland root 4096 Nov 29 16:33 .
drwxr-xr-x 4 root    root 4096 Nov 23 14:35 ..

and this is it again after the mount:

adminuser at cm4nas:~ $ sudo ls -la /home/SAMDOM/users/rowland/
total 284
drwx------  14 rowland root         4096   Nov 29 17:27 .
drwxr-xr-x   4 root    root         4096   Nov 23 14:35 ..
drwxrwxr-x+  7 rowland domain users 4096   Nov 29 17:27 .cache
drwxrwxr-x+ 12 rowland domain users 4096   Nov 29 17:26 .config
drwxrwxr-x+  2 rowland domain users 4096   Nov 29 17:26 Desktop
drwxrwxr-x+  2 rowland domain users 4096   Nov 29 17:26 Documents
drwxrwxr-x+  2 rowland domain users 4096   Nov 29 17:26 Downloads
drwxrwxr-x+  3 rowland domain users 4096   Nov 29 17:27 .linuxmint
drwxrwxr-x+  4 rowland domain users 4096   Nov 29 17:26 .local
drwxrwxr-x+  2 rowland domain users 4096   Nov 29 17:26 Music
drwxrwxr-x+  2 rowland domain users 4096   Nov 29 17:26 Pictures
drwxrwxr-x+  2 rowland domain users 4096   Nov 29 17:26 Public
drwxrwxr-x+  2 rowland domain users 4096   Nov 29 17:26 Templates
drwxrwxr-x+  2 rowland domain users 4096   Nov 29 17:26 Videos
-rwxrwxr-x+  1 rowland domain users 53     Nov 29 17:26 .Xauthority
-rwxrwxr-x+  1 rowland domain users 171747 Nov 29 17:27 .xsession-errors

> If there are different interpretations of the %{USER} and
> %{DOMAIN_USER} parameters between different distributions, that
> would be really bad. But it wouldn't surprise me.

I think the difference is that '%(USER)' is 'rowland' and
'%(DOMAIN_USER)' is 'SAMDOM\rowland'

> I'm going to try it out with a PC running Archlinux. Archlinux is
> sometimes deviating in quite unexpected (and incomprehensible)
> directions, which could make it a challenge. Personally, I like
> Archlinux for mostly being in the absolute forefront of Linux
> development, but if I put on my sysadmin hat, it's a walk through a
> minefield.

I think that getting it to work on Arch will be interesting, but I am
not a fan of Arch, such a good distro, but not the easiest to install.

> Anyway, it's nice to get to know that you took interest, and that you
> confirmed the viability of the concept in a completely independent
> domain.

I tried to get something like this to work a couple of years ago and
couldn't, the directory wouldn't mount on /home, but I did come up with
a setup that mounted the directory into /srv and rsynced the two, a bit
of a kludge to be honest, you got there and pointed the way ;-)

> I wish you a nice weekend.
>

At my age, every weekend is a good one.

Rowland
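An added example, not code from either list post: a small Python checker that parses a pam_mount.conf.xml `<volume>` element like the one Rowland posted, expands `%(USER)` for a given account, and reports which of the options discussed in the thread (`sec=krb5`, `nosuid`, `nodev`) are missing from the option string, so a mount configuration can be reviewed before it is rolled out to desktops. The sample XML is constructed from the volume element above; the placeholder expansion is a deliberately simplified model of pam_mount's own substitution (only the names passed in the `variables` dict are expanded), and the `REQUIRED_OPTIONS` table is this example's choice, not a list taken from pam_mount.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the working <volume> element from the thread, wrapped in a
# minimal <pam_mount> root so it parses stand-alone.
SAMPLE_CONF = """<?xml version="1.0" encoding="utf-8"?>
<pam_mount>
  <volume fstype="cifs"
          server="cm4nas.samdom.example.com"
          path="users"
          mountpoint="/home/SAMDOM/%(USER)"
          options="user=%(USER),cruid=%(USER),sec=krb5"
  />
</pam_mount>
"""

# Options this example requires on a network home-directory mount (our choice,
# based on the discussion): Kerberos authentication, and no setuid binaries or
# device nodes honoured from the share. A value of None means "flag only".
REQUIRED_OPTIONS = {"sec": "krb5", "nosuid": None, "nodev": None}

# Matches pam_mount-style placeholders such as %(USER).
PLACEHOLDER = re.compile(r"%\((\w+)\)")


def parse_options(opts: str) -> dict:
    """Turn 'a=b,c' into {'a': 'b', 'c': None}, ignoring empty items."""
    result = {}
    for item in filter(None, opts.split(",")):
        key, _, value = item.partition("=")
        result[key.strip()] = value.strip() if value else None
    return result


def expand(template: str, variables: dict) -> str:
    """Expand %(NAME) placeholders from `variables` (simplified model, assumption).

    Unknown names raise KeyError rather than silently leaving the placeholder
    in the mount path, which is the failure mode Peter ran into.
    """
    def repl(match):
        name = match.group(1)
        if name not in variables:
            raise KeyError(f"unknown pam_mount variable %({name})")
        return variables[name]
    return PLACEHOLDER.sub(repl, template)


def check_volume(volume: ET.Element, variables: dict) -> dict:
    """Resolve one <volume> for a user and list the required options it lacks."""
    opts = parse_options(volume.get("options", ""))
    missing = [key for key, want in REQUIRED_OPTIONS.items()
               if key not in opts or (want is not None and opts[key] != want)]
    return {
        "fstype": volume.get("fstype"),
        "source": f"//{volume.get('server')}/{expand(volume.get('path', ''), variables)}",
        "mountpoint": expand(volume.get("mountpoint", ""), variables),
        "options": expand(volume.get("options", ""), variables),
        "missing": missing,
    }


def hardened_options(opts: str) -> str:
    """Return the option string with required options added or corrected."""
    parsed = parse_options(opts)
    parsed.update(REQUIRED_OPTIONS)  # overrides a wrong sec=, appends missing flags
    return ",".join(key if value is None else f"{key}={value}"
                    for key, value in parsed.items())


def lint(conf_xml: str, variables: dict) -> list:
    """Check every <volume> in a pam_mount.conf.xml document for one user."""
    root = ET.fromstring(conf_xml)
    return [check_volume(vol, variables) for vol in root.iter("volume")]


if __name__ == "__main__":
    for report in lint(SAMPLE_CONF, {"USER": "rowland"}):
        print(f"{report['source']} -> {report['mountpoint']} ({report['fstype']})")
        print(f"  options: {report['options']}")
        print(f"  missing: {', '.join(report['missing']) or 'none'}")
    print("hardened:", hardened_options("user=%(USER),cruid=%(USER),sec=krb5"))
```

Run against the sample, the checker resolves the mount to `//cm4nas.samdom.example.com/users` on `/home/SAMDOM/rowland` and flags `nosuid` and `nodev` as absent; `hardened_options()` shows the option string with those two appended. Options such as `mfsymlinks`, `nobrl` or `vers=3.0` from Peter's setup are functional rather than hardening choices, so the checker leaves them alone.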