Peter Milesson
2024-Nov-30 16:14 UTC
[Samba] Linux desktop setup with authentication against Samba AD DC
On 29.11.2024 21:40, Rowland Penny via samba wrote:
> On Fri, 29 Nov 2024 20:50:21 +0100
> Peter Milesson <miles at atmos.eu> wrote:
>
>> On 11/29/24 20:07, Rowland Penny via samba wrote:
>>> On Fri, 29 Nov 2024 12:07:45 +0100
>>> Peter Milesson via samba <samba at lists.samba.org> wrote:
>>>
>>>>> Hi Peter, that was actually more than what I was expecting, a very detailed tutorial indeed.
>>>>>
>>>>> I wonder if the basic setup could be used with any Linux distro? Only one way to find out, try it, so I am off to install LMDE6 in a VM :-)
>>>>>
>>>>> Rowland
>>>>>
>>>> Hi Rowland,
>>>>
>>>> I have tried it in a VM also. Works without any problems. I'm going to try it in a decommissioned, 7 year old workstation with completely different hardware in a few moments.
>>>>
>>>> Good luck,
>>>>
>>>> Peter
>>>>
>>> OK, I have got it to work with an LMDE6 install, but not with Peter's 'volume' pam_mount.conf.xml setting, I had to use:
>>>
>>> <volume fstype="cifs"
>>>         server="cm4nas.samdom.example.com"
>>>         path="users"
>>>         mountpoint="/home/SAMDOM/%(USER)"
>>>         options="user=%(USER),cruid=%(USER),sec=krb5"
>>> />
>>>
>>> Rowland
>>>
>> Hi Rowland,
>>
>> As I stated in my (maybe too voluminous) description, the setup may not be applicable to other distributions out of the box, which I naturally did not expect. I have been using completely up to date Debian Bookworm setups, and everything I made has been reproducible (physical PC, VM, Windows server, Samba server).
>
> From my understanding, LMDE6 is basically Debian 12 with the Cinnamon desktop slapped on top of it, a bit like the Raspberry pi OS. This is one reason I used it.
>
>> I got stuck with %{USER}, and then studied the Ubuntu man pages of libpam-mount in great detail. I sifted through lots of pages about pam_mount, and it seems that the options "nosuid,nodev" are more or less mandatory. The "mfsymlinks,nobrl,vers=3.0" also seem to be important.
>>
>> Are you using /home/SAMDOM/%D/%U as template homedir in your smb.conf?
>
> I used your 'volume' setup verbatim but it didn't work for me, so I tried one I had used previously and it worked.
>
> This is the users directory on the 'NAS' (in reality, an rpi CM4 running bookworm) before the mount on the client:
>
> adminuser at cm4nas:~ $ sudo ls -la /home/SAMDOM/users/rowland/
> total 8
> drwx------ 2 rowland root 4096 Nov 29 16:33 .
> drwxr-xr-x 4 root    root 4096 Nov 23 14:35 ..
>
> and this it again after the mount:
>
> adminuser at cm4nas:~ $ sudo ls -la /home/SAMDOM/users/rowland/
> total 284
> drwx------  14 rowland root          4096 Nov 29 17:27 .
> drwxr-xr-x   4 root    root          4096 Nov 23 14:35 ..
> drwxrwxr-x+  7 rowland domain users  4096 Nov 29 17:27 .cache
> drwxrwxr-x+ 12 rowland domain users  4096 Nov 29 17:26 .config
> drwxrwxr-x+  2 rowland domain users  4096 Nov 29 17:26 Desktop
> drwxrwxr-x+  2 rowland domain users  4096 Nov 29 17:26 Documents
> drwxrwxr-x+  2 rowland domain users  4096 Nov 29 17:26 Downloads
> drwxrwxr-x+  3 rowland domain users  4096 Nov 29 17:27 .linuxmint
> drwxrwxr-x+  4 rowland domain users  4096 Nov 29 17:26 .local
> drwxrwxr-x+  2 rowland domain users  4096 Nov 29 17:26 Music
> drwxrwxr-x+  2 rowland domain users  4096 Nov 29 17:26 Pictures
> drwxrwxr-x+  2 rowland domain users  4096 Nov 29 17:26 Public
> drwxrwxr-x+  2 rowland domain users  4096 Nov 29 17:26 Templates
> drwxrwxr-x+  2 rowland domain users  4096 Nov 29 17:26 Videos
> -rwxrwxr-x+  1 rowland domain users    53 Nov 29 17:26 .Xauthority
> -rwxrwxr-x+  1 rowland domain users 171747 Nov 29 17:27 .xsession-errors
>
>> If there are different interpretations of the %{USER} and %{DOMAIN_USER} parameters between different distributions, that would be really bad. But it wouldn't surprise me.
>
> I think the difference is that '%(USER)' is 'rowland' and '%(DOMAIN_USER)' is 'SAMDOM\rowland'
>
>> I'm going to try it out with a PC running Archlinux. Archlinux is sometimes deviating in quite unexpected (and incomprehensible) directions, which could make it a challenge. Personally, I like Archlinux for mostly being in the absolute forefront line of Linux development, but if I put on my sysadmin hat, it's a walk through a mine field.
>
> I think that getting it to work on Arch will be interesting, but I am not a fan of Arch, such a good distro, but not the easiest to install.
>
>> Anyway, it's nice to get to know that you took interest, and that you confirmed the viability of the concept in a completely independent domain.
>
> I tried to get something like this to work a couple of years ago and couldn't, the directory wouldn't mount on /home, but I did come up with a setup that mounted the directory into /srv and rsynced the two, a bit of a kludge to be honest, you got there and pointed the way ;-)
>
>> I wish you a nice weekend.
>
> At my age, every weekend is a good one.
>
> Rowland

Hi Rowland,

I got it working under Archlinux also. Most of the work was looking up how to configure PAM with the pam_winbind and pam_krb5 modules. Not very well documented. There is a Wiki page about setting up AD integration, but it would imply moving the Kerberos cache file, which would break everything dependent on Kerberos tickets.

Best regards,

Peter
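As an added example (not code from the thread or from the Samba project), a small Python lint that checks a pam_mount cifs volume for the points the two posts raise: the nosuid,nodev options Peter found necessary on a network-mounted home, sec=krb5 with cruid=%(USER) so the mount runs against the login user's ticket cache, pam_mount's %(VAR) rather than %{VAR} placeholders, and agreement between the volume's mountpoint and the winbind template homedir. The sample config is constructed from Rowland's volume element; the template homedir passed in is an assumed value, not one the thread confirms.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample pam_mount.conf.xml, modelled on the volume element
# quoted in the thread (hostname and share name are the thread's own).
SAMPLE_CONF = """<pam_mount>
<volume fstype="cifs" server="cm4nas.samdom.example.com" path="users"
        mountpoint="/home/SAMDOM/%(USER)"
        options="user=%(USER),cruid=%(USER),sec=krb5" />
</pam_mount>"""

# Options a Kerberos-authenticated, user-writable cifs home should carry.
REQUIRED_OPTS = {"sec=krb5", "nosuid", "nodev"}

def expand_pam_mount(template, user, domain):
    """Expand pam_mount %(VAR) placeholders for one login."""
    return (template.replace("%(USER)", user)
                    .replace("%(DOMAIN_NAME)", domain)
                    .replace("%(DOMAIN_USER)", f"{domain}\\{user}"))

def expand_winbind(template, user, domain):
    """Expand the smb.conf 'template homedir' %D (domain) / %U (user)."""
    return template.replace("%D", domain).replace("%U", user)

def lint_volumes(conf_xml, template_homedir, user="rowland", domain="SAMDOM"):
    """Return a list of findings for every cifs <volume> in the config."""
    findings = []
    for vol in ET.fromstring(conf_xml).iter("volume"):
        if vol.get("fstype") != "cifs":
            continue
        opts = set(vol.get("options", "").split(","))
        for missing in sorted(REQUIRED_OPTS - opts):
            findings.append(f"missing mount option: {missing}")
        if "cruid=%(USER)" not in opts:
            findings.append("cruid should be %(USER) so the mount uses the "
                            "login user's credential cache")
        # pam_mount expands %(VAR); shell-style %{VAR} is passed through literally
        for attr in ("mountpoint", "options"):
            if re.search(r"%\{[A-Z_]+\}", vol.get(attr, "")):
                findings.append(f"{attr}: %{{VAR}} syntax is not expanded "
                                "by pam_mount; use %(VAR)")
        # winbind's home path and pam_mount's mountpoint must resolve identically
        if (expand_pam_mount(vol.get("mountpoint", ""), user, domain)
                != expand_winbind(template_homedir, user, domain)):
            findings.append("mountpoint does not match winbind template homedir")
    return findings
```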
Rowland Penny
2024-Nov-30 16:26 UTC
[Samba] Linux desktop setup with authentication against Samba AD DC
On Sat, 30 Nov 2024 17:14:24 +0100
Peter Milesson via samba <samba at lists.samba.org> wrote:
> Hi Rowland,
>
> I got it working under Archlinux also. Most of the work was looking up how to configure PAM with the pam_winbind and pam_krb5 modules. Not very well documented.

If by 'pam_krb5' you are referring to libpam-krb5, you do not require it, winbind will do it for you.

> There is a Wiki page about setting up AD integration, but it would imply moving the Kerberos cache file, which would break everything dependent on Kerberos tickets.

Which wiki page is this?

Rowland