Peter Milesson
2024-Dec-03  17:59 UTC
[Samba] Linux desktop setup with authentication against Samba AD DC
On 03.12.2024 17:22, Rowland Penny via samba wrote:
> On Mon, 2 Dec 2024 10:29:22 +0100
> Peter Milesson via samba <samba at lists.samba.org> wrote:
>
>>>> Peter
>>> So, it works with Gnome.
>>> It appears that, provided all the required packages can be
>>> installed, it will probably work on any distro, I cannot test them
>>> all ;-)
>>>
>>> Rowland
>>>
>> Oh, c'mon Rowland (^_^)
>>
>> I'm going to start duplicating from a master image. Let's see what
>> surprises I get from UEFI...
>>
>> Peter
> I looked into Rocky Linux a bit further and found a repo for hxtools
> and set pam_mount up on Rocky and it works, just like on Debian.
>
> To date, I have working examples on Debian Gnome, XFCE and MATE.
> However the MATE version has problems with the panels, they keep
> segfaulting but the user gets logged in and the home directory share is
> mounted, so it looks like pam-mount is working. I also have
> working examples on LMDE6 with the Cinnamon desktop and on Rocky Linux
> 9 with the Gnome desktop.
>
> It appears that you just need 3 things:
>
> A Samba AD DC to create users on.
>
> A Samba Unix domain member to share the users home directory from.
>
> A Samba Unix domain member to act as the client, with pam_mount,
> hxtools and cifs-utils installed and configured correctly.
>
> The only real downside I can see is, because of the various different
> configuration files that the different desktops use, it is very
> probably limited to one desktop per domain.
>
> Rowland

Hi Rowland,

You can add Archlinux also.

I'm not really sure what you mean by one desktop per domain.

Let's say you configure user home directories for a large group of users.

Then you can create one master with LXDE on Debian, another master Gnome on Archlinux, another master with Fluxbox on Rocky Linux ...

There are no centrally stored machine profiles. There are only user profiles stored on a common server. When the user logs on for the first time, the profile is created with all folders and default settings, according to what's defined in the distribution's defaults. Let's say PCs with different distributions are not mixed between different locations, then I don't really see any problems. If OTOH there's a mix of PCs with different distributions available on one site, then you probably hit a brick wall with incompatibilities. Then the concept is not viable without extensive administration.

My intention was setting up one type of PC with a specific Linux distribution, with a specific desktop. If you're the modern sort of sysadmin, you could let the users have a vote on it first. But when the decision is made, it must be set in concrete.

Administration must be dead simple, deploying new PCs in a snap, otherwise the whole concept defeats its purpose, and you could as well jump onto the Azure bandwagon. This concept is probably best suited for limited work groups with common requirements.

For those deploying many Linux PCs, it's probably useful to set up some kind of central management for updates, and other tasks. But that's another beast.

Best regards,

Peter

Rowland Penny
2024-Dec-03  18:52 UTC
[Samba] Linux desktop setup with authentication against Samba AD DC
On Tue, 3 Dec 2024 18:59:59 +0100
Peter Milesson via samba <samba at lists.samba.org> wrote:

> On 03.12.2024 17:22, Rowland Penny via samba wrote:
> > On Mon, 2 Dec 2024 10:29:22 +0100
> > Peter Milesson via samba <samba at lists.samba.org> wrote:
> >
> >>>> Peter
> >>> So, it works with Gnome.
> >>> It appears that, provided all the required packages can be
> >>> installed, it will probably work on any distro, I cannot test them
> >>> all ;-)
> >>>
> >>> Rowland
> >>>
> >> Oh, c'mon Rowland (^_^)
> >>
> >> I'm going to start duplicating from a master image. Let's see what
> >> surprises I get from UEFI...
> >>
> >> Peter
> > I looked into Rocky Linux a bit further and found a repo for hxtools
> > and set pam_mount up on Rocky and it works, just like on Debian.
> >
> > To date, I have working examples on Debian Gnome, XFCE and MATE.
> > However the MATE version has problems with the panels, they keep
> > segfaulting but the user gets logged in and the home directory
> > share is mounted, so it looks like pam-mount is working. I
> > also have working examples on LMDE6 with the Cinnamon desktop and
> > on Rocky Linux 9 with the Gnome desktop.
> >
> > It appears that you just need 3 things:
> >
> > A Samba AD DC to create users on.
> >
> > A Samba Unix domain member to share the users home directory from.
> >
> > A Samba Unix domain member to act as the client, with pam_mount,
> > hxtools and cifs-utils installed and configured correctly.
> >
> > The only real downside I can see is, because of the various
> > different configuration files that the different desktops use, it
> > is very probably limited to one desktop per domain.
> >
> > Rowland
>
> Hi Rowland,
>
> You can add Archlinux also.
>
> I'm not really sure what you mean by one desktop per domain.
>
> Let's say you configure user home directories for a large group of
> users.
>
> Then you can create one master with LXDE on Debian, another master
> Gnome on Archlinux, another master with Fluxbox on Rocky Linux ...
>
> There are no centrally stored machine profiles. There are only user
> profiles stored on a common server. When the user logs on for the
> first time, the profile is created with all folders and default
> settings, according to what's defined in the distribution's defaults.
> Let's say PCs with different distributions are not mixed between
> different locations, then I don't really see any problems. If OTOH
> there's a mix of PCs with different distributions available on one
> site, then you probably hit a brick wall with incompatibilities. Then
> the concept is not viable without extensive administration.
>
> My intention was setting up one type of PC with a specific Linux
> distribution, with a specific desktop. If you're the modern sort of
> sysadmin, you could let the users have a vote on it first. But when the
> decision is made, it must be set in concrete.
>
> Administration must be dead simple, deploying new PCs in a snap,
> otherwise the whole concept defeats its purpose, and you could as
> well jump onto the Azure bandwagon. This concept is probably best
> suited for limited work groups with common requirements.
>
> For those deploying many Linux PCs, it's probably useful to set up
> some kind of central management for updates, and other tasks. But
> that's another beast.
>
> Best regards,
>
> Peter

What I was referring to, and what I have tested, is a Unix user mounting their home directory from another Unix domain member. This should mean that the user should be able to log into any Unix domain member and get their home directory. However this does mean that the clients would all have to run the same Desktop, I haven't tested using Gnome on one client, logging out and then logging into another client using XFCE (for instance) as the same user, I feel this is likely to be a recipe for disaster.

Rowland

Rowland Penny
2024-Dec-04  09:39 UTC
[Samba] Linux desktop setup with authentication against Samba AD DC
On Tue, 3 Dec 2024 18:59:59 +0100
Peter Milesson via samba <samba at lists.samba.org> wrote:

> On 03.12.2024 17:22, Rowland Penny via samba wrote:
> > On Mon, 2 Dec 2024 10:29:22 +0100
> > Peter Milesson via samba <samba at lists.samba.org> wrote:
> >
> >>>> Peter
> >>> So, it works with Gnome.
> >>> It appears that, provided all the required packages can be
> >>> installed, it will probably work on any distro, I cannot test them
> >>> all ;-)
> >>>
> >>> Rowland
> >>>
> >> Oh, c'mon Rowland (^_^)
> >>
> >> I'm going to start duplicating from a master image. Let's see what
> >> surprises I get from UEFI...
> >>
> >> Peter
> > I looked into Rocky Linux a bit further and found a repo for hxtools
> > and set pam_mount up on Rocky and it works, just like on Debian.
> >
> > To date, I have working examples on Debian Gnome, XFCE and MATE.
> > However the MATE version has problems with the panels, they keep
> > segfaulting but the user gets logged in and the home directory
> > share is mounted, so it looks like pam-mount is working. I
> > also have working examples on LMDE6 with the Cinnamon desktop and
> > on Rocky Linux 9 with the Gnome desktop.
> >
> > It appears that you just need 3 things:
> >
> > A Samba AD DC to create users on.
> >
> > A Samba Unix domain member to share the users home directory from.
> >
> > A Samba Unix domain member to act as the client, with pam_mount,
> > hxtools and cifs-utils installed and configured correctly.
> >
> > The only real downside I can see is, because of the various
> > different configuration files that the different desktops use, it
> > is very probably limited to one desktop per domain.
> >
> > Rowland
>
> Hi Rowland,
>
> You can add Archlinux also.
>
> I'm not really sure what you mean by one desktop per domain.
>
> Let's say you configure user home directories for a large group of
> users.
>
> Then you can create one master with LXDE on Debian, another master
> Gnome on Archlinux, another master with Fluxbox on Rocky Linux ...
>
> There are no centrally stored machine profiles. There are only user
> profiles stored on a common server. When the user logs on for the
> first time, the profile is created with all folders and default
> settings, according to what's defined in the distribution's defaults.
> Let's say PCs with different distributions are not mixed between
> different locations, then I don't really see any problems. If OTOH
> there's a mix of PCs with different distributions available on one
> site, then you probably hit a brick wall with incompatibilities. Then
> the concept is not viable without extensive administration.
>
> My intention was setting up one type of PC with a specific Linux
> distribution, with a specific desktop. If you're the modern sort of
> sysadmin, you could let the users have a vote on it first. But when the
> decision is made, it must be set in concrete.
>
> Administration must be dead simple, deploying new PCs in a snap,
> otherwise the whole concept defeats its purpose, and you could as
> well jump onto the Azure bandwagon. This concept is probably best
> suited for limited work groups with common requirements.
>
> For those deploying many Linux PCs, it's probably useful to set up
> some kind of central management for updates, and other tasks. But
> that's another beast.
>
> Best regards,
>
> Peter

Ah, I think I understand what you are describing and to put it in Windows terms, you are using something like a mandatory profile. To me, it looks like you appear to be creating your own distro and installing it on the clients, then the user logs into the client and the user's home directory is mounted from another Samba fileserver. Now, I do not know whether you are creating content in the user's home directory share on the fileserver or not, but that shouldn't matter.

This is what I have been doing:

Set up a Unix domain member on Debian 12, I do not use PAM mkhomedir, but I do install pam-mount.
Create a test user in AD on a Samba AD DC.
Create an empty directory for the test user in the 'users' share path on the Unix domain member fileserver.
Log in as the test user on the client.

At this point, the empty user home directory is mounted from the fileserver and is filled by the DE. When they log out, the user's home directory remains on the fileserver, to be mounted again when they next log on. However, what this does mean is, while they could log on from a totally different machine, that machine must be running the same DE, this is because of the hidden '.' directories (.config for instance) which will hold the user's data for the DE.

Rowland

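A client-side pam_mount volume definition for the kind of test setup described in the message above, as an added example that is not taken from the thread or from the Samba project. The share name 'users' and the per-user directory follow the message; the server name fs1.samdom.example.com, the UID range, login names without a domain prefix, and a Kerberos ticket being available at login are assumptions.

```xml
<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
<!-- /etc/security/pam_mount.conf.xml on the client (added example) -->
<pam_mount>
  <!-- Set enable="1" while testing to log the mount command at login. -->
  <debug enable="0" />

  <!--
    Assumptions, none of them from the thread:
      * fs1.samdom.example.com is the Unix domain member fileserver
      * domain users map into 10000 to 999999 via the idmap config, so the
        uid range keeps local accounts (root, local admins) off the share
      * smb.conf has "winbind use default domain = yes", so %(USER) carries
        no DOMAIN\ prefix
      * the PAM stack leaves a Kerberos ticket for the user, which
        sec=krb5 and cruid use instead of sending the password
    nosuid,nodev stop setuid binaries or device nodes placed on the share
    from being honoured on the client.
  -->
  <volume
      uid="10000-999999"
      fstype="cifs"
      server="fs1.samdom.example.com"
      path="users/%(USER)"
      mountpoint="~"
      options="sec=krb5,cruid=%(USERUID),nosuid,nodev" />

  <!-- PAM mkhomedir is not used, so let pam_mount create the local
       mountpoint and remove it again at logout. -->
  <mkmountpoint enable="1" remove="true" />
</pam_mount>
```

If no Kerberos ticket is available at login, dropping `sec=krb5,cruid=%(USERUID)` makes mount.cifs authenticate with the login password that pam_mount hands it.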