Peter Milesson
2024-Dec-04 13:25 UTC
[Samba] Linux desktop setup with authentication against Samba AD DC
On 04.12.2024 10:39, Rowland Penny via samba wrote:
> On Tue, 3 Dec 2024 18:59:59 +0100
> Peter Milesson via samba <samba at lists.samba.org> wrote:
>
>>
>> On 03.12.2024 17:22, Rowland Penny via samba wrote:
>>> On Mon, 2 Dec 2024 10:29:22 +0100
>>> Peter Milesson via samba <samba at lists.samba.org> wrote:
>>>
>>>>>> Peter
>>>>> So, it works with Gnome.
>>>>> It appears that, provided all the required packages can be
>>>>> installed, it will probably work on any distro, I cannot test them
>>>>> all ;-)
>>>>>
>>>>> Rowland
>>>>>
>>>> Oh, c'mon Rowland (^_^)
>>>>
>>>> I'm going to start duplicating from a master image. Let's see what
>>>> surprises I get from UEFI...
>>>>
>>>> Peter
>>> I looked into Rocky Linux a bit further and found a repo for hxtools
>>> and set pam_mount up on Rocky and it works, just like on Debian.
>>>
>>> To date, I have working examples on Debian Gnome, XFCE and MATE.
>>> However the MATE version has problems with the panels, they keep
>>> segfaulting but the user gets logged in and the home directory
>>> share is mounted, so it looks like pam-mount is working. I also
>>> have working examples on LMDE6 with the Cinnamon desktop and
>>> on Rocky Linux 9 with the Gnome desktop.
>>>
>>> It appears that you just need 3 things:
>>>
>>> A Samba AD DC to create users on.
>>>
>>> A Samba Unix domain member to share the users' home directory from.
>>>
>>> A Samba Unix domain member to act as the client, with pam_mount,
>>> hxtools and cifs-utils installed and configured correctly.
>>>
>>> The only real downside I can see is, because of the various
>>> different configuration files that the different desktops use, it
>>> is very probably limited to one desktop per domain.
>>>
>>> Rowland
>>>
>> Hi Rowland,
>>
>> You can add Archlinux also.
>>
>> I'm not really sure what you mean by one desktop per domain.
>>
>> Let's say you configure user home directories for a large group of
>> users.
>>
>> Then you can create one master with LXDE on Debian, another master
>> Gnome on Archlinux, another master with Fluxbox on Rocky Linux ...
>>
>> There are no centrally stored machine profiles. There are only user
>> profiles stored on a common server. When the user logs on for the
>> first time, the profile is created with all folders and default
>> settings, according to what's defined in the distribution's defaults.
>> Let's say PCs with different distributions are not mixed between
>> different locations, then I don't really see any problems. If OTOH
>> there's a mix of PCs with different distributions available on one
>> site, then you probably hit a brick wall with incompatibilities. Then
>> the concept is not viable without extensive administration.
>>
>> My intention was setting up one type of PC with a specific Linux
>> distribution, with a specific desktop. If you're the modern sort of
>> sysadmin, you could let the users have a vote on it first. But when the
>> decision is made, it must be set in concrete.
>>
>> Administration must be dead simple, deploying new PCs in a snap,
>> otherwise the whole concept defeats its purpose, and you could as
>> well jump onto the Azure bandwagon. This concept is probably best
>> suited for limited work groups with common requirements.
>>
>> For those deploying many Linux PCs, it's probably useful to set up
>> some kind of central management for updates, and other tasks. But
>> that's another beast.
>>
>> Best regards,
>>
>> Peter
>>
> Ah, I think I understand what you are describing and to put it in
> Windows terms, you are using something like a mandatory profile.
>
> To me, it looks like you appear to be creating your own distro and
> installing it on the clients, then the user logs into the client and the
> user's home directory is mounted from another Samba fileserver.
>
> Now, I do not know whether you are creating content in the users' home
> directory share on the fileserver or not, but that shouldn't matter.
>
> This is what I have been doing:
>
> Setup a Unix domain member on Debian 12, I do not use PAM mkhomedir,
> but I do install pam-mount.
>
> Create a test user in AD on a Samba AD DC.
>
> Create an empty directory for the test user in the 'users' share path
> on the Unix domain member fileserver.
>
> Log in as the test user on the client. At this point, the empty user
> home directory is mounted from the fileserver and is filled by the DE.
>
> When they log out, the user's home directory remains on the fileserver,
> to be mounted again when they next logon.
>
> However, what this does mean is, while they could logon from a totally
> different machine, that machine must be running the same DE, this is
> because of the hidden '.' directories (.config for instance) which will
> hold the user's data for the DE.
>
> Rowland
>

Hi Rowland,

Essentially, my setup is mandatory in the context of what features are available to the users. Otherwise it's a vanilla Debian. The basic functionality is identical to a NFS setup with the users' home directories stored on a server. When the user first logs in, there is an empty home directory mounted under /home/<user>, which is automatically filled with all the LXDE desktop folders, and default settings, exactly as would have happened if the user had had a local account and logged in for the first time. IMHO, the possibility of duplicating the setup from a master, doesn't leverage the setup to a distribution.

Your solution is an alternative, and I guess some prefer your setup. The main thing is that the concept is viable, useful and efficient.

Best regards,

Peter
Rowland Penny
2024-Dec-04 14:01 UTC
[Samba] Linux desktop setup with authentication against Samba AD DC
On Wed, 4 Dec 2024 14:25:15 +0100
Peter Milesson via samba <samba at lists.samba.org> wrote:

> Hi Rowland,
>
> Essentially, my setup is mandatory in the context of what features
> are available to the users. Otherwise it's a vanilla Debian. The
> basic functionality is identical to a NFS setup with the users' home
> directories stored on a server. When the user first logs in, there is
> an empty home directory mounted under /home/<user>, which is
> automatically filled with all the LXDE desktop folders, and default
> settings, exactly as would have happened if the user had had a local
> account and logged in for the first time. IMHO, the possibility of
> duplicating the setup from a master, doesn't leverage the setup to a
> distribution.
>
> Your solution is an alternative, and I guess some prefer your setup.
> The main thing is that the concept is viable, useful and efficient.
>

I think the difference between your method and mine is very limited. I just use the standard Debian 12 install with Samba from backports running as a Unix domain member. You are using a modified install (with things removed and other things added ??).

After that, we both do the same, first time a user logs on, an empty share is mounted and the distro fills it in (just as it does if pam-mkhomedir is used).

So, yes, I think we can say it is viable, useful and efficient.

Rowland
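
Added example (not part of the thread, and not either poster's configuration): a minimal /etc/security/pam_mount.conf.xml for the client discussed above, mounting each user's directory from the 'users' share onto /home/<user> at login. The server name fs1.samdom.example.com, the "domain users" group filter and the Kerberos-based mount (which assumes the login already obtained a ticket, for example through pam_winbind with krb5_auth = yes) are assumptions.

```xml
<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
<!-- Added example, not from the thread. fs1.samdom.example.com is a placeholder. -->
<pam_mount>
  <debug enable="0" />

  <!-- Mount users/<user> from the domain member fileserver on /home/<user>.
       sgrp: only members of this group get the mount, so local accounts
             (root included) keep their local home. The group may need a
             domain prefix, depending on the winbind settings (assumption).
       sec=krb5 + cruid: mount.cifs authenticates with the user's Kerberos
             ticket instead of being handed the password (assumption).
       nosuid,nodev: setuid binaries and device nodes placed on the share
             have no effect on the client. -->
  <volume fstype="cifs"
          server="fs1.samdom.example.com"
          path="users/%(USER)"
          mountpoint="/home/%(USER)"
          sgrp="domain users"
          options="sec=krb5,cruid=%(USERUID),nosuid,nodev" />

  <!-- Applies to volumes defined in per-user configuration files,
       should those ever be enabled. -->
  <mntoptions require="nosuid,nodev" />

  <!-- Create /home/<user> if it is missing, remove it again at logout. -->
  <mkmountpoint enable="1" remove="true" />
  <logout wait="0" hup="no" term="no" kill="no" />
</pam_mount>
```

The empty per-user directory on the fileserver still has to exist before the first login, as in the steps quoted above.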