Rowland Penny
2024-Dec-25 12:14 UTC
[Samba] Linux desktop setup with authentication against Samba AD DC
On Wed, 25 Dec 2024 12:25:01 +0100
Peter Milesson via samba <samba at lists.samba.org> wrote:

> On 23.12.2024 11:49, Rowland Penny via samba wrote:
> > On Mon, 16 Dec 2024 13:23:54 +0100
> > Marco Gaiarin via samba <samba at lists.samba.org> wrote:
> >
> >> Hello! Rowland Penny via samba
> >> On that day was saying...
> >>
> >>> I tested on Gnome, MATE and XFCE on Debian 12, Cinnamon on Lmde6
> >>> and on Rocky Linux 9 and the only one that gave any problem was
> >>> MATE and that is a problem in its code (somewhere), it mounts but
> >>> is unusable.
> >> Surely more than me. ;-)
> >>
> >> You've also set up a wiki page for that? Can I help?
> >>
> > Okay, I have finally documented my version of this, the delay was
> > caused by:
> > A) it is Xmas
> > B) While I could get the desktop to mount, I found that GNOME &
> > Cinnamon wouldn't unmount it at logout.
> >
> > I finally traced this to a timing problem, XFCE is quite happy with
> > 'logout wait="200000"', Gnome & Cinnamon require
> > 'logout wait="2000000"'
> >
> > I also wrote a small bash script to create the user's home directory
> > on the 'fileserver' on the fly.
> >
> > You can find my notes here:
> >
> > https://github.com/hortimech/Samba/blob/main/Mounting%20a%20domain%20users%20home%20directory%20at%20logon
> >
> > Rowland
> >
> Hi Rowland,
>
> Great write up.
>
> But I don't understand the purpose of the homes share in smb.conf in
> this context. It's really not necessary. The user's home directory
> gets created on logon, and is removed (hopefully) at logoff by
> pam-mount. My specific aim was to make sure any files or directories
> on the client are removed after logoff.

As I said in my tutorial, you need a minimum of 3 'computers':
A DC to create the users on
A fileserver to store the user's home directory on
A client.

In my setup, pam mount on the client mounts a share from the
fileserver. This share must exist, but it must be initially empty; this
is where the 'homes' share and the 'root preexec' script come in. The
client authenticates the user from the DC, then pam_mount attempts to
mount the user's home directory from the fileserver and, if this is the
first logon ever for the user, the 'root preexec' script creates the
empty user's share. Once pam_mount has mounted the share, the user's home
directory is initially populated on the client and, because it is a
mount, it is also populated on the fileserver. When the user logs out,
all traces of that user are removed from the computer, but remain on
the fileserver, ready for the next logon, a bit like roaming profiles, but
without the wait.

> Anyway, I replicated 10 PCs (identical hardware) from my master
> image. Each PC took less than 10 minutes to configure. This included
> copying the .xsessionrc to each user home directory on the server.
> Copying the master image over the network took some time, however.
> That of course depends on the disk size and network speed. But one
> can do other tasks while the copy process is running.

I am not entirely sure just what you are doing, but it sounds similar
to installing a distro and then configuring pam_mount.
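The 'root preexec' step described above, as an added example that is not the script from Rowland's notes: it assumes the [homes] share calls it as `root preexec = /usr/local/bin/mkhome.sh %U`, that the share's base path is /srv/homes, and that the client presents plain user names (as with `winbind use default domain = yes`); all three are assumptions. It rejects any name that could resolve outside the base directory before creating anything.

```shell
#!/bin/sh
# Added example, not the script from Rowland's notes: creates a domain user's
# home directory on the fileserver the first time the user logs on. Intended
# to be called from the [homes] share as
#   root preexec = /usr/local/bin/mkhome.sh %U      (assumed path and name)
set -eu

# Assumed base directory of the homes share on the fileserver.
HOME_BASE="${HOME_BASE:-/srv/homes}"

# make_home NAME: create "$HOME_BASE/NAME" if it is missing.
# Returns 0 when the directory exists afterwards, 1 for a rejected name and
# 2 for a name the system (i.e. winbind) cannot resolve.
make_home() {
    user="$1"
    # %U is substituted by smbd from the session user name. Accept only the
    # characters a plain user name contains and no leading dot, so values
    # such as "../x" or "a/b" can never resolve outside HOME_BASE.
    case "$user" in
        ''|*[!A-Za-z0-9._-]*|.*) return 1 ;;
    esac
    # Refuse to create anything for a name the fileserver cannot map to a
    # uid; a directory nobody can own would be a silent misconfiguration.
    id "$user" >/dev/null 2>&1 || return 2
    dir="$HOME_BASE/$user"
    if [ ! -d "$dir" ]; then
        # Private to the user: nothing else needs to read the home share.
        mkdir -m 0700 "$dir"
        # root preexec runs as root; an unprivileged dry run keeps its own
        # ownership instead of failing on chown.
        if [ "$(id -u)" -eq 0 ]; then
            chown "$user:" "$dir"
        fi
    fi
    [ -d "$dir" ]
}

# When invoked by smbd the user name is the only argument.
if [ "$#" -gt 0 ]; then
    make_home "$1"
fi
```

A second logon for the same user finds the directory already present and does nothing, so the script is safe to run on every connection to the share.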
Peter Milesson
2024-Dec-25 15:04 UTC
[Samba] Linux desktop setup with authentication against Samba AD DC
On 25.12.2024 13:14, Rowland Penny via samba wrote:
> On Wed, 25 Dec 2024 12:25:01 +0100
> Peter Milesson via samba <samba at lists.samba.org> wrote:
>
>> On 23.12.2024 11:49, Rowland Penny via samba wrote:
>>> On Mon, 16 Dec 2024 13:23:54 +0100
>>> Marco Gaiarin via samba <samba at lists.samba.org> wrote:
>>>
>>>> Hello! Rowland Penny via samba
>>>> On that day was saying...
>>>>
>>>>> I tested on Gnome, MATE and XFCE on Debian 12, Cinnamon on Lmde6
>>>>> and on Rocky Linux 9 and the only one that gave any problem was
>>>>> MATE and that is a problem in its code (somewhere), it mounts but
>>>>> is unusable.
>>>> Surely more than me. ;-)
>>>>
>>>> You've also set up a wiki page for that? Can I help?
>>>>
>>> Okay, I have finally documented my version of this, the delay was
>>> caused by:
>>> A) it is Xmas
>>> B) While I could get the desktop to mount, I found that GNOME &
>>> Cinnamon wouldn't unmount it at logout.
>>>
>>> I finally traced this to a timing problem, XFCE is quite happy with
>>> 'logout wait="200000"', Gnome & Cinnamon require
>>> 'logout wait="2000000"'
>>>
>>> I also wrote a small bash script to create the user's home directory
>>> on the 'fileserver' on the fly.
>>>
>>> You can find my notes here:
>>>
>>> https://github.com/hortimech/Samba/blob/main/Mounting%20a%20domain%20users%20home%20directory%20at%20logon
>>>
>>> Rowland
>>>
>> Hi Rowland,
>>
>> Great write up.
>>
>> But I don't understand the purpose of the homes share in smb.conf in
>> this context. It's really not necessary. The user's home directory
>> gets created on logon, and is removed (hopefully) at logoff by
>> pam-mount. My specific aim was to make sure any files or directories
>> on the client are removed after logoff.
> As I said in my tutorial, you need a minimum of 3 'computers':
> A DC to create the users on
> A fileserver to store the user's home directory on
> A client.
>
> In my setup, pam mount on the client mounts a share from the
> fileserver. This share must exist, but it must be initially empty; this
> is where the 'homes' share and the 'root preexec' script come in. The
> client authenticates the user from the DC, then pam_mount attempts to
> mount the user's home directory from the fileserver and, if this is the
> first logon ever for the user, the 'root preexec' script creates the
> empty user's share. Once pam_mount has mounted the share, the user's home
> directory is initially populated on the client and, because it is a
> mount, it is also populated on the fileserver. When the user logs out,
> all traces of that user are removed from the computer, but remain on
> the fileserver, ready for the next logon, a bit like roaming profiles, but
> without the wait.
>
>> Anyway, I replicated 10 PCs (identical hardware) from my master
>> image. Each PC took less than 10 minutes to configure. This included
>> copying the .xsessionrc to each user home directory on the server.
>> Copying the master image over the network took some time, however.
>> That of course depends on the disk size and network speed. But one
>> can do other tasks while the copy process is running.
> I am not entirely sure just what you are doing, but it sounds similar
> to installing a distro and then configuring pam_mount.
>
Hi Rowland,

I have done a complete Debian installation on the master image, with all necessary packages from backports. I have set up all necessary prerequisites, and configured the appropriate files (krb5.conf, smb.conf, user.map, pam_mount.conf.xml, common-session). To replicate the master installation I only need to modify a few files on the target. I also needed to make sure that there are no .tdb files in /var/cache/samba and /var/lib/samba, and that smbd.service and winbind.service are initially set as disabled.

When replicating the master image, the only changes I need to make on different new client PCs after copying the master are the following (disconnected from the network):
- Set hostname in /etc/hostname
- Set full hostname and the name part in /etc/hosts
- Power off
- Connect the PC to the network
- Start the PC
- Check that there is connection with the AD DC (that is, DNS is working)
- Join the domain
- Enable and start smbd.service and winbind.service.

If setting up for a different domain, the following files need to be changed before the above:
- default_realm in /etc/krb5.conf
- realm in /etc/samba/smb.conf
- workgroup in /etc/samba/smb.conf
- idmap config <samdom> : range = <start>-<end> in /etc/samba/smb.conf
- idmap config <samdom> : backend = rid in /etc/samba/smb.conf
- <SAMDOM>\Administrator in /etc/samba/user.map
- Set the appropriate values in the <volume> entry in /etc/security/pam_mount.conf.xml
- Create the file gvfs-daemon.service under /etc/systemd/user (otherwise kerberos won't work)

If the target hardware is set up for secure boot, you're out of luck. Then one needs to make a complete installation with all required packages. However, copying the configuration files from the master image still saves lots of time. Then there are all sorts of problems to solve if the target disk is smaller than the master disk image, but that's out of scope here.

That is not my view of creating a distribution. I have just created a template disk image that is very rapidly deployed to other hardware. From the Samba point of view, I wanted a configuration that allows the Linux users' profiles to be stored on an SMB server, that the user's profile directory is automatically created under /home/<user> and mapped to the user's profile on a share on the server, and that the user's profile directory is automatically unmounted, and the /home/<user> directory is deleted after logoff.

After two weeks of real use, the whole concept seems to work as intended from all aspects, and feels really solid. Compared to the old mix of dedicated thin clients and ThinStation PCs booting over PXE, the Linux PC setup is completely flexible in every respect.

Best regards,
Peter