Looking for HOWTO for Neth 7 as AD PDC and file server with Ubuntu and Windows clients

I am completely new to Nethserver.

I am trying to set up a small server as an AD PDC and file server that supports Ubuntu and Windows clients. Users should be able to log in on the client machines and get home directories mounted from the server (there are only four client machines). This seems like it should not be that hard, but I just cannot seem to get it to work with previous attempts with systems other than Nethserver.

I was successful with Zentyal for a while. I set up several VMs as test clients and they worked. Then they stopped working. I still do not know if some update destroyed my configuration or if I somehow did something to change them but none work now and I cannot create a working one from my notes :thumbsdown: I was always fighting with Zentyal and am looking for other alternatives.

From what I understand of Nethserver, I need to install the "nethserver-dc" module/package. I need a spare IP for the Samba/DC container. So far so good? I usually use Ubuntu, so CentOS/RHEL/Nethserver is just different enough to trip me up.

The network in question already has a separate DHCP/DNS router.

Is there anyone who has set up clients against Nethserver that mount the users' home directories from the server? I have not found much on this forum, but perhaps I am not searching for the right things!

I found some documentation on how to set up Ubuntu clients against a FreeNAS server here:

https://forums.freenas.org/index.php?threads/howto-integrate-linux-ubuntu-with-home-on-freenas-via-active-directory.44768/

This is what I used in the past and it sometimes works :-/

Step 1: install nethserver: make sure to set IP to static and to specify a FQDN as hostname
Step 2: update fully
Step 3: install AD account provider on FQDN specified in Step 1, ignore sssd error if you get it and retry save action
Step 4: Set Administrator passwords
Step 5: Setup DHCP to give the container's IP as DNS server, the container being the AD account provider container
Step 6: Install File Server package from the Software Center
Step 7: Create user
Step 8: reboot Windows PC, log in with local admin
Step 9: Join PC to domain using the Administrator account and password from Step 4, reboot when prompted
Step 10: logon to domain using the Administrator account and password from Step 4
Step 11: ANY configuration of the Active Directory should be done with mmc.exe snap-ins EXCEPT for CREATING the users. We did that in step 7, so now we will set the user properties and settings; go to the user properties and open the profile tab, and set the home folder to connect to a drive letter of your choice (make sure it is free on all systems) and enter the following as path: \\servername\%username%
Step 11b: (optional) add user to domain admins
Step 12: log off Administrator and logon with the user and verify that the home share is connected


Hi @Kyle_Hayes,

there's a howto about Debian as client, maybe @fausp also has some experience with ubuntu clients?

https://community.nethserver.org/t/howto-join-debian-9-desktop-to-nethserver-7-active-directory/8608

Hi @Kyle_Hayes
First of all: Welcome to the NethServer community. I hope you like NethServer so far. I am convinced you will love our community :smiley:

There are many related discussions already. Maybe after you read those, you will have some more insights on how NethServer behaves as a DC with Samba 4 and how fileshares work.

And there are many members that also came from Zentyal (including myself)

Hi, it's funny, today I thought to myself I should test the debian howto on ubuntu…

I will test xubuntu 16.04, if it is possible to join the NethServer 7 AD.

At the moment I can't tell you how to automount the Homedirectory, but it is on my agenda…


Thanks!

This was one I looked at but it creates local home directories.

The Windows machines are only occasionally around. They are also mostly Windows Home as far as I can tell.

The Windows machines are just for certain applications (some CAD-like apps).

Most of the work is done on Linux. With Zentyal, one of the nice things was that I could give access to the web UI and have some of the users administer the users and shares from there. There is not that much set up or change needed.

Is DNS/DHCP required? Both services already exist on the network via a router that I have little control over. I can assign static IP addresses outside the router's DHCP range and hard code things in the Linux hosts' /etc/hosts file. I can point the Linux hosts to the Nethserver as the DNS server, but I cannot turn off the DHCP server.

Please try this on xubuntu 16.04:

Info:
Servername = neth7
Domainname = example.org

Now we can join the Domain example.org with:
+-+ Open a Terminal:

+-+ Get root:
sudo su

+-+ install some packages:
apt-get install realmd ntp adcli sssd libsss-sudo libpam-mount cifs-utils

+-+ Join Domain:
realm join --user=administrator example.org

+-+ Add override_homedir and override_shell, on the end:
nano /etc/sssd/sssd.conf
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
override_homedir = /home/%u@%d
override_shell = /bin/bash
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

+-+ Enable and start sssd:
systemctl enable sssd
systemctl start sssd

+-+ (all in one line)
echo "session required pam_mkhomedir.so skel=/etc/skel/ umask=0022" | sudo tee -a /etc/pam.d/common-session

+-+ Set sudoers permission:
echo "administrator@example.org ALL=(ALL) ALL" | sudo tee -a /etc/sudoers
echo "admin@example.org ALL=(ALL) ALL" | sudo tee -a /etc/sudoers

+-+ Automount Homedir:
nano /etc/security/pam_mount.conf.xml
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                <!-- Volume definitions -->
<volume user="*" sgrp="domain users@example.org" fstype="cifs" server="neth7" path="%(DOMAIN_USER)" mountpoint="~/nethome" options="nosuid,nodev" />
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

+-+ Reboot xUbuntu Desktop:
reboot

+-+ After the reboot, click on other and logon with:
user: administrator@example.org
pass: your-administrator-password

You could probably use some custom templates and get what you want. Not sure if you need AD then.

If you are running an AD, the AD's DNS server should be used by clients. Whatever your DHCP server is, should have an option for DNS servers, and should be giving the clients that require AD authentication or resources on the AD, the AD DNS server and you probably want to use the Nethserver DHCP as well because else your clients will not be registered in the AD DNS.

Doing it this way ensures home shares work out of the box without any extra configuration. But yeah, your windows machines will need to get their IP from Nethserver and use the AD container as DNS if you want it to work like you expect. Else you will be forced to manipulate the DNS records on your other DNS server and inform it there is an AD on your server, and have the DHCP scope adjusted as well.

You could use NethServer as all-in-one. Set it up to be the AD server, Samba server and gateway for these clients. That way you have separated your 'stuff' from the rest of the network, and that generally keeps sysadmins happy :slight_smile: Just put an extra NIC in there and use it as red link. Install NethServer with your company's DNS server and do the rest as stated.

You will then have your own little island where everything behind the Nethserver is out of reach of the rest of the network, and depending on your setup, you can also restrict just about everything the other way.

@fausp, here is the process I used that (mostly!) seems to work:

Ubuntu w/auth and home directories on FreeNAS

There are a few tricks that I may be getting wrong. I had to modify the /etc/krb5.conf file differently:

/etc/krb5.conf:
(use tabs!)

[libdefaults]
    default_realm = MYDOMAIN.LAN
    rdns = no
    dns_lookup_kdc = true
    dns_lookup_realm = false


[realms]
    MYDOMAIN.LAN = {
        # port 88 is where Zentyal ran Kerberos, I think...
        kdc = 10.1.2.3.4:88
    }

[domain_realm]
     .mydomain.lan = MYDOMAIN.LAN
     mydomain.lan = MYDOMAIN.LAN

Mounting the home directories was handled by setting up /etc/security/pam_mount.conf.xml:

<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
<pam_mount>
    <debug enable="0" />
    <volume user="*" fstype="cifs" server="adserver.mydomain.lan" path="%(DOMAIN_USER)" mountpoint="/home/%(DOMAIN_USER)" options="sec=krb5i,cruid=%(USERUID),username=%(DOMAIN_USER)"/>
    <volume user="*" fstype="cifs" server="adserver.mydomain.lan" path="MyShare" mountpoint="/home/%(DOMAIN_USER)/MyShare" options="sec=krb5i,cruid=%(USERUID),username=%(DOMAIN_USER)"/>
    <umount>umount %(MNTPT)</umount>
    <mntoptions allow="nosuid,nodev,loop,encryption,fsck,nonempty,allow_root,allow_other" />
    <mntoptions require="nosuid,nodev" />
    <path>/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin</path>
    <logout wait="0" hup="0" term="0" kill="0" />
    <mkmountpoint enable="1" remove="false" />
</pam_mount>

I set up sssd as in the link above.
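Both pam_mount snippets in this thread (the ~/nethome volume in the xubuntu howto and the /home/%(DOMAIN_USER) volumes above) rely on pam_mount substituting its %(...) variables and merging the global `<mntoptions require>` options before it calls mount. When a login "works" but the share is not there, it helps to see the exact mount command pam_mount will issue for a given user. The script below is an added example, not code from this thread or from the pam_mount project: it parses a constructed pam_mount.conf.xml built from the two volume definitions, applies the `user`/`sgrp` filters, expands %(USER), %(DOMAIN_USER), %(DOMAIN_DOMAIN) and %(USERUID), resolves `~`, appends the required options, and prints the mount command modelled on pam_mount's default `cifsmount` definition (assumed unchanged on the client). Per-user `<mntoptions allow>` filtering is not modelled.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample pam_mount.conf.xml, modelled on the two volume definitions
# posted in this thread (the ~/nethome volume and the /home/<user> volume).
SAMPLE_CONF = """<?xml version="1.0" encoding="utf-8" ?>
<pam_mount>
    <debug enable="0" />
    <volume user="*" sgrp="domain users@example.org" fstype="cifs" server="neth7"
            path="%(DOMAIN_USER)" mountpoint="~/nethome" options="nosuid,nodev" />
    <volume user="*" fstype="cifs" server="adserver.mydomain.lan" path="%(DOMAIN_USER)"
            mountpoint="/home/%(DOMAIN_USER)"
            options="sec=krb5i,cruid=%(USERUID),username=%(DOMAIN_USER)" />
    <mntoptions require="nosuid,nodev" />
</pam_mount>
"""

# Shape of pam_mount's default <cifsmount> command (assumption: client uses the default).
CIFS_MOUNT = 'mount -t cifs //{server}/{path} {mountpoint} -o "{options}"'


def login_vars(login, uid):
    """Variables pam_mount substitutes: %(USER) is the full login name,
    %(DOMAIN_USER) / %(DOMAIN_DOMAIN) are its split parts, %(USERUID) the numeric uid."""
    if "\\" in login:                       # DOMAIN\user form
        domain, user = login.split("\\", 1)
    elif "@" in login:                      # user@domain form (what sssd produces here)
        user, domain = login.split("@", 1)
    else:
        user, domain = login, ""
    return {"USER": login, "DOMAIN_USER": user,
            "DOMAIN_DOMAIN": domain, "USERUID": str(uid)}


def expand(template, variables):
    """Replace %(NAME) placeholders; an unknown name is a config error, not kept silently."""
    def sub(match):
        name = match.group(1)
        if name not in variables:
            raise KeyError("unknown pam_mount variable %%(%s)" % name)
        return variables[name]
    return re.sub(r"%\((\w+)\)", sub, template)


def plan_mounts(conf_xml, login, uid, home, groups):
    """Return one dict per volume pam_mount would attempt for this login,
    including the mount command it would run."""
    root = ET.fromstring(conf_xml)
    required = []
    for node in root.findall("mntoptions"):
        if node.get("require"):
            required.extend(node.get("require").split(","))
    variables = login_vars(login, uid)
    plans = []
    for vol in root.findall("volume"):
        # user="*" matches everybody; otherwise the exact login name must match
        if vol.get("user", "*") not in ("*", login):
            continue
        # sgrp limits the volume to members of that group
        sgrp = vol.get("sgrp")
        if sgrp is not None and sgrp not in groups:
            continue
        server = expand(vol.get("server"), variables)
        path = expand(vol.get("path"), variables)
        mountpoint = expand(vol.get("mountpoint"), variables)
        if mountpoint == "~" or mountpoint.startswith("~/"):
            mountpoint = home + mountpoint[1:]
        options = [o for o in expand(vol.get("options", ""), variables).split(",") if o]
        # <mntoptions require> options are always added, without duplicating present ones
        present = {o.split("=", 1)[0] for o in options}
        options += [o for o in required if o.split("=", 1)[0] not in present]
        command = CIFS_MOUNT.format(server=server, path=path, mountpoint=mountpoint,
                                    options=",".join(["user=" + login] + options))
        plans.append({"server": server, "path": path, "mountpoint": mountpoint,
                      "options": options, "command": command})
    return plans


if __name__ == "__main__":
    for plan in plan_mounts(SAMPLE_CONF, "testuser@example.org", 10001,
                            "/home/testuser@example.org", ["domain users@example.org"]):
        print(plan["command"])
```

Running the printed command by hand as root (after `kinit` for the sec=krb5i volume) separates a pam_mount problem from a server-side permission problem: if the same command fails with "Permission denied", the client-side PAM setup is not the issue.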

Hi @fausp,

This creates the home directories on the local host, no? I want them mounted from the Neth server.

I had not thought of realmd… I will look into that. Thanks!

Hi @planet_jeroen,

I do not have dual NIC hardware. The server is an existing piece of hardware that we have. That said, I am leaning more and more toward doing what you said. The room where all the machines are is physically isolated from the rest of the network, so I could set up a dual NIC machine. I think there is a spare PCIe slot, so if I can find a NIC that will work… Food for thought.

The idea was to have a local homedir and a mountpoint for the serverhomedir.

The pam_mount automatically mounts the nethserverhomedir to a folder in your local homedir (nethome), after logon…

Hmm… What I posted was working and it did not leave any empty home directories on the client systems.

Thanks for the tip about realmd. This looks much, much easier!

I will be going to get a USB/Ethernet adapter to add to the server as soon as stores open here (I'm on the Big Pond coast of the US so it is still morning here).

You are welcome! - Have fun with NethServer … :slight_smile:

Unfortunately, I am having problems getting it to work on an Ubuntu 16.04 client.

I have tried doing exactly what you wrote above.

kyle@homesrv2:~$ ssh admin@10.206.2.179
admin@10.206.2.179's password: 
Permission denied, please try again.
admin@10.206.2.179's password: 
Permission denied, please try again.
admin@10.206.2.179's password: 

kyle@homesrv2:~$ ssh administrator@10.206.2.179
administrator@10.206.2.179's password: 
Permission denied, please try again.
administrator@10.206.2.179's password: 
Permission denied, please try again.
administrator@10.206.2.179's password: 

kyle@homesrv2:~$ ssh testuser@10.206.2.179
testuser@10.206.2.179's password: 
Permission denied, please try again.
testuser@10.206.2.179's password: 

Modifying what you had, I was able to get closer. I was able to log into the client machine as any one of the above users, but the CIFS mount always fails. Note that depending on how I am trying to force the mount, the error is not always obvious. The pam_mkhomedir part is hiding the fact that the mount does not work. I get all the directories. When I go onto the NS and put something in one of those shared directories, I do not ever see that file on the client.

I also tried to do it on the command line (the domain is required otherwise I get a different error):

root@domiclient:~# mount -t cifs //domiserv.ad.domistyledesign.lan/testuser /mnt -ouser=testuser,domain=ad.domistyledesign.lan
Password for testuser@//domiserv.ad.domistyledesign.lan/testuser:  *********
mount error(13): Permission denied
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)

So, perhaps I have an incorrect configuration in my NS?

I set up three users, administrator, admin, and testuser. I am able to use Nautilus to log into the testuser "share" but it comes up as read-only. I do not have guest access enabled.

I tried a different approach as outlined here:

Ubuntu example

That also does not work. I get close. Auth works, the mount does not. I can usually tweak it to the point where I get a permissions error as above.

I am running the latest NS, version 7.4.

I have a Red network on a USB/Ethernet port with a dynamic IP assigned via DHCP. The Red network is 10.206.1.x with a router/gateway at 10.206.1.1.

I have a Green network on the motherboard Ethernet port and am running DHCP on that. The Green network is 10.206.2.x with the NS at 10.206.2.1 and the nsdc container at 10.206.2.2. I can ping both from any client on the Green network.

I can put client machines on the Green network and they can access the Internet, so all that is working.

I can auth against the NS.

I just cannot mount anything.

Is there a way to turn off the password checking in NS? It is extremely frustrating to be testing and have to constantly type complicated and long passwords. Half the time I cannot tell if I mistyped the password or have some other error.

Oops, forgot to mention, I am not finding anything about this permission error in the NS server logs. I looked with journalctl. Where else should I be looking?

And another thing I forgot. The Kerberos part is discoverable:

root@domiclient:~# host -t SRV _kerberos._udp.ad.domistyledesign.lan
_kerberos._udp.ad.domistyledesign.lan has SRV record 0 100 88 nsdc-domiserv.ad.domistyledesign.lan.
support@xubuntu:~$ smbtree
Enter support's password:

EXAMPLE
    \\NETH7                         NethServer 7.4.1708 Final (Samba 4.6.2)
            \\NETH7\IPC$            IPC Service (NethServer 7.4.1708 Final (Samba 4.6.2))
            \\NETH7\test            test
            \\NETH7\print$          Printer drivers


support@xubuntu:~$ mkdir testshare

support@xubuntu:~$ sudo mount -t cifs //neth7.example.org/test ~/testshare -ouser=admin@example.org

Password for admin@example.org@//neth7.example.org/test:  ************

support@xubuntu:~$ mount

...
//neth7.example.org/test on /home/support/testshare type cifs (rw,relatime,vers=1.0,cache=strict,username=admin@example.org,domain=,uid=0,noforceuid,gid=0,noforcegid,addr=<Server-IP>,unix,posixpaths,serverino,mapposix,acl,rsize=1048576,wsize=65536,echo_interval=60,actimeo=1,user=admin@example.org)
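The `mount` line above is worth reading for more than "it mounted": it shows `vers=1.0` (SMB1, which is what a 16.04-era kernel negotiates when no `vers=` is given), no `sec=` option and no `seal`, so the session is neither pinned to a modern dialect nor encrypted on the wire. The script below is an added example, not code from this thread or from NethServer: it parses a constructed line in the format of `mount` output (modelled on the one above, with a made-up server address) into its option map and returns the findings a defender would act on before rolling the configuration out to the clients. The dialect and security thresholds it applies are the author's choice, not a NethServer or Samba recommendation.

```python
import re

# Constructed line in `mount` output format, modelled on the cifs mount shown in this
# thread; the server address is made up.
SAMPLE_MOUNT_LINE = (
    "//neth7.example.org/test on /home/support/testshare type cifs "
    "(rw,relatime,vers=1.0,cache=strict,username=admin@example.org,domain=,uid=0,"
    "noforceuid,gid=0,noforcegid,addr=192.0.2.10,unix,posixpaths,serverino,mapposix,acl,"
    "rsize=1048576,wsize=65536,echo_interval=60,actimeo=1,user=admin@example.org)"
)

MOUNT_RE = re.compile(
    r"^(?P<source>\S+) on (?P<target>\S+) type (?P<fstype>\S+) \((?P<opts>.*)\)$")

# sec= values that mean NTLMv1 or no authentication at all
WEAK_SEC = {"none", "ntlm", "ntlmi"}


def parse_mount_line(line):
    """Split one `mount` output line into source, target, fstype and an option map;
    flag-style options map to True, key=value options to their value."""
    match = MOUNT_RE.match(line.strip())
    if not match:
        raise ValueError("not a mount output line: %r" % line)
    options = {}
    for item in match.group("opts").split(","):
        if "=" in item:
            key, value = item.split("=", 1)
            options[key] = value
        elif item:
            options[item] = True
    return {"source": match.group("source"), "target": match.group("target"),
            "fstype": match.group("fstype"), "options": options}


def audit_cifs_mount(line):
    """Return a list of findings for a cifs mount; non-cifs mounts yield no findings."""
    mnt = parse_mount_line(line)
    if mnt["fstype"] != "cifs":
        return []
    opts = mnt["options"]
    findings = []
    if opts.get("vers") == "1.0":
        findings.append("%s: SMB1 negotiated (vers=1.0); pin a newer dialect with "
                        "vers=3.0 in the mount options" % mnt["target"])
    sec = opts.get("sec")
    if sec is None:
        findings.append("%s: no sec= option; with an AD account use sec=krb5i so the "
                        "session is Kerberos-authenticated and signed" % mnt["target"])
    elif sec in WEAK_SEC:
        findings.append("%s: weak sec=%s" % (mnt["target"], sec))
    if "seal" not in opts:
        findings.append("%s: no seal option; SMB traffic is not encrypted on the wire"
                        % mnt["target"])
    return findings


if __name__ == "__main__":
    for finding in audit_cifs_mount(SAMPLE_MOUNT_LINE):
        print(finding)
```

Feeding it the real client's `mount` output (one line per call) gives a quick pre-flight check for every cifs mount pam_mount created; the options flagged here are the ones to set in the `options="..."` attribute of the pam_mount volume.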

I will try that. I am rebuilding the server as a VM in Virtualbox. I have two networks, one for Red and one "internal" for Green. The NIC I bought and added appears to have died late last night so I am without hardware for this right now :rage: