HOWTO for Neth 7 as AD PDC and file server with Ubuntu and Windows clients

I have made up a HOWTO based on the details from @fausp and others. I will edit this if there are fixes to be made. I am trying it out on multiple VMs to make sure I have all the steps documented correctly.

PURPOSE:

The purpose of this HOWTO is to show you how to set up remote home directories on a Nethserver network. The client machines used in this HOWTO are Ubuntu 16.04. Other versions or distributions may need some small changes.

CREDITS:

All of this comes from tips and steps from @fausp, @planet_jeroen, @rnneth, and other sources. All the useful content is from their posts. All mistakes are mine.

ASSUMPTIONS:

  • The Nethserver is set up and the client machine is on the Green network and the Nethserver is running DNS.

  • Select the Accounts Provider (first or near the first entry in the Configuration section in the web UI) as Active Directory before you do anything else. Then install the File Server module from the Software Center.

  • Make sure the admin/administrator accounts are set up with passwords. Nethserver authors, please let us have a way to turn off the password complexity checks for debugging!

  • Your domain is mydomain.ad/MYDOMAIN.AD.

  • Your Nethserver hostname is neth.mydomain.ad.

  • You have set up your client to get an IP (and DNS etc.) from the Nethserver. It is so much easier this way!

STEPS:

  1. Make sure things are working and get root access. Otherwise this gets tedious.

     ping neth.mydomain.ad
     ping nsdc-neth.mydomain.ad
     sudo su -
    
  2. Make sure all updates are installed first.

     apt update
     apt upgrade
    
  3. Install required packages. You need samba-common for the smbtree test at the bottom.

     apt install realmd ntp adcli sssd libsss-sudo libpam-mount cifs-utils samba-common smbclient
    
  4. Find the domain you set up:

       realm discover
    

    This is another test. If you get nothing at all, then you may not have DNS working on your LAN or you may have some other problem. Make sure that the client has a valid IP on the Green network and that it can ping the Nethserver by name before you go any further.

  5. Join the domain and allow everyone access. The -Uadministrator part seems to be necessary otherwise realm will try to use the local user you are (root). The second line might not be required but I have seen a couple of references to it being needed.

     realm join -U administrator mydomain.ad
     realm permit --all
    
  6. Set the default domain and override the shell and home directory (otherwise the home dir will get put into /var/lib/nethserver/home/<user>!). There are multiple edits in the file /etc/sssd/sssd.conf.

    In the [sssd] section, add a default domain suffix. This allows users to log in without specifying the domain as part of the login name. ONLY use this if you have one domain or you really want people to log in to one domain by default! See the last line below with default_domain_suffix.

     [sssd]
     domains = mydomain.ad
     config_file_version = 2
     services = nss, pam
     default_domain_suffix = mydomain.ad
    

    If you do not provide a default domain suffix, then users will need to log in with a fully-qualified user name. E.g. ssh user@mydomain.ad@host.net.lan.com.

    At the end of the file, add the following lines:

     override_homedir = /home/%u@%d
     override_shell = /bin/bash
    

    Users’ home directories will be created as /home/user@mydomain.ad. Note that this matches what Nethserver calls the user shares. There is probably a way to remove the domain, but if you have multiple domains you could run into problems if you have different users in different domains with the same user name.

  7. Set up SSSD to run all the time and start/restart it.

     systemctl enable sssd
     systemctl start sssd
    
  8. OPTIONAL: Add configuration to create the home directories on login. If you are setting up home directories for users via pam_mount (see later), this is not necessary. The following should all be on one line.

     echo "session required pam_mkhomedir.so skel=/etc/skel/ umask=0022" | sudo tee -a /etc/pam.d/common-session
    
  9. Allow NS users admin and administrator to use sudo.

     echo "administrator@mydomain.ad ALL=(ALL) ALL" | sudo tee -a /etc/sudoers
     echo "admin@mydomain.ad ALL=(ALL) ALL" | sudo tee -a /etc/sudoers
    
  10. Set up pam_mount to automatically mount the user’s home directory. Edit /etc/security/pam_mount.conf.xml. Find the section labelled <!-- Volume definitions -->. Below that line, add:

     <volume user="*" sgrp="domain users@mydomain.ad" fstype="cifs" server="neth.mydomain.ad" path="%(DOMAIN_USER)" mountpoint="/home/%(DOMAIN_USER)" options="nosuid,nodev,vers=1.0" />
    

    NOTE: The special variable %(DOMAIN_USER) will not actually be the user name. It will contain the username and the domain, i.e. user@mydomain.ad. The special variable %(DOMAIN_NAME) will be empty.

    WARNING: The newer kernels used in Ubuntu 16.04 (those updated for Spectre/Meltdown) seem to have changed the default behavior of Samba mounts. You need to add “vers=1.0” to the options in the mount options line! The volume entry above has been updated with this change.

  11. OPTIONAL: If you want to add additional shares, use a similar volume line. Replace testshare with the name of the real share you created in Nethserver.

    <volume user="*" sgrp="domain users@mydomain.ad" fstype="cifs" server="neth.mydomain.ad" path="testshare" mountpoint="/home/%(DOMAIN_USER)/testshare" options="nosuid,nodev,vers=1.0" />
    
  12. Fix up login greeter by creating the file /etc/lightdm/lightdm.conf.d/00-hide-user-list.conf and adding the following content:

    [SeatDefaults]
    greeter-hide-users=true
    greeter-show-manual-login=true
    allow-guest=false
    

    NOTE: this has the effect of also removing guest access. Leave off the last line if you want to allow guest access. You need to restart lightdm (or better, reboot) for this to take effect.

  13. Test!

    smbtree -Uadmin
    

    You should see something like this:

    MYDOMAIN
    	\\NETH           		NethServer 7.4.1708 Final (Samba 4.6.2)
    		\\NETH\testshare      	Test Share
    		\\NETH\IPC$           	IPC Service (NethServer 7.4.1708 Final (Samba 4.6.2))
    		\\NETH\print$         	Printer drivers
    

Try to log in remotely:

    ssh admin@client.mydomain.ad

Note that the first time you log in via the graphical login it can take a long time to set up the home directory and all the missing dot files.

NOTE: if you did not set up a default domain suffix in /etc/sssd/sssd.conf, you will need to provide the fully qualified user name admin@mydomain.ad:

   ssh admin@mydomain.ad@client.mydomain.ad

TIP: If things are not working, enable debugging in /etc/security/pam_mount.conf.xml. It is usually the first real XML expression in the file after the preamble.

   <debug enable="0" />

Make that:

   <debug enable="1" />

Remember to turn it off when you are done otherwise a lot of garbage gets sent to the logs and on the command line.


Great work! I love our community just creating a howto out of a support question in 2 days, awesome!


Thanks to the others who contributed the content!

Now if I could just solve my FTP problem…

Congratulation, good work, well done ! :clap:

Shoot … I have a running FTPES on my member-file server … still trying to find the time to get to writing the howto (doubles as my documentation :stuck_out_tongue: )

Please! That is why I wrote up the HOWTO as well. If I can use it and make it work five or six times in a row, then it is probably good and now the Internet has backed up my HOWTO :wink:

I have another problem to solve before I get to FTP now. It looks like the built in NIC on the motherboard is bad. I thought it was the cheap USB Ethernet adaptor I bought, but now that I replaced that with a PCIe NIC, I still get hard lock ups under heavy network traffic.

Playing five or six Youtube videos or a really large torrent download (a well-seeded download) will do it. SUSE Leap downloading via torrent seems to cause it on demand. Without network load, the system seems stable. Grrrr…

I found a problem with my original set up (not in the HOWTO above). I had multiple folders mounted in the pam_mount.conf.xml file. The volumes section looked like this:

<volume user="*" sgrp="domain users@mydomain.ad" fstype="cifs" server="neth.mydomain.ad" path="%(DOMAIN_USER)" mountpoint="/home/%(DOMAIN_USER)" options="nosuid,nodev" />
<volume user="*" sgrp="domain users@mydomain.ad" fstype="cifs" server="neth.mydomain.ad" path="share1" mountpoint="/home/%(DOMAIN_USER)/share1" options="nosuid,nodev" />
<volume user="*" sgrp="domain users@mydomain.ad" fstype="cifs" server="neth.mydomain.ad" path="share2" mountpoint="/home/%(DOMAIN_USER)/share1/share2" options="nosuid,nodev" />

So each user would get /home/user/share1/share2. That was the idea. Immediately after a reboot, this would work every time. However, after multiple, rapid login/logout sequences where I changed users each time, I started to see that share2 was not being mounted. There were no errors that I could find anywhere in any log. I set debug on and still no errors. I flattened the structure out so that share1 and share2 both were mounted into the user’s home directory and the problems stopped.

Is this a bug in pam_mount or something that is documented but I missed it?

WARNING: I just had to tweak the volume configuration again. Due to the Meltdown/Spectre kernel updates, all my Ubuntu 16.04 machines updated to kernel 4.13. Apparently that changes some part of the CIFS/SMB behavior as a client. I was getting really odd errors where files would appear with ls, but if you tried to read the file you would get a “file not found” error. The solution was to add the vers=1.0 extra option to the option strings in the above volumes. At least so far this seems to be working.
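A small checker for the pam_mount volume definitions from steps 10 and 11 and for the nested share1/share2 layout described in the post just above. This is an added example, not code from the original posts or from Nethserver; the pam_mount.conf.xml sample it reads is constructed for the demonstration and the hypothetical findings it reports are the points this thread raises (nosuid/nodev, vers=1.0, sgrp restriction, leftover debug, a share mounted inside another mounted share).

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the thread's nested share1/share2 layout; not a real config.
SAMPLE_PAM_MOUNT = """<pam_mount>
<debug enable="1" />
<!-- Volume definitions -->
<volume user="*" sgrp="domain users@mydomain.ad" fstype="cifs" server="neth.mydomain.ad"
        path="%(DOMAIN_USER)" mountpoint="/home/%(DOMAIN_USER)" options="nosuid,nodev,vers=1.0" />
<volume user="*" sgrp="domain users@mydomain.ad" fstype="cifs" server="neth.mydomain.ad"
        path="share1" mountpoint="/home/%(DOMAIN_USER)/share1" options="nosuid,nodev" />
<volume user="*" fstype="cifs" server="neth.mydomain.ad"
        path="share2" mountpoint="/home/%(DOMAIN_USER)/share1/share2" options="nosuid,nodev,vers=1.0" />
</pam_mount>"""

REQUIRED_OPTS = {"nosuid", "nodev"}


def enclosing(mp, mountpoints):
    """Closest other mountpoint that is a proper ancestor of mp, or None."""
    parents = [m for m in mountpoints if m != mp and mp.startswith(m.rstrip("/") + "/")]
    return max(parents, key=len) if parents else None


def check_pam_mount(xml_text):
    """Return (mountpoint, message) findings for the volume definitions; [] means clean."""
    root = ET.fromstring(xml_text)
    findings = []
    debug = root.find("debug")
    if debug is not None and debug.get("enable") == "1":
        findings.append(("<debug>", "debug is enabled; turn it off when done, it floods the logs"))
    volumes = root.findall("volume")
    mountpoints = [v.get("mountpoint", "") for v in volumes]
    for v in volumes:
        mp = v.get("mountpoint", "")
        opts = set(filter(None, v.get("options", "").split(",")))
        missing = REQUIRED_OPTS - opts
        if missing:
            findings.append((mp, "missing mount options: " + ",".join(sorted(missing))))
        if not any(o.startswith("vers=") for o in opts):
            findings.append((mp, "no vers= option; 16.04 kernels after 4.13 needed vers=1.0"))
        if v.get("user") == "*" and not v.get("sgrp"):
            findings.append((mp, 'user="*" without sgrp= applies to every local account too'))
        # A mount inside another mounted share (share2 under share1) is the layout that stopped
        # mounting after rapid login/logout cycles; one level under the home volume is left alone.
        parent = enclosing(mp, mountpoints)
        if parent and enclosing(parent, mountpoints):
            findings.append((mp, "nested inside share mount %s; flatten into the home dir" % parent))
    return findings
```

Run `check_pam_mount(open("/etc/security/pam_mount.conf.xml").read())` on a client to get the same findings for the live file.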

Hello,

is there a possibility that the home directory is mirrored on the computer?

It’s not a problem with the stationary computers, but what to do if you want to use the family laptop somewhere else.

Or is this idea to be rejected immediately? :wink:

Interesting would still be a script that can automate the installation and setup.
Where the effort is not great but it must be stopped on all computers …

But the HowTo is TOP!
Good job!

Thank you

There is another HOWTO that shows that… Let’s see where that was…

OK, I am not correct. I thought that there was a howto on that. I am not seeing it now :frowning:

It is possible. I know that when I looked online to find instructions on how to do the above HOWTO, I found examples of “roaming profiles” with Linux clients.

That said, this HOWTO is not for that particular use case.

It would be possible to skip the mount parts, use pam_mkhomedir (double check the name of the PAM module) and some pre/post login scripts to run rsync or something. The first login might take a loooooooooong time if the user has a lot of files.

If you have an all-Linux system, you might want to look at AndrewFS or something similar.

Has anyone tested it with Ubuntu 17.10 or the upcoming 18.04 (nightly build)?

I was able to install both on a ZFS rootFS, also joined the NS7 Domain, but got an error when I tried to logon on the GUI with a Domain-User…

pam_sss(gdm-password:auth): received for user xxx (User not known to the underlying authentication module)

Feb  1 19:56:22 xubuzfs lightdm: pam_unix(lightdm:auth): check pass; user unknown
Feb  1 19:56:22 xubuzfs lightdm: pam_unix(lightdm:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=
Feb  1 19:56:22 xubuzfs lightdm: pam_sss(lightdm:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=admin@example.org
Feb  1 19:56:22 xubuzfs lightdm: pam_sss(lightdm:auth): received for user admin@example.org: 10 (User not known to the underlying authentication module)
Feb  1 19:56:24 xubuzfs lightdm: PAM unable to dlopen(pam_kwallet.so): /lib/security/pam_kwallet.so: cannot open shared object file: No such file or directory
Feb  1 19:56:24 xubuzfs lightdm: PAM adding faulty module: pam_kwallet.so
Feb  1 19:56:24 xubuzfs lightdm: PAM unable to dlopen(pam_kwallet5.so): /lib/security/pam_kwallet5.so: cannot open shared object file: No such file or directory
Feb  1 19:56:24 xubuzfs lightdm: PAM adding faulty module: pam_kwallet5.so
Feb  1 19:56:27 xubuzfs realmd[2820]: quitting realmd service after timeout
Feb  1 19:56:27 xubuzfs realmd[2820]: stopping service

Any suggestions ?

OK, got it…

nano /etc/lightdm/lightdm.conf

[SeatDefaults]
allow-guest=false
greeter-show-manual-login=true

to be able to logon on GUI after ad join on a xUbuntu 17.10 Desktop…


See Step 11 in the HOWTO. What you have is not quite the same. If you try to use the same configuration does it not work? If not, I will update the HOWTO so that it shows the slight change for 17.10. Thanks!

I can try that and give you a feedback…

That’s a great howto! Very detailed post, thanks for posting it.

Hi there!

Great HowTo! Thanks @Kyle_Hayes for putting effort into compiling this instruction.

I’ve managed to get Ubuntu 32 bit 16.04 LTS work like a breeze. :smile:

However I’m facing a problem with 64 bit 16.04 LTS. I can join the AD, logon via terminal and access all my files. No problem. But when I logon via lightdm some interesting (?) things happen. The desktop appears with all the files I have on it, as normally. But the launcher to the left shows up for less than a second and then disappears!? In syslog I get this error message, which I suspect is related:

    (update-manager:7337): dconf-WARNING **: failed to commit changes to dconf: GDBus.Error:org.gtk.GDBus.UnmappedGError.Quark._g_2dfile_2derror_2dquark.Code2: Failed to rename file ‘/home/name@ad.server/.config/dconf/user.BRVNFZ’ to ‘/home/name@ad.server/.config/dconf/user’: g_rename() failed: Permission denied

Then I try a freshly installed Ubuntu 64 bit 17.10 with no success unfortunately. I cannot start sssd.service and systemctl status sssd gives this message:

    sssd[1504]: tkey query failed: GSSAPI error: Major = Unspecified GSS failure Minor code may provide more information, Minor = Server not found in Kerberos database

Any ideas on what might be wrong? Have I misconfigured my nethserver? All suggestions will be highly appreciated since I for now have to keep my old Zentyal server, which I would prefer to ditch as soon as possible.

Kind regards
/Mathias

Ok, let’s move forward here

It does not work for me.
The following manual command is executed correctly:
mount -t cifs -o username=abc //server/abc@ad.domain.de /home/abc.
The home directory of abc gets mounted.
In pam_mount.conf.xml I have:
<volume user="*" fstype="cifs" server="server" path="%(USER)" mountpoint="/home/%(USER)" options="nosuid,nodev,vers=1.0" />
The resulting pam_mount command is:
mount '-t' 'cifs' '//server/abc@ad.domain.de' '/home/abc' '-o' 'username=abc@ad.domain.de,uid=xxx,gid=xxx,nosuid,nodev,vers=1.0'
This command fails. The server reports:
'domain_client_validate: unable to validate password for user abc@ad.domain.de in domain LAN to Domain controller NSDC-xxx.AD.DOMAIN.DE. Error was NT_STATUS_WRONG_PASSWORD.'
In fact the user can login to this server; ‘abc@ad.domain.de’ works as well as ‘abc’ with the same password.
What the hell …?

/etc/security/pam_mount.conf.xml:

    <!-- Volume definitions -->
    <volume user="*" sgrp="domain users@example.org" fstype="cifs" server="neth7" path="%(DOMAIN_USER)" mountpoint="~/nethome" options="nosuid,nodev" />

Change the servername (neth7) and domainname (example.org). The rest should be OK…
