I have made up a HOWTO based on the details from @fausp and others. I will edit this if there are fixes to be made. I am trying it out on multiple VMs to make sure I have all the steps documented correctly.
The purpose of this HOWTO is to show you how to set up remote home directories on a Nethserver network. The client machines used in this HOWTO are Ubuntu 16.04. Other versions or distributions may need some small changes.
All of this comes from tips and steps from @fausp, @planet_jeroen, @rnneth, and other sources. All the useful content is from their posts. All mistakes are mine.
The Nethserver is set up and the client machine is on the Green network and the Nethserver is running DNS.
Select the Accounts Provider (first or near the first entry in the Configuration section in the web UI) as Active Directory before you do anything else. Then install the File Server module from the Software Center.
Make sure the admin/administrator accounts are set up with passwords. Nethserver authors, please let us have a way to turn off the password complexity checks for debugging!
Your domain is mydomain.ad/MYDOMAIN.AD.
Your Nethserver hostname is
You have set up your client to get an IP (and DNS etc.) from the Nethserver. It is so much easier this way!
Make sure things are working and get root access. Otherwise this gets tedious.
sudo su -
Make sure all updates are installed first.
Install required packages. You need samba-common for the smbtree test at the bottom.
apt install realmd ntp adcli sssd libsss-sudo libpam-mount cifs-utils samba-common smbclient
Find the domain you set up:
This is another test. If you get nothing at all, then you may not have DNS working on your LAN or you may have some other problem. Make sure that the client has a valid IP on the Green network and that it can ping the Nethserver by name before you go any further.
Join the domain and allow everyone access. The -Uadministrator part seems to be necessary otherwise realm will try to use the local user you are (root). The second line might not be required but I have seen a couple of references to it being needed.
realm join -U administrator mydomain.ad
realm permit --all
Set the default domain and override the shell and home directory (otherwise the home dir will get put into
/var/lib/nethserver/home/<user>!). There are multiple edits in the file
[sssd] section, add a default domain suffix. This allows users to log in without specifying the domain as part of the login name. ONLY use this if you have one domain or you really want people to log in to one domain by default! See the last line below with
domains = mydomain.ad
config_file_version = 2
services = nss, pam
default_domain_suffix = mydomain.ad
If you do not provide a default domain suffix, then users will need to login with a fully-qualified user name. E.g.
At the end of the file, add the following lines:
override_homedir = /home/%u@%d
override_shell = /bin/bash
Users’ home directories will be created as
/email@example.com. Note that this matches what Nethserver calls the user shares. There is probably a way to remove the domain, but if you have multiple domains you could run into problems if you have different users in different domains with the same user name.
Set up SSSD to run all the time and start/restart it.
systemctl enable sssd
systemctl start sssd
OPTIONAL: Add configuration to create the home directories on login. If you are setting up home directories for users via pam_mount (see later), this is not necessary. The following should all be on one line.
echo "session required pam_mkhomedir.so skel=/etc/skel/ umask=0022" | sudo tee -a /etc/pam.d/common-session
Allow NS users admin and administrator to use sudo.
echo "firstname.lastname@example.org ALL=(ALL) ALL" | sudo tee -a /etc/sudoers
echo "email@example.com ALL=(ALL) ALL" | sudo tee -a /etc/sudoers
Set up pam_mount to automatically mount the user’s home directory. Edit
/etc/security/pam_mount.conf.xml. Find the section labelled
<!-- Volume definitions -->. Below that line, add:
<volume user="*" sgrp="domain firstname.lastname@example.org" fstype="cifs" server="neth.mydomain.ad" path="%(DOMAIN_USER)" mountpoint="/home/%(DOMAIN_USER)" options="nosuid,nodev,vers=1.0" />
NOTE: The special variable
%(DOMAIN_USER) will not actually be the user name. It will contain the username and the domain, i.e.
email@example.com. The special variable
%(DOMAIN_NAME) will be empty.
WARNING: The newer kernels used in Ubuntu 16.04 (those updated for Spectre/Meltdown) seem to have changed the default behavior of Samba mounts. You need to add “vers=1.0” to the options in the mount options line! The volume entry above has been updated with this change.
OPTIONAL: If you want to add additional shares, use a similar volume line. Replace
testshare with the name of the real share you created in Nethserver.
<volume user="*" sgrp="domain firstname.lastname@example.org" fstype="cifs" server="neth.mydomain.ad" path="testshare" mountpoint="/home/%(DOMAIN_USER)/testshare" options="nosuid,nodev,vers=1.0" />
Fix up login greeter by creating the file
/etc/lightdm/lightdm.conf.d/00-hide-user-list.conf and adding the following content:
NOTE: this has the effect of also removing guest access. Leave off the last line if you want to allow guest access. You need to restart lightdm (or better, reboot) for this to take effect.
You should see something like this:
\\NETH NethServer 7.4.1708 Final (Samba 4.6.2)
\\NETH\testshare Test Share
\\NETH\IPC$ IPC Service (NethServer 7.4.1708 Final (Samba 4.6.2))
\\NETH\print$ Printer drivers
Try to log in remotely:
Note that the first time you log in via the graphical login it can take a long time to set up the home directory and all the missing dot files.
NOTE: if you did not set up a default domain suffix in
/etc/sssd/sssd.conf, you will need to provide the fully qualified user name
TIP: If things are not working, enable debugging in
/etc/security/pam_mount.conf.xml. It is usually the first real XML expression in the file after the preamble.
<debug enable="0" />
<debug enable="1" />
Remember to turn it off when you are done otherwise a lot of garbage gets sent to the logs and on the command line.