HowTo install Ubuntu MATE 20.04 on encrypted ZFS and join it to Nethserver Samba AD

Part 1 - Installation of Ubuntu MATE 20.04 on encrypted ZFS

Inspired by:

I used ubuntu-mate-20.04-desktop-amd64.iso for the installation.

Step 1: Boot the Ubuntu Desktop live CD/DVD and click on “Try Ubuntu MATE without installing”

Step 2: Open a terminal and edit zsys-setup
nano /usr/share/ubiquity/zsys-setup

Step 3: Search the zpool create entry with the rpool on the end

Step 4: Edit it as shown in the screenshot and use your own password instead of Passwort

Step 5: Type the command ubiquity to start the installer
grafik

And Erase disk and use ZFS under Advanced features…

Part 2 - Join the Nethserver Samba AD

In my setup, I use Nethserver 7.7 as DHCP and DNS server. Be sure that your Ubuntu Client get an IP-Adress and DNS-Information from the server.

Optional: Install ssh service on the client to be able to copy and paste commands

Install SSH server:
sudo apt install ssh

Enable and start SSH server daemon:
sudo systemctl enable --now ssh

Check SSH server status:
sudo systemctl status ssh

Get IP address:
ip a

Connect from another Computer:
ssh username@Your-Server-IP

Step 1: Install required packages

sudo apt update
sudo apt -y install realmd libnss-sss libpam-sss sssd sssd-tools adcli samba-common-bin oddjob oddjob-mkhomedir packagekit

Step 2: Check domain configuration

sudo realm discover ad.yourdomain.lan

This should look like:

ad.yourdomain.lan
  type: kerberos
  realm-name: AD.YOURDOMAIN.LAN
  domain-name: ad.yourdomain.lan
  configured: no
  server-software: active-directory
  client-software: sssd
  required-package: sssd-tools
  required-package: sssd
  required-package: libnss-sss
  required-package: libpam-sss
  required-package: adcli
  required-package: samba-common-bin

You can see what packages are required…

Step 3: Join Ubuntu Client to the Nethserver Samba AD

sudo realm join -U Administrator ad.yourdomain.lan

Step 4: Create user’s home directory

sudo bash -c "cat > /usr/share/pam-configs/mkhomedir" <<EOF
Name: activate mkhomedir
Default: yes
Priority: 900
Session-Type: Additional
Session:
        required                        pam_mkhomedir.so umask=0022 skel=/etc/skel
EOF

Step 5: Activate users’ home directory

sudo pam-auth-update

Step 6: Configure Sudo Access

sudo echo "" | sudo tee -a /etc/sudoers
sudo echo "# Allow Nethserver Admins" | sudo tee -a /etc/sudoers
sudo echo "administrator@ad.yourdomain.lan ALL=(ALL) ALL" | sudo tee -a /etc/sudoers
sudo echo "admin@ad.yourdomain.lan ALL=(ALL) ALL" | sudo tee -a /etc/sudoers

Step 6a: Automount homedir

Install some packages
sudo apt-get install ntp adcli libsss-sudo libpam-mount cifs-utils

Edit pam_mount.conf.xml
sudo nano /etc/security/pam_mount.conf.xml

Place the Volume definitions on the end of the xml file before </pam_mount>

<!-- Volume definitions -->
<volume user="*" sgrp="domain users@ad.yourdomain.lan" fstype="cifs" server="your-servername" path="%(DOMAIN_USER)" mountpoint="~/nethome/home" options="nosuid,nodev" />
<volume user="*" sgrp="domain users@ad.yourdomain.lan" fstype="cifs" server="your-servername" path="share1" mountpoint="~/nethome/share1" options="nosuid,nodev" />
<volume user="*" sgrp="domain users@ad.yourdomain.lan" fstype="cifs" server="your-servername" path="share2" mountpoint="~/nethome/share2" options="nosuid,nodev" />

Step 7: Allow manual login

Reboot your Client now

Step 8: Logon as Domain user

First we need the ZFS password

Second the domain user credentials

Added Step 6a…

8 Likes

nice,
hopefully your workstation have more RAM than my laptop 4GB is very short with ZFS.

Yes, ZFS needs a bit more RAM. I just tried it in a VM with 4GB…

hello fausp

on your pam_mount the path = share is the share created on nethserver gui i suppose?
instead of path=/var/lib/nethserver/ibay/share (it means that pam xml doesn’t need the full nethserver share path…

secondly, the mount point is the pointed workstation home path that you are joining into AD nethserver… right?

best regards

Yes, it is a nethserver share.

Yes, it is working this way for me.

All shares, the user-home and the other shares are mounted into the local filesystem of the client…

Holy cow ! I want this working so bad I will try it on

Linux mint 19.3 and on ubuntu 20.04 also

Thanks man

You are welcome!

Hi there,

after some years on SME I decided to switch to nethserver some weeks ago.

As we only use Kubuntu client machines (5 of them) I joined them to nethserver AD along this howto, second part without ZFS. I also created my users in nethserver and gave them a standard password for them to change later. So I called my colleagues, had them change their password in the web interface on my machine and then log in to their machine, and all was working and fine.

Some days later two of my colleagues decided to switch workplaces, but one of them found he can not login to the other Kubuntu machine using his (self created) password. After some testing I found that the standard password which I gave the user account when creating it still works for that Kubuntu machine, but on his former machine only the self created password works. To mount any CIFS shares he has to use the new password on both machines.

Meanwhile we experienced this problems on other Kubuntu machines and with other user accounts as well but I don’t see a pattern yet. Is there some kind of credential caching on the Kubuntu machines?

@manuel_o

Hi Manual

Welcome to the NethServer Community!

Even Windows has AD Caching…
On any Windows Notebook, you can log in to AD (!) even if you’re completely offline.
Only requirement for this to work is that you’ve logged in to the AD before.

All Systems which use Samba must - more or less - also fulfill this!

But where the caching exactly is in Kubuntu… No idea! :slight_smile:

What helps:

If NethServer is your AD, it should also be your Internal DNS.
In DNS, create an entry “ad.yourdomain.com” pointing to the IP of your AD (Not NethServer).
Also create an entry for your NethServer…

My 2 cents
Andy

PS: I’m also a several years SME User - just changed in 2017… :slight_smile:

Hi Andy, thanks for your reply and the hints.

I only have one nethserver-machine which does AD, DNS and DHCP. Also ad.mydomain is immediately pingable form each client. So that should work.

I have not found anything about caching on Linux clients so I did a realm leave on each client and rejoined them to ad.mydomain and now they all work. At least until one user changes his password again.

1 Like

A post was split to a new topic: Access Denied to AD Users from Kubuntu clients joined to domain