HowTo join xUbuntu 16.04 Desktop to NethServer-7 AD and automount ServerHomeDir

fausp · December 28, 2017, 5:08pm

HowTo join xUbuntu 16.04 Desktop to NethServer-7 Active Directory and automount ServerHomeDir

Please feel free to give me a feedback, I mean technically and formally.

Warning:
This is based upon limited testing, and a small number of users. Both, Client and Server, were installed as VPS under Proxmox PVE.

Server prerequisites:
Installed NethServer 7.4 Server and updated from command line. Active Directory has been configured and the domain-name example.org was given.

Client prerequisites:
Installed xubuntu 16.04 (xubuntu-16.04.3-desktop-amd64.iso), with one local user who has local admin rights. DHCP-Client was activ to get an IP from the NethServer who is acting as DHCP-and AD-Server. It is important that the Debian Client can resolv DNS correctly.

**Info:**
Servername = neth7
Domainname = example.org

Now we can join the Domain example.org with:
+-+ Open a Terminal:

+-+ Get root:
sudo su

+-+ install some packages:
apt-get install realmd ntp adcli sssd libsss-sudo libpam-mount cifs-utils

+-+ Join Domain:
realm join --user=administrator example.org

+-+ Add override_homedir and override_shell, on the end:
nano /etc/sssd/sssd.conf
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
override_homedir = /home/%u@%d
override_shell = /bin/bash
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

+-+ Enable and start sssd:
systemctl enable sssd
systemctl start sssd

+-+ (all in one line)
echo "session required pam_mkhomedir.so skel=/etc/skel/ umask=0022" | sudo tee -a /etc/pam.d/common-session

+-+ Set sudoers permission:
echo "administrator@example.org ALL=(ALL) ALL" | sudo tee -a /etc/sudoers
echo "admin@example.org ALL=(ALL) ALL" | sudo tee -a /etc/sudoers

+-+ Automount Homedir (all in one line, after Volume definitions ):
nano /etc/security/pam_mount.conf.xml
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
               <!-- Volume definitions -->
<volume user="*" sgrp="domain users@example.org" fstype="cifs" server="neth7" path="%(DOMAIN_USER)" mountpoint="~/nethome" options="nosuid,nodev" />
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

+-+ Reboot xUbuntu 16.04 Desktop:
reboot

+-+ After the reboot, click on other and logon with:
user: administrator@example.org
pass: your-administrator-password

mark_nl · June 30, 2018, 8:40pm

Thanx!
going to adapt your HowTo to debian stretch in the next day’s!

Would love to see this pushed to a “e-smith” updated script someone could run on a linux NS-AD client.

mark_nl · July 12, 2018, 9:48am

after joining a fedora client to the AD-domain i did this how to on a debian 9 xfce.

worked perfect!, did not have the chance to test the auto-mounted “nethome”

Followed this How-To to “the letter” except:

override_homedir = /home/%u@%d
override_shell = /bin/bash

in did follow your centos how-to

# Change and add /etc/sssd/sssd.conf:
use_fully_qualified_names = False
fallback_homedir = /home/%u

override_homedir = /home/%u
override_shell = /bin/bash

in the footsteps of my fedora setup: managing sudo right in AD-groups; omitted

+-+ Set sudoers permission:
echo "administrator@example.org ALL=(ALL) ALL" | sudo tee -a /etc/sudoers
echo "admin@example.org ALL=(ALL) ALL" | sudo tee -a /etc/sudoers

and created a sudo group in the AD (sudo@example.org) and added the domain admins group to it as members and a regular user (i.e.john@example.org) as well.

The users in the sudo@example.org group have sudo rights on the client.

EDIT: overlooked something (not sure if it is important) just automatically typed ad.example.org:

realm join --user=administrator ad.example.org

instead of:

realm join --user=administrator example.org

fausp · July 12, 2018, 1:54pm

mark_nl:

in the footsteps of my fedora setup: managing sudo right in AD-groups; omitted
+-+ Set sudoers permission:
echo "administrator@example.org ALL=(ALL) ALL" | sudo tee -a /etc/sudoers
echo "admin@example.org ALL=(ALL) ALL" | sudo tee -a /etc/sudoers
and created a sudo group in the AD ( sudo@example.org ) and added the domain admins group to it as members and a regular user (i.e. john@example.org ) as well.

The users in the sudo@example.org group have sudo rights on the client.

Sounds great, I have to test it…

Yes it is important, I did my HowTos on different domains… This is the reason why I wrote:

# Get your DNS domain name from:
Configuration > Accounts provider > DNS domain name

In the CentOS HowTo…

Vitor_Hugo_Barbosa · December 4, 2019, 8:58pm

hello i dont have this line for instance i think in my ```
/etc/security/pam_mount.conf.xml

<volume user="*" sgrp="domain users@example.org" fstype="cifs" server="neth7" path="%(DOMAIN_USER)" mountpoint="~/nethome" options="nosuid,nodev" />
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

+-+ Reboot xUbuntu 16.04 Desktop:
reboot

this will allow to have your docs and folders created with ad login account like roaming profiles, and retrieve 
later on other joined ad computer, i need to check if ive this instruction..... can you corfirm me that please