Looking for HOWTO for Neth 7 as AD PDC and file server with Ubuntu and Windows clients

Please try this on xubuntu 16.04:

Info:
Servername = neth7
Domainname = example.org

Now we can join the Domain example.org with:
+-+ Open a Terminal:

+-+ Get root:
sudo su

+-+ install some packages:
apt-get install realmd ntp adcli sssd libsss-sudo libpam-mount cifs-utils

+-+ Join Domain:
realm join --user=administrator example.org

+-+ Add override_homedir and override_shell at the end:
nano /etc/sssd/sssd.conf
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
override_homedir = /home/%u@%d
override_shell = /bin/bash
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

+-+ Enable and start sssd:
systemctl enable sssd
systemctl start sssd

+-+ (all in one line)
echo "session required pam_mkhomedir.so skel=/etc/skel/ umask=0022" | sudo tee -a /etc/pam.d/common-session

+-+ Set sudoers permission:
echo "administrator@example.org ALL=(ALL) ALL" | sudo tee -a /etc/sudoers
echo "admin@example.org ALL=(ALL) ALL" | sudo tee -a /etc/sudoers

+-+ Automount Homedir:
nano /etc/security/pam_mount.conf.xml
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                <!-- Volume definitions -->
<volume user="*" sgrp="domain users@example.org" fstype="cifs" server="neth7" path="%(DOMAIN_USER)" mountpoint="~/nethome" options="nosuid,nodev" />
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

+-+ Reboot xUbuntu Desktop:
reboot

+-+ After the reboot, click on Other and log on with:
user: administrator@example.org
pass: your-administrator-password

You could probably use some custom templates and get what you want. Not sure if you need AD then.

If you are running an AD, the AD’s DNS server should be used by clients. Whatever your DHCP server is, it should have an option for DNS servers and should be giving the clients that require AD authentication or resources on the AD the AD DNS server, and you probably want to use the Nethserver DHCP as well, because otherwise your clients will not be registered in the AD DNS.

Doing it this way ensures home shares work out of the box without any extra configuration. But yeah, your Windows machines will need to get their IP from Nethserver and use the AD container as DNS if you want it to work like you expect. Else you will be forced to manipulate the DNS records on your other DNS server and inform it there is an AD on your server, and have the DHCP scope adjusted as well.

You could use Nethserver as all-in-one. Set it up to be the AD server, Samba server and gateway for these clients. That way you have separated your ‘stuff’ from the rest of the network, and that generally keeps sysadmins happy :slight_smile: Just put an extra NIC in there and use it as red link. Install Nethserver with your company's DNS server and do the rest as stated.

You will then have your own little island where everything behind the Nethserver is out of reach of the rest of the network, and depending on your setup, you can also restrict just about everything the other way.

@fausp, here is the process I used that (mostly!) seems to work:

Ubuntu w/auth and home directories on FreeNAS

There are a few tricks that I may be getting wrong. I had to modify the /etc/krb5.conf file differently:

/etc/krb5.conf:
(use tabs!)

[libdefaults]
    default_realm = MYDOMAIN.LAN
    rdns = no
    dns_lookup_kdc = true
    dns_lookup_realm = false


[realms]
    MYDOMAIN.LAN = {
        # port 88 is where Zentyal ran Kerberos, I think...
        kdc = 10.1.2.3.4:88
    }

[domain_realm]
     .mydomain.lan = MYDOMAIN.LAN
     mydomain.lan = MYDOMAIN.LAN

Mounting the home directories was handled by setting up /etc/security/pam_mount.conf.xml:

<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd"> 
<pam_mount>
    <debug enable="0" />
    <volume user="*" fstype="cifs" server="adserver.mydomain.lan" path="%(DOMAIN_USER)" mountpoint="/home/%(DOMAIN_USER)" options="sec=krb5i,cruid=%(USERUID),username=%(DOMAIN_USER)"/>
    <volume user="*" fstype="cifs" server="adserver.mydomain.lan" path="MyShare" mountpoint="/home/%(DOMAIN_USER)/MyShare" options="sec=krb5i,cruid=%(USERUID),username=%(DOMAIN_USER)"/>
    <umount>umount %(MNTPT)</umount>
    <mntoptions allow="nosuid,nodev,loop,encryption,fsck,nonempty,allow_root,allow_other" />
    <mntoptions require="nosuid,nodev" />
    <path>/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin</path>
    <logout wait="0" hup="0" term="0" kill="0" />
    <mkmountpoint enable="1" remove="false" />
</pam_mount>

I set up sssd as in the link above.

Hi @fausp,

This creates the home directories on the local host, no? I want them mounted from the Neth server.

I had not thought of realmd… I will look into that. Thanks!

Hi @planet_jeroen,

I do not have dual NIC hardware. The server is an existing piece of hardware that we have. That said, I am leaning more and more toward doing what you said. The room where all the machines are is physically isolated from the rest of the network, so I could set up a dual NIC machine. I think there is a spare PCIe slot, so if I can find a NIC that will work… Food for thought.

The idea was to have a local homedir and a mountpoint for the server homedir.

The pam_mount automatically mounts the NethServer homedir to a folder in your local homedir (nethome), after logon…

Hmm… What I posted was working and it did not leave any empty home directories on the client systems.

Thanks for the tip about realmd. This looks much, much easier!

I will be going to get a USB/Ethernet adapter to add to the server as soon as stores open here (I’m on the Big Pond coast of the US so it is still morning here).

You are welcome! Have fun with NethServer … :slight_smile:

Unfortunately, I am having problems getting it to work on an Ubuntu 16.04 client.

I have tried doing exactly what you wrote above.

kyle@homesrv2:~$ ssh admin@10.206.2.179
admin@10.206.2.179's password: 
Permission denied, please try again.
admin@10.206.2.179's password: 
Permission denied, please try again.
admin@10.206.2.179's password: 

kyle@homesrv2:~$ ssh administrator@10.206.2.179
administrator@10.206.2.179's password: 
Permission denied, please try again.
administrator@10.206.2.179's password: 
Permission denied, please try again.
administrator@10.206.2.179's password: 

kyle@homesrv2:~$ ssh testuser@10.206.2.179
testuser@10.206.2.179's password: 
Permission denied, please try again.
testuser@10.206.2.179's password: 

Modifying what you had, I was able to get closer. I was able to log into the client machine as any one of the above users, but the CIFS mount always fails. Note that depending on how I am trying to force the mount, the error is not always obvious. The pam_mkhomedir part is hiding the fact that the mount does not work. I get all the directories. When I go onto the NS and put something in one of those shared directories, I do not ever see that file on the client.

I also tried to do it on the command line (the domain is required otherwise I get a different error):

root@domiclient:~# mount -t cifs //domiserv.ad.domistyledesign.lan/testuser /mnt -ouser=testuser,domain=ad.domistyledesign.lan
Password for testuser@//domiserv.ad.domistyledesign.lan/testuser:  *********
mount error(13): Permission denied
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)

So, perhaps I have an incorrect configuration in my NS?

I set up three users, administrator, admin, and testuser. I am able to use Nautilus to log into the testuser “share” but it comes up as read-only. I do not have guest access enabled.

I tried a different approach as outlined here:

Ubuntu example

That also does not work. I get close. Auth works, the mount does not. I can usually tweak it to the point where I get a permissions error as above.

I am running the latest NS, version 7.4.

I have a Red network on a USB/Ethernet port with a dynamic IP assigned via DHCP. The Red network is 10.206.1.x with a router/gateway at 10.206.1.1.

I have a Green network on the motherboard Ethernet port and am running DHCP on that. The Green network is 10.206.2.x with the NS at 10.206.2.1 and the nsdc container at 10.206.2.2. I can ping both from any client on the Green network.

I can put client machines on the Green network and they can access the Internet, so all that is working.

I can auth against the NS.

I just cannot mount anything.

Is there a way to turn off the password checking in NS? It is extremely frustrating to be testing and have to constantly type complicated and long passwords. Half the time I cannot tell if I mistyped the password or have some other error.

Oops, forgot to mention, I am not finding anything about this permission error in the NS server logs. I looked with journalctl. Where else should I be looking?

And another thing I forgot. The Kerberos part is discoverable:

root@domiclient:~# host -t SRV  _kerberos._udp.ad.domistyledesign.lan 
_kerberos._udp.ad.domistyledesign.lan has SRV record 0 100 88 nsdc-domiserv.ad.domistyledesign.lan.
support@xubuntu:~$ smbtree
Enter support's password:

EXAMPLE
    \\NETH7                         NethServer 7.4.1708 Final (Samba 4.6.2)
            \\NETH7\IPC$            IPC Service (NethServer 7.4.1708 Final (Samba 4.6.2))
            \\NETH7\test            test
            \\NETH7\print$          Printer drivers


support@xubuntu:~$ mkdir testshare

support@xubuntu:~$ sudo mount -t cifs //neth7.example.org/test ~/testshare -ouser=admin@example.org

Password for admin@example.org@//neth7.example.org/test:  ************

support@xubuntu:~$ mount

...
//neth7.example.org/test on /home/support/testshare type cifs (rw,relatime,vers=1.0,cache=strict,username=admin@example.org,domain=,uid=0,noforceuid,gid=0,noforcegid,addr=<Server-IP>,unix,posixpaths,serverino,mapposix,acl,rsize=1048576,wsize=65536,echo_interval=60,actimeo=1,user=admin@example.org)
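The pam_mount volumes posted earlier in this thread (one hardened with `nosuid,nodev`, the other authenticating with `sec=krb5i`) and the `vers=1.0` in the mount line above are worth auditing side by side. The following is an added example, not code from any poster or from NethServer: it parses a pam_mount.conf.xml and a `mount` output line, both constructed here from the thread's samples, and reports volumes that do not spell out the `<mntoptions require>` flags, that authenticate with a password instead of a Kerberos ticket, or that select the SMB1 dialect.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample modelled on the two <volume> styles posted in this thread.
SAMPLE_PAM_MOUNT = """<pam_mount>
  <volume user="*" sgrp="domain users@example.org" fstype="cifs" server="neth7" path="%(DOMAIN_USER)" mountpoint="~/nethome" options="nosuid,nodev" />
  <volume user="*" fstype="cifs" server="adserver.mydomain.lan" path="%(DOMAIN_USER)" mountpoint="/home/%(DOMAIN_USER)"
          options="sec=krb5i,cruid=%(USERUID),username=%(DOMAIN_USER)" />
  <mntoptions require="nosuid,nodev" />
</pam_mount>"""

# Constructed sample in the shape of one cifs line from `mount` (address from documentation space).
SAMPLE_MOUNT_LINE = ("//neth7.example.org/test on /home/support/testshare type cifs (rw,relatime,vers=1.0,"
                     "cache=strict,username=admin@example.org,domain=,uid=0,noforceuid,gid=0,addr=192.0.2.10,unix)")

KERBEROS_SEC = {"krb5", "krb5i", "krb5p"}  # sec= values that use the login ticket, not a password

def parse_options(opts):
    """Turn 'a,b=c,d=' into {'a': None, 'b': 'c', 'd': ''}."""
    out = {}
    for item in filter(None, opts.split(",")):
        key, sep, val = item.partition("=")
        out[key] = val if sep else None
    return out

def audit_options(opts, required=("nosuid", "nodev")):
    """Findings for one cifs option string: hardening flags, auth method, SMB dialect."""
    o, findings = parse_options(opts), []
    findings += [f"missing {flag}" for flag in required if flag not in o]
    if o.get("sec") not in KERBEROS_SEC:
        findings.append("sec is not krb5*: password (NTLM) authentication to the share")
    vers = o.get("vers")
    if vers is None:
        findings.append("no vers=: dialect left to the kernel default")
    elif vers.startswith("1."):
        findings.append(f"vers={vers}: SMB1 dialect")
    return findings

def audit_pam_mount(xml_text):
    """Audit every cifs <volume>, using the file's own <mntoptions require> list if present."""
    root = ET.fromstring(xml_text)
    req = root.find("mntoptions[@require]")
    required = tuple((req.get("require") if req is not None else "nosuid,nodev").split(","))
    return {f"//{v.get('server')}/{v.get('path')}": audit_options(v.get("options", ""), required)
            for v in root.iter("volume") if v.get("fstype") == "cifs"}

def audit_mount_line(line):
    """Audit the parenthesised option list of one cifs line from `mount`; None if not cifs."""
    m = re.match(r"(\S+) on \S+ type cifs \((.*)\)$", line)
    return (m.group(1), audit_options(m.group(2))) if m else None
```

Run `audit_pam_mount(open("/etc/security/pam_mount.conf.xml").read())` on a client, or feed each line of `mount` to `audit_mount_line`, to get the same findings for a live system.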

I will try that. I am rebuilding the server as a VM in Virtualbox. I have two networks, one for Red and one “internal” for Green. The NIC I bought and added appears to have died late last night so I am without hardware for this right now :rage:

I rebuilt the system from scratch. Shorter domain name :slight_smile:

I found a NIC (PCIe is hard to find in stores now!) and added that. The USB NIC I had was flaky. During heavy use it caused a kernel panic and crash and corrupted the NS install.

So now starting over…

Here is what I get:

localadmin@domiclient:~$ smbtree -Uadministrator
Enter administrator's password: 
DOMISTYLE
	\\NETH           		NethServer 7.4.1708 Final (Samba 4.6.2)
		\\NETH\testshare      	Test Share
		\\NETH\IPC$           	IPC Service (NethServer 7.4.1708 Final (Samba 4.6.2))
		\\NETH\print$         	Printer drivers
localadmin@domiclient:~$ 

Much closer!

I am able to mount the test share as administrator.

I am able to log in remotely and locally (on the client)! However, I need to add the domain name:

ssh testuser@domistyle.ad@10.206.2.95

Is there a way to make that a default?

Thank you so much for the help! I am very close to getting what I want now.

One thing that seems a bit odd (but I think I read about it somewhere in one of the NS pages) is that the user’s home directory on the NS is not created until first login. Is that supposed to happen?

I have Mint 17 & 18 and Ubuntu latest connected fine and believe me I’m no expert! Windows machines were easy to connect except I haven’t bothered with automatically connecting to the user home directory and created those on the server logging into one of the linux boxes. The resource I found most useful was www.pedroliveira.pt/.../integrate-linux-mint-17-1-to-windows-server-2012-active-dir… and it covers setting up home directories. I essentially followed it exactly apart from a few details I plainly did not need for my situation.

A later post mentions initial login issues. The first two times I did the initial join I forgot somehow the ‘realm permit’ instruction which is essential. You will not get to log in at all without executing that. Permit has a number of options to tailor who is permitted; a quick Google will find what you can specify. ‘-all’ was fine for my particular situation.

Took me a while to figure out but it did work and it was really about finding the right resources to help and after that even for me with limited Linux knowledge it was fairly easy and straightforward. Downloading RSAT from microsoft to a Windows box is helpful but I suspect you would need a Pro or higher version for that. It helps confirm users and computers have been registered in the AD and so on.

Oh and my experience was Nethserver is the easy part. I never had to touch the Nethserver after the initial setup and I found that very straightforward.

Hope that is at least slightly useful. Good luck!

…no, it is essential, as any ‘advanced’ user configuration like setting display name, full name, first name, last name, email, location, phone, etc. needs to be done through it. SOGo (and likely other LDAP enabled programs) use this info too, and you cannot change it through the Nethserver GUI.

You need Pro or Enterprise for RSAT. You can very likely get a permanent evaluation version if you look a bit :wink: Drop it in a VM, run it in a KVM on the Nethserver if no dedicated hardware or other stuff is available, and perhaps even only when needed, and access it through RDP or Spice if you install the virtio drivers AND the Spice integration drivers.

Hi @rnneth, thanks for the link. I had seen some other pointers to using

   realm permit

BTW, the link you have above seems to have been truncated. I found the original blog post here:

Integrate Linux Mint 17.1 to Windows Server 2012 Active Directory Domain Controller

@planet_jeroen, no Windows Pro at all in the network I am working on. The few Windows machines are special purpose BYOD laptops and all run Windows Home. Part of the reason I am using Nethserver is to provide some slightly friendlier way of adding users via the Nethserver web UI.

Then your best bet would be to go less legal or try if this gets you there:

http://techgenix.com/free-tools-active-directory-administration/

Either that, or use command lines … but that is hardly user-friendly for your average IT support technician.
You could probably get away with downloading an eval version and being funny with it … that way you can at least use ADUC and other RSAT tools. There are howtos out there on how to reset the evaluation.
