[olug] SMB automount user directories

Phil Brutsche phil at brutsche.us
Wed May 28 02:30:19 UTC 2003


A long time ago, in a galaxy far, far away, someone said...

> Situation:
> Logging into a linux desktop machine needs to auto mount the users network
> directory from an NT4 machine.  It needs to unmount the directory after
> logging out.

[snip pam-mount]

> Is it possible for a linux desktop to use the NT machine for logging in?

Yes.

> Does this require a change of configuration on the NT machine?

The NT machine needs to be an NT4 Domain Controller (or compatible with
one, such as Windows 2000 AD in mixed mode).  If there's no DC available,
it won't work.

Note that Samba 3 will lift the limit on the DC type, as it will be able
to talk to ActiveDirectory via Kerberos and LDAP.

> I'm not allowed to go into the server room any more because I'm a
> "security risk" and I want to run this through some testing before I
> push it into a production environment.  I can mount the shares on the NT
> machine right now without any problems.

If they consider you a "security risk" I'm afraid it may be outside the
scope of your access level on the NT4 side of things.

Specifically, you need Samba 2.2.x (I strongly recommend 2.2.8a), and the
winbind functionality in particular.  For winbind to work you need to join
the Linux machine into the domain (smbpasswd -j DOMAIN -r PDC), for which
you need administrator rights to the domain.

If you have domain administrative rights (or have the cooperation of
someone who does) you need to

1) put the appropriate magic in smb.conf
2) configure the glibc NSS functionality to use winbind via
/etc/nsswitch.conf
3) Configure any and all appropriate PAM-aware services to use pam_winbind
and pam_unix

When people log into Linux services with their domain identity - or even
log in in general, yes this works with KDE ;) - they *need* to log in as
DOMAIN\username, since that's what Linux will see.  The "\" is actually
configurable via smb.conf and defaults to "+", which makes some things
easier (such as trying to remember when you do and don't need to escape
the "\").  The NT-savvy may find the difference... confusing ;)

If you need domain access to work with PAM-unaware services (or
statically-linked executables), those programs won't be able to resolve
the file system UID/GID info to a user/group name, nor will they be
able to authenticate via the domain.

-- 

Phil Brutsche
phil at brutsche.us
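The three steps in Phil's post (smb.conf settings, NSS via /etc/nsswitch.conf, PAM with pam_winbind and pam_unix) as one worked example. This is an added script, not part of the original message or of Samba itself. It stages the fragments in a scratch directory rather than touching /etc, so it runs anywhere; DOMAIN, PDC and the staging path are placeholder assumptions, and the winbind option names are the Samba 2.2 spellings (winbind uid/gid, winbind separator), matching the 2.2.8a release the post recommends. The separator is set to "+" explicitly so that domain users appear as DOMAIN+username regardless of the build's default.

```shell
#!/bin/sh
# Added example, not from the original post.  Stages the three config pieces
# for a Samba 2.2 winbind domain member and sanity-checks them.
# Assumed placeholders: STAGE (scratch dir, never /etc), DOMAIN, PDC.
STAGE="${STAGE:-${TMPDIR:-/tmp}/winbind-stage}"
DOMAIN="${DOMAIN:-EXAMPLEDOM}"   # assumption: NT4 domain name
PDC="${PDC:-pdc1}"               # assumption: NetBIOS name of the domain controller

# 1) smb.conf "magic": domain security plus the winbind id ranges (2.2 names)
smb_conf() {
    cat <<EOF
[global]
   workgroup = $DOMAIN
   security = domain
   password server = $PDC
   encrypt passwords = yes
   winbind separator = +
   winbind uid = 10000-20000
   winbind gid = 10000-20000
   winbind enum users = yes
   winbind enum groups = yes
   template homedir = /home/%D/%U
   template shell = /bin/bash
EOF
}

# 2) glibc NSS: consult local files first, then winbind for domain accounts
nsswitch_conf() {
    cat <<EOF
passwd:  files winbind
group:   files winbind
shadow:  files
hosts:   files dns
EOF
}

# 3) PAM stack for a login service: pam_winbind is tried first, pam_unix
#    still handles local accounts (use_first_pass avoids a second prompt)
pam_login() {
    cat <<EOF
auth       sufficient   pam_winbind.so
auth       required     pam_unix.so use_first_pass
account    sufficient   pam_winbind.so
account    required     pam_unix.so
session    required     pam_unix.so
EOF
}

# True when the file contains a line matching the basic regex in $2
has_line() {
    grep -q -- "$2" "$1"
}

# True when the first auth line of the PAM fragment is pam_winbind,
# i.e. the domain is consulted before the local password file
pam_winbind_first() {
    [ "$(pam_login | sed -n '1p' | grep -c pam_winbind.so)" = "1" ]
}

stage_all() {
    mkdir -p "$STAGE"
    smb_conf      > "$STAGE/smb.conf"
    nsswitch_conf > "$STAGE/nsswitch.conf"
    pam_login     > "$STAGE/pam.d-login"
}

# Checks that each staged fragment carries the line the step depends on.
# After the real files are installed, the domain join from the post
# (smbpasswd -j DOMAIN -r PDC) and a winbindd start would be followed by
# "wbinfo -u" and "getent passwd DOMAIN+user" to confirm NSS resolution;
# those need a live DC and are deliberately not run here.
verify_stage() {
    has_line "$STAGE/smb.conf" "security = domain" &&
    has_line "$STAGE/nsswitch.conf" "^passwd:.*winbind" &&
    has_line "$STAGE/pam.d-login" "pam_winbind.so" &&
    pam_winbind_first
}

stage_all
verify_stage && echo "staged in $STAGE; next: smbpasswd -j $DOMAIN -r $PDC"
```

The staged files map onto /etc/samba/smb.conf, /etc/nsswitch.conf and the relevant /etc/pam.d service file on a real host; the PAM ordering check matters because a pam_unix line marked required ahead of pam_winbind would reject every domain user before winbind is consulted.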

