Mint active directory user shares Part 2

blackest_knight
  9 years ago
  -1

In part 1 I went through connecting to Active Directory using Centrify.

Now I am going to do a short tutorial on mounting user shares from the server on the Linux client.

If you don't use Centrify you can use likewise-open; the setup is pretty much the same as for Centrify:

sudo apt-get install likewise-open-gui

and use the Active Directory Membership tool to join your domain.

With a domain ending in .local you will need to edit /etc/nsswitch.conf and change the hosts line (the one with mdns on it) so that dns comes first. You will probably pick up a few useful bits from part one even if you go with likewise-open.

For mounting user folders you need to install libpam-mount:

sudo apt-get install libpam-mount

Now you need to edit this file:

sudo nano /etc/security/pam_mount.conf.xml

[code]
<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
<!--
    See pam_mount.conf(5) for a description.

    This should go in /etc/security/
-->

<pam_mount>

  <!-- Volume definitions.  Both volumes are tried for every user (user="*")
       with that user's own credentials; the server's permissions on staff$
       and students$ decide which one actually mounts. -->
  <volume user="*" fstype="cifs" server="SRV" path="staff$/%(DOMAIN_USER)" mountpoint="~/Documents" />
  <volume user="*" fstype="cifs" server="SRV" path="students$/%(DOMAIN_USER)" mountpoint="~/Documents" />

  <!-- pam_mount parameters: General tunables -->
  <debug enable="0" />
  <!-- Lets each user add their own volumes in ~/.pam_mount.conf.xml -->
  <luserconf name=".pam_mount.conf.xml" />

  <!-- Note that commenting out mntoptions will give you the defaults.
       You will need to explicitly initialize it with the empty string
       to reset the defaults to nothing. -->
  <!--
  <mntoptions deny="suid,dev" />
  <mntoptions allow="nosuid,nodev,loop,encryption,fsck,nonempty,allow_root,allow_other" />
  <mntoptions allow="*" />
  <mntoptions deny="*" />
  -->
  <mntoptions require="" />
  <path>/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin</path>

  <logout wait="0" hup="0" term="0" kill="0" />

  <!-- pam_mount parameters: Volume-related -->
  <!-- Create the mount point if it is missing and remove it again at logout -->
  <mkmountpoint enable="1" remove="true" />

</pam_mount>
[/code]

This file has two example paths on Active Directory, students$ and staff$. Paul, a student, would have a home folder of students$/paul, and Peter, a staff member, would have a home folder of staff$/peter.

What is kind of tidy about this is that the current user's credentials are used to authorise these shares.

Since a student is a student and staff is staff, a staff member is only authorised by Active Directory to mount his share on staff$ and not a student share; likewise the student can only mount his own share and not a staff share.

You can make this a lot more complicated, making a mount conditional on certain group memberships and mounting in different places. "~/Documents" equates to /home/username/Documents, and anything a user saves to Documents is saved over the network transparently.

Another feature is that if the mount point doesn't exist it will be created.

So, pretty powerful stuff really.

In part 3 I will look at setting up a printer and billing.

Comments
blackest_knight 9 years ago

I've tested pam_mount.conf.xml both with Centrify and likewise-open.
There is a small difference in group names:
if the AD group is "all staff",
Centrify will probably use "all_staff" and
likewise-open will probably use "all^staff".
If folders are not mounted as expected then
pc> id username
should reveal the group memberships, though not necessarily all of them, unfortunately.

Which is better, likewise-open or Centrify?
It depends. If you are installing on a laptop that's in and out of the domain, likewise-open works well.
It also has a bonus bug/feature: if your local username and your AD user name are the same, then if you log in with your AD password you get your network shares mounted, and if you use the local user password you don't.
You also share a single desktop, that of the local user.

Centrify is probably best for systems that live in the domain all the time.
If a local user and a domain user have the same account name, both are locked out.

I've also found that if you go outside of the domain then you may also get locked out at home too! Both of them seem not to fully list all the group memberships.

So for the main tasks you can use either Centrify or likewise-open;
you need samba and libpam-mount installed.

If you set up the domain's printers and customise pam_mount.conf.xml,
you can use that system as an image to clone other PCs; you just need to change the PC name. The user can set the default printer, or you can when rolling out the images.


blackest_knight 9 years ago

Due to the way this page handles left and right arrows I've had to use
something else or half the lines would be missing :(

So [ = left arrow and ] = right arrow.

This is an example of a conditional mount of a volume:

[volume

fstype="cifs"
server="SRV"
path="students$/%(DOMAIN_USER)"
mountpoint="~/Documents">
[not]
[user]excludeduser[/user]
[/not]
[and]
[sgrp]students[/sgrp]
[/and]
[/volume]


First you need to check group membership,
e.g. id astudent

This will give you some of the groups this user belongs to;
in this case students is one of them.

So this volume will only get mounted if the user isn't called excludeduser and is a member of the students group. (A not B and C) = true to mount it.

If I happened to have a student called 'excludeduser' then he wouldn't be able to access his home folder even though his account is a member of students.
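To check what the wildcard volumes in the post and the conditional volume in the comment above would do for a given account before anyone logs in, here is an added Python simulator (not pam_mount's own code and not part of the original post). It assumes pam_mount's documented semantics for the condition elements used here, that `%(DOMAIN_USER)` expands to the bare username, and that the group list is whatever `id username` prints; the config string is constructed for the example.

```python
"""Simulate which pam_mount volumes a user would get.  Added example, not
pam_mount's own code: it re-implements the condition elements used on this
page (user="*", <user>, <sgrp>, <and>, <or>, <not>)."""
import xml.etree.ElementTree as ET

# Constructed config: the wildcard staff$ volume from the post plus the
# conditional students$ volume from the comment, with real angle brackets.
CONF = """<pam_mount>
  <volume user="*" fstype="cifs" server="SRV"
          path="staff$/%(DOMAIN_USER)" mountpoint="~/Documents" />
  <volume fstype="cifs" server="SRV"
          path="students$/%(DOMAIN_USER)" mountpoint="~/Documents">
    <not><user>excludeduser</user></not>
    <and><sgrp>students</sgrp></and>
  </volume>
</pam_mount>"""

def group_variants(name):
    """AD group 'all staff' shows up in `id` as all_staff (Centrify) or
    all^staff (likewise-open); accept any of the three spellings."""
    return {name, name.replace(" ", "_"), name.replace(" ", "^")}

def matches(cond, user, groups):
    """Evaluate one condition element (regex="yes" attributes not handled)."""
    if cond.tag == "user":
        return cond.text.strip() == user
    if cond.tag == "sgrp":
        return bool(group_variants(cond.text.strip()) & set(groups))
    if cond.tag == "not":          # pam_mount allows exactly one child
        return not matches(cond[0], user, groups)
    if cond.tag == "and":
        return all(matches(c, user, groups) for c in cond)
    if cond.tag == "or":
        return any(matches(c, user, groups) for c in cond)
    raise ValueError(f"unsupported condition <{cond.tag}>")

def volumes_for(conf_xml, user, groups):
    """Return [(server, share path, mountpoint)] pam_mount would *attempt*
    for `user`; the file server's ACLs still decide what really mounts."""
    attempted = []
    for vol in ET.fromstring(conf_xml).iter("volume"):
        if vol.get("user", "*") not in ("*", user):   # user="*" = everyone
            continue
        # Direct children of <volume> are all ANDed together.
        if not all(matches(c, user, groups) for c in vol):
            continue
        share = vol.get("path").replace("%(DOMAIN_USER)", user)
        attempted.append((vol.get("server"), share, vol.get("mountpoint")))
    return attempted
```

Calling `volumes_for(CONF, "excludeduser", ["students"])` shows only the staff$ volume being attempted, which is exactly the lock-out the comment describes; the same call for "paul" lists both.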