Hi @all,
in relation to the other posts:
I have integrated Ubuntu 20.04 into Samba AD. Since not everything runs out of the box, especially if you need dynamic CIFS mounts via pam_mount, you have to intervene a little.
Since I have now spent several days on it (which may also be due to my skills), I describe the procedure here. Maybe another user needs something similar.
It would be good if somebody with more detailed knowledge of the technique would comment on it here.
In the first step I installed Ubuntu 20.04 (Desktop) with the minimal selection. The computer has to be connected to the UCS before it gets an IP.
Add packages and set time
sudo apt install ntpdate git keyutils libpam-mount cifs-utils
sudo ntpdate master.mydomain.local
** ADS join **
git clone https://github.com/ABotelho23/UCS_domain_join
cd UCS_domain_join
sudo bash setup.sh
What is the Kerberos realm? (dom.example.com)? mydomain.local
What is the domain controllers short hostname ? ('dc' part of dc.dom.example.com)? master
What is the domain admin username? Administrator
Creating computer account on master.mydomain.local UCS server. Password for domain admin will be prompted.
Password:[Administrator-Password]
...
Add a domain user to local sudoers? Y/N: N
UCS Domain Join Complete! REBOOT NOW? [y/N] N
Note on sudoers: even if you select 'y' here and specify a domain user to be added to sudoers, nothing happens! The specified user is not added to the group. This has to be done manually later if you want to work with sudo. But since I always add a 'real' root, it does not matter to me.
If you don't need PAM_MOUNT with CIFS you can restart now and log in with your domain users, and everything is fine.
If you want pam_mount to work correctly with CIFS, change in /etc/sssd/sssd.conf
# deactivate entry
#default_domain_suffix = gehr.local
# change line
use_fully_qualified_names = True -> use_fully_qualified_names = False
Because my home everywhere is /home/[username] I have changed the following line:
fallback_homedir = /home/%u@%d -> fallback_homedir = /home/%u
I'm not sure if this is necessary or what the implications are.
change in /etc/request-key.d/cifs.spnego.conf
create cifs.spnego * * /usr/sbin/cifs.upcall %k
->
create cifs.spnego * * /usr/sbin/cifs.upcall -t %k
The script for the AD join comes from here:
many thanks to the developers!
Now restart the computer and log on as domain user.
** PAM_MOUNT **
Dynamic mounting of the user home from the server with PAM_MOUNT & CIFS does not work with the environment created by the script! I have spent days trying to figure it out, or rather I found the reason, but not how to change it.
With the CIFS mount in PAM_MOUNT.CONF.XML I can use the variables
%(USER)
%(DOMAIN_NAME)
%(DOMAIN_USER)
The variable %(USER) should actually contain the user name without "...@DOMAIN...". But it does not. With the following line in /etc/security/pam_mount.conf.xml
<volume fstype="cifs" server="master.mydomain.local" path="%(USER)" mountpoint="/home/%(USER)/" sec="krb5i" cruid="%(USERUID)" />
the system tries to mount the server share:
\\master.mydomain.local\myuser@mydomain.local
to local:
/home/myuser@mydomain.local
This share does not exist; the user part must be without the domain:
\\master.mydomain.local\myuser
I haven't found a way to change that behavior.
Someone with more knowledge is needed here.
The remaining shares can then be mounted using the entries in /etc/security/pam_mount
<volume fstype="cifs" pgrp="domain users" server="master.mydomain.local" path="Buchhaltung" mountpoint="/data01/Buchhaltung/" sec="krb5i" cruid="%(USERUID)" />
<volume fstype="cifs" pgrp="domain users" server="master.mydomain.local" path="Downloads" mountpoint="/data01/Downloads/" sec="krb5i" cruid="%(USERUID)" />
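As an added example (not part of the original post or of the join script), the following Python snippet checks the three configuration points described above: the sssd.conf changes, the cifs.upcall -t rule in cifs.spnego.conf, and the pam_mount volumes. The sample file contents are constructed to mirror the post's "before" state, and the variable expansion only imitates what the post observed for %(USER) and %(USERUID); it is not pam_mount's own code.

```python
import configparser
import re
import xml.etree.ElementTree as ET
# Constructed samples mirroring the post's "before" configuration (not real files).
SSSD_CONF = """[sssd]
domains = mydomain.local
[domain/mydomain.local]
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
"""
REQUEST_KEY_CONF = "create cifs.spnego * * /usr/sbin/cifs.upcall %k\n"
PAM_MOUNT_XML = """<pam_mount>
<volume fstype="cifs" server="master.mydomain.local" path="%(USER)"
        mountpoint="/home/%(USER)/" sec="krb5i" cruid="%(USERUID)" />
<volume fstype="cifs" pgrp="domain users" server="master.mydomain.local"
        path="Buchhaltung" mountpoint="/data01/Buchhaltung/" sec="krb5i" cruid="%(USERUID)" />
</pam_mount>"""

def sssd_issues(text):
    """Return the sssd.conf settings the post changes that are still at their join-time values."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    issues = []
    for sect in (s for s in cp.sections() if s.startswith("domain/")):
        if cp.get(sect, "use_fully_qualified_names", fallback="false").lower() == "true":
            issues.append(f"{sect}: use_fully_qualified_names is True (post sets it to False)")
        if "%d" in cp.get(sect, "fallback_homedir", fallback=""):
            issues.append(f"{sect}: fallback_homedir still contains %d (post uses /home/%u)")
    return issues

def request_key_issues(text):
    """Flag a cifs.spnego rule that calls cifs.upcall without the -t flag the post adds."""
    return [line for line in text.splitlines()
            if line.startswith("create cifs.spnego") and not re.search(r"cifs\.upcall\s+-t\b", line)]

def expand_volumes(xml_text, user, uid):
    """Substitute %(USER)/%(USERUID) into each <volume>; returns (UNC path, mountpoint) per volume."""
    subst = {"USER": user, "USERUID": str(uid)}
    def sub(s):
        return re.sub(r"%\((\w+)\)", lambda m: subst.get(m.group(1), m.group(0)), s)
    return [("\\\\" + sub(v.get("server")) + "\\" + sub(v.get("path")), sub(v.get("mountpoint")))
            for v in ET.fromstring(xml_text).iter("volume")]

if __name__ == "__main__":
    print(sssd_issues(SSSD_CONF))
    print(request_key_issues(REQUEST_KEY_CONF))
    # With a fully qualified login name the home volume points at a share that does not exist:
    print(expand_volumes(PAM_MOUNT_XML, "myuser@mydomain.local", 10001)[0])
    print(expand_volumes(PAM_MOUNT_XML, "myuser", 10001)[0])
```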
Maybe this helps someone facing the same problem. It would be nice if the dynamic mounting of the user homes would also work, but I'm satisfied like this.
Best regards,
sven