Windows Domain Membership

Hello, guys!

I’ve been working on homologating openSUSE for our company.
As we use an Active Directory structure, I used the documentation from SLED and was perfectly able to join the DOMAIN using the WINDOWS DOMAIN MEMBERSHIP tool.

However, I want to use the “expert configuration” to auto mount windows directories in the local machine.

I entered in yast2>windows domain membership>expert settings>mount server directories

Do you guys have any how-to of using this?

I tried this configuration:
name server: 192.168.4.x (IP of server)
remote path: /sistema
local path: /mnt
options: user=%(DOMAIN_USER)

This is the last step to homologate SUSE for us. Do you guys have any kind of help to give me?

Let’s first ask a question;

  • Do you want the mount to be mounted when a user logs into the system
    or
  • Do you want the mount to be constantly available and automounted on system startup?

The problem with the first one is that pam_mount is incompatible with OpenSSH’s privilege separation and you have to disable that in order for it to work, and I find it a “poor solution”.

@Miuku

I want the mount to be mounted at the login of the user. That’s because I need the permissions from the samba-ad to work with my linux workstations.

Do I have to disable the OpenSSH separation?

I thought that I just had to configure the EXPERT SETTINGS correctly to do the auto mount.

Using AutoFS to mount the share ‘on demand’ might be a good fit here.

https://doc.opensuse.org/documentation/leap/reference/html/book.opensuse.reference/cha.autofs.html

I agree with Deano, autofs would be a better idea but it would require you to save your credentials locally in a file only the root can read.

In short you could do something like this;

  • install autofs package
  • edit /etc/auto.master and add before the +auto.master something like;
        /mnt /etc/windows.mount --timeout=60

Then create /etc/windows.mount file with this in it:

mountname    -fstype=cifs,ro,domain=yourdomain.com,credentials=/etc/samba/my.creds ://your.windows.server/mount

mountname here refers to what it will create in /mnt/mountname

Then create /etc/samba/my.creds and make sure it only contains

username=usernametouseformount
password=userspasswordthatyouspecified

Make sure the file is root.root and 600

Start autofs; systemctl start autofs

It will then mount the windows mount whenever the user enters that directory via shell or a GUI program.

Note, this will only be useful in a system where the local user does not have root permissions and cannot read your password file. If that is not the case, you need to look for alternative solutions such as disabling privilege separation.
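The procedure from the post above, written out as an added shell example (this is not Miuku’s code and not part of the openSUSE documentation): it lays down the master map entry, the CIFS map and the credentials file under a chosen configuration root, then checks that the credentials file is root-owned and mode 0600, which is the property the whole approach depends on. The server, share, domain and account names are placeholders; the `write_autofs_cifs`, `check_creds` and `map_location` functions are assumptions of this example, not tools that exist on the system.

```shell
#!/bin/sh
# Added example: generate the autofs/CIFS configuration described above and
# verify the credentials file permissions. Every server/share/account value
# below is a placeholder to be replaced; nothing here is taken from a real site.

# write_autofs_cifs ROOT MOUNTNAME SERVER SHARE DOMAIN USER PASS
# ROOT is normally /etc; pass a scratch directory to try it without root.
write_autofs_cifs() {
    root=${1:-/etc}
    mountname=${2:-mountname}
    server=${3:-your.windows.server}
    share=${4:-mount}
    domain=${5:-yourdomain.com}
    user=${6:-usernametouseformount}
    pass=${7:-userspasswordthatyouspecified}

    mkdir -p "$root/samba" || return 1
    master="$root/auto.master"
    map="$root/windows.mount"
    creds="$root/samba/my.creds"
    entry="/mnt $map --timeout=60"

    # 1. master map: the /mnt line must come before the +auto.master include,
    #    otherwise the included (possibly empty) maps are consulted first.
    if [ -f "$master" ] && grep -q '^[+]auto\.master' "$master"; then
        awk -v e="$entry" '/^[+]auto\.master/ && !done { print e; done=1 } { print }' \
            "$master" > "$master.tmp" && mv "$master.tmp" "$master"
    else
        printf '%s\n' "$entry" >> "$master"
    fi

    # 2. the map: key, mount options, location. The location keeps the leading
    #    ':' so autofs does not treat '//' as a host:path style NFS location.
    printf '%s\n' "$mountname -fstype=cifs,ro,domain=$domain,credentials=$creds ://$server/$share" > "$map"

    # 3. credentials: written under umask 077 so the file is never readable by
    #    others, not even between creation and the chmod.
    (umask 077; printf 'username=%s\npassword=%s\n' "$user" "$pass" > "$creds")
    chmod 600 "$creds"
    # chown only works as root; as root the file must end up root:root.
    [ "$(id -u)" -eq 0 ] && chown root:root "$creds"
    return 0
}

# check_creds FILE [OWNER]: succeeds only if FILE is mode rw------- and owned
# by OWNER (default root). An ACL '+' or SELinux '.' suffix on the mode is allowed.
check_creds() {
    f=$1; owner=${2:-root}
    [ -f "$f" ] || return 1
    set -- $(ls -ld "$f")
    case $1 in
        -rw-------*) ;;
        *) return 1 ;;
    esac
    [ "$3" = "$owner" ]
}

# map_location MAPFILE KEY: prints the location field for KEY, i.e. what
# autofs would mount under /mnt/KEY.
map_location() {
    awk -v k="$2" '$1 == k { print $NF }' "$1"
}

# Usage: sh this.sh /etc (as root), or sh this.sh /tmp/autofs-test to preview.
if [ -n "$1" ]; then
    if write_autofs_cifs "$1" && check_creds "$1/samba/my.creds"; then
        echo "ok: $1/samba/my.creds is root-owned and 0600"
    else
        echo "check failed: $1/samba/my.creds is not root-owned 0600"
    fi
fi
```

Running it against a scratch directory as an ordinary user is enough to see the generated files; the final ownership check only passes when the script is run as root, which is exactly the point of Miuku’s "root.root and 600" remark.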

@miuku

Autofs did not solve my problem because I need the share to be mounted, with the AD user permissions, but at a specific path. My ERP needs it to be mounted, with the user permissions, to work properly.

That’s why I was trying to do this using WINDOWS DOMAIN MEMBERSHIP from SUSE.

If the only way is to use fstab or autofs, those solutions are not integrated with AD, so it’s not worth using them in our environment because we need this integration.

One thing I need to know before I draft you a quick how-to is whether you need this functionality when logging in locally with a graphical user interface or via SSH?

And if you need it locally after logging via a login manager, do you use GNOME or KDE?

@miuku

It’s in graphical settings.

I use XFCE for those

The following guide may be of some value here:
https://doc.opensuse.org/documentation/leap/security/html/book.security/cha.security.ad.html

If you’re supporting more than just a couple Linux clients in an AD, you should consider installing an AD Linux extension like Centrify or Likewise Open.
Then, you should be able to configure your client machines centrally, using common AD objects like GPO.

TSU