Saturday, December 19, 2015

Ubuntu: auto mount DFS shares on login

This tutorial shows you how to automatically mount users' home directories on login in Ubuntu when the shares to mount are in a DFS namespace.

Before you proceed, make sure you have joined the Ubuntu workstation to the Windows domain and configured the WINS client by following the Join Ubuntu 14 to Active Directory tutorial below. DFS uses WINS by default, so you need the WINS feature installed on some server.

First you need to install the following packages:

sudo apt-get install libpam-mount cifs-utils keyutils

In /etc/security/pam_mount.conf.xml add a volume tag for each share you want to mount for users automatically:

<volume user="*" sgrp="residents" fstype="cifs" server="your.domain.com" 
    path="data/users/%(USER)/documents" mountpoint="~/Documents"
    options="uid=%(USER),gid=100,dir_mode=0700">
</volume>

The parameters above are:

  • user: Limit the volume for specific users only. Wildcard (*) mounts the volume for all users, if no other filters are applied.
  • sgrp: Limit the volume to users who are members of the group identified by name. In my domain environment, all regular users are in a group called residents.
  • fstype: The filesystem type. Use cifs here to mount NTFS shares.
  • server and path: Here goes the full DFS path. If users' documents are in \\your.domain.com\Data\Users\%username%\Documents, put \\your.domain.com in server and data/users/%(USER)/documents in path. See the manpage link below to find a list of other variables.
  • mountpoint: This is where the share is mounted.
  • options: Here you can define some extra mount options. For example dir_mode sets the permissions of the mountpoint directory.

You can find more information about the config file in the pam_mount.conf(5) manpage.

Edit or add the following line in /etc/pam.d/common-session:

session optional pam_mount.so

Edit or add the following line in /etc/pam.d/common-auth:

auth optional pam_mount.so

Now when users log in, their documents are automatically mounted in ~/Documents.
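A check script for the setup above, added here as an example and not part of the original post. It assumes the file locations used in the post (pam_mount.conf.xml and the common-session / common-auth PAM stacks) and takes them as parameters, so it can be run against test copies; it reports the cases where pam_mount would silently skip the volume at login.

```shell
#!/bin/sh
# Added example, not from the original post: sanity checks for the
# pam_mount setup above, run as root before users start logging in.
# Assumptions: file paths as in the post; all paths are parameters so
# the functions can be pointed at test copies.
set -u

# Expand pam_mount's %(USER) placeholder the way pam_mount does at login.
expand_user() {  # expand_user <template> <username>
    printf '%s\n' "$1" | sed "s/%(USER)/$2/g"
}

# True if the PAM stack file has an active (uncommented) pam_mount.so line
# of the given type; a missing or commented line means nothing is mounted.
pam_has_mount() {  # pam_has_mount <file> <session|auth>
    grep -Eq "^[[:space:]]*$2[[:space:]]+optional[[:space:]]+pam_mount\.so" "$1"
}

# True if the user belongs to the group named in the volume's sgrp filter.
user_in_group() {  # user_in_group <user> <group>
    id -nG "$1" 2>/dev/null | tr ' ' '\n' | grep -qx "$2"
}

# List the path attribute of every <volume> element in pam_mount.conf.xml.
volume_paths() {  # volume_paths <pam_mount.conf.xml>
    grep -o 'path="[^"]*"' "$1" | sed 's/^path="//; s/"$//'
}

# Run all checks for one user; returns non-zero if the login mount would
# silently be skipped (pam_mount.so is "optional", so PAM will not complain).
check_setup() {  # check_setup <user> <sgrp group> <pam.d dir> <pam_mount.conf.xml>
    user=$1; group=$2; pamdir=$3; conf=$4; rc=0
    pam_has_mount "$pamdir/common-session" session || { echo "common-session: pam_mount.so missing"; rc=1; }
    pam_has_mount "$pamdir/common-auth" auth || { echo "common-auth: pam_mount.so missing"; rc=1; }
    user_in_group "$user" "$group" || { echo "$user not in group $group: volume filtered out"; rc=1; }
    volume_paths "$conf" | while read -r p; do
        echo "$user would mount share path $(expand_user "$p" "$user")"
    done
    return $rc
}
```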

Friday, December 18, 2015

Join Ubuntu 14 to Active Directory

This summer I worked at my university, where I got a great chance to get familiar with Linux. Naturally this got me thinking: could I deploy Ubuntu at home as well? This is how you join Ubuntu workstations to Active Directory and let users log on with their AD credentials.

First, let's install the necessary packages (one command, on a single line):

apt-get install winbind samba libnss-winbind libpam-winbind krb5-config krb5-locales krb5-user

Windows 2000 and later use Kerberos as the default authentication method. Kerberos is a computer network authentication protocol which works on the basis of 'tickets' to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner. (source: Wikipedia)

Now open /etc/krb5.conf in your favorite text editor (for example sudo nano /etc/krb5.conf) to configure the Kerberos settings. Append to the [libdefaults] section:

        default_realm = YOUR.DOMAIN.COM
        ticket_lifetime = 24000
        default_tgs_enctypes = rc4-hmac des-cbc-md5
        default_tkt_enctypes = rc4-hmac des-cbc-md5
        permitted_enctypes = rc4-hmac des-cbc-md5
        dns_lookup_realm = true
        dns_lookup_kdc = true
        dns_fallback = yes

Append to the [realms] section:

        YOUR.DOMAIN.COM = {
                kdc = your.domain.com:88
                default_domain = your.domain.com
        }

Append to the [domain_realm] section:

        .your.domain.com = YOUR.DOMAIN.COM
        your.domain.com = YOUR.DOMAIN.COM

Append the following sections:

[appdefaults]
        pam = {
                debug = false
                ticket_lifetime = 36000
                renew_lifetime = 36000
                forwardable = true
                krb4_convert = false
        }

[logging]
        default = FILE:/var/log/krb5libs.log
        kdc = FILE:/var/log/krb5kdc.log
        admin_server = FILE:/var/log/kadmind.log

Try to get a ticket as the AD administrator:

kinit Administrator@YOUR.DOMAIN.COM

Enter the admin password when prompted. Next, edit /etc/samba/smb.conf:

netbios name = COMPUTER_HOSTNAME
workgroup = YOUR
security = ADS
realm = YOUR.DOMAIN.COM
encrypt passwords = yes
idmap config *:backend = rid
idmap config *:range = 5000-100000
winbind allow trusted domains = no
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users  = yes
winbind enum groups = yes
winbind refresh tickets = yes
client ntlmv2 auth = yes

template shell = /bin/bash

wins server = WINS_SERVER_IP
name resolve order = lmhosts host wins bcast

I have a DFS that uses WINS, so I add the WINS server address here. You can omit that if you don't need WINS. Remove the default workgroup line that the one above replaces.

Edit the following lines in /etc/nsswitch.conf:

passwd:         compat winbind
group:          compat winbind
hosts:          files wins mdns4_minimal [NOTFOUND=return] dns

Join the computer to the domain, restart the services and update the PAM configuration:

net ads join -k

service winbind restart
service nmbd restart
service smbd restart

pam-auth-update

If you want home directories to be created automatically for new users, add the following line at the end of /etc/pam.d/common-account:

session required pam_mkhomedir.so skel=/etc/skel umask=0077

This gives users full access to their own home directories and no access to anyone else's. You also need to enable manual login so users can log in with their AD credentials. Add the following line to /usr/share/lightdm/lightdm.conf.d/50-ubuntu.conf:

greeter-show-manual-login=true

Now restart Ubuntu and try to log in with any AD account.
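A verification script for the krb5.conf and smb.conf edits in this post, added here as an example and not part of the original post. It assumes the smb.conf lines above sit under [global] (as in Ubuntu's shipped smb.conf) and takes both file paths as parameters; besides cross-checking the realm, security mode and KDC, it flags the DES and RC4 enctypes listed in [libdefaults], since DES is disabled by default in current MIT Kerberos and Active Directory and RC4 is deprecated, so a KDC configured to refuse them makes kinit and the join fail.

```shell
#!/bin/sh
# Added example, not from the original post: verify the krb5.conf and
# smb.conf edits above before running "net ads join -k".
# Assumptions: the smb.conf lines from the post are under [global]; both
# file paths are parameters so the functions can run against test copies.
set -u

# Read "key = value" from a [section] of an INI-style file. krb5.conf and
# smb.conf both use this layout; the nested { } realm block is flattened,
# which is enough for the single-word keys checked here.
ini_get() {  # ini_get <file> <section> <key>
    awk -v sec="[$2]" -v key="$3" '
        $1 == sec  { insec = 1; next }
        $1 ~ /^\[/ { insec = 0 }
        insec && $1 == key && $2 == "=" { sub(/^[^=]*=[ \t]*/, ""); print; exit }
    ' "$1"
}

# Print the enctypes from a list that current MIT Kerberos and Active
# Directory disable (DES) or deprecate (RC4); a KDC set to refuse them
# rejects the ticket request, so kinit and the domain join fail.
weak_enctypes() {  # weak_enctypes "<space separated enctype list>"
    printf '%s\n' $1 | grep -E '^des-|^rc4-' || true
}

# Cross-check the two files; non-zero means the join cannot succeed.
check_kerberos() {  # check_kerberos <krb5.conf> <smb.conf>
    krb=$1; smb=$2; rc=0
    realm=$(ini_get "$krb" libdefaults default_realm)
    samba_realm=$(ini_get "$smb" global realm)
    [ -n "$realm" ] || { echo "default_realm missing in $krb"; rc=1; }
    [ "$realm" = "$samba_realm" ] || { echo "realm mismatch: krb5 '$realm' vs smb.conf '$samba_realm'"; rc=1; }
    [ "$(ini_get "$smb" global security)" = "ADS" ] || { echo "smb.conf: security must be ADS"; rc=1; }
    [ -n "$(ini_get "$krb" realms kdc)" ] || { echo "$krb: no kdc listed under [realms]"; rc=1; }
    weak=$(weak_enctypes "$(ini_get "$krb" libdefaults default_tkt_enctypes)")
    [ -z "$weak" ] || echo "note: weak enctypes in default_tkt_enctypes: $(printf '%s ' $weak)"
    return $rc
}
```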