How to set up SLED 10 users' home directories on a Windows server
This document (3174947) is provided subject to the disclaimer at the end of this document.
Environment
Windows server with a share set up for each user's home directory
Active Directory
Situation
Resolution
On the Windows server the home directory for each user must already be created and shared. The share name must match the user's login ID.
In some cases the home directories are required to be "hidden" shares (the share name ends with a "$"). If this is the case then a few modifications to the following instructions will be required. See the "Hidden Shares" note below.
1. Install pam_mount
Open YaST-->Software-->Software Management. Search for "pam_mount" and verify it is installed (checked). If it is not, install it.
2. Configure /etc/security/pam_mount.conf
As the root user edit the file /etc/security/pam_mount.conf. Find the following line:
cifsmount /bin/mount -t cifs //%(SERVER)/%(VOLUME) %(MNTPT) -o "user=%(USER),uid=%(USERUID),gid=%(USERGID)%(before=\",\" OPTIONS)"
Remove the uid= and gid= entries so it looks like this:
cifsmount /bin/mount -t cifs //%(SERVER)/%(VOLUME) %(MNTPT) -o "user=%(USER)%(before=\",\" OPTIONS)"
At the end of the file add the following line:
volume * cifs & /home//& uid=&,dir_mode=0700,file_mode=0600,workgroup= - -
In the above line, can be the DNS name or IP address of the server with the users' home directory shares.
*****
NOTE: For Hidden Shares
If the home directories are required to be hidden shares ("$" on the end of the share name) then the following change will need to be made to the volume entry:
volume * cifs &\$ /home//& uid=&,dir_mode=0700,file_mode=0600,workgroup= - -
The "\$" must be added to the parameter that identifies the share name. The "\" is the escape character which indicates to take the following character literally and not interpret it.
*****
In the parameter "/home//&" is the NetBIOS name of your domain. It is possible to change the default home directory path to exclude the domain name by changing this entry to "/home/&" and also modifying the file /etc/samba/smb.conf and changing the following entry:
template homedir = /home/%D/%U
to
template homedir = /home/%U
If you make this change, be aware that running Windows Domain Membership in YaST (under Network Services) again will change this setting back to the default, which includes the %D (for domain).
Also, at the end of this line be sure to include the two dashes separated by spaces " - -".
3. Configure /etc/pam.d/common-auth
As root edit the file /etc/pam.d/common-auth. The file will have the following entries:
auth required pam_env.so
auth required pam_unix2.so
Append "use_first_pass" after "pam_unix2.so".
Add a line just above the "pam_unix2.so" line with the entry "auth required pam_mount.so". The entries should now look like this:
auth required pam_env.so
auth required pam_mount.so
auth required pam_unix2.so use_first_pass
4. Configure /etc/pam.d/common-session
As root edit the file /etc/pam.d/common-session. The file will have the following entries:
session required pam_limits.so
session required pam_unix2.so
There may also be an entry for "session optional pam_mkhomedir.so". If it is there, remove it.
Add a line at the bottom with the entry "session optional pam_mount.so". The entries should now look like this:
session required pam_limits.so
session required pam_unix2.so
session optional pam_mount.so
5. Configure /etc/samba/smb.conf
As root edit the file /etc/samba/smb.conf. At the end of the "[global]" section add a line with the following entry:
winbind use default domain = yes
6. Restart and Test
The system can be rebooted, or as root just run "rcwinbind restart" and then log out of the desktop and log back in as one of the Active Directory users.
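The edits from steps 2 to 5 can be checked with a small script before testing a login. This is an added example, not part of the original SUSE document; the function names and the optional root-prefix argument are assumptions of this example.

```shell
#!/bin/sh
# Added example: verify the edits from steps 2-5 under an optional root prefix.
# Function names and the prefix argument are assumptions of this example.

# Print the line number of the first line in <file> matching an ERE, or nothing.
first_line() {  # first_line <file> <regex>
    grep -nE "$2" "$1" 2>/dev/null | head -n 1 | cut -d: -f1
}

check_pam_mount_setup() {
    root="${1:-}"
    rc=0
    fail() { echo "FAIL: $*" >&2; rc=1; }

    auth="$root/etc/pam.d/common-auth"
    sess="$root/etc/pam.d/common-session"
    pmc="$root/etc/security/pam_mount.conf"
    smb="$root/etc/samba/smb.conf"

    # Step 3: pam_mount.so sits above pam_unix2.so, which carries use_first_pass.
    m=$(first_line "$auth" '^auth[[:space:]]+required[[:space:]]+pam_mount\.so')
    u=$(first_line "$auth" '^auth[[:space:]]+required[[:space:]]+pam_unix2\.so')
    [ -n "$m" ] && [ -n "$u" ] && [ "$m" -lt "$u" ] \
        || fail "common-auth: pam_mount.so must be listed above pam_unix2.so"
    grep -Eq '^auth[[:space:]].*pam_unix2\.so.*use_first_pass' "$auth" 2>/dev/null \
        || fail "common-auth: pam_unix2.so lacks use_first_pass"

    # Step 4: pam_mkhomedir.so removed, pam_mount.so present in the session stack.
    grep -Eq '^session[[:space:]].*pam_mkhomedir\.so' "$sess" 2>/dev/null \
        && fail "common-session: pam_mkhomedir.so is still enabled"
    grep -Eq '^session[[:space:]]+optional[[:space:]]+pam_mount\.so' "$sess" 2>/dev/null \
        || fail "common-session: pam_mount.so entry missing"

    # Step 2: cifsmount without uid=/gid=; the volume line keeps the 0700/0600
    # modes and ends with the two dashes.
    grep -E '^cifsmount[[:space:]]' "$pmc" 2>/dev/null | grep -Eq '[",](uid|gid)=' \
        && fail "pam_mount.conf: cifsmount still passes uid=/gid="
    grep -E '^volume[[:space:]].*[[:space:]]-[[:space:]]+-[[:space:]]*$' "$pmc" 2>/dev/null \
        | grep 'dir_mode=0700' | grep -q 'file_mode=0600' \
        || fail "pam_mount.conf: volume line missing modes or trailing ' - -'"

    # Step 5: setting present (this check does not confirm it sits in [global]).
    grep -Eiq '^[[:space:]]*winbind use default domain[[:space:]]*=[[:space:]]*yes' "$smb" 2>/dev/null \
        || fail "smb.conf: 'winbind use default domain = yes' not set"

    return "$rc"
}
```

Source the file and run check_pam_mount_setup with no argument as root to check the live files; each FAIL line names the file to revisit.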
Additional Information
Disclaimer
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID: 3174947
- Creation Date: 13-Sep-2007
- Modified Date: 03-Mar-2020
- SUSE Linux Enterprise Desktop
For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com