By "roaming profiles" I really mean "shared home directories".

So, I set up an AD pair, and shared a folder on \\ad-1\homes. Then set the AD user object to mount H:\ = \\ad-1\homes\%username%. This works fine on Windows (as you'd expect).

I also configured Folder Redirection on a GPO on the User's OU to point Documents at \\ad-1\homes\%username%\Documents and so on.

Everything works as you'd expect on Windows. Yay.

HOWEVER.

Linux is a different story. Using Winbind and Samba, I've joined the domain. No problem.

# wbinfo -u
PRODUCT\administrator
PRODUCT\guest
PRODUCT\krbtgt
PRODUCT\aa
PRODUCT\ab

I've edited the AD uidNumber and gidNumber so that I get this:

# wbinfo -i PRODUCT\\aa
PRODUCT\aa:*:10001:10000:aa:/home/PRODUCT/aa:/bin/bash

I naively thought I'd be able to mount \\ad-1\homes onto /home/$DOMAIN and, as the usernames are the same, I'd be able to use them as home directories.

Except, because the cifs share is mounted at boot, as root, the permissions are drwxr-xr-x root root all the way down the directory tree, so users can't write to them.

I've tried almost every combination of mount.cifs options, including the promising "multiuser", and found best results using sec=krb5i.

What I want is to be able to mount the \\ad-1\homes directory on top of /home/$DOMAIN, and have it look like

name           owner
aa/            DOMAIN\aa
ab/            DOMAIN\ab
administrator/ DOMAIN\administrator

and so on.

Does anyone know how this is achievable?

Windows 2008 R2, mounting on SLES 11 SP2.

Tom O'Connor

2 Answers

We're doing this with our Active Directory domain joined (winbind) Debian boxes. We use pam_mkhomedir to create a home folder under /home/EXAMPLE/$USER for AD users at logon. Then pam_mount performs the mounting of the AD home directory. On Debian, we needed to install libpam-mount; pam_mkhomedir was installed by default.

Once installed, the following files are modified:

/etc/security/pam_mount.conf.xml:

<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
<pam_mount>
<debug enable="0" />
<mntoptions allow="nosuid,nodev,loop,encryption,fsck,nonempty,allow_root,allow_other,workgroup,nosetuids,noexec,nosuid" />
<mntoptions require="nosuid,nodev" />
<logout wait="0" hup="0" term="0" kill="0" />
<mkmountpoint enable="1" remove="true" />
<!--
  Replace "fs1.ad.example.com" with your Windows file server.
  We mount our AD user homes under /home/EXAMPLE, change this to suit your needs.
  Edit "workgroup=EXAMPLE" to use your domain/realm.
-->
<volume fstype="cifs" server="fs1.ad.example.com" path="home/%(USER)" mountpoint="/home/EXAMPLE/%(USER)" user="*" options="workgroup=EXAMPLE,uid=%(USER),dir_mode=0700,file_mode=0700,nosuid,nodev" />
</pam_mount>

/etc/pam.d/common-session:

# <snip>
# We use pam to create the AD user home drives
session required        pam_mkhomedir.so skel=/etc/skel/ umask=0077
session optional        pam_mount.so nullok try_first_pass

For example, when I (FCSD\jscott) log on to a Linux box, my AD home folder \\staff\home\jscott is mounted as /home/FCSD/jscott.

jscott
  • @TomO'Connor Great, glad it was that simple. Just be aware that with this configuration certain files may behave in slightly unexpected ways. For instance .bash_history will save entries from each box a user logs onto. Per-user config files may not always be compatible when on Linux boxes with different app versions. If this becomes a problem, you can always edit the `mountpoint` option to mount the AD homeDirectory *under* the Linux user's home. *e.g.* /home/DOMAIN/username/AD_home – jscott May 04 '13 at 20:26
  • .bash_history is a hideous antiquated thing anyway, I tend to implement the http://www.debian-administration.org/articles/543 or similar hack. – Tom O'Connor May 04 '13 at 22:08
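An added sanity check, not part of jscott's answer or of pam_mount itself: it parses a pam_mount.conf.xml in the shape shown above and flags cifs volumes that would not keep a user's home private, i.e. ones missing the `mntoptions require` options, with dir_mode/file_mode that grant group or world access, mounted at a shared rather than per-user mountpoint, or lacking `uid=` (which leaves the files root-owned, as the question describes). The embedded config is a constructed sample that reuses the answer's placeholder server and domain.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the answer's /etc/security/pam_mount.conf.xml;
# the server, domain and paths are the answer's placeholders, not real hosts.
# The second volume is deliberately weak so the checker has something to flag.
SAMPLE_CONF = """<pam_mount>
<mntoptions require="nosuid,nodev" />
<volume fstype="cifs" server="fs1.ad.example.com" path="home/%(USER)"
        mountpoint="/home/EXAMPLE/%(USER)" user="*"
        options="workgroup=EXAMPLE,uid=%(USER),dir_mode=0700,file_mode=0700,nosuid,nodev" />
<volume fstype="cifs" server="fs1.ad.example.com" path="home/%(USER)"
        mountpoint="/mnt/shared" user="*"
        options="workgroup=EXAMPLE,dir_mode=0755,file_mode=0644,nodev" />
</pam_mount>
"""


def parse_options(opts):
    """Split a mount option string 'a,b=c' into {'a': None, 'b': 'c'}."""
    result = {}
    for item in filter(None, opts.split(",")):
        name, _, value = item.partition("=")
        result[name] = value or None
    return result


def check_pam_mount(xml_text):
    """Return (mountpoint, finding) tuples for cifs volumes that would
    expose a user's home directory to other local users."""
    root = ET.fromstring(xml_text)
    required = set()
    for m in root.iter("mntoptions"):
        required.update(filter(None, m.get("require", "").split(",")))
    findings = []
    for vol in root.iter("volume"):
        if vol.get("fstype") != "cifs":
            continue
        mp = vol.get("mountpoint", "")
        opts = parse_options(vol.get("options", ""))
        missing = required - set(opts)
        if missing:
            findings.append((mp, "missing required option(s): " + ",".join(sorted(missing))))
        for key in ("dir_mode", "file_mode"):
            mode = opts.get(key)
            # any group/other bit set means other local users can read the home
            if mode is None or int(mode, 8) & 0o077:
                findings.append((mp, f"{key} is not owner-only"))
        if "%(USER)" not in mp:
            findings.append((mp, "mountpoint is shared, not per-user"))
        if "uid" not in opts:
            findings.append((mp, "no uid= option, files will appear root-owned"))
    return findings
```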
I've never done what you're looking for, but I think the experimental CONFIG_CIFS_ACL is what you'd need if you want to do this with a single mount point. Otherwise, what @jscott is doing should work, albeit each user's home directory is a new mount point and ACLs within the home directory aren't going to work.

Evan Anderson