LinuxQuestions.org
Old 02-01-2011, 10:29 AM   #1
quique.costa
LQ Newbie
 
Registered: Jan 2008
Posts: 9

Rep: Reputation: 2
Linux client on a Samba Domain (PDC)


I'm configuring a classroom based on Linux (just Linux, without Windows) with user mobility.
What I want is for any student to use their own 'username/password' on any computer, getting their own data, without having to define every user on every computer.

As Samba is very useful, even though I don't need Windows support, I decided to base the solution on Samba.

Right now I still have some problems and the solution doesn't work in my test environment.

Maybe I misunderstood some concepts and therefore I would like to get your help.

I defined a PDC (Samba 3.5 Domain Controller) on a Fedora 13 with 'homes', starting nmb and smb and it seems to work.

On an Ubuntu 10.10 Workstation I built a Samba 'Domain Member Server' starting nmb, smb and winbind.

First question: should I define 'homes' on this server or not? I assumed 'not' as the 'homes' you have to use are the ones defined on the PDC, not on the DMS.

Second question: does winbind run just on DMS? Not on the PDC too?

I defined the DMS 'machine' and some domain users on the PDC and I could 'join' the DMS to the PDC without any problem (join rpc ...)

From the workstation I can use smbclient, seeing a domain with two servers, one of which is the controller. I can connect to the home shares using the domain users which are authorized by the PDC.

On the DMS I paid attention to nsswitch.conf and the pam files, running 'pam-auth-update'. So 'wbinfo -u' provides a list of users on the domain, local users and domain users.

The problem arises when I try to connect from the session login screen on the workstation to 'mydomain\myuser'.
PDC validates the user, if the password is right, and I get connected but not to my PDC homes.

Instead I get some errors starting with:
'could not update ICEAuthority file /home/mydomain/myuser/.ICEAuthority'
It seems I'm in an empty space in an open but useless session which I can close later on.

Did I forget something?
Thanks in advance for your help
Quique
........................................................................
Hereafter you will see the short smb.conf reported by testparm

PDC
[global]
workgroup = TESO-DOM
server string = Samba Server Version %v
interfaces = lo, wlan0
bind interfaces only = Yes
log level = 2
log file = /var/log/samba/log.%m
max log size = 50
add user script = /usr/sbin/useradd "%u" -n -g users
delete user script = /usr/sbin/userdel "%u"
add group script = /usr/sbin/groupadd "%g"
delete group script = /usr/sbin/groupdel "%g"
delete user from group script = /usr/sbin/userdel "%u" "%g"
add machine script = /usr/sbin/useradd -n -c "Workstation (%u)" -M -d /nohome -s /bin/false "%u"
logon path =
domain logons = Yes
os level = 255
preferred master = Auto
domain master = Yes
dns proxy = No
wins support = Yes
hosts allow = 127., 192.168.1.
cups options = raw

[printers]
comment = All Printers
path = /var/spool/samba
printable = Yes
browseable = No

[netlogon]
path = /var/lib/samba/netlogon

[profiles]
path = /var/lib/samba/profiles
read only = No
create mask = 0600
directory mask = 0700

[homes]
read only = No
create mask = 0600
directory mask = 0700
browseable = No

DMS
[global]
workgroup = TESO-DOM
server string = Samba Server Version %v
interfaces = lo, wlan0, eth0
security = DOMAIN
log file = /var/log/samba/log.%m
max log size = 50
local master = No
dns proxy = No
wins server = 192.168.1.100
idmap uid = 10000-20000
idmap gid = 10000-20000
template shell = /bin/bash
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
winbind rpc only = Yes
hosts allow = 127., 192.168.1.
.............................................................
 
Old 02-01-2011, 06:51 PM   #2
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125

Rep: Reputation: 781
I don't have an answer to the questions you asked, but your description sounds like it might be a good fit for LDAP. There are how-to documents available discussing how to authenticate users against an LDAP database instead of local accounts. I believe that the home directories are then stored on the Samba server and can be accessed from any of the locations.
 
Old 02-02-2011, 02:32 AM   #3
quique.costa
LQ Newbie
 
Registered: Jan 2008
Posts: 9

Original Poster
Rep: Reputation: 2
Quote:
Originally Posted by Noway2
I don't have an answer to the questions you asked, but your description sounds like it might be a good fit for LDAP. There are how-to documents available discussing how to authenticate users against an LDAP database instead of local accounts. I believe that the home directories are then stored on the Samba server and can be accessed from any of the locations.
Thanks for your answer.
In fact I'm using tdbsam as the passdb backend.
It doesn't appear on the testparm report but in the smb.conf there is 'passdb backend = tdbsam'.

I found some info about PDC with LDAP but I tried to build a simpler solution as I will work with just about 10 workstations.
By the way, I thought that LDAP and tdb play the same role. Am I wrong?
Regards
 
Old 02-08-2011, 03:57 AM   #4
quique.costa
LQ Newbie
 
Registered: Jan 2008
Posts: 9

Original Poster
Rep: Reputation: 2
Well, after some googling and some more tests the point is that my Ubuntu DMS (Samba Domain Member Server) workstation doesn't mount the corresponding /home/dom-user which is on the PDC (also built on Samba).
The domain user is authorized by the PDC and I start a new session but without /home/dom-user, therefore getting a lot of errors. In such a situation I can even open a console and run commands as 'dom-user'.
How can I get my home mounted?
Is it a winbind responsibility? Something to do with 'logon home or path' parameters on smb?
Or is it a pam responsibility?
I have read something about pam_mount, so is this what I should configure?
Any help?
 
Old 02-10-2011, 06:45 AM   #5
quique.costa
LQ Newbie
 
Registered: Jan 2008
Posts: 9

Original Poster
Rep: Reputation: 2
I'm still working on the matter and I made some progress.

Things are going better after having put on '/etc/pam.d/common-session' the line:
session required pam_mkhomedir.so skel=/etc/skel/ umask=0027


Now, on the Ubuntu workstation, I can log-in using a 'user-domain' (which is not at all defined on this workstation).

I can run whatever program on my workstation storing new files.

BUT ... I'm not using the '/home/user-domain' directory defined on the PDC. Instead of that, I'm using a new '/home/user-domain' which has been automatically made on the workstation.

So, my problem still is how to use the PDC [homes] as my home directory. Therefore I would find the same data using any workstation.

Regards
 
Old 02-15-2011, 05:58 AM   #6
quique.costa
LQ Newbie
 
Registered: Jan 2008
Posts: 9

Original Poster
Rep: Reputation: 2
Hi again!

Really nobody knows, at least, if it is possible to use my [homes] on the PDC as my /home on the workstation?
And if it is possible where is the key point to get it?

Assumed that samba is working right on the PDC and on the Workstation and I already get access (I can mount/unmount it) to the [homes] share on the PDC.

Regards
 
Old 02-22-2011, 06:19 AM   #7
quique.costa
LQ Newbie
 
Registered: Jan 2008
Posts: 9

Original Poster
Rep: Reputation: 2
Hi!
After looking at several forums and reading some documents I made some progress.

Besides the solution based on pam_mkhomedir, which works but doesn't provide what I was looking for, the new solution is based on pam_mount.

On the DMS (Ubuntu 10.04) I had to:
  • install libpam-mount
  • modify /etc/pam.d/common-session
  • configure /etc/security/pam_mount.conf.xml

The result is:
  • when you log in for the first time on the DMS the system builds your home folder and mounts the PDC-home on it
  • when you log out the system tries to 'umount' the home but it gets a 'busy' error

The weak point is that, at least in my case, it works too slowly. Hopefully it may be improved.

Regards
Quique

Last edited by quique.costa; 02-24-2011 at 02:50 AM. Reason: I had misinterpreted the results.
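
A sketch of the pam_mount configuration that post #7 describes, added here as an example and not taken from the poster's files. PDC_HOST is a placeholder for the Samba PDC's name or address, the uid range is copied from the 'idmap uid' line of the DMS smb.conf in post #1, and the mount options and logout values are assumptions.

```xml
<?xml version="1.0" encoding="utf-8" ?>
<!-- /etc/security/pam_mount.conf.xml on the workstation (DMS).
     Assumes pam_mount.so is listed in /etc/pam.d/common-session,
     e.g.  session optional pam_mount.so
     and also in the auth stack, so it can reuse the login password
     instead of prompting for it again. -->
<pam_mount>

  <!-- Create the mount point at first login; keep it afterwards.
       pam_mkhomedir is not needed for users covered by the volume below. -->
  <mkmountpoint enable="1" remove="false" />

  <!-- Mount the user's own [homes] share from the PDC over the home
       directory that winbind reports ("~").
       uid="10000-20000" limits this to winbind-mapped domain users
       (the idmap range), so local accounts keep their local homes.
       nosuid,nodev: do not honour setuid bits or device nodes that
       live on a network share. -->
  <volume uid="10000-20000"
          fstype="cifs"
          server="PDC_HOST"
          path="%(USER)"
          mountpoint="~"
          options="nosuid,nodev" />

  <!-- At logout, signal processes of the session that still hold files
       on the volume, then wait (microseconds) before unmounting.
       Leftover session processes are a common cause of the 'busy'
       error on umount; the values here are assumed, not tuned. -->
  <logout wait="2000000" hup="1" term="1" kill="0" />

</pam_mount>
```

Because the home directory is mounted with the password typed at login, the share is only reachable for password-based logins; anything that authenticates without a password (for example SSH keys) gets no mounted home with this setup.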
 
  



Tags
pdc, samba




All times are GMT -5. The time now is 10:18 PM.
