How to set up SLED 10 users' home directories on a Windows server

This document (3174947) is provided subject to the disclaimer at the end of this document.

Environment

SUSE Linux Enterprise Desktop 10
Windows server with a share set up for each user's home directory
Active Directory

Situation

Users are authenticating to the SUSE Linux Enterprise Desktop 10 (SLED 10) system through Active Directory. All users' home directories exist on a Windows server. No home directories exist on the local SLED 10 system.

Resolution

The following instructions assume that you have already configured the Windows Domain Membership (YaST-->Network Services-->Windows Domain Membership) and are able to authenticate through Active Directory.

On the Windows server, each user's home directory must already be created and shared. The share name must match the user's login ID.

In some cases the home directories are required to be "hidden" shares (the share name ends with a "$"). If this is the case, a few modifications to the following instructions are required. See the "Hidden Shares" note below.

1. Install pam_mount

Open YaST-->Software-->Software Management. Search for "pam_mount" and verify it is installed (checked). If it is not, install it.

2. Configure /etc/security/pam_mount.conf

As the root user edit the file /etc/security/pam_mount.conf. Find the following line:

cifsmount /bin/mount -t cifs //%(SERVER)/%(VOLUME) %(MNTPT) -o "user=%(USER),uid=%(USERUID),gid=%(USERGID)%(before=\",\" OPTIONS)"

Remove the uid= and gid= entries so it looks like this:

cifsmount /bin/mount -t cifs //%(SERVER)/%(VOLUME) %(MNTPT) -o "user=%(USER)%(before=\",\" OPTIONS)"

At the end of the file add the following line:

volume * cifs & /home//& uid=&,dir_mode=0700,file_mode=0600,workgroup= - -

In the above line, can be the DNS name or IP address of the server with the users home directory shares.

*****
NOTE: For Hidden Shares
If the home directories are required to be hidden shares ("$" on the end of the share name) then the following change will need to be made to the volume entry:

volume * cifs &\$ /home//& uid=&,dir_mode=0700,file_mode=0600,workgroup= - -

The "\$" must be added to the parameter that identifies the share name. The "\" is the escape character which indicates to take the following character literally and not interpret it.
*****

In the parameter "/home//&" is the NetBIOS name of your domain. It is possible to change the default home directory path to exclude the domain name by changing this entry to "/home/&" and also modifying the file /etc/samba/smb.conf and changing the following entry:

template homedir = /home/%D/%U

to

template homedir = /home/%U

If you choose to make this change, be aware that if the Windows Domain Membership module in YaST under Network Services is run again, it will change this setting back to the default, which includes the %D (for domain).

Also, be sure to end the volume line with the two dashes separated by spaces: " - -".

3. Configure /etc/pam.d/common-auth

As root edit the file /etc/pam.d/common-auth. The file will have the following entries:

auth required pam_env.so
auth required pam_unix2.so

Append "use_first_pass" after "pam_unix2.so".

Add a line just above the "pam_unix2.so" line with the entry "auth required pam_mount.so". The entries should now look like this:

auth required pam_env.so
auth required pam_mount.so
auth required pam_unix2.so use_first_pass

4. Configure /etc/pam.d/common-session

As root edit the file /etc/pam.d/common-session. The file will have the following entries:

session required pam_limits.so
session required pam_unix2.so

There may also be an entry for "session optional pam_mkhomedir.so". If it is there, remove it.

Add a line at the bottom with the entry "session optional pam_mount.so". The entries should now look like this:

session required pam_limits.so
session required pam_unix2.so
session optional pam_mount.so

5. Configure /etc/samba/smb.conf

As root edit the file /etc/samba/smb.conf. At the end of the "[global]" section add a line with the following entry:

winbind use default domain = yes

6. Restart and Test

The system can be rebooted, or as root just run "rcwinbind restart", and then log out of the desktop and log back in as one of the Active Directory users.
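
The checks below are an added example, not part of the original SUSE document: a shell script that verifies the end state of steps 2 through 5 (the cifsmount line, the PAM module order in common-auth, the common-session entries and the smb.conf directive). The function names and the sample tree are constructed for illustration; the file paths are the ones named in the steps above.

```shell
#!/bin/sh
# Added example (not SUSE code): checks the edits from steps 2-5.
# Each function takes a file path and returns 0 when the step is in place.

check_cifsmount() {   # step 2: uid=/gid= removed from the cifsmount line
    line=$(grep '^cifsmount' "$1") || return 1
    case $line in
        *'uid=%(USERUID)'*|*'gid=%(USERGID)'*) return 1 ;;
    esac
    return 0
}

check_auth() {        # step 3: pam_mount.so above pam_unix2.so use_first_pass
    awk '$1 == "auth" && $3 == "pam_mount.so" && !mount { mount = NR }
         $1 == "auth" && $3 == "pam_unix2.so" { unix = NR; ufp = ($0 ~ /use_first_pass/) }
         END { exit !(mount && unix && mount < unix && ufp) }' "$1"
}

check_session() {     # step 4: pam_mount.so present, pam_mkhomedir.so gone
    awk '$1 == "session" && $3 == "pam_mount.so"     { mount = 1 }
         $1 == "session" && $3 == "pam_mkhomedir.so" { mkhome = 1 }
         END { exit !(mount && !mkhome) }' "$1"
}

check_smb() {         # step 5: directive must sit inside [global]
    awk '/^[ \t]*\[/ { g = (tolower($0) ~ /^[ \t]*\[global\]/); next }
         g && tolower($0) ~ /^[ \t]*winbind use default domain[ \t]*=[ \t]*yes[ \t]*$/ { ok = 1 }
         END { exit !ok }' "$1"
}

verify_all() {        # $1 = filesystem root; "" checks the live /etc
    rc=0
    check_cifsmount "$1/etc/security/pam_mount.conf" || { echo "FAIL step 2"; rc=1; }
    check_auth      "$1/etc/pam.d/common-auth"       || { echo "FAIL step 3"; rc=1; }
    check_session   "$1/etc/pam.d/common-session"    || { echo "FAIL step 4"; rc=1; }
    check_smb       "$1/etc/samba/smb.conf"          || { echo "FAIL step 5"; rc=1; }
    return $rc
}

make_sample() {       # constructed tree holding the end state of each step
    mkdir -p "$1/etc/security" "$1/etc/pam.d" "$1/etc/samba"
    printf '%s\n' 'cifsmount /bin/mount -t cifs //%(SERVER)/%(VOLUME) %(MNTPT) -o "user=%(USER)%(before=\",\" OPTIONS)"' > "$1/etc/security/pam_mount.conf"
    printf '%s\n' 'auth required pam_env.so' 'auth required pam_mount.so' 'auth required pam_unix2.so use_first_pass' > "$1/etc/pam.d/common-auth"
    printf '%s\n' 'session required pam_limits.so' 'session required pam_unix2.so' 'session optional pam_mount.so' > "$1/etc/pam.d/common-session"
    printf '%s\n' '[global]' 'winbind use default domain = yes' > "$1/etc/samba/smb.conf"
}

tmp=$(mktemp -d) && make_sample "$tmp" && verify_all "$tmp" && echo "sample tree passes"
rm -rf "$tmp"
```

To check the SLED system itself rather than the sample tree, call verify_all "" so the paths resolve under the real /etc.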


Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID: 3174947
  • Creation Date: 13-Sep-2007
  • Modified Date: 03-Mar-2020
    • SUSE Linux Enterprise Desktop
