LTSP and Samba Windows NT Domain

Dan MacDonald edited this page Dec 4, 2021 · 18 revisions

I succeeded in installing an LTSP test setup using our Samba DC for user authentication. I will describe here what I did to achieve that. Please note that my configuration is a test setup using a rather quick and dirty approach.

Ubuntu 20.04 and later have the option to join an Active Directory domain at install time. This uses sssd-ad in the background. This guide does not cover sssd-ad, which is what you would want for AD in production, but it can be quite involved to configure. In most cases LTSP administrators are recommended to use LDAPS via nslcd or sssd-ldap for authentication.

First you need a running LTSP server. When using the chrootless mode, you need to configure your server for user authentication using samba/winbind (you need that because the client is a clone of the server). When using a VM disk image you’ll need to configure your VM accordingly.

Then you need to use NFS to export the user homes (nfs -h1). I know that it is insecure, but so far I haven't found another solution.

In the next step, you need to disable pamltsp completely by creating an empty /etc/ltsp/client/init/54-pam.sh and running ltsp initrd.

Now, we have to face the problem that each client needs to join the samba domain on boot. To achieve this, I created a systemd service unit in /etc/systemd/system/ which starts a short script on boot to join the domain.

The systemd service unit (join.service):

```ini
[Unit]
Description=Join Domain
After=network-online.target winbind.service

[Service]
Type=simple
ExecStart=/usr/local/bin/join_domain.sh

[Install]
WantedBy=multi-user.target
```

Set proper permissions: `chmod 755 /etc/systemd/system/join.service`

Enable the unit:

```sh
systemctl enable join.service
```

This is the join_domain.sh script:

```sh
#!/bin/sh
# 'passwd' stands for the domain administrator's password, stored here in clear text.
# net reads it from stdin because stdin is not a terminal; -n avoids sending a trailing newline.
echo -n 'passwd' | net rpc join -U administrator
```

Set proper permissions, so that only root can read and execute: `chmod 700 /usr/local/bin/join_domain.sh`

This script contains the password of the domain administrator in clear, so this is a security issue. For a production environment I will have to find another solution, but at this point for testing purposes this works.
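As an added example (not code from the original page), here is a variant of join_domain.sh that keeps the password out of the script: it reads the password from a separate file that only its owner may read, refuses to run if that file is readable by others, and skips the join when the client already has a valid machine account. The secret path /etc/ltsp/join.secret and the use of `net rpc testjoin` are my assumptions, not something the page describes; the password is still fed to net on stdin, exactly as the one-liner above does.

```sh
#!/bin/sh
# Added example: keep the domain admin password in a separate, protected file
# instead of inside the script. Assumptions (not from the original page):
# the password is the only content of /etc/ltsp/join.secret, and net(8) reads
# the password from stdin when stdin is not a terminal, as the original relies on.
set -eu

SECRET_FILE="${SECRET_FILE:-/etc/ltsp/join.secret}"
JOIN_USER="${JOIN_USER:-administrator}"

# Return 0 only if the file is a regular file owned by the user running this
# script (root under systemd) and has no group/other permission bits, so a
# logged-in user on the client cannot read the domain admin password.
secret_is_protected() {
    f="$1"
    [ -f "$f" ] || return 1
    perms=$(stat -c '%a' "$f") || return 1
    owner=$(stat -c '%u' "$f") || return 1
    [ "$owner" = "$(id -u)" ] || return 1
    case "$perms" in
        600|400) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 if this client already has a valid machine account, so that a
# reboot does not re-join (and reset the machine password) needlessly.
already_joined() {
    net rpc testjoin >/dev/null 2>&1
}

join_domain() {
    if already_joined; then
        echo "already joined, nothing to do"
        return 0
    fi
    if ! secret_is_protected "$SECRET_FILE"; then
        echo "refusing to use $SECRET_FILE: must be owned by uid $(id -u) with mode 0600" >&2
        return 2
    fi
    # $(cat ...) strips the trailing newline and printf '%s' adds none, matching
    # the original 'echo -n'. The password never appears on a command line.
    printf '%s' "$(cat "$SECRET_FILE")" | net rpc join -U "$JOIN_USER"
}

# Only perform the join when run as the installed script, so the functions can
# be sourced or tested without touching the domain.
case "$0" in
    */join_domain.sh|join_domain.sh) join_domain ;;
esac
```

Create the secret with `install -m 600 -o root -g root /dev/null /etc/ltsp/join.secret` and write the password into it; the script exits with status 2 rather than joining if that file is ever left world-readable.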

I will try to find a better and more secure solution to implement user authentication using samba.