Can't see users in the WebGUI - "communication failure"

    • OMV 2.x

      Hi all,

      After almost a week of work on the LDAP plugin integration, I can get all the users that belong to my domain by typing "getent passwd", but the problem is that I get the following error when I try to open "ACL" in the "Shared folder" tab.
      Screenshot attached:


      My configuration is:

      /etc/samba/smb.conf

      Source Code

      #======================= Global Settings =======================
      [global]
      workgroup = MY
      server string = %h server
      dns proxy = no
      log level = 0
      syslog = 0
      log file = /var/log/samba/log.%m
      max log size = 1000
      syslog only = yes
      panic action = /usr/share/samba/panic-action %d
      encrypt passwords = true
      passdb backend = tdbsam
      obey pam restrictions = yes
      unix password sync = no
      passwd program = /usr/bin/passwd %u
      passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
      pam password change = yes
      socket options = TCP_NODELAY IPTOS_LOWDELAY
      guest account = nobody
      load printers = no
      disable spoolss = yes
      printing = bsd
      printcap name = /dev/null
      unix extensions = yes
      wide links = no
      create mask = 0777
      directory mask = 0777
      use sendfile = yes
      aio read size = 16384
      aio write size = 16384
      null passwords = no
      local master = yes
      time server = no
      wins support = no
      realm=MY.DOMAIN
      idmap uid = 16777216-33554431
      idmap gid = 16777216-33554431
      uid = 10000-20000
      gid = 10000-20000
      winbind cache time = 3600
      winbind enum users = yes
      winbind enum groups = yes
      winbind use default domain = yes
      winbind separator = +
      #======================= LDAP Settings =======================
      security = ads
      passdb backend = ldapsam:ldap://10.10.10.11:389
      ldap suffix = DC=my,DC=domain
      ldap admin dn = CN=adminuser,OU=Users,DC=my,DC=domain
      ldap user suffix = ou=Users
      ldap group suffix = ou=Groups
      ldap ssl = off
      ldap passwd sync = yes
      ldapsam:trusted = no
      #======================= Share Definitions =======================


      /etc/krb5.conf

      Source Code

      [libdefaults]
          default_realm = MY.DOMAIN
          # The following krb5.conf variables are only for MIT Kerberos.
          krb4_config = /etc/krb.conf
          krb4_realms = /etc/krb.realms
          kdc_timesync = 1
          ccache_type = 4
          forwardable = true
          proxiable = true
          # The following encryption type specification will be used by MIT Kerberos
          # if uncommented. In general, the defaults in the MIT Kerberos code are
          # correct and overriding these specifications only serves to disable new
          # encryption types as they are added, creating interoperability problems.
          #
          # The only time when you might need to uncomment these lines and change
          # the enctypes is if you have local software that will break on ticket
          # caches containing ticket encryption types it doesn't know about (such as
          # old versions of Sun Java).
          # default_tgs_enctypes = des3-hmac-sha1
          # default_tkt_enctypes = des3-hmac-sha1
          # permitted_enctypes = des3-hmac-sha1
          # The following libdefaults parameters are only for Heimdal Kerberos.
          v4_instance_resolve = false
          v4_name_convert = {
              host = {
                  rcmd = host
                  ftp = ftp
              }
              plain = {
                  something = something-else
              }
          }
          fcc-mit-ticketflags = true
      [realms]
          ATHENA.MIT.EDU = {
              kdc = kerberos.mit.edu:88
              kdc = kerberos-1.mit.edu:88
              kdc = kerberos-2.mit.edu:88
              admin_server = kerberos.mit.edu
              default_domain = mit.edu
          }
          MEDIA-LAB.MIT.EDU = {
              kdc = kerberos.media.mit.edu
              admin_server = kerberos.media.mit.edu
          }
          ZONE.MIT.EDU = {
              kdc = casio.mit.edu
              kdc = seiko.mit.edu
              admin_server = casio.mit.edu
          }
          MOOF.MIT.EDU = {
              kdc = three-headed-dogcow.mit.edu:88
              kdc = three-headed-dogcow-1.mit.edu:88
              admin_server = three-headed-dogcow.mit.edu
          }
          CSAIL.MIT.EDU = {
              kdc = kerberos-1.csail.mit.edu
              kdc = kerberos-2.csail.mit.edu
              admin_server = kerberos.csail.mit.edu
              default_domain = csail.mit.edu
              krb524_server = krb524.csail.mit.edu
          }
          IHTFP.ORG = {
              kdc = kerberos.ihtfp.org
              admin_server = kerberos.ihtfp.org
          }
          GNU.ORG = {
              kdc = kerberos.gnu.org
              kdc = kerberos-2.gnu.org
              kdc = kerberos-3.gnu.org
              admin_server = kerberos.gnu.org
          }
          1TS.ORG = {
              kdc = kerberos.1ts.org
              admin_server = kerberos.1ts.org
          }
          GRATUITOUS.ORG = {
              kdc = kerberos.gratuitous.org
              admin_server = kerberos.gratuitous.org
          }
          DOOMCOM.ORG = {
              kdc = kerberos.doomcom.org
              admin_server = kerberos.doomcom.org
          }
          ANDREW.CMU.EDU = {
              kdc = kerberos.andrew.cmu.edu
              kdc = kerberos2.andrew.cmu.edu
              kdc = kerberos3.andrew.cmu.edu
              admin_server = kerberos.andrew.cmu.edu
              default_domain = andrew.cmu.edu
          }
          CS.CMU.EDU = {
              kdc = kerberos.cs.cmu.edu
              kdc = kerberos-2.srv.cs.cmu.edu
              admin_server = kerberos.cs.cmu.edu
          }
          DEMENTIA.ORG = {
              kdc = kerberos.dementix.org
              kdc = kerberos2.dementix.org
              admin_server = kerberos.dementix.org
          }
          stanford.edu = {
              kdc = krb5auth1.stanford.edu
              kdc = krb5auth2.stanford.edu
              kdc = krb5auth3.stanford.edu
              master_kdc = krb5auth1.stanford.edu
              admin_server = krb5-admin.stanford.edu
              default_domain = stanford.edu
          }
          UTORONTO.CA = {
              kdc = kerberos1.utoronto.ca
              kdc = kerberos2.utoronto.ca
              kdc = kerberos3.utoronto.ca
              admin_server = kerberos1.utoronto.ca
              default_domain = utoronto.ca
          }
      [domain_realm]
          .my.domain = MY.DOMAIN
          my.domain = MY.DOMAIN
      [login]
          krb4_convert = true
          krb4_get_tickets = false


      /usr/share/openmediavault/mkconf/nsswitch

      Shell-Script

      #!/bin/sh
      #
      # This file is part of OpenMediaVault.
      #
      # @license http://www.gnu.org/licenses/gpl.html GPL Version 3
      # @author Volker Theile <volker.theile@openmediavault.org>
      # @copyright Copyright (c) 2009-2015 Volker Theile
      #
      # OpenMediaVault is free software: you can redistribute it and/or modify
      # it under the terms of the GNU General Public License as published by
      # the Free Software Foundation, either version 3 of the License, or
      # any later version.
      #
      # OpenMediaVault is distributed in the hope that it will be useful,
      # but WITHOUT ANY WARRANTY; without even the implied warranty of
      # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
      # GNU General Public License for more details.
      #
      # You should have received a copy of the GNU General Public License
      # along with OpenMediaVault. If not, see <http://www.gnu.org/licenses/>.
      set -e
      . /etc/default/openmediavault
      . /usr/share/openmediavault/scripts/helper-functions
      OMV_NSSWITCH_CONFIG=${OMV_NSSWITCH_CONFIG:-"/etc/nsswitch.conf"}
      # Render nsswitch.conf from the OMV config database: when the LDAP
      # service is disabled the classic "compat" sources are used, otherwise
      # files, winbind and ldap are consulted in that order.
      xmlstarlet sel -t \
        -i "//services/ldap/enable = '0'" \
          -o "passwd: compat" -n \
          -o "group: compat" -n \
          -o "shadow: compat" -n \
        -b \
        -i "//services/ldap/enable = '1'" \
          -o "passwd: files winbind ldap" -n \
          -o "group: files winbind ldap" -n \
          -o "shadow: files winbind ldap" -n \
        -b \
        -n \
        -o "hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4" -n \
        -o "networks: files" -n \
        -n \
        -o "protocols: db files" -n \
        -o "services: db files" -n \
        -o "ethers: db files" -n \
        -o "rpc: db files" -n \
        -n \
        -o "netgroup: nis" \
        ${OMV_CONFIG_FILE} | xmlstarlet unesc > ${OMV_NSSWITCH_CONFIG}


      /etc/nsswitch.conf

      Source Code

      passwd: files winbind ldap
      group: files winbind ldap
      shadow: files winbind ldap
      hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4
      networks: files
      protocols: db files
      services: db files
      ethers: db files
      rpc: db files
      netgroup: nis


      As I said, when I type "getent passwd" and "wbinfo -u" I am able to get a list of users that belong to my domain, but when I try to see those users in the WebGUI, I get the error I mentioned above.
      In addition, I added OMV_HTTPREQUEST_TIMEOUT=180000 to /etc/default/openmediavault, and set fastcgi_read_timeout 120s; in /etc/nginx/sites-available/openmediavault-webgui and /etc/nginx/sites-enabled/openmediavault-webgui.

      Please help!!!
    • subzero79 wrote:

      How many users are in the LDAP server?


      More than 1000 users..
      I've made an additional change of increasing the timeout in nginx to 480s, and currently I get the following error:


      I know that I have many users, maybe too many, but is there an option to change the Base DN to a specific OU? I already tried to change the Base DN in the LDAP plugin to a small OU, but the results didn't change.
    • Hi

      LDAP being very verbose, maybe you can work around it by using another backend in Samba. I suggest you try RID (without using the LDAP plugin). However, the UIDs and GIDs of your users may change after this setup. I strongly advise you to create a clean instance of OpenMediaVault to test it.

      By the way, I know nothing about the GUI internals of OMV. Can someone tell me how OMV works when it retrieves users and groups from the LDAP plugin?

      I also strongly believe it would make sense to create a plugin for OMV dedicated to other methods of using SAMBA against a domain controller. But I do not have time to work on it myself. I'm way too busy.
      My wiki : http://howto-it.dethegeek.eu.org

      = latest setup =
      proxmox VE 5 hypervisor back to my good C2D setup
      guests : OpenWRT (VM), OMV 3 (VM), Samba 4 domain controller (LXC)
      OMV alive since 2011 I guess : never crashed, always upgraded : stronger than my hard drives.

      Searching for a P2P online storage solution : must be open source, client side encrypted, quota support. Tahoe LAFS is the nearest, but is lacking quota. Would be perfect to build an OMV based, anonymous online storage for backups

    • dethegeek wrote:

      Hi

      LDAP being very verbose, maybe you can work around it by using another backend in Samba. I suggest you try RID (without using the LDAP plugin). However, the UIDs and GIDs of your users may change after this setup. I strongly advise you to create a clean…


      Hi Dethegeek,

      When you say "RID", do you mean another method of authentication against LDAP?
      Do you have a guide for RID and LDAP integration?
    • Hi

      Yes. However, there is no plugin for OpenMediaVault to make the task easier (as far as I know).

      The two other main backends are RID and AD.
      RID generates UIDs and GIDs from the SID in a predictable way. This ensures consistent UIDs and GIDs across domain members (if they all use the RID backend and the same ranges).

      AD needs you to store UIDs and GIDs in your directory. This is the current backend for my personal domain and another one I just set up this week for another entity. I prefer this because I have full control over these UIDs and GIDs.

      You have to set up your default realm in krb5.conf (I never had to edit other things in a single-domain environment).

      You have to set up your workgroup in OMV.

      You will have to use (and customize) the following in the SAMBA extra settings in OMV.

      All your groups in your AD MUST have a GID or getent group will not work (pre-built groups included). OMV seems to depend on getent group to enumerate groups in its UI.

      Source Code

      password server = *
      realm = INTRA.YOURDOMAIN.COM
      security = ads
      allow trusted domains = yes
      idmap config *:backend = tdb
      idmap config *:range = 3000-4000
      idmap config INTRA:backend = ad
      idmap config INTRA:range = 10000-19999
      idmap config INTRA:schema_mode = rfc2307
      ; If enabled, template homedir and template shell are ignored. They are set from the AD
      ;winbind nss info = rfc2307
      winbind expand groups = 2
      winbind use default domain = true
      winbind offline logon = false
      winbind enum users = yes
      winbind enum groups = yes
      winbind separator = /
      winbind nested groups = yes
      ;winbind normalize names = yes
      winbind refresh tickets = yes
      winbind reconnect delay = 5
      ;template primary group = users
      template shell = /bin/bash
      template homedir = /media/users/%D/%U
      # Performance improvements
      socket options = TCP_NODELAY
      client ntlmv2 auth = yes
      client use spnego = yes


      Try this snippet on a fresh OMV, and feel free to use it. Maybe this will help you to work around your timeout problem.
    • Hi again,

      As I recommended you to use the RID backend, you should read the documentation here:
      samba.org/samba/docs/man/manpages/idmap_rid.8.html

      As I have not tried this backend, I cannot give you a baked and working smb.conf. I think you will be able to build your setup from my AD backend config and the documentation: only a few line changes are needed.

      Please note also that you have to join the domain with
      net ads join -UAdministrator
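The "predictable" RID mapping dethegeek describes in the two posts above, as an added example that is not code from this thread or from Samba: it applies the idmap_rid rule ID = RID - BASE_RID + LOW_RANGE_ID to constructed SIDs, using the 10000-19999 range from his snippet, and shows why a SID whose RID falls outside the range never appears in getent passwd and why two members with different ranges disagree on UIDs. The SIDs and the range are assumptions for illustration.

```python
import re

# Constructed configuration: the range from the thread's
# "idmap config INTRA:range = 10000-19999"; base_rid is idmap_rid's
# optional "base_rid" setting, which defaults to 0.
RANGE_LOW, RANGE_HIGH = 10000, 19999
BASE_RID = 0

# Domain SIDs look like S-1-5-21-<a>-<b>-<c>-<RID>; the last part is the RID.
SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")


def rid_of(sid: str) -> int:
    """Return the relative identifier (last sub-authority) of a domain SID."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a domain SID: {sid}")
    return int(m.group(1))


def rid_to_id(sid, low=RANGE_LOW, high=RANGE_HIGH, base_rid=BASE_RID):
    """idmap_rid forward mapping: ID = RID - BASE_RID + LOW_RANGE_ID.
    Returns None when the result lies outside [low, high]; winbind
    refuses such mappings, so the account is simply missing from getent."""
    idnum = rid_of(sid) - base_rid + low
    return idnum if low <= idnum <= high else None


def id_to_rid(idnum, low=RANGE_LOW, high=RANGE_HIGH, base_rid=BASE_RID):
    """Reverse mapping (what winbind needs for ls -l / chown):
    RID = ID - LOW_RANGE_ID + BASE_RID, or None outside the range."""
    if not low <= idnum <= high:
        return None
    return idnum - low + base_rid


def map_domain(sids, **cfg):
    """Map a batch of SIDs; returns ({sid: id}, [unmappable sids]) so an
    admin can see which accounts a given range silently drops."""
    mapped, unmapped = {}, []
    for sid in sids:
        idnum = rid_to_id(sid, **cfg)
        if idnum is None:
            unmapped.append(sid)
        else:
            mapped[sid] = idnum
    return mapped, unmapped


# Constructed sample: Administrator (RID 500), Domain Users (RID 513), a
# normal user (RID 1105) and an account created after 12000 other objects.
SAMPLE_SIDS = [f"S-1-5-21-1111-2222-3333-{rid}" for rid in (500, 513, 1105, 12000)]
```

Running map_domain(SAMPLE_SIDS) maps the first three to 10500, 10513 and 11105 and reports the RID 12000 account as unmappable; passing low=20000, high=29999 instead yields 20500 for the same Administrator SID, which is the inconsistency dethegeek warns about when members use different ranges.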