Tutorial OMV 0.4 or 0.5 - howto join windows 2008R2 active directory

    • Re: tutorial - howto join windows 2008R2 active directory

      Hi dethegeek,
it's really great that you are still thinking about my problem even though it has been some days (or weeks?) since I posted it.

      I can no longer check whether the usernames are identical in both fields you mentioned, because I renamed the user "fafnir" some time ago, and I really don't remember whether there was a difference between the two fields in the user properties in AD. Maybe in one of the fields the username was written with a capital "F" and in the other one not, but I don't know for sure; if there was a difference, it was a really small one, like capitalization.

      I tried to access the personal folder of the renamed user "fafnir" (now named "hans"), which was newly created on OMV, and what should I tell you? It works. This evening I will rename the user back to "fafnir" and check the accessibility of his personal folder (I will delete the old one first).

      I will post the result later. Thanks again for your persistence.
    • Re: tutorial - howto join windows 2008R2 active directory

      Hi again,

yesterday I renamed the user back to "fafnir" and tried again. After deleting the existing folder "fafnir" on OMV, I logged in as user "fafnir".

      The situation remains the same: all shared folders on OMV are accessible to the user without entering a username and password, but when trying to open his personal folder "fafnir", the familiar Windows 7 credentials dialog pops up and that's it. As before, this user has no access to his personal folder, because the username and password are not accepted.

      The username is written identically in both relevant fields of the properties tab in AD.

      It's very strange.
    • Re: tutorial - howto join windows 2008R2 active directory

      Hi WiiFriik

I created on my DC a user with a different SAMAccountName and UserPrincipalName:
      UserPrincipalName = testa
      SAMAccountName = testb

      I tried to log in with this account on my Windows 7 computer. I cannot log in as testa, but I can log in as testb. Once logged in, I can see, navigate and open files in the Documents folder, located on OpenMediaVault. This shows that the login name is the SAMAccountName, even when using a Windows version newer than Windows 2000.

      In OMV I can see the home folder for testb, and using the getent command, OMV shows that the user is testb, not testa. This confirms that OMV (and Samba 3) uses the SAMAccountName.

      getfacl on the home directory gives the following result:

Source Code

      # file: .
      # owner: testb
      # group: utilisateurs\040du\040domaine
      user::rwx
      group::---
      other::---
      default:user::rwx
      default:group::---
      default:other::---


I then renamed my test user to something completely different: renameduser. Both SAMAccountName and UserPrincipalName now contain this exact string.

      When I open a session on Windows 7, I see that the user can open his documents on OMV. However, I did not delete the testb folder on OMV, so the documents remain in a share named testb (as I can see with a right click on Documents > Properties in the Start menu). In OMV a new home directory renameduser appeared, but it is useless because the folder redirection still points to testb.

      This behavior is due to the profile stored in Windows 7. In the profile, the folder redirection for Documents points to the share named testb; this setting does not change when a user is renamed.

      I tried to log in as renameduser (the new name for testb) on Windows 7. I saw that the desktop took a while to appear. A right click on Documents to check the redirection took a long time to show the context menu. In the properties, I saw that Documents is not redirected (there is only the public documents folder; the share on OMV is not in the list).

      I tried to open the share testb on OMV and Windows complains there is a problem accessing this share. However, I don't get any popup to enter my credentials.

      Opening the share renameduser works fine.

      I was expecting the credentials popup, but getting a different behavior suggests that the share jam I created is not an exact reproduction of your problem. However, there is probably something to learn here.

      Do you remember how the SAMAccountName of your user was set when you logged in with this account for the first time? I also need to know your Windows version. (Windows XP may ask for credentials in the above scenario, and behave differently from Windows 7.)
      Files
      • DC account.png

      My wiki : http://howto-it.dethegeek.eu.org

      = latest setup =
      proxmox VE 5 hypervisor back to my good C2D setup
      guests : OpenWRT (VM), OMV 3 (VM), Samba 4 domain controller (LXC)
      OMV alive since 2011 I guess : never crashed, always upgraded : stronger than my hard drives.

Searching for a P2P online storage solution : must be open source, client side encrypted, quota support. Tahoe LAFS is the nearest, but is lacking quota. Would be perfect to build an OMV-based, anonymous online storage for backups
    • Re: tutorial - howto join windows 2008R2 active directory

      Hi dethegeek,

I'm using Windows 7 Ultimate and the user was always named fafnir (afaik); maybe in the beginning I wrote it "Fafnir", with a capital F. I don't know whether the check on the user name is case sensitive.
      I do not really remember, because this is one of the "oldest" users.

      Why you are not asked to enter the credentials I don't know; maybe this is because you have redirected the home folders to OMV.
      I haven't done that yet, because at the moment I'm spending my limited time on finding a solution for the offline-logon problem.
      The W2k8 server is not running all the time (it's only a private network for my family and me, and the machine need not run 24/7), and I need a way to log in on OMV even when the server is offline, to access the users' private folders on OMV. Once I have found a solution for that, I will also redirect the user folders to OMV (at the moment I'm using local folders for all users on all workstations, notebooks, etc.), but that is the second step.

      By the way, you posted a link for further reading on the issue of "offline logon":

      The following may be a good start cwiki.apache.org/DIRxINTEROP/co ... idmap.html

      but when trying to access this page, I get a message that the page is not found.

      I found several tutorials and descriptions about offline logon, but so far it is not working; I'm still trying.

      In this context there is another strange thing: I have a media player, which also has access to the OMV Samba shares for playing videos and music tracks. When the W2k8 server is down, I can still access the shares on OMV with this media player. Even if I restart OMV and the media player, access to the Samba shares on OMV keeps working (server is down). I'm using an AD user for logging in with the media player and it works, even without the server. When trying to access the Samba shares on OMV with a W7 client, the credentials window pops up. Networking is driving me crazy. :?
    • Re: tutorial - howto join windows 2008R2 active directory

      Hi WiiFriik

About the ability to log on when your DC is turned off, you may try this (I'm reading samba.org/samba/docs/man/manpages-3/smb.conf.5.html)

      In your OMV, add the following to Extra Options in the SAMBA service to enable caching for 24 hours and enable offline logon:

Source Code

      # let winbind use its cached credentials when the DC is unreachable
      winbind offline logon = true
      # keep winbind's cached lookups for 24 hours (value in seconds)
      winbind cache time = 86400


I don't have enough time for now to investigate more. I hope this will be sufficient to help you with offline logons.
    • Re: Tutorial - howto join windows 2008R2 active directory

      Hi

I'm using ACLs without any issue.
      Can you give more details please ?

      Did you add your user from your Domain Controller ?
    • Re: Tutorial - howto join windows 2008R2 active directory

      Did you add your user from your Domain Controller ?

yes ... joined my domain, got Kerberos tickets, user list, group list ... everything looks ok ...

      btw ... the DC is a 2008R2, the client a WIN8PRO ...

      I can see the users in the ACL editor ... nowhere else ...
      In the user list they're shown as "domain\user"
      After adding them to an ACL, the users are shown as "domain\134user"

      what's the "134" !?!?
      looks like something went wrong during config ...

      btw ... is it normal that I can't add local users to the system? Got an error while creating them ...
      running OMV 2.2.1
      with : SnapRAID - AUFS - TVheadend
    • Re: Tutorial - howto join windows 2008R2 active directory

I guess you're editing ACLs from your Windows 8 Pro. If I remember correctly I tried this but it does not work. You must edit ACLs from OMV's web interface. I did not work on this feature because it is useless for me.

      I am no longer using this howto for my setup because I have Linux too. Some weeks ago I wrote another tutorial to add NFS support. A few minutes ago I tried to edit ACLs from Windows 7 on a subfolder located in my home directory. This seems to be working: after saving my settings, closing and reopening the dialog, the new settings remain. I also checked in my filesystem: getfacl shows the entry I created. Nice!

      If you're interested, have a look at the new tutorial: forums.openmediavault.org/viewtopic.php?f=3&t=2648

      It is working on OMV 0.5 (I did it on OMV 0.4 and upgraded a few days later)
    • Re: Tutorial - howto join windows 2008R2 active directory

      I guess you're editing ACL from tour Windows 8 pro.

nope ...
      everything's edited in the OMV interface ...

      there's no connection possible to the folder ...
      by entering \\omv in Explorer the password dialog pops up ... and I can't log in ...
    • Re: Tutorial - howto join windows 2008R2 active directory

      Hi

Is your Windows 8 computer a domain member?
      Is your OMV server a domain member too?

      You should see their accounts in the Users and Computers management console.

      Can you also re-check the following commands:
      getent passwd
      getent group

      Do these commands enumerate your AD users and groups?
    • Re: Tutorial - howto join windows 2008R2 active directory

      I can see the users in the ACL-Editor ... nowhere else ...
      In the user-list they're shown as "domain\user"
      After adding them to ACL, the users are shown as "domain\134user"

      what's the "134" !?!?
      looks like something went wrong while config ...


I did not pay attention to the above detail. Did you rename the user while testing or configuring OMV?

      try these commands :

Source Code

      id -u <user>                  # returns the UID winbind currently maps the user to
      net cache list | grep <UID>   # show the cached SID/UID entry for that UID
      net cache flush               # drop the winbind/net cache
      wbinfo -n <user>              # ask winbind for the user's SID again
      id -u <user>                  # should return the same UID as before the flush
      net cache list | grep <UID>   # and the same SID/UID entry

If you have an IDMAP corruption, the SID and UID before and after net cache flush should differ.

      Check when you edit an ACL that your user's name does not change.
    • Re: Tutorial - howto join windows 2008R2 active directory

      Yes, very strange. I'm thinking about creating a troubleshooting section.

On your previous installation, did you do any configuration before trying this one?
    • Re: Tutorial - howto join windows 2008R2 active directory

      On your previous installation, did you do any configuration before trying this one ?

nope ... just installed OMV 0.5 on Proxmox with one HD ...
      added one more and configured it as data store ...
      then activated SSH and logged in via PuTTY ...
      then apt-get update && apt-get upgrade ...

      then installed krb5-user krb5-clients libpam-krb5 winbind ...
      btw: this way no question about the Kerberos domain occurred!

      but I found my fault!

      before following your howto I had installed PBIS Open Edition to add the machine to the domain ...
      did this some times before ... -> download1.beyondtrust.com/Tech…s-Open-Edition/?Pass=True
      thought the last snapshot was from before this install! But it wasn't ;)
      so I ran into those errors ...

      now followed all instructions straight through on a newly installed VM and everything works as expected ...
    • Re: Tutorial - howto join windows 2008R2 active directory

When you install the Kerberos client, the system detects the realm of your network, if any. However, sometimes the detection may fail where I was expecting it to succeed. I did not investigate that because I was focused on my main objective. I did the complete process over 10 times to improve the howto and to be absolutely sure it will work flawlessly :)

      If you still have your snapshot, you may have a look at /etc/krb5.conf. I guess it has been changed. As PBIS is distributed as a package, it may change lots of things without your awareness.

      I'd like you to tell me whether you have been using OMV inside a Proxmox environment for a long time, because I'm thinking about it: it would be great to get rid of these hardware routers (had 2 hardware failures this year, and a try with OpenWRT as a VM works so fast!). Is your OMV running inside KVM or VZ?
    • Re: Tutorial - howto join windows 2008R2 active directory

stopped working on Proxmox because of slow data transfer rates between OMV (Samba share) and the WIN8 client ...

      started OMV on a mini-ITX system with an AsRock AMD E350M1 ...
      install from USB works fine ...
      after configuring Samba with a local user, I get transfer rates of about 100MB/sec ...
      after changing the config to krb/winbind and joining the domain, the transfer slowed down to ~ 30MB/sec ...

      tried from the DC, from a domain-member client and from a non-domain client ...
      something slows down the LAN speed ...

      found the solution!

      looks like I have problems with the socket options!
      after commenting them out with ";" the LAN speed is back to 100MB/sec!

      Source Code

      ;socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

      tried again with the following options ...

      TCP_NODELAY                                                    -> 100MB/sec
      TCP_NODELAY IPTOS_LOWDELAY                                     -> 100MB/sec
      TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192                      -> 30MB/sec
      TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=8192 SO_SNDBUF=8192       -> 30MB/sec
      TCP_NODELAY SO_RCVBUF=131072 SO_SNDBUF=131072                  -> 30MB/sec
      TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=131072 SO_SNDBUF=131072   -> 30MB/sec
      SO_RCVBUF=8192 SO_SNDBUF=8192                                  -> 30MB/sec
      SO_RCVBUF=131072 SO_SNDBUF=131072                              -> 30MB/sec

      the send/receive buffers slow down my LAN speed!
      don't know why ...

      helpful information about Samba tuning -> eggplant.pro/blog/faster-samba-smb-cifs-share-performance/

      for me it's fixed now ;)

      i'll give Proxmox a 2nd chance ;)

      i'll give proxmox a 2nd chance ;)
    • Re: Tutorial - howto join windows 2008R2 active directory

      Hi

      Very interesting !

I tried to change this setting, but with my Windows 7 I don't notice significant changes. I should try on long transfers rather than a few seconds (with a file > 1 GB). My download from OMV to my laptop is stable at around 45 MB/s (bytes, not bits).

      The laptop is a Core i7 QM, and OMV is still a Core 2 Duo... A change may happen because I need to switch to Proxmox to replace my dead router. I'll give it a try once this project is done.
    • Re: Tutorial - howto join windows 2008R2 active directory

      Hi dethegeek,
after a long time it's me again with another silly question:

      After integrating OMV into a Windows domain, should it still be possible to create local users?
      Because when I try, I always get a segmentation fault.

      Thanks in advance.