Tutorial OMV 0.4 or 0.5 - howto join windows 2008R2 active directory

  • Hi,


    Actually I tried several months ago to create a local user and I had the same error. I totally forgot about this because I had to do something else. I thought this was a problem due to an upgrade on my OMV. If you encounter the same error, I'm now thinking this is actually a bug.


    I just created a new Debian (7) server some days ago and it joined my domain with the exact same method I use for OMV. I tried to create a local user and it just worked.


    I'll try to deploy a Debian 6 and check the behavior of useradd. Stay tuned.

    My wiki : http://howto-it.dethegeek.eu.org


    = latest setup =
    proxmox VE 6 hypervisor on a J1900 CPU + 8GB RAM
    guests : OpenWRT (VM), OMV 5 (VM), Samba 4 domain controller (LXC)
    OMV alive since 2011 I guess : never crashed, always upgraded : stronger than my hard drives.


    Searching for a P2P online storage solution : must be open source, client side encrypted, quota support. Tahoe LAFS is the nearest, but is lacking quota. Would be perfect to build an OMV based, anonymous online storage for backups

  • Hi WiiFriik


    I finally tested a vanilla Debian squeeze as a member of my domain. I joined the domain by using the exact same method as I did for OMV, except it is not running OpenLDAP because it is already running on my OMV.


    The command adduser worked as expected and I could create a new user and from root switch to it.


    I think the bug is introduced somewhere by the OMV layer. If a developer takes care of it we may find a workaround or a fix. This may be helpful to a possible future plugin.


  • Hi WiiFriik


    I think I found the issue. Please show the highest UID and highest GID of all users / groups on your OMV:
    getent passwd
    getent group


    I'm investigating how to solve the issue. I think you'll have to lower UID_MAX and GID_MAX in /etc/login.defs


    I'll confirm this after doing some tests.


    EDIT : the issue is solved. To solve it you will have to revert your changes in /etc/login.defs (the default values should be sufficient for 50000 accounts, and let you have 8500 local accounts). Raising UID_MAX and GID_MAX is possible but I'm not sure about the highest value because it is not a power of 2 as I expected (and I did not find any official resource about this value).


  • Hi


    First you need to back up the current names associated with the UIDs and GIDs. If you created only a few users and groups, the easiest is to write them down on a piece of paper.
    - log on to a Linux or Windows computer with any user which is not in the domain. Tell me if you choose Linux or Windows, to ease the explanation of the next steps.
    - use ssh or putty to log on to OMV as root (if needed, enable ssh root access in OMV's GUI)
    - run the following commands


    getent passwd -s winbind > /root/mapping-uid.txt
    getent group -s winbind > /root/mapping-gid.txt


    Use scp (Linux CLI) or WinSCP (Windows GUI) to copy these files out of your OMV to a computer, for easy access.


    Once done, check you got all your users and groups in each of these files (you will also find the users and groups that are in the domain by default).


    Next, edit /etc/login.defs, and roll back UID_MAX and GID_MAX to their original value, which is 60000 for both. This will hide the domain users in OMV's GUI. In OMV's GUI go to SMB/CIFS and in extra options change the two following options (here with the new values) :


    Code
    idmap uid = 9400-59999
    idmap gid = 9400-59999


    Any new UID or GID mapping will now be in these ranges.


    Once done, we will do the tricky part : erase winbind's mapping database and change the IDs in the filesystem. I'll explain after you have confirmed the above steps, because it is better to do all the filesystem changes at once.

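The procedure above hinges on the ID ceilings fitting together: the idmap range in smb.conf must end below UID_MAX / GID_MAX in /etc/login.defs, and the IDs winbind has already handed out (the ones backed up with getent) must lie inside that range, otherwise the mapping database has to be rebuilt. The following check is an added example, not part of the thread or of OMV; it works on constructed sample output of the getent commands, a login.defs fragment and the idmap lines, all made up here, and uses only awk and POSIX sh.

```shell
#!/bin/sh
# Added example: verify the UID/GID layout described in the thread.
# Constructed sample of `getent passwd -s winbind` / `getent group -s winbind`
# (domain, names and numbers are made up; alice got an id above the ceiling).
SAMPLE_PASSWD='EXAMPLE\alice:*:70001:70513::/home/EXAMPLE/alice:/bin/bash
EXAMPLE\bob:*:9402:70513::/home/EXAMPLE/bob:/bin/bash'
SAMPLE_GROUP='EXAMPLE\domain users:x:70513:
EXAMPLE\nas-admins:x:9401:'
# Constructed /etc/login.defs fragment with the default values the thread reverts to.
SAMPLE_LOGIN_DEFS='UID_MAX 60000
GID_MAX 60000'
# The idmap ranges the thread puts into OMV's SMB/CIFS extra options.
SAMPLE_SMB_EXTRA='idmap uid = 9400-59999
idmap gid = 9400-59999'

# max_id N: highest value of colon-separated field N on stdin (3 = uid/gid column)
max_id() { awk -F: -v f="$1" 'BEGIN{m=0} ($f+0)>m {m=$f+0} END{print m}'; }

# login_def KEY: value of KEY in login.defs-style "KEY VALUE" text on stdin
login_def() { awk -v k="$1" '$1==k {print $2}'; }

# idmap_hi uid|gid: upper bound HI of the "idmap uid = LO-HI" line on stdin
idmap_hi() { awk -v k="idmap $1" -F'[ =-]+' 'index($0,k)==1 {print $NF}'; }

# check_layout PASSWD GROUP LOGIN_DEFS SMB_EXTRA: 0 if consistent, 1 otherwise
check_layout() {
  rc=0
  for kind in uid gid; do
    if [ "$kind" = uid ]; then db=$1; key=UID_MAX; else db=$2; key=GID_MAX; fi
    top=$(printf '%s\n' "$db" | max_id 3)
    lim=$(printf '%s\n' "$3" | login_def "$key")
    hi=$(printf '%s\n' "$4" | idmap_hi "$kind")
    # the idmap range must end below the login.defs ceiling, or local
    # user/group creation breaks the way it did in this thread
    [ "$hi" -lt "$lim" ] || { echo "idmap $kind top $hi >= $key $lim" >&2; rc=1; }
    # ids already handed out must sit inside the range; if not, winbind's
    # mapping database and the filesystem ids need the migration step
    [ "$top" -le "$hi" ] || { echo "$kind $top outside idmap range (max $hi)" >&2; rc=1; }
  done
  return $rc
}

check_layout "$SAMPLE_PASSWD" "$SAMPLE_GROUP" "$SAMPLE_LOGIN_DEFS" "$SAMPLE_SMB_EXTRA" \
  && echo "ID layout consistent" || echo "ID layout needs the migration from the thread"
```

On a real box, feed it `getent passwd -s winbind`, `getent group -s winbind`, /etc/login.defs and the idmap lines from smb.conf instead of the samples.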

  • Hi dethegeek,


    thanks for your explanation. I will do it tomorrow, I think.


    One question: When I have finished the actions you explained in your last post, will I be able to access my files on my OMV? Or do I have to edit the ACLs first?
    Or does this depend on the filesystem changes, which will follow in the next step?

  • Hi,


    Yes, all your files remain unchanged, and you will be able to use them the same way. You will notice the users and groups in your domain will no longer appear in OMV.


    We will try to do the critical part at once, so your files will be usable again quickly.


    The next step, in short, will be to clear the idmapping cache in winbind, reallocate a new id for each user and group of the domain, and update the ACLs in your filesystem. It would be very useful if you told me whether you changed some ACLs manually in any folder (in a home directory or in any other folder).


  • Hi.


    Sorry for my delayed answer. I have been very busy in the past with DIY activities in my home, so there has been no time for IT-systems. :(


    Last weekend I thought my system drive had died because I encountered some ext4-fs errors on my OMV system drive until it was no longer accessible, so I went to my local hardware dealer and bought a new hd. Unfortunately I had no backup of my OMV configuration, so I had to start the installation again from scratch. :o


    I followed your adapted tutorial and everything went fine. But there is one point I have to disagree with you on: all of my domain users are showing up in the OMV GUI and I'm also able to add new users in OMV, so everything seems to be fine. I also already corrected the ACLs of my files using the OMV GUI and all files are accessible again.


    Actually there is only one problem: When logging in on my OMV with a domain user, the personal folder is not created, so I must do it manually, but I'm working on that issue. :?:


    So many thanks again for your great work. :D

  • Hi


    I did not bother about having only a subset of the domain users. When you open your mmc console to manage your users from Windows, you see all of them too :). If I find something to filter out the useless accounts, be sure I'll update the tutorial :).


    The user's home is not created if you try to access it via Samba for the first time. You must open a session on OMV (with ssh for example). I don't know for now how to solve this.


  • Hi,
    but it also doesn't work when logging in via SSH. The folder for the user is not created automatically, but I'm able to create the user folder in the domain folder manually.
    So I think the access rights are set properly. In my first installation this worked fine and I actually have no idea what the reason is.


    I think, I will check the steps of your tutorial again ...

  • Hi


    Did you miss step 2.10 ?? I think you missed something here (or did I break something when I updated the tutorial last month ??)


    I'm lacking time to check it right now : I'm busy on an open source software, and preparing my first contact with open source hardware (this is also DIY).


  • Hi,


    finally I've found the solution.


    I manually added the line "session required pam_mkhomedir.so skel=/etc/skel/ umask=0022" to /etc/pam.d/common-account and after that it worked when logging in with ssh and also on first login via Samba.


    I don't know why this line was missing or what the reason was that it worked in my previous installation, but now everything seems to be fine.


    Best regards.

  • Hummm


    Just checked with a test user, with my setup untouched : you're right : it works with SMB ;)


    I found I certainly altered part 2.10 in the howto, compared to the same part I maintain on my own wiki. I'm supposing you created the 2 files in 2.10, but the command pam-auth-update was no longer there. Without this command, the mkhomedir settings are not applied. This is now fixed. Thank you, this helped me to point this out.


  • Yes, I created the two files and then nothing happened after logging in with a new user.
    Happy that I had the opportunity to give a hint after leeching so much competent input from you. :D


    Now everything is working as required. Maybe sometime there will be a solution for logging on to OMV when DC is down ... But this is not crucial. :)


    Thanks again for this great tutorial which is suitable also for a linux noob like me.

  • Hi


    If I remember well, I suggested (long ago) that you change a setting in the extra settings for SMB


    winbind offline logon = true


    Still from memory, you should enable it by turning it to true. Have a look at the documentation for smb.conf from the Samba project.


    You may find useful documentation here : http://wiki.samba.org/index.php/PAM_Offline_Authentication.


    Let me know if this works for you :)


  • Quote from "dethegeek"

    I want to share my work with the community. I wish that in the near future, OMV will be able to natively join an Active Directory domain thanks to a dedicated plugin.


    The following configuration has been designed to host domain users' home directories, and let users access their home with both SSH and SMB/CIFS.


    Hi!
    thank you for this contribution.
    I want to share my experience too.

    • Code
      getent -s winbind group

      doesn't show anything. I am not sure why. It takes a couple of seconds to work but shows nothing. Meanwhile

      Code
      getent -s winbind passwd

      shows users all right. Any ideas?

    • Users: beware that every time you add/change an SMB share, OMV rewrites the options you added manually to smb.conf as per this guide. dethegeek, please add the warning to the guide (the initial post). This is why users here complain that they see the login window rejecting the user's credentials (found a few in this thread). The smbclient complains with
      Code
      NT_STATUS_LOGON_FAILURE


    Thanks again.
    BTW: I'm using Windows-2003 SP2 server 32-bit.

  • Hi


    Thank you for your help.


    1. If the getent command does not show any group then you have an issue. You should check the winbind configuration again. I had this same issue in some cases but I did not find the exact way to solve it. I think this is probably due to a configuration error. Once it has been fixed, this may need a reboot or something which cleans some cache somewhere.


    2. If this is possible, all custom settings you wish to put in smb.conf should be added in the extra options from OMV's GUI. This way, any change in OMV will not overwrite your own settings. They will be rewritten because OMV is aware of them. Can you try that ? Is there something which prevents you from creating or editing an SMB share from OMV's GUI ?


    Are you using this configuration in a professional environment ? This is interesting : OMV is a very young appliance, and any experience of using it in such an environment would be helpful to the developers.


  • Quote from "dethegeek"


    1. If the getent command does not show any group then you have an issue.


    Indeed I have.
    Another symptom is: I can access a share from the 2003 AD and WinXP but cannot from Linux (Samba4) and some Win7 workstations.


    Quote from "dethegeek"


    You should check the winbind configuration again. I had this same issue in some cases but I did not find the exact way to solve it. I think this is probably due to a configuration error. Once it has been fixed, this may need a reboot or something which cleans some cache somewhere.


    Rebooted already.
    Any idea how to debug it? Maybe logs can help here?


    Quote from "dethegeek"

    2. If this is possible, all custom settings you wish to put in smb.conf should be added in the extra options from OMV's GUI. This way, any change in OMV will not overwrite your own settings. They will be rewritten because OMV is aware of them. Can you try that ? Is there something which prevents you from creating or editing an SMB share from OMV's GUI ?


    It works! I recommend fixing the guide.
    Thanks!


  • All right. I seem to have fixed this one. The problem was: the WORKGROUP parameter was the same as REALM. But it should be "EXAMPLE" if REALM=EXAMPLE.COM.

  • Hi dethegeek,


    after quite a while it's me again with a simple question: "Will this tutorial work with Kralizec also?"
    As you know, I'm a real Linux noob, so I'm waiting for your answer before upgrading to OMV 1.x.


    By the way: The problem with the offline logon to OMV is no longer a problem for me, because for a few months I have been running Windows Server 2012 on an Acer Aspire Easystore H340 and everything is fine now.


    Best regards,


    WiiFriik

  • Hi


    The tutorial is no longer valid with OMV 1.x because it runs a newer version of Samba (included in Debian 7).


    There are some changes in the syntax of /etc/samba/smb.conf. The content of this file is defined by OMV when an administrator tunes the SMB/CIFS settings.


    Less than 10 lines of text have to be updated to make this tutorial compatible with OMV 1.x. I'll update the tutorial and post it in a new topic. I need some days to find enough time.


    Rather than rebuilding your OMV from scratch, I already know an upgrade is sufficient. Consider this if you already have a working OMV 0.5. In a nutshell : follow the official upgrade procedure, change some extra options in SMB/CIFS, reboot and it should run fine !


    I'll let you know here when the new tuto is online.


    P.S. : sorry for the delay : probably due to the forum upgrade I did not receive a notification about your post.
