Tutorial OMV 0.4 or 0.5 - howto join windows 2008R2 active directory


    • Tutorial OMV 0.4 or 0.5 - howto join windows 2008R2 active directory

      Hi

      I was using Debian GNU/Linux to manage my files with RAID mirroring. I discovered OMV a few months ago and I replaced my Debian distro. Migrating my RAID array was a piece of cake even though I'm not an expert on many Linux topics.

      I'm using both windows and linux at home and I wanted to manage all my computers having the best of both worlds. I decided to create a howto to make OMV a domain member.

      I want to share my work with the community. I hope that in the near future OMV will be able to natively join an Active Directory domain thanks to a dedicated plugin.

      The following configuration has been designed to host domain users' home directories and to let users access their home with both SSH and SMB/CIFS.

      Before posting today, I found some tips to make OMV a domain member here : bugtracker.openmediavault.org/view.php?id=487

      Feel free to tell me anything which may improve this howto.

      EDIT : new tutorial with NFS support here (OMV 0.4 or 0.5) : http://forums.openmediavault.org/viewtopic.php?f=3&t=2648

      EDIT : read the same tutorial for OMV 1.0 : Tutorial OMV 1.0 - how to join an Windows 2008 R2 domain

      1 - LAB description

      1 ESXi 5 host with some virtual machines :
      1 windows 2008 R2 ad domain controller
      1 OpenMediaVault 0.4.x
      1 windows 7 64 bits member of the 2008 R2 domain

      the domain controller has DNS and DHCP roles
      Openmediavault has 1 ethernet interface configured with DHCP

      1.1 - Settings
      Domain is : domain.local
      windows 2008R2 hostname : srv-dc-01
      omv hostname : omv

      1.2 - customizations or what you need to adapt to YOUR needs
      a way to synchronize time between your DC, your OMV server and your domain member computers
      the domain name (and therefore the workgroup)
      the directory containing homedirs (probably something like /media/30fcb748-ad1e-4228-af2f-951e8e7b56df/YOURWORKGRP)

      2 - On OpenMediaVault

      2.1 - Check IP configuration

      Openmediavault has a DHCP assigned IP address. You should check its hostname and name resolution:

      Source Code

      omv:/# host domain.local
      domain.local has address 192.168.0.10
      omv:/# hostname -f
      omv.domain.local


      2.2 - Check time and NTP

      The LAB environment runs ESXi: time is synced on each VM boot, which is sufficient for testing purposes. In a production environment use VMware Tools and time sync against the ESXi host, or use NTP.

      2.3 - Install required packages

      omv:/# apt-get update; apt-get install krb5-user krb5-clients libpam-krb5 winbind

      you will be asked for the Kerberos default realm: DOMAIN.LOCAL

      2.4 - Kerberos configuration

      Runs out of the box with the default configuration. However, you may edit /etc/krb5.conf as follows:

      Source Code

      [libdefaults]
      default_realm = DOMAIN.LOCAL
      ticket_lifetime = 600
      dns_lookup_realm = yes
      dns_lookup_kdc = yes
      renew_lifetime = 7d
      ; allow_weak_crypto = true
      # The following krb5.conf variables are only for MIT Kerberos.
      ; krb4_config = /etc/krb.conf
      ; krb4_realms = /etc/krb.realms
      ; kdc_timesync = 1
      ; ccache_type = 4
      ; forwardable = true
      ; proxiable = true
      # The following encryption type specification will be used by MIT Kerberos
      # if uncommented. In general, the defaults in the MIT Kerberos code are
      # correct and overriding these specifications only serves to disable new
      # encryption types as they are added, creating interoperability problems.
      #
      # The only time when you might need to uncomment these lines and change
      # the enctypes is if you have local software that will break on ticket
      # caches containing ticket encryption types it doesn't know about (such as
      # old versions of Sun Java).
      # Note: des-cbc-crc, des-cbc-md5 and rc4-hmac are weak enctypes; keep these
      # lines commented unless a legacy DC really requires them.
      # For Windows Server 2008 R2 (seems not required)
      ; default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
      ; default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
      ; permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
      # For Windows Server 2003 (not tested against Windows 2003 Server yet, and this server is deprecated)
      ; default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
      ; default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
      ; permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
      [kdc]
      profile = /etc/krb5kdc/kdc.conf
      [logging]
      kdc = FILE:/var/log/krb5kdc.log
      admin_server = FILE:/var/log/kadmin.log
      default = FILE:/var/log/krb5lib.log



      2.5 - Test kerberos settings

      Source Code

      omv:/# kinit -V administrator@DOMAIN.LOCAL

      Enter the administrator password.

      Check that you got a ticket:

      Source Code

      omv:/# klist
      Ticket cache: FILE:/tmp/krb5cc_0
      Default principal: administrator@DOMAIN.LOCAL
      Valid starting       Expires              Service principal
      01/28/13 13:28:58    01/28/13 13:38:58    krbtgt/DOMAIN.LOCAL@DOMAIN.LOCAL


      destroy all tickets (and check with klist)

      Source Code

      omv:/# kdestroy


      2.6 - SAMBA settings

      In OMV webGUI :

      enable SAMBA
      set Workgroup : DOMAIN
      tick "Enable user home directories". You may also tick "Set browseable".
      add extra options :

      Source Code

      password server = *
      realm = DOMAIN.LOCAL
      security = ads
      allow trusted domains = yes
      idmap uid = 9400-59999
      idmap gid = 9400-59999
      winbind use default domain = true
      winbind offline logon = false
      winbind enum users = yes
      winbind enum groups = yes
      winbind separator = /
      winbind nested groups = yes
      ;winbind normalize names = yes # needs to be disabled
      winbind refresh tickets = yes
      ;template primary group = users # seems deprecated ?
      template shell = /bin/bash
      template homedir = /home/%D/%U
      client ntlmv2 auth = yes
      client use spnego = yes
      # Performance improvements
      socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192


      :!: Read this post if you're on Windows 8 and want to try a performance enhancement: forums.openmediavault.org/view…f=3&t=1493&p=24413#p24366

      Test samba configuration

      Source Code

      omv:/# testparm


      Disable winbind cache

      edit /etc/default/winbind and uncomment the following

      Source Code

      #WINBINDD_OPTS = "-n"

      restart samba and winbind

      Source Code

      service samba stop
      service winbind restart
      service samba start


      :!: This step is not required
      If you wish to view your AD users and groups in the OMV web interface, include their UIDs and GIDs in the non-system users and groups range in /etc/login.defs. Find UID_MAX and change UID_MAX and GID_MAX as follows:

      Source Code

      UID_MAX 60000
      GID_MAX 60000

      Editing AD users and groups from the OMV web interface will fail because they are not stored in /etc/passwd and /etc/group.


      2.7 - Join the domain

      Argument createcomputer allows you to create the computer's account in an organisational unit (OU) and is not required.

      Source Code

      omv:/# net ads join -U administrator createcomputer=servers/linux
      Enter administrator's password:
      Using short domain name -- DOMAIN
      Joined 'OMV' to realm 'domain.local'


      2.8 - enable authentication with winbind

      edit /etc/nsswitch.conf

      Source Code

      passwd: compat winbind
      shadow: compat
      group: compat winbind


      Source Code

      omv:/# ldconfig


      2.9 - check users and groups enumeration

      Source Code

      omv:/# getent passwd

      (you get the local and AD user lists)

      Source Code

      omv:/# getent group

      (you get the local and AD group lists)

      2.10 - Enable mkhomedir and umask

      create the file /usr/share/pam-configs/my_mkhomedir with the following content


      Source Code

      Name: Activate mkhomedir
      Default: yes
      Priority: 900
      Session-Type: Additional
      Session:
      required pam_mkhomedir.so umask=0077 skel=/etc/skel



      The umask argument of mkhomedir didn't work for me; pam_umask.so seems to be a better option. Create the file /usr/share/pam-configs/umask with the following content:

      Source Code

      Name: Activate umask
      Default: yes
      Priority: 800
      Session-Type: Additional
      Session:
      optional pam_umask.so umask=0077


      Run the command pam-auth-update, enable Activate mkhomedir and Activate umask. The items Kerberos authentication, Unix authentication and Winbind NT/Active Directory authentication should be already enabled.

      2.11 - Fix domain folder permission

      In the SMB/CIFS extra configuration the special variable %D is used to distinguish domain users from OMV's local users. The folder will be created upon the first domain user connection. However, the folder will not allow domain users to traverse it and reach their home directory. This needs a fix. Create the folder where template homedir expects to find it, and adjust the owner and permissions. If the Active Directory group name contains a white space, make sure to escape it with a backslash.

      Source Code

      mkdir /home/DOMAIN
      chmod 0755 /home/DOMAIN
      chown root:domain\ users /home/DOMAIN


      2.12 - SSH login for AD users

      In OMV webGUI enable SSH, disable root login (prefer su and sudo) and add this in Extra Options :

      Source Code

      AllowGroups root ssh "domain users"


      Please check that "domain users" is enclosed in double quotes and that this is the group name used by your Windows 2008 R2 (I'm French and I'm using a French Windows 2008 R2: group and user names are localized).

      3 - Login against SMB or SSH

      Don't prefix the username with the domain (e.g. not DOMAIN.LOCAL/administrator; use administrator only).
      My wiki : http://howto-it.dethegeek.eu.org

      = latest setup =
      proxmox VE 5 hypervisor back to my good C2D setup
      guests : OpenWRT (VM), OMV 3 (VM), Samba 4 domain controller (LXC)
      OMV alive since 2011 I guess : never crashed, always upgraded : stronger than my hard drives.

      Searching for a P2P online storage solution : must be open source, client side encrypted, quota support. Tahoe LAFS is the nearest, but is lacking quota. Would be perfect to build an OMV based, anonymous online storage for backups


    • Re: tutorial - howto join windows 2008R2 active directory

      Updates
      05/12/2014 : Fix 2.10 - mkhomedir. I probably mistakenly deleted the end of this step, the missing part made it inefficient. (Thank you WiiFriik)
      03/23/2014 : Lowered idmapping from 16777443-33554431 to 9400-59999 due to a bug in Squeeze (see forums.openmediavault.org/view…=3&t=1493&start=50#p30776)
      05/16/2013 : added instructions to enable home directories; added fix to feature ID MANTIS 0000487 (duplicate MANTIS 0000766)
      05/21/2013 : added 1.2 section : what to change to your needs (may require detailed instructions about homedirs path)
      07/14/2013 : work in progress : change the deprecated options idmap uid and idmap gid into idmap config * .
      08/11/2013 : added missing step 2.11 about fixing folder permissions when %D is used in template homedir

      Known issues
      an AD group name containing a whitespace is interpreted as multiple group names when enumerating users in OMV webinterface. (in Access Rights Management, users). No related bug found.
      This setup needs a running DC to authenticate users : winbind has no cache and no offline authentication

      Limitations
      This setup does not handle logons when the domain controller is offline.

    • Re: tutorial - howto join windows 2008R2 active directory

      (reserved)
    • Re: tutorial - howto join windows 2008R2 active directory

      Hello dethegeek,

      first of all let me thank you for the tutorial. I'm a total noob regarding Linux and with your help I was able to follow it until the last step.
      Everything seems to be fine (for me :oops: ), but now there is a problem with the user authentication for Samba shares.
      I have one folder which is available for all users (although the user rights are set to only one user); all other shares are not available. When connecting in Windows 7, I get the message "access denied".

      By the way, how is it possible for me to set user privileges for Samba, for example for domain users?

      I followed all the steps in your tutorial and so far no problem occurred; the user list from Active Directory seems to be present.
      As I already told you, I'm not familiar with Linux, so I need a little bit of help on what to check to find any fault.

      Many thanks in advance.

      P.S.: I forgot to mention that SSH access seems to work fine. All users can log in with their AD user and password.
    • Re: tutorial - howto join windows 2008R2 active directory

      Hi

      When you create a SAMBA share you must set/check the ACLs on the shared folder.
      * Login in your OMV web interface
      * Navigate through Access Right Management, Shared folders, create your share, or edit an already created share.
      * Click on the ACL button
      * In Users/Groups permissions, find all users and/or groups allowed to use your share. You may choose read only or read/write access. Don't worry about the "no access" column: it is useful on complicated setups with lots of users and groups.
      * Tick "Replace all existing permissions" (will overwrite your previous settings) and "Apply permissions to files and subfolders" (copy the ACL on each subfolder)
      These ACLs are written into the filesystem.
      * in "Extra options" you should have "owner : root read/write" "group : root read/write" "others : no access"
      * click "Apply". This may need a long time, depending on the quantity of files and folders.
      * Click on the Privileges button, and ensure everything is unchecked (AD users and AD groups are not listed here)

      Now check the settings in Services, SMB/CIFS, click on the tab "Shares"
      Select your SAMBA share (or create it)
      Public : "no"
      Read Only : mostly "no"; if you want to disable writes for all users and groups, then set it to yes
      Browseable : mostly "yes"

      Remember that a user allowed to access a share needs to be allowed by both Samba and the filesystem. My personal choice is to allow any access in Samba (that's why I don't tick anything in "privileges"), but I restrict access with the filesystem's ACL.

      Don't forget to test your settings by checking some allowed users and denied users too.

      Let me know if you are able to make your server work as expected.
    • Re: tutorial - howto join windows 2008R2 active directory

      Hi. Thanks for your quick reply. The problem was my limited knowledge about the world of operating systems. :oops:
      I was using Windows all the time (and DOS of course), so I didn't think about the importance of using the correct file system.
      I fitted some hard disks into my NAS (each of them formatted in NTFS) and was wondering why the permissions were not set in
      the correct way (ACL was not available).
      Now I tried again with an ext4 drive, and what should I say, it works as it should. All domain users are present when
      using ACL to grant permissions. It is not a good idea to use btfs when working with Linux.

      Thank you again, and if there are further problems I will contact you.
    • Re: tutorial - howto join windows 2008R2 active directory

      Hi,

      Great ! I hope you will enjoy your NAS : OMV is a very promising NAS/SAN solution.
    • Re: tutorial - howto join windows 2008R2 active directory

      dethegeek, I have an additional question concerning the user authentication.
      Is there a way to grant access for the Active Directory users to the NAS folders even at times when the server is not running?
      I'm running a small home network with a W2K8 server, but the machine should not always be running, to save energy.
      My NAS is switched on 24/7, but I encounter the situation that access to the shared folders is not possible due to missing user verification.
      When trying to access a shared folder in W7 while the server is down, I'm always prompted to enter username and password, but the login fails.
      If the server is online, everything is fine.

      Is there a way to solve this problem, or am I making some kind of mistake? Then I think it will also be possible to create user folders which are always accessible,
      independent of whether the server is online or not.

      Thanks for your answer in advance.
    • Re: tutorial - howto join windows 2008R2 active directory

      Hi Gehaktbal

      I have user dirs hosted in my OMV server. I'm using GPOs to redirect the My Documents folder from computers to the OMV server. This is working fine since I've posted this howto.

      To do this in OMV backend, go to SMB/CIFS in the left panel, and tick "Enable user home directories". You may also tick "Set browseable". I should update the howto with these parameters.
    • Re: tutorial - howto join windows 2008R2 active directory

      "WiiFriik" wrote:


      Is there a way to grant access for the active directory users to the nas folders even in times the server is not running?


      Your setup is running as expected. This is a limitation of my howto because this setup needs your domain controller to authenticate users. If you want to turn off your DC you may use another setup based on winbind and OpenLDAP. I may try this setup in the future. If I'm right (because I did not investigate yet) OpenLDAP is used to replicate AD users and groups. Winbind uses OpenLDAP to authenticate users.

      The following may be a good start cwiki.apache.org/DIRxINTEROP/c…backed-winbind-idmap.html

      I may try that in a few weeks, and produce an other howto if it works.

      I hope someone will develop a plugin soon for both setups.

      If your computer is not too old (64-bit CPU with virtualization support and well chosen hardware) you may use VMware ESXi to run OMV and your AD controller on the same computer. This is actually the setup I have. Here are the details:
      a chenbro es34169 case (4 hotswappable SATA HDD )
      a Jeyway NF93R-LF mainboard
      a Core 2 Duo mobile (from my dead Asus ROG G1S laptop) @ 2.2 GHz
      4 GB RAM
      4 HDD : 1 for my virtual machines, and 3 dedicated to OMV
      A 1 GB USB stick to run ESXi with an internal USB port
    • Re: tutorial - howto join windows 2008R2 active directory

      Does getent group work as expected ? You shall see all AD groups. If you see them, you may have missed winbind enum users = yes in SAMBA extra options

      getent passwd and getent group depend on the following options in the Samba configuration

      Source Code

      winbind enum users = yes
      winbind enum groups = yes


      check these lines are not missing in SMB/CIFS extra options.

      Also check part 2.8 about the file nsswitch.conf

      Are you able to login with an AD user in a non public SAMBA share ?
    • Re: tutorial - howto join windows 2008R2 active directory

      "dethegeek" wrote:

      Does getent group work as expected ? You shall see all AD groups. If you see them, you may have missed winbind enum users = yes in SAMBA extra options


      getent group displays:
      root@omv:~# getent group
      root:x:0:
      daemon:x:1:
      bin:x:2:
      sys:x:3:
      adm:x:4:
      tty:x:5:
      disk:x:6:
      lp:x:7:
      mail:x:8:
      news:x:9:
      uucp:x:10:
      man:x:12:
      proxy:x:13:
      kmem:x:15:
      dialout:x:20:
      fax:x:21:
      voice:x:22:
      cdrom:x:24:
      floppy:x:25:
      tape:x:26:
      sudo:x:27:openmediavault
      audio:x:29:
      dip:x:30:
      www-data:x:33:
      backup:x:34:
      operator:x:37:
      list:x:38:
      irc:x:39:
      src:x:40:
      gnats:x:41:
      shadow:x:42:openmediavault
      utmp:x:43:
      video:x:44:
      sasl:x:45:
      plugdev:x:46:
      staff:x:50:
      games:x:60:
      users:x:100:debian-transmission
      nogroup:x:65534:
      libuuid:x:101:
      crontab:x:102:
      ntp:x:103:
      ssl-cert:x:104:
      postfix:x:105:
      postdrop:x:106:
      ssh:x:107:
      messagebus:x:108:
      avahi:x:109:
      netdev:x:110:
      tftp:x:111:
      snmp:x:112:
      sambashare:x:113:
      openmediavault:x:999:
      mysql:x:114:
      debian-transmission:x:115:
      winbindd_priv:x:116:

      "dethegeek" wrote:


      getent passwd and getent groups depends on the following options in samba configuration

      Source Code

      winbind enum users = yes
      winbind enum groups = yes


      check these lines are not missing in SMB/CIFS extra options.


      Those lines are there:
      password server = *
      realm = EMCEKA.LOCAL
      security = ads
      allow trusted domains = yes
      idmap uid = 10000-20000
      idmap gid = 10000-20000
      winbind use default domain = true
      winbind offline logon = false
      winbind enum users = yes
      winbind enum groups = yes
      winbind separator = /
      winbind nested groups = yes
      ;winbind normalize names = yes # needs to be disabled
      winbind refresh tickets = yes
      ;template primary group = users # seems deprecated ?
      template shell = /bin/bash
      template homedir = /home/%D/%U
      socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
      client ntlmv2 auth = yes
      client use spnego = yes

      "dethegeek" wrote:


      Also check part 2.8 about the file nsswitch.conf


      # /etc/nsswitch.conf
      #
      # Example configuration of GNU Name Service Switch functionality.
      # If you have the `glibc-doc-reference' and `info' packages installed, try:
      # `info libc "Name Service Switch"' for information about this file.

      passwd: compat winbind
      group: compat winbind
      shadow: compat

      hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4
      networks: files

      protocols: db files
      services: db files
      ethers: db files
      rpc: db files

      netgroup: nis

      "dethegeek" wrote:


      Are you able to login with an AD user in a non public SAMBA share ?


      Couldn't test this yet as it won't show me the AD users yet.
    • Re: tutorial - howto join windows 2008R2 active directory

      @Gehaktbal

      Ok, almost everything seems correct except the two following lines in samba extra options.

      Source Code

      1. idmap uid = 10000-20000
      2. idmap gid = 10000-20000

      Can you give a try with the values provided in the tutorial ?

      can you try these commands (your OMV must be a member of your domain) and give the result ?

      #will list your AD users
      wbinfo -u

      #will list your AD groups
      wbinfo -g

      Did you follow the tutorial from a fresh OMV installation, or did you do some advanced tweaks before trying to join your domain?
    • Re: tutorial - howto join windows 2008R2 active directory

      It was indeed a fresh OMV installation, changing the ids made it work.

      Next up is creating an H: drive for the users. Is there any way to automatically set the right permissions on their home folder?

      Thanks for your time and helping me out with the small details ;)
    • Re: tutorial - howto join windows 2008R2 active directory

      I'm not available this weekend. I'll try to answer you as soon as possible.

      Shortly: you have to use the web interface to set a user's home directory. When users log in, their folder will be created with the right ACL.

      EDIT : corrected lots of typos (damned, my natural language is not english, neither my smartphone's one...)

    • Re: tutorial - howto join windows 2008R2 active directory

      Hi dethegeek,
      thanks a lot so far. I will read the information given in the link you gave me and perhaps try a little bit, but my time is limited right now.
      Waiting patiently for your answer, when you will have tried this configuration. I'm in no hurry.
    • Re: tutorial - howto join windows 2008R2 active directory

      Hi Gehaktbal

      Sorry for the delay.

      The tutorial shows you how to configure mkhomedir. It creates a user's home dir automagically on his first logon. The folder is created with the right permissions to make it private.

      I updated the tutorial to share home directories.

      In OMV's web interface, go to "Access Rights Managements" > "Users"
      Open the "Parameters" tab
      Enable user's homedir and choose/create a folder for your users. The path MUST be the same as template homedir in SMB extra configuration.

      In the tutorial I set
      template homedir = /home/%D/%U

      Therefore the user's homedirs are stored in /home/DOMAIN (because in the tutorial %D = DOMAIN which is the workgroup configured in SAMBA).

      In your configuration, /home is probably in the partition containing OMV and you probably don't want to do that in production. Change /home into /media/{some-UUID}/{YOUR_WORKGROUP}.

      The UUID is a unique identifier associated with each volume you created. If you got a volume with UUID=30fcb748-ad1e-4228-af2f-951e8e7b56df then it is mounted in /media/30fcb748-ad1e-4228-af2f-951e8e7b56df (have a look at your OMV installation using a terminal). It is up to you to identify the UUID when you have several volumes for your data.


      2.6 - SAMBA settings
      [...]
      tick "Enable user home directories". You may also tick "Set browseable".


      Do the above instruction, and have a look in the directory containing all your home folders. Find a user who has no home directory yet. Log in on a computer as this user. Check in OMV that the folder has been created for him.

      I will add a note in the tutorial about the location of the home directories
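      Added example (my own code, not from the tutorial above and not part of OpenMediaVault): a small Python linter for the krb5.conf, SMB/CIFS extra options and nsswitch.conf fragments of steps 2.4 to 2.8, checking the pitfalls raised in this thread (lower-case realm, idmap range outside the login.defs UID_MAX/GID_MAX, missing winbind enumeration, deprecated idmap uid/gid, weak Kerberos enctypes, NTLMv1 fallback) and, for the home directory reply just above, that template homedir with %D expanded matches the OMV home directory root. All sample fragments are constructed; the realm DOMAIN.LOCAL, the 9400-59999 and 16777443-33554431 ranges, UID_MAX 60000 and the UUID path are the values quoted in the thread.

```python
"""Lint the krb5.conf, SMB/CIFS extra options and nsswitch.conf fragments of an AD member.
Added example, not code from the tutorial or OpenMediaVault; samples are constructed, the
realm, idmap ranges and UID_MAX 60000 are the values used in this thread."""
import re

# Enctypes a hardened member should not negotiate (the tutorial keeps these commented out).
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "des3-cbc-sha1", "rc4-hmac", "arcfour-hmac"}

def parse_kv(text):
    """Map 'key = value' lines to a dict; ';' or '#' starts a comment, '[section]' lines are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line[0] in ";[":
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip().lower()] = value.strip()
    return settings

def _is_yes(value):
    return value.strip().lower() in ("yes", "true", "1")

def lint_krb5(text):
    s, out = parse_kv(text), []
    realm = s.get("default_realm", "")
    if not realm or realm != realm.upper():
        out.append("krb5: default_realm must be the upper-case realm, got %r" % realm)
    if _is_yes(s.get("allow_weak_crypto", "no")):
        out.append("krb5: allow_weak_crypto = true lets MIT Kerberos use DES again")
    for key in ("default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes"):
        weak = sorted(WEAK_ENCTYPES & set(s.get(key, "").split()))
        if weak:
            out.append("krb5: %s allows weak enctypes: %s" % (key, ", ".join(weak)))
    return out

def lint_smb(text, uid_max=60000, gid_max=60000):
    """uid_max/gid_max are the login.defs limits; AD ids above them stay hidden from the OMV web UI."""
    s, out = parse_kv(text), []
    if s.get("security", "").lower() != "ads":
        out.append("smb: security must be 'ads' for a Kerberos domain member")
    realm = s.get("realm", "")
    if not realm or realm != realm.upper():
        out.append("smb: realm must be the upper-case Kerberos realm, got %r" % realm)
    for key, limit, name in (("idmap uid", uid_max, "UID_MAX"), ("idmap gid", gid_max, "GID_MAX")):
        if key not in s:
            continue
        m = re.fullmatch(r"(\d+)\s*-\s*(\d+)", s[key])
        if not m:
            out.append("smb: %s is not a LOW-HIGH range: %r" % (key, s[key]))
            continue
        low, high = int(m.group(1)), int(m.group(2))
        if low < 1000:
            out.append("smb: %s starts below 1000 and can collide with local accounts" % key)
        if high > limit:
            out.append("smb: %s upper bound %d exceeds login.defs %s (%d)" % (key, high, name, limit))
        out.append("smb: %s is deprecated; use 'idmap config * : range = %d-%d'" % (key, low, high))
    for key in ("winbind enum users", "winbind enum groups"):
        if not _is_yes(s.get(key, "no")):
            out.append("smb: %s is off; getent will not list AD accounts" % key)
    if "client ntlmv2 auth" in s and not _is_yes(s["client ntlmv2 auth"]):
        out.append("smb: client ntlmv2 auth = no lets the client fall back to NTLMv1")
    return out

def lint_nsswitch(text):
    dbs = {}
    for raw in text.splitlines():
        db, sep, sources = raw.split("#", 1)[0].partition(":")
        if sep:
            dbs[db.strip()] = sources.split()
    return ["nsswitch: %s does not list winbind, so AD entries are invisible to getent" % db
            for db in ("passwd", "group") if "winbind" not in dbs.get(db, [])]

def homedir_matches(text, omv_home_root, workgroup):
    """True when 'template homedir' with %D expanded points at the OMV home directory root."""
    expanded = parse_kv(text).get("template homedir", "").replace("%D", workgroup)
    return expanded.replace("%U", "").rstrip("/") == omv_home_root.rstrip("/")

# Constructed samples: the tutorial's settings, then the mistakes discussed in the thread.
TUTORIAL_SMB = """realm = DOMAIN.LOCAL
security = ads
idmap uid = 9400-59999
idmap gid = 9400-59999
winbind enum users = yes
winbind enum groups = yes
;winbind normalize names = yes # needs to be disabled
template homedir = /home/%D/%U
"""
BAD_SMB = ("realm = domain.local\nsecurity = user\nidmap uid = 16777443-33554431\n"
           "idmap gid = 500-59999\nwinbind enum users = no\nclient ntlmv2 auth = no\n")
BAD_KRB5 = "[libdefaults]\ndefault_realm = DOMAIN.LOCAL\nallow_weak_crypto = true\npermitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5\n"
NSSWITCH_BAD = "passwd: compat\nshadow: compat\ngroup: compat\n"

if __name__ == "__main__":
    for label, findings in (("bad smb", lint_smb(BAD_SMB)), ("bad krb5", lint_krb5(BAD_KRB5))):
        print(label, findings)
```

      Paste your own extra options into lint_smb and your /etc/krb5.conf into lint_krb5 before running net ads join; the tutorial's own fragment only yields the two "idmap uid/gid is deprecated" notes, which match the update entry about moving to idmap config *. The homedir check is what the reply above asks for: with template homedir = /home/%D/%U and workgroup DOMAIN the OMV home directory root must be /home/DOMAIN, and a /media/{UUID}/DOMAIN root will not match until the template is changed too.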