Hi
I was using Debian GNU/Linux to manage my files with RAID mirroring. I discovered OMV a few months ago and I replaced my Debian distro. Migrating my RAID array was a piece of cake even though I'm not an expert about lots of things in Linux.
I'm using both Windows and Linux at home and I wanted to manage all my computers having the best of both worlds. I decided to create a howto to make OMV a domain member.
I want to share my work with the community. I wish that in the near future, OMV will be able to natively join an Active Directory domain thanks to a dedicated plugin.
The following configuration has been designed to host domain users' home directories, and let users access their home with both SSH and SMB/CIFS.
Before posting today, I found some tips to make OMV a domain member here: http://bugtracker.openmediavault.org/view.php?id=487
Feel free to tell me anything which may improve this howto.
EDIT : new tutorial with NFS support here (OMV 0.4 or 0.5) : http://forums.openmediavault.org/viewtopic.php?f=3&t=2648
EDIT : read the same tutorial for OMV 1.0 : Tutorial OMV 1.0 - how to join a Windows 2008 R2 domain
1 - LAB description
1 ESXi 5 host with some virtual machines :
1 Windows 2008 R2 AD domain controller
1 OpenMediaVault 0.4.x
1 Windows 7 64-bit member of the 2008 R2 domain
The domain controller has the DNS and DHCP roles
OpenMediaVault has 1 ethernet interface configured with DHCP
1.1 - Settings
Domain is : domain.local
Windows 2008 R2 hostname : srv-dc-01
omv hostname : omv
1.2 - customizations or what you need to adapt to YOUR needs
a way to synchronize time between your DC, your OMV server and your domain member computers
the domain name (and therefore the workgroup)
the directory containing homedirs (probably something like /media/30fcb748-ad1e-4228-af2f-951e8e7b56df/YOURWORKGRP)
2 - On OpenMediaVault
2.1 - Check IP configuration
OpenMediaVault has a DHCP-assigned IP address. You should check its hostname and name resolution:
omv:/# host domain.local
domain.local has address 192.168.0.10
omv:/# hostname -f
omv.domain.local
2.2 - Check time and NTP
The LAB environment runs ESXi : time is synced on each VM boot, which is sufficient for testing purposes. In a production environment use VMware Tools and time sync against the ESXi host, or use NTP. Kerberos rejects authentication when the clock skew between the client and the DC is too large, so this is not optional outside the lab.
2.3 - Install required packages
omv:/# apt-get update; apt-get install krb5-user krb5-clients libpam-krb5 winbind
You will be asked for the default Kerberos domain: DOMAIN.LOCAL
2.4 - Kerberos configuration
It runs out of the box with the default configuration. However, you may edit /etc/krb5.conf as follows:
[libdefaults]
default_realm = DOMAIN.LOCAL
ticket_lifetime = 600
dns_lookup_realm = yes
dns_lookup_kdc = yes
renew_lifetime = 7d
; allow_weak_crypto = true
# The following krb5.conf variables are only for MIT Kerberos.
; krb4_config = /etc/krb.conf
; krb4_realms = /etc/krb.realms
; kdc_timesync = 1
; ccache_type = 4
; forwardable = true
; proxiable = true
# The following encryption type specification will be used by MIT Kerberos
# if uncommented. In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
#
# The only time when you might need to uncomment these lines and change
# the enctypes is if you have local software that will break on ticket
# caches containing ticket encryption types it doesn't know about (such as
# old versions of Sun Java).
# For Windows Server 2008 R2 (seems not required)
; default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
; default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
; permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
# For Windows Server 2003 (not tested against Windows 2003 Server yet, and this server is deprecated)
; default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
; default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
; permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
[kdc]
profile = /etc/krb5kdc/kdc.conf
[logging]
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb5lib.log
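The enctype lines above are commented out on purpose: des-* and rc4-hmac are weak, and the 2003 variants would only be needed for an old DC. Below is an added shell check (my own example, not part of the original howto) that reads a krb5.conf the way the library does (lines starting with "#" or ";" are comments) and reports whether default_realm is upper-case and whether any weak enctype or allow_weak_crypto is actually active. The two sample files it lints are constructed inline: the first mirrors the configuration shown in this post, the second is a hypothetical edit where the Windows 2003 lines were uncommented.

```shell
#!/bin/sh
# Added example: lint a krb5.conf for the settings discussed in section 2.4.
# Both sample files below are constructed for the demonstration.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Sample 1: the configuration as shown in the post (enctype lines commented out).
cat > "$WORK/krb5-post.conf" <<'EOF'
[libdefaults]
default_realm = DOMAIN.LOCAL
ticket_lifetime = 600
dns_lookup_realm = yes
dns_lookup_kdc = yes
renew_lifetime = 7d
; allow_weak_crypto = true
; default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
EOF

# Sample 2: hypothetical edit, Windows 2003 enctypes uncommented and weak crypto on.
cat > "$WORK/krb5-weak.conf" <<'EOF'
[libdefaults]
default_realm = domain.local
allow_weak_crypto = true
default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
EOF

# Print the active value of KEY ($2) in FILE ($1); empty if unset or commented.
krb5_value() {
    awk -v key="$2" '
        /^[[:space:]]*[#;]/ { next }           # comment line, ignored by libkrb5
        index($0, "=") == 0 { next }           # section header or blank
        {
            k = substr($0, 1, index($0, "=") - 1); gsub(/[[:space:]]/, "", k)
            v = substr($0, index($0, "=") + 1);  gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            if (k == key) { print v; exit }
        }' "$1"
}

# Kerberos realm names are case-sensitive; an AD realm is the upper-cased DNS domain.
krb5_realm_ok() {
    realm=$(krb5_value "$1" default_realm)
    [ -n "$realm" ] && [ "$realm" = "$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')" ]
}

# True when allow_weak_crypto = true is active (required for des-* to be usable at all).
krb5_allows_weak_crypto() {
    [ "$(krb5_value "$1" allow_weak_crypto)" = "true" ]
}

# List weak (DES / RC4) enctypes that are actively configured, one "key enctype" per line.
krb5_weak_enctypes() {
    for key in default_tgs_enctypes default_tkt_enctypes permitted_enctypes; do
        for enc in $(krb5_value "$1" "$key"); do
            case "$enc" in
                des-*|rc4-hmac*|arcfour-hmac*) printf '%s %s\n' "$key" "$enc" ;;
            esac
        done
    done
}

# Human-readable summary for one file.
krb5_report() {
    if krb5_realm_ok "$1"; then echo "$1: default_realm OK"; else echo "$1: default_realm missing or not upper-case"; fi
    if krb5_allows_weak_crypto "$1"; then echo "$1: allow_weak_crypto is enabled"; fi
    weak=$(krb5_weak_enctypes "$1")
    if [ -n "$weak" ]; then printf '%s: weak enctypes active:\n%s\n' "$1" "$weak"; else echo "$1: no weak enctypes active"; fi
}

for f in "$WORK/krb5-post.conf" "$WORK/krb5-weak.conf"; do krb5_report "$f"; done
```

Run it against your real file with krb5_report /etc/krb5.conf: with the post's configuration it reports no weak enctypes, which is what you want against a 2008 R2 DC.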
2.5 - Test kerberos settings
Give the administrator password when prompted.
Test that you got a ticket:
omv:/# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@DOMAIN.LOCAL
Valid starting       Expires              Service principal
01/28/13 13:28:58    01/28/13 13:38:58    krbtgt/DOMAIN.LOCAL@DOMAIN.LOCAL
Destroy all tickets (and check with klist that the cache is empty).
2.6 - SAMBA settings
In the OMV web GUI :
enable SAMBA
set Workgroup : DOMAIN
tick "Enable user home directories". You may also tick "Set browseable".
add these extra options :
password server = *
realm = DOMAIN.LOCAL
security = ads
allow trusted domains = yes
idmap uid = 9400-59999
idmap gid = 9400-59999
winbind use default domain = true
winbind offline logon = false
winbind enum users = yes
winbind enum groups = yes
winbind separator = /
winbind nested groups = yes
;winbind normalize names = yes # needs to be disabled
winbind refresh tickets = yes
;template primary group = users # seems deprecated ?
template shell = /bin/bash
template homedir = /home/%D/%U
client ntlmv2 auth = yes
client use spnego = yes
# Performance improvements
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
Read this post if you're under Windows 8 to try a performance enhancement : http://forums.openmediavault.o…f=3&t=1493&p=24413#p24366
Test the samba configuration.
Disable the winbind cache:
edit /etc/default/winbind and uncomment the following
restart samba and winbind
This step is not required.
If you wish to view your AD users and groups in the OMV web interface, include the UIDs and GIDs in the non-system users and groups range in /etc/login.defs. Find UID_MAX and change UID_MAX and GID_MAX as follows
Editing AD users and groups using the OMV web interface will fail because they are not stored in /etc/passwd and /etc/group.
2.7 - Join the domain
The createcomputer argument lets you create the computer account in an organisational unit (OU); it is not required.
omv:/# net ads join -U administrator createcomputer=servers/linux
Enter administrator's password:
Using short domain name -- DOMAIN
Joined 'OMV' to realm 'domain.local'
2.8 - Enable authentication with winbind
edit /etc/nsswitch.conf
2.9 - Check users and groups enumeration
(you get the local and AD user lists)
(you get the local and AD group lists)
2.10 - Enable mkhomedir and umask
create the file /usr/share/pam-configs/my_mkhomedir with the following content
Name: Activate mkhomedir
Default: yes
Priority: 900
Session-Type: Additional
Session:
	required pam_mkhomedir.so umask=0077 skel=/etc/skel
The umask argument for mkhomedir didn't work for me. pam_umask.so seems to be a better option. Create the file /usr/share/pam-configs/umask with the following
Name: Activate umask
Default: yes
Priority: 800
Session-Type: Additional
Session:
	optional pam_umask.so umask=0077
Run the command pam-auth-update and enable Activate mkhomedir and Activate umask. The items Kerberos authentication, Unix authentication and Winbind NT/Active Directory authentication should already be enabled.
2.11 - Fix domain folder permission
In the SMB/CIFS extra configuration, the special variable %D is used to distinguish domain users from OMV's local users. The %D folder will be created upon the first domain user connection. However, that folder will not allow domain users to traverse it and access their home directory. This needs a fix. Create the folder where template homedir expects to find it, and adjust the owners and permissions. If your Active Directory domain name contains a white space, be sure to escape it with a backslash.
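To see why the fix is needed: with umask=0077 the intermediate /home/%D directory that mkhomedir creates on the first login ends up mode 0700, so the second domain user cannot even reach /home/%D/%U. The script below is an added example of mine (not from the howto) that reproduces this in a temporary directory and applies the fix. The home root and domain name are constructed, mkhomedir is simulated with a plain mkdir -p under the same umask, and the 0755 mode for the domain folder is my assumption (the post only says to adjust owners and permissions). It uses GNU stat.

```shell
#!/bin/sh
# Added example: why the %D folder needs fixing after pam_mkhomedir/pam_umask with
# umask=0077, and the fix. Everything runs in a throw-away directory.

DEMO_ROOT=$(mktemp -d)           # stands in for /home
trap 'rm -rf "$DEMO_ROOT"' EXIT
DOMAIN="DOMAIN"                  # %D in "template homedir = /home/%D/%U"

# Octal mode of a path (GNU stat).
mode_of() { stat -c '%a' "$1"; }

# True when users other than the owner/group can traverse (search) the directory,
# i.e. the last octal digit carries the execute bit.
dir_traversable_by_others() {
    case "$(mode_of "$1")" in *[1357]) return 0 ;; *) return 1 ;; esac
}

# Simulates the first login of user $3 of domain $2 under home root $1:
# mkhomedir creates the missing path components with the session umask 0077,
# so both /home/%D and /home/%D/%U end up 0700.
simulate_first_login() {
    ( umask 0077; mkdir -p "$1/$2/$3" )
}

# The fix from section 2.11: create (or re-mode) the %D folder explicitly so it
# can be traversed, while each home below it stays private (0700). 0755 is an
# assumed value; quoting "$2" handles a domain name containing a white space.
fix_domain_folder() {
    mkdir -p "$1/$2"
    chmod 0755 "$1/$2"
}

simulate_first_login "$DEMO_ROOT" "$DOMAIN" jdoe
echo "before fix: $DOMAIN folder mode $(mode_of "$DEMO_ROOT/$DOMAIN"), jdoe home mode $(mode_of "$DEMO_ROOT/$DOMAIN/jdoe")"
fix_domain_folder "$DEMO_ROOT" "$DOMAIN"
echo "after fix:  $DOMAIN folder mode $(mode_of "$DEMO_ROOT/$DOMAIN"), jdoe home mode $(mode_of "$DEMO_ROOT/$DOMAIN/jdoe")"
```

The important property is the asymmetry it shows: the domain folder must be traversable by everyone, but each user's home stays 0700 because pam_umask still applies when mkhomedir creates it.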
2.12 - SSH login for AD users
In the OMV web GUI enable SSH, disable root login (prefer su and sudo) and add this in Extra Options :
Please check that "domain users" is enclosed in double quotes and check that this is the group name available in Windows 2008 R2 (I'm French and I'm using a French Windows 2008 R2 : group and user names are localized).
3 - Login against SMB or SSH
Don't prefix the username with the domain (e.g. not DOMAIN.LOCAL/administrator; use administrator only), since winbind use default domain = true is set.