Active Directory / LDAP Revisited

    • ryecoaaron wrote:

      donh wrote:

      Does anyone care about this feature? Has anyone tested other ldap or active directory servers?
      Looks interesting. Now that I know more about ldap and sssd, I could look into it a bit more. If you could create a list of fields you would like to see in the plugin with their data type and default value (optional), that would help me greatly.
      Just a warning... I have no way to test AD nor do I want to mess with anything Windows related. Just ldap on my end :) If it works with AD, great.
      I looked for the existing ldap plugins. I thought there was an extras version but I could not find it. The official 3.1.6 version should have enough fields to get any directory service working. I would be willing to write a script to try and prefill some of the fields if they are available from dns. :)
      (attached image: Directory Plugin.png)
      If you make it idiot proof, somebody will build a better idiot.
    • donh wrote:

      The official 3.1.6 version should have enough fields to get any directory service working. I would be willing to write a script to try and prefill some of the fields if they are available from dns.
      So, should we fork that plugin to create a new one? The script would help.
      omv 4.0.14 arrakis | 64 bit | 4.13 backports kernel | omvextrasorg 4.1.0
      omv-extras.org plugins source code and issue tracker - github.com/OpenMediaVault-Plugin-Developers

      Please don't PM for support... Too many PMs!
    • I think a new one would be better but you know the code better than I. SSSD has many features built in to it and only needs to manipulate 2 files, sssd.conf and smb.conf. sssd.conf is not used in the base system so no problems with that. smb.conf is used so it will be a bit more complicated. It will need to be integrated into the way smb.conf is now handled.

      A switch to fix nsswitch.conf would be good too. A simple text edit to move dns up in the search order.

      Getting ahead of things, maybe a button for some specific types of directory services.

      I doubt if you could do this now but in 4.0 it would be best to add this to the bottom of the smb/cifs page so the settings would be in the same place.

      Thanks!

      PS: I am sure I over simplified this. Does your ldap use things other than what I have shown? AD relies heavily on dns being correctly set up, that may have shielded me from some difficulties.

    • donh wrote:

      I doubt if you could do this now but in 4.0 it would be best to add this to the bottom of the smb/cifs page so the settings would be in the same place.
      This isn't a problem. samba on OMV uses a runparts directory. So, it can be added to smb.conf the correct way without changing the samba plugin itself. The only issue we might run into is if it sets a setting that is already set by the samba plugin. But, samba uses the last setting parsed when there is more than one occurrence of the same setting.

      donh wrote:


      I think a new one would be better but you know the code better than I
      Do you want to call it openmediavault-sssd?
    • "This isn't a problem. samba on OMV uses a runparts directory. So, it can be added to smb.conf the correct way without changing the samba plugin itself. The only issue we might run into is if it sets a setting that is already set by the samba plugin. But, samba uses the last setting parsed when there is more than one of the same settings."

      Cool, if it is on the same page and you add something to the smb extras section would that be good enough? The name should probably be something like "Directory Service SSSd" or something. Use your judgement.
    • donh wrote:

      Cool, if it is on the same page and you add something to the smb extras section would that be good enough?
      The plugin can do the equivalent of adding to the extras section but you won't see it in the extras section of the samba plugin.

      donh wrote:


      The name should probably be something like "Directory Service SSSd" or something. Use your judgement.
      Ok.
    • bigfatme2000 wrote:

      This looks really promising! I'd love to see this in a plugin format, as all my OMV installations hook into the same AD integration.
      You should be able to do it now and when the plugin comes out just back up your /etc/sssd/sssd.conf file and restore it. Maybe /etc/samba/smb.conf also. Those are the only files affected.

      I did a clean install with the 3 release over the weekend and all worked fine. It also works on 4.0 so the future looks good.
    • Hi

      With OMV 3.x the base Debian operating system now has good tools to join a domain with a few commands.

      See the packages realmd and adcli, and my own guide I began to share here: [BETA] Guide how to join OpenMediaVault 3.x in an Active Directory domain
      My wiki : http://howto-it.dethegeek.eu.org

      = latest setup =
      proxmox VE 5 hypervisor back to my good C2D setup
      guests : OpenWRT (VM), OMV 3 (VM), Samba 4 domain controller (LXC)
      OMV alive since 2011 I guess : never crashed, always upgraded : stronger than my hard drives.

      Searching for a P2P online storage solution : must be open source, client side encrypted, quota support. Tahoe LAFS is the nearest, but is lacking quota. Would be perfect to build an OMV based, anonymous online storage for backups
    • Thanks for the reply. "realmd" is the piece of the pie I was missing. I threatened to write a script earlier. There is one that should work in this thread, thanks. alandmoore.com/blog/2015/05/06…an-8-to-active-directory/ Will probably still need to add some stuff to smb.conf.

      Another good link outsideit.net/realmd-sssd-ad-authentication/
    • Here is a script that will join an OMV to a windows active directory domain.

      1. I always need to fix /etc/nsswitch.conf. Could be done with some sed magic.
      2. Setup samba/cifs and add stuff from below to extra options. Again could be done with some sed magic, but probably wouldn't show in web ui.
      3. Create Join-ad.sh: nano Join-ad.sh and paste the code below into it.
      4. chmod +x Join-ad.sh
      5. Run the script: ./Join-ad.sh . Then reboot, or try systemctl stop sssd.service && rm /var/lib/sss/db/* && rm /var/log/sssd/* && systemctl start sssd.service
      6. Did it work?

      Source Code

      ### Add below in extra options
      ### Change server name and realm to match yours
      #Extra Options
      client signing = yes
      client use spnego = yes
      kerberos method = secrets and keytab
      password server = mustang.example.com
      realm = EXAMPLE.COM
      security = ads


      Shell-Script: Join-ad.sh

      #!/bin/bash
      # This script should join Debian Jessie (8) to an Active Directory domain.
      # Adapted from a script here. http://www.alandmoore.com/blog/2015/05/06/joining-debian-8-to-active-directory/
      # Run as root. Apply the SMB/CIFS extra options above first:
      # net ads join reads realm and security from smb.conf.
      apt-get update
      apt-get dist-upgrade
      # Install the SSSD / Kerberos client stack only if sssd is not present yet
      if ! command -v sssd >/dev/null 2>&1; then
          apt-get install krb5-user krb5-config sssd libpam-sss libnss-sss sssd-tools libsss-sudo libsasl2-modules-gssapi-mit
      fi
      # Get domain and user
      echo "Please enter the domain you wish to join: UPPER CASE?"
      read -r DOMAIN
      echo "Please enter a domain admin login to use: "
      read -r ADMIN
      # Create /etc/sssd/sssd.conf. The heredoc delimiter is quoted, so nothing
      # inside is expanded: the embedded quotes, $HOME and %u reach the file as-is.
      cat > /etc/sssd/sssd.conf <<'EOF'
      [sssd]
      services = nss, pam, pac, ssh
      config_file_version = 2
      domains = EXAMPLE.COM
      [domain/EXAMPLE.COM]
      id_provider = ad
      access_provider = ad
      auth_provider = ad
      chpass_provider = ad
      #ldap_schema = rfc2307bis
      #ldap_schema = ad
      ldap_idmap_autorid_compat = True
      # Enumeration is discouraged for performance reasons.
      # OMV needs True to show users in ui and acl
      enumerate = True
      # timeout (integer) #### The default value for this parameter is 10 seconds.
      # This gets the users in range to show in UI and ACL
      ldap_idmap_range_min = 20000
      # ldap_idmap_range_max = 60000 ### Does not seem to work
      # ### Causes not able to start
      # If unneeded users or other objects show.
      # Use "dsquery user -name * " to see on windows with powershell
      #ldap_user_search_base = OU=SBSUsers,OU=Users,OU=MyBusiness,DC=example,DC=com
      # ldap_user_search_base = CN=Users,DC=example,DC=com
      # Use this if users are being logged in at /. OMV does this. Otherwise not tested
      # This example specifies /home/DOMAIN-FQDN/user as $HOME. Use with pam_mkhomedir.so
      #override_homedir = /home/%u
      #ldap_user_email = email # Could this fill the email field? might not be in this version
      #ldap_user_search_base = dc=example,dc=com
      #ldap_group_search_base = dc=example,dc=com
      #ldap_user_object_class = user
      #ldap_user_name = sAMAccountName
      #ldap_user_fullname = displayName ### Seems to map to comment in OMV?
      #ldap_user_home_directory = unixHomeDirectory
      #ldap_user_principal = userPrincipalName
      #ldap_group_object_class = group
      #ldap_group_name = sAMAccountName ### Seems to map to Name in OMV?
      # Unused options
      #ldap_idmap_default_domain = example.com
      #ldap_id_mapping = True
      #default_domain_suffix = example.com
      #ldap_access_order = expire
      #ldap_account_expire_policy = ad
      #ldap_force_upper_case_realm = true
      # Uncomment if the client machine hostname doesn't match the computer object on the DC.
      # ad_hostname = mymachine.EXAMPLE.com
      # Uncomment if DNS SRV resolution is not working
      # ad_server = dc.mydomain.example.com
      # Uncomment if the AD domain is named differently than the Samba domain
      # ad_domain = EXAMPLE.COM
      # filter_groups =
      # For other options see "man sssd.conf"
      # https://jhrozek.wordpress.com/2015/03/11/anatomy-of-sssd-user-lookup/
      EOF
      # Fix permissions: sssd refuses to start unless its config is mode 0600
      chmod 0600 /etc/sssd/sssd.conf
      # Replace the EXAMPLE.COM placeholder with the realm entered above
      sed -i 's/EXAMPLE.COM/'"$DOMAIN"'/g' /etc/sssd/sssd.conf
      # TODO
      # Add test to see if $DOMAIN passes dns tests
      # Add test to see if $DOMAIN passes krb5.conf tests
      echo "If join fails please check /etc/nsswitch.conf and /etc/krb5.conf"
      # Join domain: get a ticket for the admin, then let net use it (-k)
      kinit "$ADMIN"
      net ads join -k
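      The two hand edits that donh's procedure leaves to the admin (the hosts: order in /etc/nsswitch.conf from step 1, and keeping sssd.conf at mode 0600) plus the post-join checks asked for further down the thread (net ads testjoin, klist, getent passwd), as an added helper script. This is not donh's Join-ad.sh and not OMV code; it assumes a Debian host with GNU awk/sed/stat, Samba's net and MIT klist on PATH, and the Debian default file paths. The nsswitch rewrite is idempotent and leaves every other source in place; the permission check looks at the mode only.

```bash
#!/bin/bash
# Added example, not from the thread: helpers around donh's Join-ad.sh.
# Assumes Debian (GNU awk/sed/stat), Samba's `net` and MIT `klist` installed.

# Step 1 of donh's procedure: make "dns" the source right after "files" on the
# hosts: line of nsswitch.conf. Debian's stock order is
#   hosts: files mdns4_minimal [NOTFOUND=return] dns
# and if the AD domain is a .local name, mdns4_minimal answers NOTFOUND for it
# before DNS is ever asked, so SRV/realm discovery fails. Idempotent: any
# existing "dns" token is removed before the new one is placed.
fix_nsswitch_hosts() {
    local conf="$1" tmp
    tmp="$(mktemp)" || return 1
    awk '
        $1 == "hosts:" {
            n = 0
            for (i = 2; i <= NF; i++) if ($i != "dns") tok[++n] = $i
            out = "hosts:"; placed = 0
            for (i = 1; i <= n; i++) {
                out = out " " tok[i]
                if (tok[i] == "files" && !placed) { out = out " dns"; placed = 1 }
            }
            if (!placed) out = "hosts: dns" substr(out, 7)   # no "files": dns first
            print out; next
        }
        { print }
    ' "$conf" > "$tmp" || { rm -f "$tmp"; return 1; }
    cat "$tmp" > "$conf"        # overwrite in place, keeping owner and mode
    rm -f "$tmp"
}

# sssd will not start if sssd.conf is readable by anyone but its owner
# (it can carry a bind password via ldap_default_authtok). The script's
# chmod 0600 covers this; this check confirms it survived later edits.
sssd_conf_mode_ok() {
    local conf="${1:-/etc/sssd/sssd.conf}" mode
    mode="$(stat -c '%a' "$conf")" || return 1
    [ "$mode" = "600" ]
}

# The checks donh asks for further down the thread, plus the NSS lookup the
# posters found failing. USER is a sAMAccountName. Live commands: these need a
# joined host, so nothing here is exercised offline.
verify_join() {
    local user="$1" rc=0
    net ads testjoin || { echo "net ads testjoin FAILED"; rc=1; }
    klist -s && klist || echo "no valid Kerberos ticket (kinit again to retest)"
    if getent passwd "$user" >/dev/null; then
        echo "NSS resolves $user: $(id "$user")"
    else
        echo "NSS does not resolve $user: check sssd.conf search base / idmap range and"
        echo "  the hosts: order in /etc/nsswitch.conf, then: systemctl restart sssd"
        rc=1
    fi
    return "$rc"
}

case "${1:-}" in
    fix)    fix_nsswitch_hosts "${2:-/etc/nsswitch.conf}" ;;
    perms)  sssd_conf_mode_ok "${2:-/etc/sssd/sssd.conf}" && echo "sssd.conf mode 0600: OK" ;;
    verify) verify_join "${2:?usage: $0 verify USER}" ;;
    *)      : ;;   # no subcommand: just define the functions (e.g. when sourced)
esac
```

      Usage on the NAS, as root: `./adcheck.sh fix` before running Join-ad.sh, then `./adcheck.sh perms` and `./adcheck.sh verify someuser` after the reboot. The awk rewrite is used instead of a sed one-liner so that a hosts: line that does not start with `files`, or that already has `dns` in place, comes out right rather than losing the dns source.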

    • Hi guys

      OK so I'm just going through my first setup (lab environment) of the latest OMV 3.x and trying to attach it to my 2012 AD server. I have literally just freshly installed OMV from the ISO twice in the last 3 hours, edited /etc/nsswitch.conf to put 'dns' just after 'files', I've copied, pasted and executed the script kindly provided by donh and even upped the UID_MAX and max group to 33554431. It joins the domain fine (done this a few times today now) but getent passwd USERNAME doesn't return anything, and users aren't being populated within the OMV admin panel (even after a reboot).


      Is there something up with the latest OMV?


      I've noticed that if I install a fresh OMV install (openmediavault_3.0.86-amd64.iso) and within the OMV admin area I click on 'Update' it throws an error straight away which I need to then run an update command within SSH to fix that too - so not sure if this has stopped working with the recent version, or whether I'm copy/pasting wrong / missing something?


      Thanks guys!
    • Sorry to bump, is this the latest thread / method for connecting OMV to AD?

      I used to use the old method with 2.x, however the Kerberos method doesn't work on 3.x, does it?

      Thanks for any pointers! I'll keep trying today to see if I can get it to work, would be nice to upgrade to 3.x due to its added features.
    • The update issue is a known issue. bugtracker.openmediavault.org/view.php?id=1799 The first step of the script should fix the update error.

      I don't have a 2012 server to test against so your help will be appreciated. You say it joined the domain. What does net ads testjoin show?

      Also klist .

    • I've just installed a million different packages and configurations trying to get this to work so I will re-install the whole thing, re-run your script and test again now so will update you shortly.

      I'm confident 2012 is doing its job though as it is configured with 2x 2.x OMV installs, pfsense authenticated, ESXi authenticated and doing everything fine - so we just need to figure OMV out as I'm sure it's a crucial feature for many.

      I'll reinstall now, run your script then run the two commands to give you the feedback.
    • OK weird, just done the below and it all works fine:

      1) install OMV 3.0.86

      2) nano /etc/nsswitch.conf

      change:
      hosts: files mdns4_minimal [NOTFOUND=return] dns

      to:
      hosts: files dns mdns4_minimal [NOTFOUND=return]

      3) On Web UI, save and apply SMB/CIFS config to below:

      Workgroup: DOMAIN

      Extra Options:
      client signing = yes
      client use spnego = yes
      kerberos method = secrets and keytab
      password server = dc.domain.com
      realm = DOMAIN.COM
      security = ads

      4) Copy and paste code into Join-ad.sh

      5) chmod +x Join-ad.sh

      6) run ./Join-ad.sh

      7) During run: confirm [Y] installs

      8) During run: Enter domain UPPER CASE? DOMAIN.COM

      9) During run: user: Administrator pass: <pass>

      10) Success message: Joined 'OMV' to dns domain 'Domain.com' (think it must be getting the capitalisation of that domain from the hostname)

      11) reboot

      12) It all works now.

      So inconsistent, must be human error I'm sure.

      Thanks
    • Hey There,

      sadly for me the script didn't work :/

      I fixed /etc/nsswitch.conf got the message "Joined successfully to domain" and edited the max IDs in /etc/login.defs but still don't see the Users in the webinterface.

      getent passwd only gives me local users. Does anyone have an idea what I should check next?
    • Did you setup smb/cifs? What server are you connecting to? How big is the network?

      Does net ads testjoin pass?

      Maybe your users require a specific search base?
      # If unneeded users or other objects show.
      # Use "dsquery user -name * " to see on windows with powershell
      #ldap_user_search_base = OU=SBSUsers,OU=Users,OU=MyBusiness,DC=example,DC=com
      # ldap_user_search_base = CN=Users,DC=example,DC=com

      If so nano /etc/sssd/sssd.conf and fix as required.
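      A check for the "joined fine, getent passwd shows only local users, nothing in the web UI" reports above, as an added example that is not from the thread and not OMV code. It reads ldap_idmap_range_min/max from sssd.conf and UID_MIN/UID_MAX from /etc/login.defs (the file both posters edited) and reports whether the UIDs SSSD hands to AD users can fall inside the login.defs range at all. Assumption, taken from the thread rather than from OMV's source: OMV's user and ACL views only show accounts whose UID lies within that range. Defaults for absent keys are SSSD's (200000 and 2000200000) and Debian's (1000 and 60000). With range_min 20000 and SSSD's default range_max the check fails against a stock login.defs, which matches the posters having to raise UID_MAX. SSSD also allocates IDs in slices of ldap_idmap_range_size (default 200000), which is the likely reason the commented-out ldap_idmap_range_max = 60000 in the script above "causes not able to start": a 40000-wide range cannot hold one slice.

```bash
#!/bin/bash
# Added example, not from the thread: does the UID range SSSD assigns to AD
# users fit inside UID_MIN..UID_MAX of /etc/login.defs? Assumption (from the
# thread, not OMV's source): OMV lists only users whose UID is in that range.

# Print the value of KEY from a "key = value" (sssd.conf) or "KEY value"
# (login.defs) style file. Comment and blank lines are skipped, first match
# wins, nothing printed when the key is absent.
conf_value() {
    local file="$1" key="$2"
    awk -v k="$key" '
        { sub(/^[[:space:]]+/, "") }
        /^[#;]/ { next }
        /^$/    { next }
        {
            split($0, f, /[[:space:]]*=[[:space:]]*|[[:space:]]+/)
            if (f[1] == k) { print f[2]; exit }
        }
    ' "$file"
}

# Exit 0 if [ldap_idmap_range_min, ldap_idmap_range_max] lies inside
# [UID_MIN, UID_MAX]; prints both ranges either way. Defaults for missing keys
# are SSSD's (200000 / 2000200000) and Debian's (1000 / 60000).
idmap_fits_login_defs() {
    local sssd="${1:-/etc/sssd/sssd.conf}" logindefs="${2:-/etc/login.defs}"
    local rmin rmax umin umax
    rmin="$(conf_value "$sssd" ldap_idmap_range_min)"; rmin="${rmin:-200000}"
    rmax="$(conf_value "$sssd" ldap_idmap_range_max)"; rmax="${rmax:-2000200000}"
    umin="$(conf_value "$logindefs" UID_MIN)";          umin="${umin:-1000}"
    umax="$(conf_value "$logindefs" UID_MAX)";          umax="${umax:-60000}"
    echo "sssd idmap range $rmin..$rmax, login.defs UID range $umin..$umax"
    if [ "$rmin" -ge "$umin" ] && [ "$rmax" -le "$umax" ]; then
        echo "OK: every mapped AD UID can appear in the login.defs range"
    else
        echo "MISMATCH: raise UID_MAX/GID_MAX in login.defs (the posters above used 33554431)"
        echo "          or narrow the idmap range, keeping it >= ldap_idmap_range_size (default 200000)"
        return 1
    fi
}

case "${1:-}" in
    check) idmap_fits_login_defs "${2:-/etc/sssd/sssd.conf}" "${3:-/etc/login.defs}" ;;
    *)     : ;;   # no subcommand: just define the functions (e.g. when sourced)
esac
```

      Run as `./idmapcheck.sh check` on the NAS; when it reports MISMATCH, fix one side and `systemctl restart sssd`, then re-run `getent passwd USER` and the `id` check. Raising UID_MAX (as the posters did) is the safer of the two fixes, because shrinking the idmap range below one slice is what stops sssd from starting.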
