Active Directory / LDAP Revisited

  • My Network is not that big. My Domaincontroller is a Raspberry Pi, running with Samba 4 as Domain Controller.


    SMB/Cifs is setup like in the quote.


    net ads testjoin gives following output:


    Code
    root@speichermonster:/home/gamienator# net ads testjoin
    Join is OK

    So you have an idea where the error could be?

    • Offizieller Beitrag

    Any objections?

    Nope

    omv 7.0-32 sandworm | 64 bit | 6.5 proxmox kernel

    plugins :: omvextrasorg 7.0 | kvm 7.0.9 | compose 7.0.9 | cputemp 7.0 | mergerfs 7.0.3


    omv-extras.org plugins source code and issue tracker - github


    Please try ctrl-shift-R and read this before posting a question.

    Please put your OMV system details in your signature.
    Please don't PM for support... Too many PMs!

  • Hello,


    I hope i'm not too late to ask but, i'm having a problem joining the domain. Uhh, what exactly should I put in the General Settings: Workgroup under SMB/CIFS? Thank you :)


    Code
    Please enter the domain you wish to join: UPPER CASE?
    <DOMAIN.COM>
    Please enter a domain admin login to use: 
    omv.nas
    If join fails please check /etc/nsswitch.conf and /etc/krb5.conf
    Password for omv.nas@<DOMAIN.COM>: 
    Failed to join domain: failed to find DC for domain WORKGROUP
    root@openmediavault:~#
    • Offizieller Beitrag

    What is your active directory type? Failed to join domain: failed to find DC for domain WORKGROUP suggests you didn't set the workgroup on the SMB\CIFS settings page. You also need to add some info to the extras section. Customize it to your domain.



    Code
    ### Add below in extra options
    ### Change server name and realm to match yours
    #Extra Options
    client signing = yes
    client use spnego = yes
    kerberos method = secrets and keytab
    password server = mustang.example.com
    realm = EXAMPLE.COM
    security = ads

    Thanks for testing

  • Uhm, my LDAP Server is FreeIPA (CentOS) and the info to the extras section were added already. Anyway, i'm a lil confused on what to put at password server and realm, should it be like the first one or the second one?


    Code
    password server = ipa.domain.com
    realm = DOMAIN.COM
    
    
    or
    
    
    password server = domain.com
    realm = DOMAIN.COM
  • Thank you @donh. I'm still having issues though.. not sure if I should post it here or in the other thread xD


    • Offizieller Beitrag

    root@openmediavault:~# realm -v join domain.com -U omv.nas --client-software=sssd Did you set the domain on the network page for omv? I think it should be root@openmediavault:~# realm -v join domain.com -U omv.domain.com --client-software=sssd


    You can ask in either thread. The goal is to get it into omv 4 and a plugin in 3. The more feedback the better.

  • Yes, I did.


    Hostname:openmediavault
    Domain:domain.local


    LDAP - ipa.domain.com
    OMV - openmediavault.domain.local


    I received the same error as shown above. Does firewall has something to do with this? No?

    Code
    root@openmediavault:~# realm -v join domain.com -U openmediavault.domain.local --client-software=sssd
     * Resolving: _ldap._tcp.domain.com
     * Performing LDAP DSE lookup on: <ldap_ip>
     * Successfully discovered: domain.com
    Password for openmediavault.domain.local: 
    realm: Couldn't join realm: Message did not receive a reply (timeout by message bus)
  • Ahh, yes. My bad. realm -v join domain.com -U omv.nas --client-software=sssd was included in my last last post.. I also tried --server-software=ipa but still get the same error.


    I see freeipa has a demo site. If I get a chance I will setup a vm and try to join it.

    Oh, cool. Thank you :D

    • Offizieller Beitrag

    I was not able to connect to the demo site from omv. Dns issue I think. I did setup a fedora vm and was able to connect to the demo site with these instructions. https://www.freeipa.org/page/Demo Maybe you could setup a vm and try it? Then compare config files. Seems sssd does support freeipa nicely.

    That is sssd.conf. As you can see it has ipa settings. Looks like you might even be able to administer the users on the ipa server.

    • Offizieller Beitrag

    A freeipa link that may be of interest.


    freeipa-client from third party repo. Probably wont make into omv but could show settings required. Try it in a vm


    http://clusterfrak.com/sysops/app_installs/freeipa_clients/
    Fix this line echo -e 'deb http://apt.hgb.fr jessie main' >> /etc/apt/sources.list to echo -e 'deb http://apt.numeezy.fr jessie main' >> /etc/apt/sources.list


    Still can't connect to the demo site tho.

  • I've been doing some playing around with the FreeIPA side of things, and I think I have some good news and some bad news -


    The good news is I've successfully gotten an OMV install joined to an IPA domain with an AD trust, and I'm able to ssh in via AD users. So far, all users and groups that appear in FreeIPA show up as expected in the Web UI - although they're not directly editable.


    The bad news is that Samba/CIFS isn't working - and I don't think it's going to be any time soon. OMV's version of samba has known incompatibility issues with FreeIPA due to how they handle Kerberos authentication. Debian (and thus OMV) uses the Heimdal version of Kerberos, and RHEL/CentOS (and thus FreeIPA) use the MIT version. The server can otherwise be configured successfully - even appearing in the Network Browser on Windows clients - but upon trying to authenticate a host it fails with krb5_init_context_failed messages in the server logs.


    Samba 4.7 is possibly set to fix this, but it'll be a while before that hits Debian Stable. Worse, the unstable and testing versions aren't built with MIT support enabled - so you have to compile it yourself. And that's where I'm at right now, but I've not been having much success - it's now killing the process when a client tries to connect. I'll admit I'm now over my head, so my failures at this point don't really mean anything. Since the current version works with everything except my Windows systems, the current fallback plan is to just share via NFS to a CentOS/RHEL VM on the same box, and then host Samba from there.


    Either way, here's the method I've been using to get the FreeIPA link going on a fresh install of OMV:

    3 Mal editiert, zuletzt von akujinnoninjin () aus folgendem Grund: (Note about needing Kerberos ticket), (policykit1 is necessary - fixes "Not Authorized To Perform This Action" on realm discover. Packagekit also necessary to avoid missing requirements error on join)

  • They do indeed, and so far everything except CIFS/Samba is working as expected. Samba config so far has been ultimately unsuccessful, with the closest I've gotten being the above mentioned krb5_init_context_failed messages when attempting to authorize a client.


    In tracing those, I came across several recent threads mentioning that the FreeIPA client port is built against libraries known to be incompatible with Debian's samba, causing them to misinterpret each others requests. I believe this is why FreeIPA was pulled from stretch in the first place.


    There's also no real ETA for the fix - the freeIPA devs don't officially support Debian, and the Debian Samba team have other priorities - although the 4.7 update looks promising.

Jetzt mitmachen!

Sie haben noch kein Benutzerkonto auf unserer Seite? Registrieren Sie sich kostenlos und nehmen Sie an unserer Community teil!