Did you try with privileges also?
Active Directory / LDAP Revisited
-
- OMV 5.x
- donh
-
-
Yes, priviliges appear to be working too. Sorry - thought I'd included that in the screenshots.
-
Thanks for trying.
-
-
After trying a lot of things with no results, this solved my problems:
Code: http://felipeferreira.net/index.php/2017/01/failed-to-read-keytab-default/
When starting sssd in centos 7 I was getting this ERROR: Failed to read keytab [default]: No such file or directory

SOLUTION:

```
rm /etc/krb5.keytab
klist -k
vi /etc/samba/smb.conf
    security = ads
    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab
    realm =
service smb restart
net ads testjoin
net ads leave -U Administrator
net ads join -U Administrator
net ads keytab create -U Administrator
klist -k
service sssd restart
```
-
> After trying a lot of things with no results, this solved my problems:
Welcome to OMV. Can you give a few details please.
-
Thanks!
I installed openmediavault_4.0.14-amd64.iso, and installed updates (4.0.16-1 Arrakis).
...
I tried with the script, but the sssd service did not start because of this: "Failed to read keytab [default]: No such file or directory".
After that I was trying with this: Guide how to join OpenMediaVault 3.x in an Active Directory domain
On it I was not able to continue here: "Restart SSSD" because "Failed to read keytab [default]: No such file or directory".
So I googled that error and got this page: "http://felipeferreira.net/index.php/2017/01/failed-to-read-keytab-default/"
Now I am trying to figure out how to assign AD users/groups to SMB shared folders; the default settings allow me to access shared folders at least.
Thank you very much!
OMV is a great software.
(I speak Spanish, please excuse any mistake.)
-
I assume your users and groups show in Access Rights Manager. Then in shared folder click folder and then privileges and acl as needed.
What kind of directory server are you connecting to? I would like to include your results in the script.
Thanks
-
I am using Zentyal 5.0 as AD server.
> I assume your users and groups show in Access Rights Manager. Then in shared folder click folder and then privileges and acl as needed.
Only OMV users and groups appear.
Even after already being joined (with the command: "net ads join -U Administrator"), when running the script I get this:

```
kinit: KDC reply did not match expectations while getting initial credentials
Failed to join domain: failed to lookup DC info for domain 'MYDOMAIN.LOCAL' over rpc: An internal error occurred.
```
I guess I still need to do something else or something is missing.
-
First reboot and clear the sssd database (one of the last steps in the script). Then run "getent passwd". Does that show your users? If so, look at the uid numbers. Are they less than 60000? If greater, either edit /etc/login.defs or look at the setting in my smb.conf.
-
-
-
You're welcome. So everything works now?
Do you think adding your fix for "Failed to read keytab [default]: No such file or directory" to the script would work?
-
I've gotten FreeIPA/Samba semi-working by adding security = user to the SMB options. This bypasses the kerberos checks and authenticates logins against the local list - which is already synced successfully with FreeIPA. Windows machines can then use an IPA domain user's credentials to access SMB shares.
They still can't use their own credentials, so it's not perfect. But it's working, which is important for the WAF.
-
-
> You're welcome. So everything works now?
> Do you think adding your fix for "Failed to read keytab [default]: No such file or directory" to the script would work?
I think so.
Now I am trying to change subfolder permissions, but they remain the same as the root folder.
New to openmediavault, old to sssd. Just got this working on my new install.
Install necessary tools. (Haven't seen libsasl2-modules-gssapi-mit as a dependency on any other online Debian guides, so I want to call it out here. This solved an issue I had with GSSAPI saying there were no SASL methods between my AD and OMV server).
```bash
apt-get update && apt-get upgrade -y && apt-get install sssd sssd-tools realmd krb5-user libpam-sss libnss-sss libsasl2-modules-gssapi-mit packagekit -y
```
Join the domain using realmd.
For example, when joining the domain AD.HAILSATAN.COM. (Note to DEVS: realm can accept a password from stdin. When scripting, something like echo $pcBuilderPass | realm join -U PCBuilder AD.HAILSATAN.COM --verbose totally works.)
Add the following configuration line to /etc/krb5.conf, because most people have their DNS setup like shit. This is a default in RHEL/CentOS. It solves the GSSAPI error (Server not found in kerberos database).
Most people don't want to use FQDNs, so make this sensible change to /etc/sssd.conf:
Restart sssd.
And test the configuration by asking for id info on a domain user.
```bash
root@nas:~ id dtrump
uid=126784105(dtrump) gid=116604512(domain users) groups=116604512(domain users),27(sudo),126514609(illuminati),121647812(democrat bankers),176635179(Continuity of Government),16554327(webfilterpornbypassforpres)
```
You can then follow the great guide at "Guide how to join OpenMediaVault 3.x in an Active Directory domain" for OMV-specific tricks (setting up autofs and /etc/login.defs).
Hope this helps guys. Thanks for the awesome software.
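An added example, not code from the thread, from OMV or from any script mentioned here: a small POSIX shell check for the advice earlier in the thread (compare the uid numbers from "getent passwd" against UID_MAX in /etc/login.defs), using the kind of large directory uid seen in the "id dtrump" output above. The login.defs text and passwd lines are constructed samples.

```shell
#!/bin/sh
# Added example (not from the thread or from OMV): find directory users whose
# uid lies above the UID_MAX window in /etc/login.defs. SSSD's AD id mapping
# typically hands out uids far above 60000, which is why the thread suggests
# raising UID_MAX or checking the smb.conf id settings.
# Both functions read getent/login.defs-style text from stdin.

# Print the value of KEY ($1) from login.defs text, or the default ($2) when
# the key is absent or commented out ("#UID_MAX" does not match "UID_MAX").
logindefs_value() {
    awk -v key="$1" -v def="$2" \
        '$1 == key { v = $2 } END { print (v == "" ? def : v) }'
}

# Print "name:uid" for every passwd line whose uid is greater than $1.
# System accounts below UID_MIN are not the problem here, so only the upper
# bound is checked.
users_above_uid_max() {
    awk -F: -v max="$1" '$3 + 0 > max + 0 { print $1 ":" $3 }'
}

# Constructed sample: a login.defs with the stock Debian window ...
SAMPLE_LOGINDEFS='# /etc/login.defs (constructed sample)
UID_MIN                  1000
UID_MAX                 60000
GID_MIN                  1000
GID_MAX                 60000'

# ... and passwd entries as getent would show them after the domain join
# (the dtrump uid/gid mirror the id output quoted in the thread).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
admin:x:1000:100:admin:/home/admin:/bin/bash
dtrump:*:126784105:116604512:dtrump:/home/dtrump:/bin/bash'

# Report the users that the thread says OMV will not list until UID_MAX is raised.
uid_max=$(printf '%s\n' "$SAMPLE_LOGINDEFS" | logindefs_value UID_MAX 60000)
offenders=$(printf '%s\n' "$SAMPLE_PASSWD" | users_above_uid_max "$uid_max")
if [ -n "$offenders" ]; then
    printf 'uids above UID_MAX=%s:\n%s\n' "$uid_max" "$offenders"
else
    printf 'all uids fit under UID_MAX=%s\n' "$uid_max"
fi
```

On a real box replace the two sample variables with `cat /etc/login.defs` and `getent passwd`.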
-
Thanks, that did the trick on my new omv setup. pretty happy with the result.
I'm a complete layman in all this, but I just noticed that ubuntu (at least 17.10) has freeipa-server packages. Could we expect them to be built with the "same" (if not proper) MIT kerberos?
-
-
Feel free to modify the script with your suggestions. Maybe a test and branch?
Thanks
-
I have the following error:
mv [sssd[ldap_child[17510]]]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.
Any suggestions?
-
It's hard to guess without knowing the versions of OMV and the LDAP server.
-
-
I have OMV 4.1.7 and Zentyal 5.1
-
Sorry I don't have Zentyal to test. From some of the posts above it may be working with some tweaks.