Active Directory / LDAP Revisited

    • OMV 3.x


    • My network is not that big. My domain controller is a Raspberry Pi running Samba 4 as a domain controller.

      SMB/CIFS is set up as in the quote.

      net ads testjoin gives the following output:

        root@speichermonster:/home/gamienator# net ads testjoin
        Join is OK

      So do you have an idea where the error could be?
    • Hello,

      I hope I'm not too late to ask, but I'm having a problem joining the domain. Uhh, what exactly should I put in the General Settings: Workgroup under SMB/CIFS? Thank you :)

        Please enter the domain you wish to join: UPPER CASE?
        <DOMAIN.COM>
        Please enter a domain admin login to use:
        omv.nas
        If join fails please check /etc/nsswitch.conf and /etc/krb5.conf
        Password for omv.nas@<DOMAIN.COM>:
        Failed to join domain: failed to find DC for domain WORKGROUP
        root@openmediavault:~#
    • What is your Active Directory type? "Failed to join domain: failed to find DC for domain WORKGROUP" suggests you didn't set the workgroup on the SMB/CIFS settings page. You also need to add some info to the extras section. Customize it to your domain.

        ### Add below in extra options
        ### Change server name and realm to match yours
        #Extra Options
        client signing = yes
        client use spnego = yes
        kerberos method = secrets and keytab
        password server = mustang.example.com
        realm = EXAMPLE.COM
        security = ads

      Thanks for testing
      If you make it idiot proof, somebody will build a better idiot.
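      The settings above are what `net ads join` needs in the [global] section of smb.conf; the "failed to find DC for domain WORKGROUP" message comes from the workgroup still being the default, so Samba looks for a domain controller of a domain called WORKGROUP. The script below is an added example written for this thread, not code from the post, the OMV plugin or the Samba project. It checks a smb.conf for the join prerequisites before you type the join command: workgroup set and not WORKGROUP, realm present and upper case, security = ads. It also notes two things worth knowing about the extras quoted above: `client signing = yes` makes Samba require SMB signing towards the DC, and `password server` pins one DC, which turns off the DNS SRV based discovery and failover Samba would otherwise use. The file names, the sample configs and the error/note policy are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: a pre-join check for the [global]
# section of smb.conf before running "net ads join". Sample configs and
# file names below are constructed; the check policy is this example's own.

# conf_get FILE KEY: print the value of KEY ("key = value", case-insensitive,
# lines starting with # or ; ignored); the last occurrence wins, as in Samba.
conf_get() {
    grep -i "^[[:space:]]*$2[[:space:]]*=" "$1" \
        | tail -n 1 \
        | sed 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//'
}

upper() { printf '%s' "$1" | tr '[:lower:]' '[:upper:]'; }
lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# check_ads_smbconf FILE: return 0 if FILE looks joinable with security = ads,
# 1 otherwise. "error:" lines fail the check, "note:" lines do not.
check_ads_smbconf() {
    f=$1
    rc=0
    wg=$(conf_get "$f" workgroup)
    realm=$(conf_get "$f" realm)
    sec=$(conf_get "$f" security)
    ps=$(conf_get "$f" "password server")
    sign=$(conf_get "$f" "client signing")

    # net ads join looks for a DC of the configured workgroup; the default
    # WORKGROUP is not a domain, hence "failed to find DC for domain WORKGROUP".
    if [ -z "$wg" ] || [ "$(upper "$wg")" = WORKGROUP ]; then
        echo "error: workgroup is unset or still WORKGROUP"
        rc=1
    fi
    if [ -z "$realm" ]; then
        echo "error: realm is unset"
        rc=1
    elif [ "$realm" != "$(upper "$realm")" ]; then
        # Kerberos realm names are case-sensitive and conventionally upper case.
        echo "error: realm '$realm' is not upper case"
        rc=1
    fi
    if [ "$(lower "$sec")" != ads ]; then
        echo "error: security = '${sec:-<unset>}', must be 'ads' for a domain member"
        rc=1
    fi
    case "$(lower "$sign")" in
        yes|true|mandatory|required) ;;
        *) echo "note: client signing = '${sign:-<unset>}'; set it to 'yes' to require SMB signing towards the DC" ;;
    esac
    if [ -n "$ps" ] && [ "$ps" != '*' ]; then
        # Samba locates DCs through DNS SRV records by itself; pinning one
        # host means a single DC outage breaks authentication.
        echo "note: password server pins the DC to '$ps'; leaving it unset keeps DNS-based discovery and failover"
    fi
    return $rc
}

TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT

# Constructed sample 1: workgroup left at the default and no ADS settings.
cat > "$TMP/before.conf" <<'EOF'
[global]
workgroup = WORKGROUP
security = user
EOF

# Constructed sample 2: the extra options from the post, plus the workgroup.
cat > "$TMP/after.conf" <<'EOF'
[global]
workgroup = EXAMPLE
client signing = yes
client use spnego = yes
kerberos method = secrets and keytab
password server = mustang.example.com
realm = EXAMPLE.COM
security = ads
EOF

for c in before after; do
    echo "== $c.conf"
    if check_ads_smbconf "$TMP/$c.conf"; then
        echo "result: looks joinable"
    else
        echo "result: fix the errors above before joining"
    fi
done
```

      Run it as `sh check_ads.sh`; to check a real file, call `check_ads_smbconf /etc/samba/smb.conf` from the same shell. On OMV the workgroup and the extras end up in that file, so the check applies to what the web UI generated.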
    • Uhm, my LDAP server is FreeIPA (CentOS), and the info for the extras section was added already. Anyway, I'm a little confused about what to put at password server and realm; should it be like the first one or the second one?

        password server = ipa.domain.com
        realm = DOMAIN.COM
        or
        password server = domain.com
        realm = DOMAIN.COM


    • Thank you @donh. I'm still having issues though... not sure if I should post it here or in the other thread xD

        root@openmediavault:~# realm discover -v domain.com
        * Resolving: _ldap._tcp.domain.com
        * Performing LDAP DSE lookup on: <ldap_ip>
        * Successfully discovered: domain.com
        domain.com
        type: kerberos
        realm-name: DOMAIN.COM
        domain-name: domain.com
        configured: no
        server-software: ipa
        client-software: sssd
        root@openmediavault:~# realm -v join domain.com -U omv.nas --membership-software=adcli
        * Resolving: _ldap._tcp.domain.com
        * Performing LDAP DSE lookup on: <ldap_ip>
        * Successfully discovered: domain.com
        Password for omv.nas:
        ! Unsupported or unknown membership software 'adcli'
        realm: Couldn't join realm: Unsupported or unknown membership software 'adcli'
        root@openmediavault:~# realm -v join domain.com -U omv.nas --server-software=ipa
        * Resolving: _ldap._tcp.domain.com
        * Performing LDAP DSE lookup on: <ldap_ip>
        * Successfully discovered: domain.com
        Password for omv.nas:
        realm: Couldn't join realm: Message did not receive a reply (timeout by message bus)
        root@openmediavault:~# realm -v join domain.com -U omv.nas --client-software=sssd
        * Resolving: _ldap._tcp.domain.com
        * Performing LDAP DSE lookup on: <ldap_ip>
        * Successfully discovered: domain.com
        Password for omv.nas:
        realm: Couldn't join realm: Message did not receive a reply (timeout by message bus)
    • Quoting:

        root@openmediavault:~# realm -v join domain.com -U omv.nas --client-software=sssd

      Did you set the domain on the network page for omv? I think it should be

        root@openmediavault:~# realm -v join domain.com -U omv.domain.com --client-software=sssd

      You can ask in either thread. The goal is to get it into omv 4 and a plugin in 3. The more feedback the better.
      If you make it idiot proof, somebody will build a better idiot.
    • Yes, I did.

      Hostname:openmediavault
      Domain:domain.local

      LDAP - ipa.domain.com
      OMV - openmediavault.domain.local

      I received the same error as shown above. Does the firewall have something to do with this? No?

        root@openmediavault:~# realm -v join domain.com -U openmediavault.domain.local --client-software=sssd
        * Resolving: _ldap._tcp.domain.com
        * Performing LDAP DSE lookup on: <ldap_ip>
        * Successfully discovered: domain.com
        Password for openmediavault.domain.local:
        realm: Couldn't join realm: Message did not receive a reply (timeout by message bus)
    • I was not able to connect to the demo site from OMV. DNS issue, I think. I did set up a Fedora VM and was able to connect to the demo site with these instructions: freeipa.org/page/Demo. Maybe you could set up a VM and try it? Then compare config files. Seems sssd does support FreeIPA nicely.

        [domain/demo1.freeipa.org]
        cache_credentials = True
        krb5_store_password_if_offline = True
        ipa_domain = demo1.freeipa.org
        id_provider = ipa
        auth_provider = ipa
        access_provider = ipa
        ldap_tls_cacert = /etc/ipa/ca.crt
        ipa_hostname = fedora26.example.com
        chpass_provider = ipa
        ipa_server = _srv_, ipa.demo1.freeipa.org
        dns_discovery_domain = demo1.freeipa.org
        [sssd]
        services = nss, sudo, pam, ssh
        domains = demo1.freeipa.org
        [nss]
        homedir_substring = /home
        [pam]
        [sudo]
        [autofs]
        [ssh]
      That is sssd.conf. As you can see it has ipa settings. Looks like you might even be able to administer the users on the ipa server.
      If you make it idiot proof, somebody will build a better idiot.
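      The sssd.conf above is the shape a working FreeIPA client ends up with: the domain section uses the ipa provider for identity, authentication and access control, `ipa_server` starts with `_srv_` so SSSD discovers servers through DNS SRV records and falls back to the listed host, and `ldap_tls_cacert` pins the IPA CA for the LDAP/TLS connection. The script below is an added example for this thread, not code from the post, SSSD or FreeIPA; it is a section-aware check that compares a candidate sssd.conf against those points and catches the two mistakes that silently give an unusable client: a domain section that is not listed in `[sssd] domains` (it is never loaded) and a non-ipa provider. The sample files and the error/note policy are constructed for the example; the option names are real sssd.conf options.

```shell
#!/bin/sh
# Added example, not from the thread or from SSSD/FreeIPA: a sanity check for
# the [domain/...] section of an sssd.conf written for a FreeIPA client.
# Sample configs are constructed; the error/note policy is this example's own.

# ini_get FILE SECTION KEY: value of KEY inside [SECTION], empty if absent.
# Handles "key = value" with surrounding whitespace; # and ; lines are comments.
ini_get() {
    awk -v sect="$2" -v key="$3" '
        /^[[:space:]]*\[/ {
            s = $0
            sub(/^[[:space:]]*\[/, "", s); sub(/][[:space:]]*$/, "", s)
            in_s = (s == sect); next
        }
        in_s && $0 !~ /^[[:space:]]*[#;]/ {
            eq = index($0, "="); if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }' "$1"
}

# check_ipa_domain FILE DOMAIN: 0 if [domain/DOMAIN] is usable as an IPA
# client domain, 1 otherwise. "error:" lines fail, "note:" lines do not.
check_ipa_domain() {
    f=$1; d=$2; sec="domain/$d"; rc=0
    enabled=$(ini_get "$f" sssd domains)
    idp=$(ini_get "$f" "$sec" id_provider)
    authp=$(ini_get "$f" "$sec" auth_provider)
    cacert=$(ini_get "$f" "$sec" ldap_tls_cacert)
    servers=$(ini_get "$f" "$sec" ipa_server)
    ipadom=$(ini_get "$f" "$sec" ipa_domain)

    # A domain section that is not listed in [sssd] domains is never loaded.
    case ",$(printf '%s' "$enabled" | tr -d ' ')," in
        *",$d,"*) ;;
        *) echo "error: '$d' is not listed in [sssd] domains = '$enabled'"; rc=1 ;;
    esac
    if [ "$idp" != ipa ]; then
        echo "error: id_provider = '${idp:-<unset>}' in [$sec], expected 'ipa'"; rc=1
    fi
    # auth_provider defaults to id_provider, so only an explicit mismatch is wrong.
    if [ -n "$authp" ] && [ "$authp" != ipa ]; then
        echo "error: auth_provider = '$authp' in [$sec], expected 'ipa'"; rc=1
    fi
    if [ -n "$ipadom" ] && [ "$ipadom" != "$d" ]; then
        echo "error: ipa_domain = '$ipadom' does not match section [$sec]"; rc=1
    fi
    # Pin the IPA CA so the LDAP/TLS connection is verified against it rather
    # than whatever the OpenLDAP defaults happen to trust.
    if [ -z "$cacert" ]; then
        echo "error: ldap_tls_cacert is unset; set it to the IPA CA file (/etc/ipa/ca.crt on an enrolled client)"; rc=1
    fi
    case "$servers" in
        "") echo "note: ipa_server unset; SSSD relies on DNS SRV discovery alone" ;;
        *_srv_*) ;;
        *) echo "note: ipa_server = '$servers' without _srv_; DNS-based failover is off" ;;
    esac
    return $rc
}

TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT

# Constructed sample 1: domain not enabled, generic LDAP provider, no CA pinned.
cat > "$TMP/bad.conf" <<'EOF'
[sssd]
services = nss, pam
domains = other.example

[domain/demo1.freeipa.org]
id_provider = ldap
ldap_uri = ldap://ipa.demo1.freeipa.org
ipa_server = ipa.demo1.freeipa.org
EOF

# Constructed sample 2: the domain section from the post.
cat > "$TMP/good.conf" <<'EOF'
[domain/demo1.freeipa.org]
cache_credentials = True
ipa_domain = demo1.freeipa.org
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ldap_tls_cacert = /etc/ipa/ca.crt
ipa_server = _srv_, ipa.demo1.freeipa.org
[sssd]
services = nss, sudo, pam, ssh
domains = demo1.freeipa.org
EOF

for c in bad good; do
    echo "== $c.conf"
    if check_ipa_domain "$TMP/$c.conf" demo1.freeipa.org; then
        echo "result: domain section usable"
    else
        echo "result: fix the errors above"
    fi
done
```

      For a real client, run `check_ipa_domain /etc/sssd/sssd.conf your.domain` from the same shell; sssd.conf is root-only (mode 0600), so the check has to run as root.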
    • A FreeIPA link that may be of interest.

      freeipa-client from a third-party repo. Probably won't make it into OMV but could show the settings required. Try it in a VM.

      clusterfrak.com/sysops/app_installs/freeipa_clients/
      Fix this line

        echo -e 'deb http://apt.hgb.fr jessie main' >> /etc/apt/sources.list

      to

        echo -e 'deb http://apt.numeezy.fr jessie main' >> /etc/apt/sources.list

      Still can't connect to the demo site though.
      If you make it idiot proof, somebody will build a better idiot.