Active Directory / LDAP Revisited

    • OMV 3.x (stable)


    • My network is not that big. My domain controller is a Raspberry Pi, running Samba 4 as a domain controller.

      SMB/CIFS is set up like in the quote.

      net ads testjoin gives the following output:

      root@speichermonster:/home/gamienator# net ads testjoin
      Join is OK

      So do you have an idea where the error could be?
    • Hello,

      I hope I'm not too late to ask, but I'm having a problem joining the domain. Uhh, what exactly should I put in the General Settings: Workgroup under SMB/CIFS? Thank you :)

      Please enter the domain you wish to join: UPPER CASE?
      <DOMAIN.COM>
      Please enter a domain admin login to use:
      omv.nas
      If join fails please check /etc/nsswitch.conf and /etc/krb5.conf
      Password for omv.nas@<DOMAIN.COM>:
      Failed to join domain: failed to find DC for domain WORKGROUP
      root@openmediavault:~#
    • What is your Active Directory type? "Failed to join domain: failed to find DC for domain WORKGROUP" suggests you didn't set the workgroup on the SMB/CIFS settings page. You also need to add some info to the extras section. Customize it to your domain.

      ### Add below in extra options
      ### Change server name and realm to match yours
      #Extra Options
      client signing = yes
      client use spnego = yes
      kerberos method = secrets and keytab
      password server = mustang.example.com
      realm = EXAMPLE.COM
      security = ads
      Thanks for testing
      If you make it idiot proof, somebody will build a better idiot.
    • Uhm, my LDAP server is FreeIPA (CentOS) and the info for the extras section was added already. Anyway, I'm a little confused about what to put at password server and realm; should it be like the first one or the second one?

      password server = ipa.domain.com
      realm = DOMAIN.COM
      or
      password server = domain.com
      realm = DOMAIN.COM

    • Thank you @donh. I'm still having issues though. Not sure if I should post it here or in the other thread xD

      root@openmediavault:~# realm discover -v domain.com
      * Resolving: _ldap._tcp.domain.com
      * Performing LDAP DSE lookup on: <ldap_ip>
      * Successfully discovered: domain.com
      domain.com
      type: kerberos
      realm-name: DOMAIN.COM
      domain-name: domain.com
      configured: no
      server-software: ipa
      client-software: sssd
      root@openmediavault:~# realm -v join domain.com -U omv.nas --membership-software=adcli
      * Resolving: _ldap._tcp.domain.com
      * Performing LDAP DSE lookup on: <ldap_ip>
      * Successfully discovered: domain.com
      Password for omv.nas:
      ! Unsupported or unknown membership software 'adcli'
      realm: Couldn't join realm: Unsupported or unknown membership software 'adcli'
      root@openmediavault:~# realm -v join domain.com -U omv.nas --server-software=ipa
      * Resolving: _ldap._tcp.domain.com
      * Performing LDAP DSE lookup on: <ldap_ip>
      * Successfully discovered: domain.com
      Password for omv.nas:
      realm: Couldn't join realm: Message did not receive a reply (timeout by message bus)
      root@openmediavault:~# realm -v join domain.com -U omv.nas --client-software=sssd
      * Resolving: _ldap._tcp.domain.com
      * Performing LDAP DSE lookup on: <ldap_ip>
      * Successfully discovered: domain.com
      Password for omv.nas:
      realm: Couldn't join realm: Message did not receive a reply (timeout by message bus)
    • > root@openmediavault:~# realm -v join domain.com -U omv.nas --client-software=sssd

      Did you set the domain on the network page for OMV? I think it should be:

      root@openmediavault:~# realm -v join domain.com -U omv.domain.com --client-software=sssd

      You can ask in either thread. The goal is to get it into omv 4 and a plugin in 3. The more feedback the better.
      If you make it idiot proof, somebody will build a better idiot.
    • Yes, I did.

      Hostname: openmediavault
      Domain: domain.local

      LDAP - ipa.domain.com
      OMV - openmediavault.domain.local

      I received the same error as shown above. Does the firewall have something to do with this? No?

      root@openmediavault:~# realm -v join domain.com -U openmediavault.domain.local --client-software=sssd
      * Resolving: _ldap._tcp.domain.com
      * Performing LDAP DSE lookup on: <ldap_ip>
      * Successfully discovered: domain.com
      Password for openmediavault.domain.local:
      realm: Couldn't join realm: Message did not receive a reply (timeout by message bus)
    • I was not able to connect to the demo site from OMV. DNS issue, I think. I did set up a Fedora VM and was able to connect to the demo site with these instructions: freeipa.org/page/Demo Maybe you could set up a VM and try it? Then compare config files. It seems sssd does support FreeIPA nicely.

      [domain/demo1.freeipa.org]
      cache_credentials = True
      krb5_store_password_if_offline = True
      ipa_domain = demo1.freeipa.org
      id_provider = ipa
      auth_provider = ipa
      access_provider = ipa
      ldap_tls_cacert = /etc/ipa/ca.crt
      ipa_hostname = fedora26.example.com
      chpass_provider = ipa
      ipa_server = _srv_, ipa.demo1.freeipa.org
      dns_discovery_domain = demo1.freeipa.org
      [sssd]
      services = nss, sudo, pam, ssh
      domains = demo1.freeipa.org
      [nss]
      homedir_substring = /home
      [pam]
      [sudo]
      [autofs]
      [ssh]
      That is sssd.conf. As you can see it has ipa settings. Looks like you might even be able to administer the users on the ipa server.
      If you make it idiot proof, somebody will build a better idiot.
    • A FreeIPA link that may be of interest.

      freeipa-client from a third-party repo. It probably won't make it into OMV but could show the settings required. Try it in a VM.

      clusterfrak.com/sysops/app_installs/freeipa_clients/
      Fix this line: echo -e 'deb http://apt.hgb.fr jessie main' >> /etc/apt/sources.list to echo -e 'deb http://apt.numeezy.fr jessie main' >> /etc/apt/sources.list

      Still can't connect to the demo site, though.
      If you make it idiot proof, somebody will build a better idiot.
    • I've been doing some playing around with the FreeIPA side of things, and I think I have some good news and some bad news -

      The good news is I've successfully gotten an OMV install joined to an IPA domain with an AD trust, and I'm able to ssh in via AD users. So far, all users and groups that appear in FreeIPA show up as expected in the Web UI - although they're not directly editable.

      The bad news is that Samba/CIFS isn't working - and I don't think it's going to be any time soon. OMV's version of samba has known incompatibility issues with FreeIPA due to how they handle Kerberos authentication. Debian (and thus OMV) uses the Heimdal version of Kerberos, and RHEL/CentOS (and thus FreeIPA) use the MIT version. The server can otherwise be configured successfully - even appearing in the Network Browser on Windows clients - but upon trying to authenticate a host it fails with krb5_init_context_failed messages in the server logs.

      Samba 4.7 is possibly set to fix this, but it'll be a while before that hits Debian Stable. Worse, the unstable and testing versions aren't built with MIT support enabled - so you have to compile it yourself. And that's where I'm at right now, but I've not been having much success - it's now killing the process when a client tries to connect. I'll admit I'm now over my head, so my failures at this point don't really mean anything. Since the current version works with everything except my Windows systems, the current fallback plan is to just share via NFS to a CentOS/RHEL VM on the same box, and then host Samba from there.

      Either way, here's the method I've been using to get the FreeIPA link going on a fresh install of OMV:

      AkujinNoNinjin wrote:

      The FreeIPA client has been pulled from Debian Stretch, and is currently only available via alternate repositories like the numeezy repo mentioned by @donh above:


      wget -qO - http://apt.numeezy.fr/numeezy.asc | apt-key add -
      echo -e 'deb http://apt.numeezy.fr jessie main' >> /etc/apt/sources.list

      Install the required packages:
      apt-get install sssd realmd libpam-sss libnss-sss sssd-tools freeipa-client libsss-sudo policykit-1 packagekit

      Use realmd to find and join the domain, which fills in *most* of the config for you and sets up the IPA auth. If the join fails due to an authentication error, you probably need to run a kinit admin for a Kerberos ticket first.
      realm discover -v domain.com
      realm -v join domain.com
      # (enter admin password)

      Stop the SSSD service, and edit /etc/sssd/sssd.conf. Realmd should have set the *_provider entries to IPA, as well as the ipa_domain, ipa_hostname and ipa_server names. Note: elsewhere in the thread people mention using ldap_* entries for various reasons (eg ldap_idmap_range, ldap_user_search_base). These are *only* applicable to an ldap setup -IPA has a different set of sssd.conf entries.

      Under [domain\domain.com] add enumerate = true - this can cause some lag on first connection, but appears to be necessary to have users appear in WebUI
      Under [sssd] change "services= sudo, ssh" to "services= sudo, ssh, nss, pam"

      Double check /etc/nsswitch.conf got updated by realm:

      passwd: compat sss
      group: compat sss
      shadow: compat sss
      ...
      services: db files sss
      ...
      netgroup: nis sss

      service sssd restart

      getent passwd and getent group should now return results for domain users and groups, but they still won't show in the Web GUI. For that, you need to edit /etc/login.defs and raise max_GID and max_UID to numbers higher than your FreeIPA server will ever assign - FreeIPA WebGUI > IPA Server > ID Ranges. For my setup, that meant changing both from 60000 to 2000000000. After that, everything should also appear in OMV. Samba/CIFS should still be *disabled*.

      The post was edited 3 times, last by akujinnoninjin: (Note about needing Kerberos ticket), (policykit1 is necessary - fixes "Not Authorized To Perform This Action" on realm discover. Packagekit also necessary to avoid missing requirements error on join).
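A post-join check script, added here as an editorial example rather than code from the thread or the OMV project: it verifies the three manual edits the post above describes (enumerate and services in sssd.conf, sss in nsswitch.conf, raised ID limits in login.defs) against sample files it constructs itself. It assumes the login.defs keys are UID_MAX and GID_MAX (the post calls them max_UID and max_GID) and that on a real host the inputs would be /etc/sssd/sssd.conf, /etc/nsswitch.conf and /etc/login.defs.

```shell
#!/bin/sh
# Added example, not from the thread: verify the three post-join edits the
# post above describes, on sample files constructed below. On a real host the
# inputs are /etc/sssd/sssd.conf, /etc/nsswitch.conf and /etc/login.defs.
set -u

# check_sssd_conf FILE: enumerate = true is set and services has nss and pam
check_sssd_conf() {
    grep -Eiq '^[[:space:]]*enumerate[[:space:]]*=[[:space:]]*true' "$1" || return 1
    svc=$(sed -n 's/^[[:space:]]*services[[:space:]]*=[[:space:]]*//p' "$1" | tr -d ' ')
    case ",$svc," in *,nss,*) ;; *) return 1 ;; esac
    case ",$svc," in *,pam,*) ;; *) return 1 ;; esac
}

# check_nsswitch FILE: passwd, group and shadow lines must list the sss module
check_nsswitch() {
    for db in passwd group shadow; do
        grep -Eq "^[[:space:]]*$db:.*[[:space:]]sss([[:space:]]|$)" "$1" || return 1
    done
}

# check_login_defs FILE LIMIT: UID_MAX and GID_MAX (the post's max_UID/max_GID)
# must both be at least LIMIT, the top of the FreeIPA ID range
check_login_defs() {
    for key in UID_MAX GID_MAX; do
        val=$(awk -v k="$key" '$1 == k { v = $2 } END { print v }' "$1")
        [ -n "$val" ] && [ "$val" -ge "$2" ] || return 1
    done
}

# Constructed samples: *.good is the post's final state, *.bad is what realmd
# leaves untouched (no enumerate, no nss/pam, default 60000 limits).
TMP=$(mktemp -d)
printf '[domain/domain.com]\nid_provider = ipa\nenumerate = true\n[sssd]\nservices = sudo, ssh, nss, pam\n' > "$TMP/sssd.good"
printf '[domain/domain.com]\nid_provider = ipa\n[sssd]\nservices = sudo, ssh\n' > "$TMP/sssd.bad"
printf 'passwd: compat sss\ngroup: compat sss\nshadow: compat sss\n' > "$TMP/nss.good"
printf 'passwd: compat\ngroup: compat sss\nshadow: compat\n' > "$TMP/nss.bad"
printf 'UID_MAX 2000000000\nGID_MAX 2000000000\n' > "$TMP/login.good"
printf 'UID_MAX 60000\nGID_MAX 60000\n' > "$TMP/login.bad"

# report NAME CMD...: print PASS/FAIL for one check without aborting
report() { n=$1; shift; if "$@"; then echo "PASS $n"; else echo "FAIL $n"; fi; }
report sssd.conf check_sssd_conf "$TMP/sssd.good"
report nsswitch.conf check_nsswitch "$TMP/nss.good"
report login.defs check_login_defs "$TMP/login.good" 2000000000
```

Point the three check functions at the real /etc files to confirm a fresh join before expecting domain users in the OMV Web GUI.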

    • They do indeed, and so far everything except CIFS/Samba is working as expected. Samba config so far has been ultimately unsuccessful, with the closest I've gotten being the above mentioned krb5_init_context_failed messages when attempting to authorize a client.

      In tracing those, I came across several recent threads mentioning that the FreeIPA client port is built against libraries known to be incompatible with Debian's Samba, causing them to misinterpret each other's requests. I believe this is why FreeIPA was pulled from Stretch in the first place.

      There's also no real ETA for the fix - the freeIPA devs don't officially support Debian, and the Debian Samba team have other priorities - although the 4.7 update looks promising.