Active Directory / LDAP Revisited

    • OMV 3.x
    • After trying a lot of things with no results, this solved my problems:

      Source Code: http://felipeferreira.net/index.php/2017/01/failed-to-read-keytab-default/

      When starting sssd in CentOS 7 I was getting this
      ERROR:
      Failed to read keytab [default]: No such file or directory
      SOLUTION:
      rm /etc/krb5.keytab
      klist -k
      vi /etc/samba/smb.conf
        security = ads
        dedicated keytab file = /etc/krb5.keytab
        kerberos method = secrets and keytab
        realm =
      service smb restart
      net ads testjoin
      net ads leave -U Administrator
      net ads join -U Administrator
      net ads keytab create -U Administrator
      klist -k
      service sssd restart
    • Thanks!
      I installed openmediavault_4.0.14-amd64.iso and installed the updates (4.0.16-1 Arrakis).
      ...
      I tried with the script, but the sssd service did not start because of this: "Failed to read keytab [default]: No such file or directory".
      After that I tried with this: Guide how to join OpenMediaVault 3.x in an Active Directory domain
      On it I was not able to continue at "Restart SSSD" because of "Failed to read keytab [default]: No such file or directory".
      So I googled that error and got this page: "http://felipeferreira.net/index.php/2017/01/failed-to-read-keytab-default/"

      Now I am trying to figure out how to assign AD users/groups to SMB shared folders; the default settings allow me to access the shared folders at least.

      Thank you very much!
      OMV is great software.
      (I speak Spanish, please excuse any mistakes.)


    • I am using Zentyal 5.0 as AD server.


      donh wrote:

      I assume your users and groups show in Access Rights Manager. Then in shared folder click the folder and then privileges and ACL as needed.
      Only OMV users and groups appear.
      Even after already being joined (with the command "net ads join -U Administrator"), when running the script I get this:

      Source Code

      kinit: KDC reply did not match expectations while getting initial credentials
      Failed to join domain: failed to lookup DC info for domain 'MYDOMAIN.LOCAL' over rpc: An internal error occurred.
      I guess I still need to do something else or something is missing.
      First reboot and clear the sssd database (one of the last steps in the script). Then run getent passwd. Does that show your users? If so, look at the uid numbers. Are they less than 60000? If greater, either edit /etc/login.defs or look at the setting in my smb.conf.
      If you make it idiot proof, somebody will build a better idiot.
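The "less than 60000" test in donh's reply above comes down to whether an account's ids fall inside the UID_MIN..UID_MAX and GID_MIN..GID_MAX window of /etc/login.defs. The script below is an added example for this thread, not code from any poster or from OMV: it reads that window from a login.defs-style file and checks a `getent passwd` line against it. The premise that OMV only lists accounts inside the window is taken from donh's advice and is an assumption here; the login.defs excerpt and passwd lines in the demo are constructed (the dtrump ids are copied from the `id` output posted further down the thread).

```sh
#!/bin/sh
# Added example (not from the thread or from OMV): does a passwd entry fit the
# UID_MIN..UID_MAX / GID_MIN..GID_MAX window of a login.defs-style file?

# login_defs_range FILE UID|GID -> prints "MIN MAX", falling back to the shadow-utils
# defaults (1000 60000) when a key is missing or commented out.
login_defs_range() {
    awk -v pfx="$2" '
        $1 == (pfx "_MIN") { min = $2 }
        $1 == (pfx "_MAX") { max = $2 }
        END { printf "%s %s\n", (min == "" ? 1000 : min), (max == "" ? 60000 : max) }
    ' "$1"
}

# check_passwd_line PASSWD_LINE LOGIN_DEFS -> returns 0 when uid and gid both fit the
# window; otherwise names the offending id and returns 1.
check_passwd_line() {
    line=$1 defs=$2
    name=${line%%:*}
    uid=$(printf '%s\n' "$line" | cut -d: -f3)
    gid=$(printf '%s\n' "$line" | cut -d: -f4)
    set -- $(login_defs_range "$defs" UID); umin=$1 umax=$2
    set -- $(login_defs_range "$defs" GID); gmin=$1 gmax=$2
    rc=0
    if [ "$uid" -lt "$umin" ] || [ "$uid" -gt "$umax" ]; then
        echo "$name: uid $uid is outside UID_MIN..UID_MAX ($umin..$umax)"
        rc=1
    fi
    if [ "$gid" -lt "$gmin" ] || [ "$gid" -gt "$gmax" ]; then
        echo "$name: gid $gid is outside GID_MIN..GID_MAX ($gmin..$gmax)"
        rc=1
    fi
    return $rc
}

# Demo on constructed data: a stock Debian window and two constructed passwd lines,
# the second using the ids from the "id dtrump" output posted later in this thread.
# For a live check:  getent passwd "$user" | { read -r l; check_passwd_line "$l" /etc/login.defs; }
defs=$(mktemp)
printf '%s\n' '# constructed login.defs excerpt' 'UID_MIN 1000' 'UID_MAX 60000' \
              'GID_MIN 1000' 'GID_MAX 60000' > "$defs"
if check_passwd_line 'omvuser:x:1000:1000::/home/omvuser:/bin/sh' "$defs"; then
    echo "omvuser: fits the window"
fi
if check_passwd_line 'dtrump:x:126784105:116604512::/home/dtrump:/bin/bash' "$defs"; then
    echo "dtrump: fits the window"
fi
rm -f "$defs"
```

Ids produced by sssd's SID-based id mapping (or by winbind's idmap range) routinely land far above the stock UID_MAX of 60000, which is why the two fixes donh offers are "widen the window in /etc/login.defs" or "make the mapping hand out smaller ids in smb.conf". Whichever you pick, run the check again after clearing the sssd cache, since stale cache entries keep their old ids.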
    • I've gotten FreeIPA/Samba semi-working by adding security = user to the SMB options. This bypasses the kerberos checks and authenticates logins against the local list - which is already synced successfully with FreeIPA. Windows machines can then use an IPA domain user's credentials to access SMB shares.

      They still can't use their own credentials, so it's not perfect. But it's working, which is important for the WAF.

      Source Code

      realm = MY.REALM.COM
      server role = member server
      obey pam restrictions = yes
      security = USER


    • New to openmediavault, old to sssd. Just got this working on my new install.


      Install the necessary tools. (I haven't seen libsasl2-modules-gssapi-mit as a dependency in any other online Debian guide, so I want to call it out here. It solved an issue I had with GSSAPI saying there were no SASL methods between my AD and OMV server.)

      Shell-Script

      apt-get update && apt-get upgrade -y && apt-get install sssd sssd-tools realmd krb5-user libpam-sss libnss-sss libsasl2-modules-gssapi-mit packagekit -y



      Join the domain using realmd.

      Shell-Script

      realm join -U <sAMAccountName of AD user with Domain Join right> REALM --verbose


      For example, when joining the domain AD.HAILSATAN.COM. (Note to devs: realm can accept a password from stdin; when scripting, something like "echo $pcBuilderPass | realm join -U PCBuilder AD.HAILSATAN.COM --verbose" totally works.)

      Shell-Script

      realm join -U PCBuilder AD.HAILSATAN.COM --verbose

      Add the following configuration line to /etc/krb5.conf, because most people have their DNS set up like shit. This is a default in RHEL/CentOS. It solves the GSSAPI error (Server not found in Kerberos database).

      Shell-Script

      rdns = False


      Most people don't want to use FQDNs, so make this sensible change to /etc/sssd.conf:

      Shell-Script

      use_fully_qualified_names = False
      fallback_homedir = /home/%u


      Restart sssd.


      Shell-Script

      systemctl restart sssd


      And test the configuration by asking for id info on a domain user.


      Shell-Script

      root@nas:~ id dtrump
      uid=126784105(dtrump) gid=116604512(domain users) groups=116604512(domain users),27(sudo),126514609(illuminati),121647812(democrat bankers),176635179(Continuity of Government),16554327(webfilterpornbypassforpres)


      You can then follow the great guide at Guide how to join OpenMediaVault 3.x in an Active Directory domain for OMV-specific tricks (setting up autofs and /etc/login.defs).


      Hope this helps guys. Thanks for the awesome software.
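The three settings the post above adds by hand (`rdns` in /etc/krb5.conf, `use_fully_qualified_names` and `fallback_homedir` in sssd's config) are exactly the kind of edit that gets pasted twice on the second attempt, or lands in the wrong section. What follows is an added example, not code from the poster, from realmd or from sssd, of making those edits idempotently: an awk-based setter that rewrites an existing `key = value` inside one `[section]`, inserts it right after the header when it is missing, or appends the section, plus a getter to read a value back. It assumes the INI layout that krb5.conf and sssd.conf share, that sssd's file is /etc/sssd/sssd.conf (the path sssd reads by default) and that the domain section is named after the realm realmd joined, here `domain/ad.hailsatan.com`. The demo works on constructed copies so nothing on the host changes.

```sh
#!/bin/sh
# Added example (not from the post, realmd or sssd): idempotent "key = value" edits
# for the INI layout that /etc/krb5.conf and /etc/sssd/sssd.conf share.

# ini_get FILE SECTION KEY -> prints the value of KEY under [SECTION], or nothing.
ini_get() {
    awk -v sec="$2" -v key="$3" '
        /^[[:space:]]*\[/ { h = $0; gsub(/[[:space:]]/, "", h); insec = (h == "[" sec "]"); next }
        insec && index($0, "=") {
            k = $0; sub(/[[:space:]]*=.*/, "", k); gsub(/[[:space:]]/, "", k)
            if (k == key) {
                v = $0; sub(/^[^=]*=[[:space:]]*/, "", v); sub(/[[:space:]]+$/, "", v)
                print v; exit
            }
        }
    ' "$1"
}

# set_ini_kv FILE SECTION KEY VALUE -> rewrites the first KEY line under [SECTION]
# (dropping duplicates), inserts one right after the header if KEY is absent, or
# appends the section if it does not exist. Two awk passes over the same file:
# the first only records what exists, the second emits the result.
set_ini_kv() {
    file=$1 section=$2 key=$3 value=$4
    tmp=$(mktemp) || return 1
    awk -v sec="$section" -v key="$key" -v val="$value" '
        function hdr(s) { gsub(/[[:space:]]/, "", s); return s }
        function lhs(s) { sub(/[[:space:]]*=.*/, "", s); gsub(/[[:space:]]/, "", s); return s }
        FNR == NR {                                   # pass 1: what is already there?
            if ($0 ~ /^[[:space:]]*\[/) { insec = (hdr($0) == "[" sec "]"); if (insec) secfound = 1 }
            else if (insec && index($0, "=") && lhs($0) == key) exists = 1
            next
        }
        FNR == 1 { insec = 0 }                        # pass 2 starts: reset state
        /^[[:space:]]*\[/ {
            insec = (hdr($0) == "[" sec "]")
            print
            if (insec && !exists) { print "    " key " = " val; done = 1 }
            next
        }
        insec && index($0, "=") && lhs($0) == key {
            if (!done) { print "    " key " = " val; done = 1 }   # rewrite first hit, drop the rest
            next
        }
        { print }
        END { if (!secfound) { print "[" sec "]"; print "    " key " = " val } }
    ' "$file" "$file" > "$tmp" && cat "$tmp" > "$file"   # cat keeps the inode and mode
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Demo on constructed copies; for real use point the same calls at /etc/krb5.conf
# and /etc/sssd/sssd.conf (section name = the realm realmd joined, lower-cased).
krb=$(mktemp)
printf '%s\n' '[libdefaults]' '    default_realm = AD.HAILSATAN.COM' '    rdns = true' \
              '' '[realms]' > "$krb"
set_ini_kv "$krb" libdefaults rdns false        # rewrites the existing line
set_ini_kv "$krb" libdefaults rdns false        # second run changes nothing
echo "rdns is now: $(ini_get "$krb" libdefaults rdns)"

sssd=$(mktemp)
printf '%s\n' '[sssd]' '    domains = ad.hailsatan.com' '' '[domain/ad.hailsatan.com]' \
              '    id_provider = ad' '    use_fully_qualified_names = True' > "$sssd"
set_ini_kv "$sssd" domain/ad.hailsatan.com use_fully_qualified_names False
set_ini_kv "$sssd" domain/ad.hailsatan.com fallback_homedir /home/%u   # inserted after the header
cat "$sssd"
rm -f "$krb" "$sssd"
```

Writing the result back with `cat > "$file"` rather than `mv` keeps the target's owner and mode, which matters for sssd.conf because sssd refuses to start when that file is not restricted to root. Two caveats on the settings themselves: `rdns = False` only papers over missing or wrong PTR records for the DC and the file server, so the real fix is still correct reverse DNS; and `use_fully_qualified_names = False` makes AD short names share one namespace with local OMV accounts, so a local user named the same as a domain user will shadow one or the other depending on NSS order.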