Active Directory / LDAP Revisited

    • Active Directory / LDAP Revisited

      This is early stage of testing only. Use at your own risk. Your mileage may vary.

      Seems to be quite a few threads about this over the years. I have had it working for years but it seems to be quite tricky. With 3.0 coming I decided to look at it again. I did not test against 2.x but it may work as well. I started clean and found something I had not seen before, sssd. It seems to do both AD and other ldap well. I only have a 2008 server to test with so please test other variants if you are interested. I test this in a proxmox vm against a 2008 sbs server with only a few users. I am pasting my notes and hope they are readable.
      I start with a clean install from the iso of a few days ago.

      Source Code

      OMV 3 beta AD integration
      Active directory lives on DNS, i.e. you must have DNS working before
      trying to use AD. In my opinion the best thing to do is use dhcp and set a reservation.
      If dns does not work you need to jump through hoops to make things work!
      Links
      https://wiki.ubuntu.com/Enterprise/Authentication/sssd
      https://help.ubuntu.com/lts/serverguide/sssd-ad.html#sssd-ad-test
      Plus a lot more googling
      Install iso
      apt-get update
      apt-get dist-upgrade ## Upgrade from the webui fails with dependency issue
      reboot ## end up with 4.9 kernel because using # jessie-updates, previously known as 'volatile'
      deb http://ftp.us.debian.org/debian/ jessie-updates main contrib non-free
      deb-src http://ftp.us.debian.org/debian/ jessie-updates main contrib non-free
      omv-initsystem
      Configure smb and enable. Setup share
      Fix login.defs
      nano /etc/login.defs
      Add to smb/cifs extra options
      #Extra Options
      client signing = yes
      client use spnego = yes
      kerberos method = secrets and keytab
      password server = mustang.example.com
      realm = example.COM
      security = ads
      nano /etc/sssd/sssd.conf
      [sssd]
      services = nss, pam, pac
      config_file_version = 2
      domains = example.COM
      [domain/example.COM]
      id_provider = ad
      access_provider = ad
      auth_provider = ad
      chpass_provider = ad
      ldap_idmap_default_domain = example.com
      ldap_idmap_autorid_compat = True
      #ldap_id_mapping = True
      #ldap_schema = ad
      # Enumeration is discouraged for performance reasons.
      enumerate = true
      #ldap_idmap_range_min = 20000
      #ldap_idmap_range_max = 60000
      ldap_schema = rfc2307bis
      #ldap_access_order = expire
      #ldap_account_expire_policy = ad
      #ldap_force_upper_case_realm = true
      #ldap_user_search_base = dc=example,dc=com
      #ldap_group_search_base = dc=example,dc=com
      #ldap_user_object_class = user
      #ldap_user_name = sAMAccountName
      #ldap_user_fullname = displayName
      #ldap_user_home_directory = unixHomeDirectory
      #ldap_user_principal = userPrincipalName
      #ldap_group_object_class = group
      #ldap_group_name = sAMAccountName
      ldap_id_mapping = True
      # Use this if users are being logged in at /.
      # This example specifies /home/DOMAIN-FQDN/user as $HOME. Use with pam_mkhomedir.so
      override_homedir = /home/%d/%u
      # Uncomment if the client machine hostname doesn't match the computer object on the DC.
      # ad_hostname = mymachine.example.com
      # Uncomment if DNS SRV resolution is not working
      # ad_server = dc.mydomain.example.com
      # Uncomment if the AD domain is named differently than the Samba domain
      # ad_domain = example.COM
      chmod 0600 /etc/sssd/sssd.conf
      apt-get install krb5-user samba sssd ntp libpam-sss libnss-sss sssd-tools libsss-sudo libsasl2-modules-gssapi-mit ldap-utils
      nano /etc/nsswitch.conf ###move dns up in hosts not sure why that needs to be done
      hosts: files dns mdns4_minimal [NOTFOUND=return]
      Join the AD
      kinit donadmin
      net ads join -k
      getent passwd ## Should show ad users
      getent group ## Should show ad groups
      Go to shared folders. The AD users and groups under acl
      One issue is sssd has an issue with restarting if id changes db causes failed start. Work around is
      systemctl stop sssd.service && rm /var/lib/sss/db/* && systemctl start sssd.service
      Another is to use the name of the share not its ip address, Another reason for getting dns right

      The ultimate goal is to get sssd into the code or at least as a plugin. Another useful tool may be realmd, I have not tried that yet.

      I hope this is of interest to others.

      Added a script here. script post
      If you make it idiot proof, somebody will build a better idiot.

      The post was edited 1 time, last by donh: added link to script ().

    • I think for normal users it will parse passwd file populating only users with a uid higher than 1000

      I think this is the function; it will parse all users

      github.com/openmediavault/open…ediavault/system/user.inc

      then they will get filtered by type depending on the parameters.

      github.com/openmediavault/open…ned/rpc/usermgmt.inc#L138
      chat support at #openmediavault@freenode IRC | Spanish & English | GMT+10
      telegram.me/openmediavault broadcast channel
      openmediavault discord server
    • Thanks for the reply. I can't see why the users would not show. Is there a limit other than /etc/login.defs. I raised that way high.

      test:*:201163:200513:Test:/home/exanple.COM/test:

      The uid is 201163, gid is 200513, is that causing them to be ignored in the webui? Anyway they show up under acl.
      If you make it idiot proof, somebody will build a better idiot.
    • Got users showing, in /etc/sssd/sssd.conf:

      Source Code

      ldap_idmap_range_min = 20000
      #to hide computer names that show as users
      ldap_user_search_base = OU=SBSUsers,OU=Users,OU=MyBusiness,DC=example,DC=com
      With those changes you don't need to edit login.defs.
      If you make it idiot proof, somebody will build a better idiot.
    • Simplified instructions.

      Source Code

      Install and upgrade to latest
      Setup nsswitch.conf if needed. Move dns up
      Setup SMB/CIFS
      In extra options
      #Extra Options
      client signing = yes
      client use spnego = yes
      kerberos method = secrets and keytab
      password server = mustang.example.com
      realm = EXAMPLE.COM
      security = ads
      apt-get install krb5-user krb5-config sssd libpam-sss libnss-sss sssd-tools libsss-sudo libsasl2-modules-gssapi-mit
      nano /etc/sssd/sssd.conf

      Source Code: /etc/sssd/sssd.conf

      [sssd]
      services = nss, pam, pac, ssh
      config_file_version = 2
      domains = EXAMPLE.COM
      [domain/EXAMPLE.COM]
      id_provider = ad
      access_provider = ad
      auth_provider = ad
      chpass_provider = ad
      #ldap_schema = rfc2307bis
      #ldap_schema = ad
      ldap_idmap_autorid_compat = True
      # Enumeration is discouraged for performance reasons.
      # OMV needs True to show users in ui and acl
      enumerate = True
      # timeout (integer) #### The default value for this parameter is 10 seconds.
      # This get the users in range to show in UI and ACL
      ldap_idmap_range_min = 20000
      # ldap_idmap_range_max = 60000 ### Does not seem to work
      # ### Causes not able to start
      # If unneeded users or other objects show.
      # Use "dsquery user -name * " to see on windows with powershell
      #ldap_user_search_base = OU=SBSUsers,OU=Users,OU=MyBusiness,DC=example,DC=com
      # ldap_user_search_base = CN=Users,DC=example,DC=com
      # Use this if users are being logged in at /. OMV does this. Otherwise not tested
      # This example specifies /home/DOMAIN-FQDN/user as $HOME. Use with pam_mkhomedir.so
      #override_homedir = /home/%u
      #ldap_user_email = email # Could this fill the email field? might not be in this version
      #ldap_user_search_base = dc=example,dc=com
      #ldap_group_search_base = dc=example,dc=com
      #ldap_user_object_class = user
      #ldap_user_name = sAMAccountName
      #ldap_user_fullname = displayName ### Seems to be maps to comment in OMV?
      #ldap_user_home_directory = unixHomeDirectory
      #ldap_user_principal = userPrincipalName
      #ldap_group_object_class = group
      #ldap_group_name = sAMAccountName ### Seems to be maps to Name in OMV?
      # Unused options
      #ldap_idmap_default_domain = example.com
      #ldap_id_mapping = True
      #default_domain_suffix = example.com
      #ldap_access_order = expire
      #ldap_account_expire_policy = ad
      #ldap_force_upper_case_realm = true
      #ldap_user_search_base = dc=example,dc=com
      #ldap_group_search_base = dc=example,dc=com
      #ldap_user_object_class = user
      #ldap_user_name = sAMAccountName
      #ldap_user_fullname = displayName
      #ldap_user_home_directory = unixHomeDirectory
      #ldap_user_principal = userPrincipalName
      #ldap_group_object_class = group
      #ldap_group_name = sAMAccountName
      # ldap_id_mapping = True
      # Uncomment if the client machine hostname doesn't match the computer object on the DC.
      # ad_hostname = mymachine.EXAMPLE.com
      # Uncomment if DNS SRV resolution is not working
      # ad_server = dc.mydomain.example.com
      # Uncomment if the AD domain is named differently than the Samba domain
      # ad_domain = EXAMPLE.COM
      # filter_groups =
      # For other options see "man sssd.conf"
      # https://jhrozek.wordpress.com/2015/03/11/anatomy-of-sssd-user-lookup/

      Source Code

      chmod 0600 /etc/sssd/sssd.conf
      kinit administrator
      net ads join -k
      reboot
      getent passwd

      Please test this against other directory services.

      Thanks
      If you make it idiot proof, somebody will build a better idiot.

      The post was edited 1 time, last by donh ().
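
      A small lint for the sssd.conf shown above, as an added example (not part of this post, nor sssd or OMV code): it flags the things this thread ran into, the 0600 file mode, a missing enumerate, a range_min/range_max pair too small for one id-mapping slice (the "not able to start" case), mapped uids that fall outside the login.defs window OMV shows, a trailing comment on a value line, and a missing ldap_user_search_base. Assumptions are the OMV uid window taken from login.defs (1000..60000 on Debian) and sssd's one-full-slice requirement; the two configs are constructed.

```python
"""Lint an sssd.conf for the AD-on-OMV setup in this thread (added example, not sssd/OMV code).

Assumes OMV lists only uids inside login.defs UID_MIN..UID_MAX (1000..60000 on Debian),
as the thread's login.defs discussion implies, and that sssd's id-mapper needs room for
one full slice (ldap_idmap_range_max - ldap_idmap_range_min >= ldap_idmap_range_size).
"""
import configparser
import stat
# defaults from sssd-ldap(5) for the three id-mapping range options
IDMAP_DEFAULTS = {"ldap_idmap_range_min": 200000, "ldap_idmap_range_max": 2000200000,
                  "ldap_idmap_range_size": 200000}


def lint_sssd_conf(text, mode=0o600, uid_min=1000, uid_max=60000):
    """Return a list of findings; an empty list means the file looks usable."""
    # sssd.conf is INI-like: case-sensitive keys and comments only on their own line
    cp = configparser.RawConfigParser(strict=False, inline_comment_prefixes=None)
    cp.optionxform = str
    cp.read_string(text)
    out = []
    if stat.S_IMODE(mode) != 0o600:
        out.append("mode is not 0600: run chmod 0600 /etc/sssd/sssd.conf")
    for dom in cp.get("sssd", "domains", fallback="").replace(",", " ").split():
        sect = f"domain/{dom}"
        if not cp.has_section(sect):
            out.append(f"{sect}: no section for a domain listed in [sssd]")
            continue
        opts = dict(cp.items(sect))
        for key, val in opts.items():  # a trailing '# ...' is part of the value here
            if "#" in val:
                out.append(f"{sect}: inline comment on '{key}' becomes part of its value")
        if opts.get("id_provider") != "ad":
            out.append(f"{sect}: id_provider = ad is expected for Active Directory")
        if opts.get("enumerate", "false").lower() != "true":
            out.append(f"{sect}: enumerate = True is what makes users show in OMV's UI/ACL")
        lo, hi, size = (int(opts.get(k, v)) for k, v in IDMAP_DEFAULTS.items())
        if hi - lo < size:
            out.append(f"{sect}: id range holds less than one slice; the domain will not start")
        if not uid_min <= lo <= uid_max:
            out.append(f"{sect}: mapped uids start at {lo}, outside {uid_min}..{uid_max} (OMV hides them)")
        if "ldap_user_search_base" not in opts:
            out.append(f"{sect}: no ldap_user_search_base; computer accounts will list as users")
    return out


# Constructed samples modelled on the thread's configs (no real hosts or domains)
WORKING_CONF = """\
[sssd]
config_file_version = 2
domains = EXAMPLE.COM
[domain/EXAMPLE.COM]
id_provider = ad
enumerate = True
ldap_idmap_range_min = 20000
ldap_user_search_base = OU=SBSUsers,OU=Users,OU=MyBusiness,DC=example,DC=com
"""
BROKEN_CONF = """\
[sssd]
domains = EXAMPLE.COM
[domain/EXAMPLE.COM]
id_provider = ad
ldap_idmap_range_min = 20000
ldap_idmap_range_max = 60000
override_homedir = /home/%u # homes under /home
"""
```

      Run lint_sssd_conf(open("/etc/sssd/sssd.conf").read(), os.stat("/etc/sssd/sssd.conf").st_mode) on a real file; the empty result for WORKING_CONF and the five findings for BROKEN_CONF show the difference between the two configs posted in this thread.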

    • Good news bad news, Votdev looks to add it. Bad news targeted for 4.0. bugtracker I guess I should have looked at this earlier, sorry. There are 2 plugins now that could be combined by doing this or eliminated. Simplifying everything, a major goal of OMV.

      So I guess we will need a plugin. Unfortunately that is above my skill level. It should be fairly easy to do. Install a few apt packages and gather some info for smb.conf and sssd.conf. I can probably help write a script to get some of the info if it is available.

      So 400 views and only 1 other comment. Does anyone care about this feature? Has anyone tested other ldap or active directory servers?

      Thanks
      If you make it idiot proof, somebody will build a better idiot.
    • I would really like to have this functionality since right now I have to create users twice. Once in my Zentyal AD and once on OMV.

      In my test VM, I have tried to follow instructions on how to join an active directory...... unfortunately it failed
      Probably something I did, but unfortunately I don't have much time to go through and figure it out.


      I will however be no help creating this plugin, since that is way above my skill set.
    • donh wrote:

      Does anyone care about this feature? Has anyone tested other ldap or active directory servers?
      Looks interesting. Now that I know more about ldap and sssd, I could look into it a bit more. If you could create a list of fields you would like to see in the plugin with their data type and default value (optional), that would help me greatly.

      Just a warning... I have no way to test AD nor do I want to mess with anything Windows related. Just ldap on my end :) If it works with AD, great.
      omv 4.0.11 arrakis | 64 bit | 4.13 backports kernel | omvextrasorg 4.1.0
      omv-extras.org plugins source code and issue tracker - github.com/OpenMediaVault-Plugin-Developers

      Please don't PM for support... Too many PMs!
    • I will get some info to you about ad at least as of 2008 sbs and maybe a script. AD relies heavily on dns. If it is correctly setup it could be filled in automatically. I did look for a "sample" sssd.conf file that would have all the options, but never found one. Probably need to read the man pages for that. I did document some above. Are there others needed for other types?

      For other directories I would search for sssd and whatever ldap server you use.

      The goal is not to manage the directory from OMV, but only to use users and groups for permissions. That keeps it simple.
      If you make it idiot proof, somebody will build a better idiot.
    • First installment. There are 2 files that are already in use by OMV and they need to be dealt with appropriately, smb.conf and nsswitch.conf. They were sometimes modified by saving changes. Not sure that is still the case. Below are what I needed to add to smb.conf for a 2008 sbs server. I just add them to the extra options of SMB/CIFS. They seem to survive settings updates.

      ###########
      Install and upgrade to latest

      Not sure if this step is just my setup. nsswitch needs to get things from dns for AD
      The sssd apt install adds entries for itself

      Setup nsswitch.conf if needed. Move dns up in the order.

      apt-get install krb5-user krb5-config
      ## will get settings from dns and might ask if not available there.
      ## Would that popup from the install? Could it?

      Setup SMB/CIFS

      In extra options

      #Extra Options
      client signing = yes
      client use spnego = yes
      kerberos method = secrets and keytab
      password server = mustang.example.com ## needed ??
      realm = EXAMPLE.COM ## could be extracted from /etc/krb5.conf with script

      security = ads ## SECURITY = AUTO This is the default security setting
      ## in Samba, and causes Samba to consult the server role
      ## parameter (if set) to determine the security mode.
      ## See man page options user, ads, domain,
      ## Will test this later.

      apt-get install sssd libpam-sss libnss-sss sssd-tools libsss-sudo libsasl2-modules-gssapi-mit

      nano /etc/sssd/sssd.conf
      [sssd]

      To be continued

      Will do more for sssd conf later.

      Thanks.
      If you make it idiot proof, somebody will build a better idiot.
    • vshaulsk wrote:

      I would really like to have this functionality since right now I have to create users twice. Once in my Zentyal AD and once on OMV.

      In my test VM, I have tried to follow instructions on how to join an active directory...... unfortunately it failed
      Probably something I did, but unfortunately I don't have much time to go through and figure it out.


      I will however be no help creating this plugin, since that is way above my skill set.
      What version is your Zentyal? Do you have support? When you tried did you get errors, and what were they? Do you like Zentyal? It looks interesting, might try it in a vm.
      If you make it idiot proof, somebody will build a better idiot.
    • Honestly I would love to see this feature. I'm not using it in a corp environment but I am at home. I have a small AD setup at home using Server 2016 and while testing with OMV in a VM (not using my primary OMV system), this worked nicely. It would be great as a plugin as I initially attempted with the LDAP plugin and it just seemed like there was a lot of old info that didn't work with my OMV3 setup. I'm mainly doing this because I want an AD system to make maintaining/etc the numerous systems I have in my easier. It would be nice to have one place to add/remove users and password changes instead of multiple.

      My one question, will the accounts stay in sync or will I need to setup a cron job to run the getent passwd command every so often?
    • Thanks for testing. Did you have any suggestions? They should stay synced with no need to do anything. There may be some caching or delay in propagating from the ad system. In a small network it should be minimal. You can test it easily, create a user and see how soon it shows up in users etc.

      Since it is working on 2008sbs and 2016 I assume it will work on anything in between.
      If you make it idiot proof, somebody will build a better idiot.
    • No suggestions really. I'm not quite deep enough into the OMV/Linux architecture to really be able to provide suggestions/changes but can provide logs/errors if any of that pops up. Wish I could be more helpful on that end.

      Although if you have any questions on the AD side of things including some of the LDAP elements I might be able to help out. Kinda like the two lines:

      ldap_user_search_base = ou=omvusers,dc=example,dc=com
      ldap_group_search_base = ou=omvgroups,dc=example,dc=com

      I purposely created two AD OUs to clean up what was brought into OMV so only users/groups I WANT in OMV get sent to OMV. You can find the full LDAP path of these things in ADSI Edit. I can't imagine it would cause a problem to only pass specific users/groups from AD to OMV.

      It would be great to see this as a plugin but really the manual install is easy enough even if you're only semi familiar with the CLI. The only thing that initially tripped me up was editing the nsswitch.conf file. I didn't do it at first and kept getting an error when attempting to run the kinit line saying it was unable to reach a KDC server. Messing around a bit I noticed I forgot that step. Made the change and bam, worked instantly.
    • Ya nsswitch.conf seems to be a problem for some reason. I thought it might be just my system. Not sure why it does not fall through to dns? The original order is.

      Source Code

      files mdns4_minimal [NOTFOUND=return] mdns4 dns
      Seems it should get to dns eventually but for some reason doesn't. That seems to be one of the biggest faults in most tutorials I have read. I am not sure if moving dns up in the search order might break some things like mdns (bonjour), I don't think I am using it.
      If you make it idiot proof, somebody will build a better idiot.
    • donh wrote:

      Ya nsswitch.conf seems to be a problem for some reason. I thought it might be just my system. Not sure why it does not fall through to dns? The original order is.

      Source Code

      files mdns4_minimal [NOTFOUND=return] mdns4 dns
      Seems it should get to dns eventually but for some reason doesn't. That seems to be one of the biggest faults in most tutorials I have read. I am not sure if moving dns up in the search order might break some things like mdns (bonjour), I don't think I am using it.
      I did some research on the nsswitch.conf. Basically from what I'm reading, "NOTFOUND=return" if the lookup hasn't returned a success by now, to basically return a failure and not to continue on. I would imagine moving anything to the left of that entry won't hurt but could cause some slight lag. In fact, it could probably be beneficial to move dns first if you have a correctly configured dns.
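
      The action semantics described in the post above, worked through in a small Python model (an added example, not glibc or nss-mdns code): it parses a hosts: line, applies the default actions plus any [STATUS=action] override, and runs the Debian default order and a dns-first order against a constructed probe. The probe's rule for mdns4_minimal (only *.local names, UNAVAIL for anything else) follows nss-mdns' documentation; the host names and DNS zone are made up. In this model a name under a .local AD domain, like the DOMAIN.LOCAL used later in this thread, hits [NOTFOUND=return] before dns is ever asked under the default order.

```python
"""Simulate how glibc walks the nsswitch.conf 'hosts:' line (added example, not glibc code).

glibc semantics: each source answers SUCCESS/NOTFOUND/UNAVAIL/TRYAGAIN; the defaults are
[SUCCESS=return NOTFOUND=continue UNAVAIL=continue TRYAGAIN=continue] and a bracket
overrides the action for the source right before it. The probe is a constructed stand-in
for the real sources; it models nss-mdns' documented rule that mdns4_minimal handles only
*.local names and answers UNAVAIL for anything else. The '!' negated form is not handled.
"""
import re

DEFAULT_ACTIONS = {"SUCCESS": "return", "NOTFOUND": "continue",
                   "UNAVAIL": "continue", "TRYAGAIN": "continue"}


def parse_hosts_line(line):
    """'files mdns4_minimal [NOTFOUND=return] dns' -> [(source, {status: action}), ...]."""
    entries = []
    for tok in re.findall(r"\[[^\]]*\]|\S+", line.split(":", 1)[-1]):
        if tok.startswith("["):
            for pair in tok.strip("[]").split():
                status, action = pair.split("=")
                entries[-1][1][status.upper()] = action.lower()
        else:
            entries.append((tok, dict(DEFAULT_ACTIONS)))
    return entries


def lookup(line, name, probe):
    """Return (final status, source that answered or None, per-source trace)."""
    trace, status = [], "NOTFOUND"
    for source, actions in parse_hosts_line(line):
        status = probe(source, name)
        trace.append(f"{source}={status}")
        if actions[status] == "return":
            return status, (source if status == "SUCCESS" else None), trace
    return status, None, trace


# Constructed lab: a static hosts file, an AD DNS zone, nothing answering on multicast
HOSTS_FILE = {"localhost"}
AD_DNS = {"dc1.example.com", "dc1.corp.local"}


def lab_probe(source, name):
    if source == "files":
        return "SUCCESS" if name in HOSTS_FILE else "NOTFOUND"
    if source == "dns":
        return "SUCCESS" if name in AD_DNS else "NOTFOUND"
    if source.startswith("mdns"):
        # nss-mdns looks only at .local names; with no multicast answer that is NOTFOUND
        return "NOTFOUND" if name.endswith(".local") else "UNAVAIL"
    return "UNAVAIL"


DEBIAN_DEFAULT = "hosts: files mdns4_minimal [NOTFOUND=return] mdns4 dns"
DNS_FIRST = "hosts: files dns mdns4_minimal [NOTFOUND=return] mdns4"

if __name__ == "__main__":
    for line in (DEBIAN_DEFAULT, DNS_FIRST):
        for host in ("dc1.example.com", "dc1.corp.local"):
            status, src, trace = lookup(line, host, lab_probe)
            print(f"{line[7:]:50} {host:16} -> {status} via {src}  [{' '.join(trace)}]")
```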
    • I have it implemented completely. Works pretty well. The updates in AD take some time to propagate but that's not surprising. I don't intend on making lots of updates.

      On another note, I had to make a few changes here and there to allow/tweak SSH and sudo. Sudo was a little trickier as it requires altering the AD schema and making edits within ADSI edit. SSH was relatively easy. Also had to add an entry in the sssd.config to set the default shell.

      Source Code: sssd.conf

      [sssd]
      services = nss, pam, pac, sudo, ssh
      config_file_version = 2
      domains = DOMAIN.LOCAL
      [nss]
      # gives all users the default shell of /bin/bash
      default_shell = /bin/bash
      [domain/DOMAIN.LOCAL]
      id_provider = ad
      access_provider = ad
      auth_provider = ad
      chpass_provider = ad
      ldap_idmap_autorid_compat = True
      enumerate = True
      ldap_idmap_range_min = 20000
      # I have my Homes directory on one of the File Shares instead of on the system drive
      override_homedir = /media/<UUID>/Homes/%u
      # created a specific OU for users so I only get the users I want. I tried to do this for groups but for some reason it didn't work.
      ldap_user_search_base = ou=OMVUsers,dc=domain,dc=local
      In /etc/ssh/sshd_config I added the AD group I created, domain_ssh, for the users I want to have SSH rights.

      The sudo stuff like I said is a little more involved. I can possibly provide some instructions if anyone is interested. I just googled something about sssd sudo and found the process to do it. Wound up following two different sets of instructions to get it to work successfully.

      The post was edited 1 time, last by ParadingLunatic ().