Description
With this guide you are able to join a Windows domain (either a Windows domain controller or a Samba 4 domain controller) with your OpenMediaVault server.
This is a new method to join a domain with SSSD instead of Winbind. It is much easier to set up and more reliable than Winbind.
However there is a drawback: if SSSD chooses the UID and GID itself, the numbers seem too high to be visible in OMV's UI. If the directory provides UIDs and GIDs set by the administrator, and they are low enough (10000 for example), OMV is able to show them.
This is currently a BETA; I successfully configured a fresh install of OMV 3 with these steps.
Requirements
- OpenMediaVault 3.0.83 or higher
- A Samba 4 domain controller with uid and gid properties set for users and groups
OMV Configuration
Network settings
- Check IP configuration
Use the web UI to set up a fixed IP address and a hostname with a domain name matching your domain.
Open a terminal (locally or with SSH) and check the hostname configuration of your OpenMediaVault.
root@my-server:~# hostname -s
my-server
root@my-server:~# hostname -d
domain.com
root@my-server:~# cat /etc/hostname
my-server
root@my-server:~# cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 my-server.domain.com my-server
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
The first command lets you check that the server has the expected name. It may be whatever you want.
The second command checks the domain suffix of your hostname. It must match the domain name of your domain controller.
The third command checks that /etc/hostname matches your hostname. If it does not match the output of hostname -s, update it.
Packages installation
Now install the packages required to set up and use SSSD.
root@my-server:~# apt-get install sssd realmd policykit-1 packagekit adcli
root@my-server:~# realm discover -v domain.com
root@my-server:~# realm -v join domain.com -U administrator --membership-software=adcli
apt-get install installs sssd and the packages it needs.
realm discover checks that you can find your domain controller.
realm join .. well .. joins your domain. You need to specify the login of an administrator account, and the process will ask you for its password. Some additional packages will be installed automatically.
SSSD is now running; to tweak it you need to stop it and reset its cache.
Configure SSSD
Check /etc/sssd/sssd.conf and switch use_fully_qualified_names to False. This allows you to authenticate without specifying your domain.
Read the Mapping algorithm paragraph of the SSSD AD provider documentation to decide whether you want ldap_id_mapping or not, either on this page: https://linux.die.net/man/5/sssd-ad or by reading the man page from the OMV terminal.
If you want to disable ID mapping and use POSIX attributes in your AD, also change ldap_id_mapping to False. Doing this requires that you set up uid and gid for all your users and groups in your directory.
If you want to show your users in the OpenMediaVault web interface, you need to add the parameter enumerate = True at the bottom of the section [domain/domain.com]. However this is NOT recommended because it will slow down the server and generate network traffic with your domain controller. If you have a lot of users, you should consider keeping its default value (False) and configuring permissions with setfacl. The same issue occurs with Winbind, so it is useless to prefer Winbind to work around this problem.
Customize override_homedir to set the path containing your users' home directories. You will bind mount a subtree of a filesystem here in the next steps. This means this subtree will be available at 2 paths in OMV's filesystem.
Here is an example of /etc/sssd/sssd.conf
[sssd]
domains = domain.com
config_file_version = 2
services = nss, pam
[domain/domain.com]
ad_domain = domain.com
krb5_realm = DOMAIN.COM
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
# Enable the following line to manage UID and GID
#ldap_id_mapping = False
use_fully_qualified_names = False
override_homedir = /home/domain.com/users/%u
# fallback_homedir is actually useless, but I prefer to keep it
# in case I need to do something with override_homedir
fallback_homedir = /home/domain.com/users/%u
access_provider = ad
#enumerate = True
Restart SSSD.
The realm command also updates /etc/nsswitch.conf to use sssd as a source. You do not need to update it yourself, but here is an example of what you should see in this file. Notice the word sss is added on some lines.
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: compat sss
group: compat sss
shadow: compat sss
hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4
networks: files
protocols: db files
services: db files sss
ethers: db files
rpc: db files
netgroup: nis sss
Now that sssd is configured and running, try to look up an existing domain user.
Enable mkhomedir
Create the file /usr/share/pam-configs/my_mkhomedir with the following content:
Name: Activate mkhomedir
Default: yes
Priority: 900
Session-Type: Additional
Session:
required pam_mkhomedir.so umask=0077 skel=/etc/skel
The umask argument for mkhomedir didn't work for me. pam_umask.so seems to be a better option. Create the file /usr/share/pam-configs/umask with the following:
Name: Activate umask
Default: yes
Priority: 800
Session-Type: Additional
Session:
optional pam_umask.so umask=0077
Run the command pam-auth-update, then enable Activate mkhomedir and Activate umask.
Configure Home directories
In the OMV UI, open the users administration panel. Assuming you have at least one shared folder defined, choose the Settings tab and enable user home directories. Choose a device and set the path /users to store them. This path is important for the next step.
Find the mounted data volume you want to use for your home directories. In this example, it is the last line of the mount output. The path after "on" will be reused to bind mount the volume at /home/domain.com.
mount
( ... snip ... )
tmpfs on /etc/machine-id type tmpfs (ro,relatime,size=100844k,mode=755)
systemd-1 on /proc/sys/fs/binfmt_misc type autofs (rw,relatime,fd=23,pgrp=1,timeout=300,minproto=5,maxproto=5,direct,pipe_ino=9415)
debugfs on /sys/kernel/debug type debugfs (rw,relatime)
mqueue on /dev/mqueue type mqueue (rw,relatime)
hugetlbfs on /dev/hugepages type hugetlbfs (rw,relatime)
fusectl on /sys/fs/fuse/connections type fusectl (rw,relatime)
tmpfs on /tmp type tmpfs (rw,relatime)
rpc_pipefs on /run/rpc_pipefs type rpc_pipefs (rw,relatime)
binfmt_misc on /proc/sys/fs/binfmt_misc type binfmt_misc (rw,relatime)
/dev/sdb1 on /srv/dev-disk-by-id-scsi-0QEMU_QEMU_HARDDISK_drive-scsi1-part1 type ext4 (rw,noexec,relatime,data=ordered,jqfmt=vfsv0,usrjquota=aquota.user,grpjquota=aquota.group)
Edit /etc/fstab and bind mount your share to /home/domain.com. The line must be added after # <<< [openmediavault]. This ensures it will not be overwritten when you edit OpenMediaVault's configuration.
Go to the SMB/CIFS configuration and enable SMB/CIFS.
Set the Workgroup field to DOMAIN (uppercase, matching the word before the first dot of your domain name). Enable user home directories, and add the following to your extra options:
password server = *
realm = DOMAIN.COM
dedicated keytab file = FILE:/etc/krb5.keytab
kerberos method = dedicated keytab
security = ads
allow trusted domains = yes
template shell = /bin/bash
template homedir = /home/domain.com/users/%U
# Performance improvements
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
client ntlmv2 auth = yes
client use spnego = yes
obey pam restrictions = yes
If you're using OMV 4.X change the line
dedicated keytab file = FILE:/etc/krb5.keytab
into
dedicated keytab file = /etc/krb5.keytab
Save and apply changes.
Read this post if you're under Windows 8 to try a performance enhancement: http://forums.openmediavault.o…f=3&t=1493&p=24413#p24366
This step is not required
If you wish to view your AD users and groups in the OMV web interface, include their UIDs and GIDs in the non-system range of /etc/login.defs: find UID_MAX, then change UID_MAX and GID_MAX. You need to choose a value higher than the highest UID and GID you can find in your directory. Here are the default values.
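As an added example (not from the original post), the following POSIX shell helpers find the highest UID or GID the name service returns and compare it with UID_MAX or GID_MAX in a login.defs file, which is the check this step asks for. They read passwd- and group-format lines (what getent passwd and getent group print), so the sample users, the login.defs content and the SSSD-mapped ids shown here are all constructed.

```shell
#!/bin/sh
# Added example (not from the original guide): compare UID_MAX / GID_MAX from a
# login.defs file with the highest UID and GID the name service returns, using
# passwd- and group-format lines (what "getent passwd" and "getent group" print).
# The sample lines, the login.defs values and the id-mapped ids are constructed.

# highest_id: reads passwd/group lines on stdin and prints the largest id in
# field 3, ignoring the local system range below 1000.
highest_id() {
    awk -F: '$3 >= 1000 && $3 > max { max = $3 } END { print max + 0 }'
}

# login_def FILE KEY: prints the value of KEY (UID_MAX, GID_MAX, ...) in FILE.
login_def() {
    awk -v key="$2" '$1 == key { print $2 }' "$1"
}

# check_range FILE KEY HIGHEST: succeeds when KEY in FILE is above HIGHEST.
check_range() {
    cur=$(login_def "$1" "$2")
    if [ "${cur:-0}" -gt "$3" ]; then
        echo "$2=$cur is above the highest id $3"
        return 0
    fi
    echo "$2=${cur:-unset} must be raised above $3 in $1" >&2
    return 1
}

# Constructed sample: a local admin, two users with administrator-set POSIX
# ids (10001/10002), and one whose ids SSSD mapped itself (too high for OMV).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
admin:x:1000:1000::/home/admin:/bin/bash
alice:x:10001:10000::/home/domain.com/users/alice:/bin/bash
bob:x:10002:10000::/home/domain.com/users/bob:/bin/bash
svc-backup:x:1879201104:1879200513::/home/domain.com/users/svc-backup:/bin/bash'
SAMPLE_LOGIN_DEFS='UID_MIN 1000
UID_MAX 60000
GID_MIN 1000
GID_MAX 60000'

# Demo on a temporary login.defs; on the real server use
# "getent passwd | highest_id" and /etc/login.defs instead.
demo() {
    defs=$(mktemp)
    printf '%s\n' "$SAMPLE_LOGIN_DEFS" > "$defs"
    top=$(printf '%s\n' "$SAMPLE_PASSWD" | highest_id)
    check_range "$defs" UID_MAX "$top" || echo "raise UID_MAX above $top"
    rm -f "$defs"
}
```

With enumerate left at its default (False), getent passwd only lists local users and users already cached, so pass the domain user names to getent explicitly when you run this on the server.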
Editing AD users and groups using the OMV web interface will fail because they are not stored in /etc/passwd and /etc/group.
You should now be able to browse your home directory and shares, if any, with a user managed by your directory server, from a workstation enrolled with SSSD. To set up SSSD on a workstation, follow the same steps as this guide but do not set up Samba (because the workstation will probably not share files itself; OMV does that).