Connect OMV to Active Directory 2012


    • citynet wrote:

      Trying to use the LDAP plugin to get my Domain Users and Groups so I can apply permissions on my Share Folder

      Nothing seems to work.
      Please HELP
      Without the errors given and at least a rudimentary list of what you did and what you have... no one can help you...
      --
      Get a Rose Tattoo...

      HP t5740 with Expansion and USB3, Inateck Case w/ 3TB WD-Green
      OMV 2.2.14 Stone burner i386|3.2.0-4-686-pae
    • donh wrote:

      I added a script to my last post there. Please try it.

      Thanks for the script.
      I'm not sure if I messed things up with all my previous attempts,
      but I still can't join.
      Here is my error:

      Source Code

      smbldap_search_domain_info: Adding domain info for LVAULT failed with NT_STATUS_UNSUCCESSFUL
      pdb_init_ldapsam: WARNING: Could not get domain info, nor add one to the domain. We cannot work reliably without it.
      pdb backend ldapsam:ldap://192.168.0.1:389 did not correctly init (error was NT_STATUS_CANT_ACCESS_DOMAIN_INFO)
      PANIC (pid 20220): pdb_get_methods: failed to get pdb methods for backend ldapsam:ldap://192.168.0.1:389
      BACKTRACE: 13 stack frames:
      #0 /usr/lib/x86_64-linux-gnu/libsmbconf.so.0(log_stack_trace+0x1a) [0x7f3ff03adf8a]
      #1 /usr/lib/x86_64-linux-gnu/libsmbconf.so.0(smb_panic_s3+0x20) [0x7f3ff03ae070]
      #2 /usr/lib/x86_64-linux-gnu/libsamba-util.so.0(smb_panic+0x2f) [0x7f3ff1640e5f]
      #3 /usr/lib/x86_64-linux-gnu/libsamba-passdb.so.0(+0x419cf) [0x7f3ff1ebd9cf]
      #4 /usr/lib/x86_64-linux-gnu/libsamba-passdb.so.0(pdb_is_responsible_for_builtin+0x9) [0x7f3ff1ec05a9]
      #5 /usr/lib/x86_64-linux-gnu/libsamba-passdb.so.0(pdb_create_builtin+0x35) [0x7f3ff1ebbda5]
      #6 /usr/lib/x86_64-linux-gnu/libsamba-passdb.so.0(create_builtin_administrators+0x2d) [0x7f3ff1ebbf1d]
      #7 /usr/lib/x86_64-linux-gnu/libnetapi.so.0(libnet_Join+0x3c0) [0x7f3ff0824430]
      #8 net(net_ads_join+0x3e9) [0x55d8acbfea39]
      #9 net(net_ads+0x34) [0x55d8acc03ea4]
      #10 net(main+0x92a) [0x55d8acbe385a]
      #11 /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf5) [0x7f3febdccb45]
      #12 net(+0x24ac5) [0x55d8acbe3ac5]
      smb_panic(): calling panic action [/usr/share/samba/panic-action 20220]
      smb_panic(): action returned status 0
      Can not dump core: corepath not set up
    • Hi
      I deleted all the packages installed in the last 3 days (all my previous attempts)
      and used the script.
      I got a good result, no error this time!!!
      "Joined 'OMV' to dns domain DOMAIN"
      After reboot I still can't find my AD users and groups to apply on the share.

      Am I missing something?

      I can get all the domain users and groups using

      wbinfo -g
      wbinfo -u

      but I can't find them in the web interface to apply on the shared folder.

    • What do your user ids look like with getent passwd? Higher than 60000? Try editing /etc/login.defs. Change the max user and group from 60000 to 33554431.

      May be something left over from previous attempts. Try it on a clean vm.

      wbinfo working means you have stuff left over.
      If you make it idiot proof, somebody will build a better idiot.

    • After a few hours of attempts I managed to get the user list under ACL

      I'm not sure which part is necessary and which is not, but it is working now

      I installed those two packages

      Source Code

      apt-get install libnss-winbind
      apt-get install libpam-winbind

      Edit /etc/nsswitch.conf (add winbind)


      Source Code

      passwd: files winbind ldap sss
      group: files winbind ldap sss
      shadow: files winbind ldap sss
      hosts: files dns mdns4 mdns4_minimal [NOTFOUND=return]
      networks: files
      protocols: db files
      services: db files sss winbind
      ethers: db files
      rpc: db files
      netgroup: nis sss winbind
      sudoers: files sss winbind

      Add those extra options to samba from the UI


      Source Code

      client signing = yes
      client use spnego = yes
      kerberos method = secrets and keytab
      password server = SERVER.EXAMPLE.COM
      realm = EXAMPLE.COM
      security = ads
      idmap config * : range = 16777221-19777221
      winbind use default domain = Yes
      winbind enum users = Yes
      winbind enum groups = Yes
      winbind nested groups = Yes
      winbind separator = +
      winbind refresh tickets = yes
      winbind offline logon = yes
      winbind cache time = 300

      The most problematic part was to find out my "idmap config * : range"

      Now, why are the users and groups only under ACL and not in the users and groups section?
    • 33554431 is some magic ms number. I guess they thought no one would ever need more than that.

      In /etc/sssd/sssd.conf the line ldap_idmap_range_min = 20000 should map the users above 20000. If that was working you would not need to edit login.defs.

      I think if it was my machine I would reinstall. Of course I don't know how much configuration you have done. The cleaner the better. Less packages = less chance for an update to break things.

      Moved this post to CIFS/SMB since there was nothing wrong with the network.
      If you make it idiot proof, somebody will build a better idiot.
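The two causes donh and citynet work through above (winbind absent from nsswitch.conf, and an idmap range that lies above the UID_MAX/GID_MAX limit in /etc/login.defs) are easy to check mechanically before touching the web UI. The following is an added example, not code from this thread or from the OpenMediaVault project: a small Python checker that parses the three files and reports which of those two conditions applies. The file contents below are constructed samples using the values quoted in the thread (the 16777221-19777221 range, the stock 60000 limit and the 33554431 value donh suggests); on a real host read /etc/samba/smb.conf, /etc/login.defs and /etc/nsswitch.conf instead. The rule that IDs above UID_MAX/GID_MAX are not listed is donh's statement above, implemented here as written.

```python
# Added example (not from the OMV forum thread or the OpenMediaVault project):
# a checker for the two causes of "wbinfo works but no AD users show up"
# discussed above: winbind missing from nsswitch.conf, and an idmap range
# that lies above UID_MAX/GID_MAX in /etc/login.defs.
# The file contents below are constructed samples; on a real host read the
# three files instead.
import re
from typing import Dict, List, Optional, Tuple

# --- constructed samples (values taken from the thread) ---
SMB_CONF = """
[global]
security = ads
realm = EXAMPLE.COM
idmap config * : range = 16777221-19777221
winbind use default domain = Yes
"""

LOGIN_DEFS_DEFAULT = """
# stock Debian limits
UID_MIN   1000
UID_MAX  60000
GID_MIN   1000
GID_MAX  60000
"""

# same file with the limit raised as suggested in the thread
LOGIN_DEFS_FIXED = LOGIN_DEFS_DEFAULT.replace("60000", "33554431")

NSSWITCH = """
passwd: files winbind ldap sss
group:  files winbind ldap sss
shadow: files winbind ldap sss
"""

# variant with winbind left out of every database
NSSWITCH_NO_WINBIND = NSSWITCH.replace(" winbind", "")


def parse_idmap_range(smb_conf: str, domain: str = "*") -> Optional[Tuple[int, int]]:
    """Return (low, high) from an 'idmap config <domain> : range = low-high' line."""
    pat = re.compile(
        r"^\s*idmap\s+config\s+" + re.escape(domain) + r"\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)",
        re.IGNORECASE | re.MULTILINE,
    )
    m = pat.search(smb_conf)
    return (int(m.group(1)), int(m.group(2))) if m else None


def parse_login_defs(login_defs: str) -> Dict[str, int]:
    """Return the UID/GID limits from login.defs as ints, ignoring comments."""
    limits: Dict[str, int] = {}
    for raw in login_defs.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) == 2 and parts[0] in ("UID_MIN", "UID_MAX", "GID_MIN", "GID_MAX"):
            limits[parts[0]] = int(parts[1])
    return limits


def nsswitch_sources(nsswitch: str, database: str) -> List[str]:
    """Return the ordered NSS sources for one database, e.g. ['files', 'winbind']."""
    for raw in nsswitch.splitlines():
        line = raw.split("#", 1)[0].strip()
        key, sep, rest = line.partition(":")
        if sep and key.strip() == database:
            return rest.split()
    return []


def check_ad_visibility(smb_conf: str, login_defs: str, nsswitch: str) -> List[str]:
    """List the reasons winbind-mapped AD accounts would not be listed locally."""
    problems: List[str] = []
    for db in ("passwd", "group"):
        sources = nsswitch_sources(nsswitch, db)
        if "winbind" not in sources:
            problems.append(f"nsswitch.conf: '{db}' does not consult winbind (sources: {sources})")
    rng = parse_idmap_range(smb_conf)
    if rng is None:
        problems.append("smb.conf: no 'idmap config * : range' line found")
        return problems
    low, high = rng
    limits = parse_login_defs(login_defs)
    for key in ("UID_MAX", "GID_MAX"):
        limit = limits.get(key)
        if limit is not None and high > limit:
            problems.append(f"login.defs: {key}={limit} is below the idmap range {low}-{high}")
    return problems


if __name__ == "__main__":
    for label, defs in (("stock login.defs", LOGIN_DEFS_DEFAULT), ("raised login.defs", LOGIN_DEFS_FIXED)):
        print(label, "->", check_ad_visibility(SMB_CONF, defs, NSSWITCH) or ["ok"])
```

With the stock limits the checker reports both UID_MAX and GID_MAX as too low for the range citynet ended up with; after raising them to 33554431 it reports nothing, which matches the fix donh proposed. The nsswitch check is deliberately per database, since a winbind entry on passwd alone would still leave group lookups (and therefore group ACLs) empty.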

    • citynet wrote:

      After a few hours of attempts I managed to get the user list under ACL

      I'm not sure which part is necessary and which is not, but it is working now

      Thanks for this.

      I recently upgraded to OMV 3 and attempted the steps in dethegeek's guide "How to join OpenMediaVault 3.x in an Active Directory domain", but, unfortunately, no matter what my settings were in sssd.conf/smb.conf/login.defs, I was not able to get my Windows 2012 AD passwd/group entries to list.

      So eventually I gave up on sssd and made these adjustments and enabled winbind before sssd in nsswitch.conf (basically like the steps in dethegeek's earlier guide Join a Windows 2008 R2 domain, except now also using sssd) and it worked like a charm, just like before.

      I'm not sure why sssd/realmd is able to join AD fine but is incapable of showing my users :thumbdown: ..but whatever.. At least it is working.

      (For completeness' sake, I also adjusted my smb.conf settings and performed a "net ads join member -k -S <domain_controller_server> -U <domain_admin> -d 1" immediately after performing the realm join. This is probably unnecessary, but I like that "net ads testjoin" and "net ads info" look good, in addition to "realm list" 8) )

      (Also, I adjusted smb.conf so that it is only using the dedicated krb5 keytab.)
    • donh wrote:

      Glad you got it going. Have you seen this thread? forum.openmediavault.org/index…Directory-LDAP-Revisited/ There is a script you can try if you have a spare vm.

      Thanks
      Yeah, I checked that. Thanks for taking the time to make that. It seems to be essentially the same steps as the new 2012 guide that I tried, with a few different sssd.conf parameters automated. I tried these edits manually but it didn't seem to help the issue with sssd not enumerating my users in passwd. Not sure why not. Firewall is disabled on my DC..

      I joined the AD using realmd first, then net ads second. Both passed.

    • ..Also, I've been trying to use ONLY "dedicated keytab" in my samba.conf, like how it is in the OMV 3.0 guide.

      But, no matter what, I cannot mount my drives without smb.conf set to "kerberos method = secrets and keytab".

      I've been using the keytab that was generated during the realmd AD join, but I even went out of my way today to create my own keytab from scratch -- one that is valid on my domain and can be used to authenticate on my OMV host through "kinit -k" -- but even that won't work.