Connect OMV to Active Directory 2012

citynet · 25. Juli 2017

Trying to use the LDAP plugin to get my Domain Users and Groups so i can apply permision on my Share Folder

Nothing Seems to Work
Please HELP

donh · 25. Juli 2017

Have you tried this? https://forum.openmediavault.o…Directory-LDAP-Revisited/

donh · 26. Juli 2017

I added a script to my last post there. Please try it.

Dropkick Murphy · 26. Juli 2017

Zitat von citynet

Trying to use the LDAP plugin to get my Domain Users and Groups so i can apply permision on my Share Folder

Nothing Seems to Work
Please HELP

Without given errors and even a rudimentary list of what you did and what you have...no one can help you...

citynet · 26. Juli 2017

Zitat von donh

I added a script to my last post there. Please try it.

Thanks for the Script
i not shure if i mess things up with all my privus attempts
but still cant join
here is my error

Code

smbldap_search_domain_info: Adding domain info for LVAULT failed with NT_STATUS_UNSUCCESSFUL
pdb_init_ldapsam: WARNING: Could not get domain info, nor add one to the domain. We cannot work reliably without it.
pdb backend ldapsam:ldap://192.168.0.1:389 did not correctly init (error was NT_STATUS_CANT_ACCESS_DOMAIN_INFO)
PANIC (pid 20220): pdb_get_methods: failed to get pdb methods for backend ldapsam:ldap://192.168.0.1:389


BACKTRACE: 13 stack frames:
 #0 /usr/lib/x86_64-linux-gnu/libsmbconf.so.0(log_stack_trace+0x1a) [0x7f3ff03adf8a]
 #1 /usr/lib/x86_64-linux-gnu/libsmbconf.so.0(smb_panic_s3+0x20) [0x7f3ff03ae070]
 #2 /usr/lib/x86_64-linux-gnu/libsamba-util.so.0(smb_panic+0x2f) [0x7f3ff1640e5f]
 #3 /usr/lib/x86_64-linux-gnu/libsamba-passdb.so.0(+0x419cf) [0x7f3ff1ebd9cf]
 #4 /usr/lib/x86_64-linux-gnu/libsamba-passdb.so.0(pdb_is_responsible_for_builtin+0x9) [0x7f3ff1ec05a9]
 #5 /usr/lib/x86_64-linux-gnu/libsamba-passdb.so.0(pdb_create_builtin+0x35) [0x7f3ff1ebbda5]
 #6 /usr/lib/x86_64-linux-gnu/libsamba-passdb.so.0(create_builtin_administrators+0x2d) [0x7f3ff1ebbf1d]
 #7 /usr/lib/x86_64-linux-gnu/libnetapi.so.0(libnet_Join+0x3c0) [0x7f3ff0824430]
 #8 net(net_ads_join+0x3e9) [0x55d8acbfea39]
 #9 net(net_ads+0x34) [0x55d8acc03ea4]
 #10 net(main+0x92a) [0x55d8acbe385a]
 #11 /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf5) [0x7f3febdccb45]
 #12 net(+0x24ac5) [0x55d8acbe3ac5]
smb_panic(): calling panic action [/usr/share/samba/panic-action 20220]
smb_panic(): action returned status 0
Can not dump core: corepath not set up

Alles anzeigen

citynet · 26. Juli 2017

Hi
I Deleted all the packages installed in the last 3 Days (all my previous attempts)
and use the script
i got good result no error this time!!!
"Joined 'OMV' to dns domain DOMAIN"
after reboot still cant find my AD users and group to apply on the Share

am i missing somting?

I can get all the domain Users and Groups using

wbinfo -g
wbinfo -u

but cant find them in web interface to apply on shared folder

donh · 26. Juli 2017

What do your user id look like with getent passwd? Higher than 60000? Try editing /etc/login.defs. Change the max user and group from 60000 to 33554431.

May be something left over from previous attempts. Try it on a clean vm.

wbinfo working means ypu have stuff left over.

citynet · 26. Juli 2017

After a few hours of attempt I manage to get the user list under ACL

I'm not sure which part is necessary and which is not, but it is working now

I install dose to packages

Code

apt-get install libnss-winbind
apt-get install libpam-winbind

Edit /etc/nsswitch.conf (add winbind)

Code

passwd:         files winbind ldap sss
group:          files winbind ldap sss
shadow:         files winbind ldap sss


hosts:          files dns mdns4 mdns4_minimal [NOTFOUND=return]
networks:       files


protocols:      db files
services:       db files sss winbind
ethers:         db files
rpc:            db files


netgroup:       nis sss winbind
sudoers:        files sss winbind

Alles anzeigen

Add dose extra options to samba from the UI

Code

client signing = yes
client use spnego = yes
kerberos method = secrets and keytab
password server = SERVER.EXAMPLE.COM
realm = EXAMPLE.COM
security = ads
idmap config * : range = 16777221-19777221
winbind use default domain = Yes
winbind enum users = Yes
winbind enum groups = Yes
winbind nested groups = Yes
winbind separator = +
winbind refresh tickets = yes
winbind offline logon = yes
winbind cache time = 300

Alles anzeigen

the most Problematic part was to find out my "idmap config * : range"

now why the users and group are only under ACL and not in the users and group section?

donh · 26. Juli 2017

Look at login.defs.

You have quite a mish mash going on. I think the future will be sssd so I tried to go that way. Winbind is old and much more complicated.

citynet · 26. Juli 2017

THANKS!!!!

I delete all the winbind packages/
edit my login.defs, Change the max user and group from 60000 to 33554431.
rerun the script and reboot
everything now working perfect! even the group and user menu are filled with data!

do you know why my UID and GID is so high?
why not limit it to 999999999999 or higher as default?

donh · 26. Juli 2017

33554431 is some magic ms number. I guess they thought no one would ever need more than that.

In /etc/sssd/sssd.conf the line ldap_idmap_range_min = 20000 should map the users above 20000. If that was working you would not need to edit login.defs.

I think if it was my machine I would reinstall. Of course I don't know how much configuration you have done. The cleaner the better. Less packages = less chance for an update to break things.

Moved this post to CIFS/SMB Since there was nothing wrong with the network.

scoop · 11. Dezember 2017

Zitat von citynet
After a few hours of attempt I manage to get the user list under ACL

I'm not sure which part is necessary and which is not, but it is working now

I install dose to packages
Code
apt-get install libnss-winbind
apt-get install libpam-winbind
Edit /etc/nsswitch.conf (add winbind)
Code
passwd:         files winbind ldap sss
group:          files winbind ldap sss
shadow:         files winbind ldap sss


hosts:          files dns mdns4 mdns4_minimal [NOTFOUND=return]
networks:       files


protocols:      db files
services:       db files sss winbind
ethers:         db files
rpc:            db files


netgroup:       nis sss winbind
sudoers:        files sss winbind
Alles anzeigen
Add dose extra options to samba from the UI
Code
client signing = yes
client use spnego = yes
kerberos method = secrets and keytab
password server = SERVER.EXAMPLE.COM
realm = EXAMPLE.COM
security = ads
idmap config * : range = 16777221-19777221
winbind use default domain = Yes
winbind enum users = Yes
winbind enum groups = Yes
winbind nested groups = Yes
winbind separator = +
winbind refresh tickets = yes
winbind offline logon = yes
winbind cache time = 300
Alles anzeigen
the most Problematic part was to find out my "idmap config * : range"

now why the users and group are only under ACL and not in the users and group section?
Alles anzeigen

Thanks for this.

I recently upgraded to OMV 3 and attempted the steps in dethegeek's Guide how to join OpenMediaVault 3.x in an Active Directory domain, but, unfortunately, no matter what my settings were in sssd.conf/smb.conf/logins.def, I was not able to get my Windows 2012 AD passwd/group entries to list.

So eventually I gave up on sssd and made these adjustments and enabled winbind before sssd in nsswitch.conf (basically like the steps in dethegeek's earlier guide Join a Windows 2008 R2 domain, except now also using sssd) and it worked like a charm, just like before.

I'm not sure why sssd/realmd is able to join AD fine but is incapable of showing my users ..but whatever.. At least it is working.

(For completeness sake, I also adjusted my smb.conf settings and performed a netads join member -k -S <domain_controller_server> -U <domain_admin> -d 1 immediately after performing the realm join. This is probably unnecessary, but I like that "net ads testjoin" and "net ads info" look good, in addition to "realm list" )

(Also, I adjusted smb.conf so that it is only using the dedicated krb5 keytab.)

donh · 11. Dezember 2017

Glad you got it going. Have you seen this thread? https://forum.openmediavault.o…Directory-LDAP-Revisited/ There is a script you can try if you have a spare vm.

Thanks

scoop · 12. Dezember 2017

Zitat von donh

Glad you got it going. Have you seen this thread? https://forum.openmediavault.o…Directory-LDAP-Revisited/ There is a script you can try if you have a spare vm.

Thanks

Yeah I checked that. Thanks for taking the time to make that. It seems to be essentially the same steps as the new 2012 guide that I tried with a few different sssd.conf parameters automated. I tried these edits manually but it didn't seem to help the issue with sssd not enumerating my users in passwd. Not sure why not. Firewall is disabled on my DC..

I joined the AD using realmd first, then net ads second. Both passed.

scoop · 12. Dezember 2017

..Also, I've been trying to use ONLY "dedicated keytab" in my samba.conf, like how it is in the OMV 3.0 guide.'

But, no matter what, I cannot mount my drives without smb.conf set to "kerberos method = secrets and keytab".

I've been using the keytab that was generated during the realmd AD join, but I even went out of my way today to create my own keytab from scratch--one that is valid on my domain and can be to used to authenticate on my OMV host through "kinit -k"-- but even that won't work.

donh · 12. Dezember 2017

I did not have any luck with realmd. May just be my system tho. May be upgrading to 2012 soon so will try with that.

Jetzt mitmachen!