Samba AD/DC integration

    • OMV 4.x
    • Resolved


    • Samba AD/DC integration

      Hi all,
      this is my 1st post, so please bear with me. Also, English is not my native language so, again, "beer" with me.
      To the point.
      I'm trying to integrate OMV on my Samba AD domain. Shouldn't be too difficult. However, my preliminary trials failed one way or the other.
      So, before I start the painstaking process of wall head-banging, I've looked around for some how-to's and found
      Active Directory / LDAP Revisited
      Join a Windows 2008 R2 domain
      but those are for windoze AD's. Although a lot of those 2 guides actually apply to my environment, they are not what I had in mind.
      but that is OLD news!

      So, bottom line, any guides out there for a lazy guy like me?
      Best regards
    • Thank you Donh for your answer and for the "Active Directory / LDAP Revisited". FYI *YOU* started this.
      Also dethegeek had a major role on the following with his "Join a Windows 2008 R2 domain". A lot of the following is copied from his post.
      Anyway, before trying realmd or sssd, I wanted to see if I could do it using plain winbind that comes with samba. It's now working but not in production. Here are my findings.

      Disclaimer: This is NOT a how-to; it's a working document I wrote to help me remember stuff for when I get into production with OMV4. Some may find it helpful, useless, wrong or great; I don't care. Some may choose to use it; I don't care. I do care if you give useful feedback that improves on this.

      1) The system: 2 virtual machines (Oracle VM VirtualBox). One for the samba AD-DC server, another for OMV, both on Debian Stretch (SMP Debian 4.9.30-2+deb9u5 (2017-09-19) x86_64 GNU/Linux). Both are purely test machines.
      a) Openmediavault - Self-compiled OMV Arrakis. Pretty basic (whatever that means) installation. Extrasorg 4.1.1 and LuksEncryption 3.0.2 plugins installed. Static IP. No reason why it shouldn't work on OMV3.
      b) The samba Server - Self-compiled Samba 4.6.8. Again, pretty basic AD-DC installation as per the samba wiki using bind9 (9.10.3) as DNS.
      A few remarks (all this is not part of the "basic" installation and MAY have some effect on the outcome; point (iv) is VERY important):
      i) Disabled avahi-daemon. Hate that piece of ****
      ii) No firewall or AppArmor
      iii) Machine is also dhcp server and gateway
      iv) winbind correctly configured. More on this later on
      v) I bet the Internal_DNS (as opposed to bind) would work just as well but didn't test (yet). Whatever option you use, check DNS resolution works
      vi) Dynamic DNS updates configured in dhcpd.conf. Not needed, but still...

      Some details on the samba server configuration (SAMDOM is just an EXAMPLE. Replace as needed):
      a) My smb.conf:

      Source Code

      [global]
      realm = SAMDOM.EXAMPLE
      workgroup = SAMDOM
      netbios name = DC1
      interfaces = lo enp0s3 enp0s8
      bind interfaces only = Yes
      server role = active directory domain controller
      idmap_ldb:use rfc2307 = yes
      log level = 2
      log file = /var/log/samba/samba.log
      server services = -dns

      b) samba has its own winbind(d) service. Use it. Remember to modify /etc/nsswitch.conf. Check that wbinfo -u resolves your domain users.

      Up to this point, everything is done according to the samba wiki in order to have a functional samba AD-DC server and has nothing to do with openmediavault. I can provide more details upon request.
      Now, for the OMV part.

      1) I'm lazy. I run everything as su except if otherwise required. If you're a proper sysadmin you'll have to add sudo to the following commands. I did this using ssh but the omv shell should work as well.
      1.1) CAPS MATTER!!! Especially as far as kerberos is concerned.
      1.2) Disable current samba server. On systemd:

      Source Code

      systemctl stop samba-ad-dc
      systemctl disable samba-ad-dc

      Source Code

      apt-get install winbind libpam-winbind libpam-krb5 libnss-winbind krb5-config krb5-user ntp dnsutils ldb-tools
      Some of the previous may be redundant.

      3) I also like to apt-get install htop iftop ethtool iperf3. Not needed though.

      4) Stop, disable AND mask avahi-daemon

      5) on OMV/Services/SMBCIFS:
      i) enable the service
      ii) Put SAMDOM on the Workgroup line
      iii) Add the following to "extra options"

      Source Code

      realm = SAMDOM.EXAMPLE
      winbind nss info = template
      server role = member server
      idmap config * : backend = tdb
      idmap config * : range = 3000-7999
      idmap config SAMDOM : backend = rid
      idmap config SAMDOM : range = 10000-999999
      winbind enum groups = yes
      winbind enum users = yes
      iv) edit /etc/krb5.conf. It should be similar to:

      Source Code

      [libdefaults]
      default_realm = SAMDOM.EXAMPLE
      dns_lookup_realm = false
      dns_lookup_kdc = true

      Again, a few remarks.
      1) I'm using the rid backend. Guess it should work with any backend but I didn't test.
      2) the range values are pretty standard, but must be configured according to your samba installation
      3) make sure /etc/hosts doesn't contain a line starting with (debian's nasty habit IMHO)
      4) make sure /etc/resolv.conf points to your samba server
      5) make sure /etc/nsswitch.conf contains winbind both on the passwd: and group:
      6) in /etc/default/winbind uncomment the line WINBINDD_OPTS = "-n"

      Let's move on
      1) create winbind links. According to samba wiki

      Source Code

      ln -s /usr/local/samba/lib/ /lib/x86_64-linux-gnu/
      ln -s /lib/x86_64-linux-gnu/ /lib/x86_64-linux-gnu/
      ldconfig
      2) Start services. On systemd do:

      Source Code

      systemctl enable nmbd
      systemctl start nmbd
      Rinse and repeat for smbd.

      At this point you should reboot.
      3) After that check that smbd and nmbd are running and start winbind:

      Source Code

      systemctl status smbd
      systemctl status nmbd
      systemctl start winbind
      systemctl enable winbind
      systemctl status winbind

      Source Code

      kinit administrator

      Source Code

      net ads join -U administrator
      6) by now, getent passwd should resolve your domain users. It may take a while depending on domain size, server load, and Jupiter's alignment with Mercury.
      7) If you go to OMV/Access Rights Management/User, you should see your domain users. Same in Groups.
      8) You can now configure access to your Shared Folders. Job done.

      Care to comment?
      Best regards

      The post was edited 4 times, last by camjesus2: Errors corrected and typos "untyped".
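      The post above lists several things to check by hand before running net ads join: the realm must be upper case in both smb.conf and krb5.conf, the idmap ranges must not overlap, and nsswitch.conf needs winbind on both passwd: and group:. The following is an added example (not code from the post, from OMV or from the Samba project) that turns those remarks into a preflight check a member server can run before joining. It assumes the config files look like the fragments in the post; the embedded file contents are constructed samples, one good and one carrying the usual mistakes. Overlapping idmap ranges matter for security because two different domain SIDs would map to the same UID/GID, so share permissions end up granting access to the wrong account.

```python
"""Preflight checks for a Samba domain-member configuration (added example)."""
import re

# Constructed sample: the member-server smb.conf fragment from the post.
SMB_CONF_GOOD = """
[global]
workgroup = SAMDOM
realm = SAMDOM.EXAMPLE
server role = member server
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config SAMDOM : backend = rid
idmap config SAMDOM : range = 10000-999999
"""

# Constructed sample with two mistakes the post warns about: lower-case realm
# and a domain range that overlaps the default (*) range.
SMB_CONF_BAD = """
[global]
workgroup = SAMDOM
realm = samdom.example
server role = member server
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config SAMDOM : backend = rid
idmap config SAMDOM : range = 5000-999999
"""

KRB5_CONF = "[libdefaults]\ndefault_realm = SAMDOM.EXAMPLE\ndns_lookup_realm = false\ndns_lookup_kdc=true\n"
NSSWITCH_GOOD = "passwd: files winbind\ngroup: files winbind\nshadow: files\n"
NSSWITCH_BAD = "passwd: files\ngroup: files winbind\n"


def parse_ini(text):
    """Minimal smb.conf/krb5.conf parser -> {section: {key: value}}.
    Keys are lower-cased with all whitespace removed, so 'idmap config *:range'
    and 'idmap config * : range' become the same key, mirroring Samba's
    whitespace-insensitive parameter matching."""
    result, section = {}, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].split(';', 1)[0].strip()
        if not line:
            continue
        m = re.match(r'^\[(.+)\]$', line)
        if m:
            section = m.group(1).strip().lower()
            result.setdefault(section, {})
            continue
        if '=' not in line or section is None:
            continue
        key, value = line.split('=', 1)
        result[section][re.sub(r'\s+', '', key.lower())] = value.strip()
    return result


def idmap_ranges(conf):
    """Return {domain: (low, high)} from every 'idmap config DOM : range' key."""
    ranges = {}
    for key, value in conf.get('global', {}).items():
        m = re.match(r'^idmapconfig(.+?):range$', key)
        if m:
            lo, hi = (int(x) for x in value.split('-'))
            ranges[m.group(1)] = (lo, hi)
    return ranges


def check_member_config(smb_conf, krb5_conf, nsswitch):
    """Return a list of problems; an empty list means the preflight passed."""
    problems = []
    smb = parse_ini(smb_conf).get('global', {})
    krb = parse_ini(krb5_conf).get('libdefaults', {})

    realm = smb.get('realm', '')
    if not realm:
        problems.append('smb.conf: realm is not set')
    elif realm != realm.upper():
        problems.append(f'smb.conf: realm {realm!r} must be upper case (Kerberos realms are case-sensitive)')
    if krb.get('default_realm', '') != realm:
        problems.append('krb5.conf: default_realm does not match the smb.conf realm')
    if smb.get('serverrole', '').lower() != 'member server':
        problems.append('smb.conf: server role must be "member server"')

    ranges = idmap_ranges(parse_ini(smb_conf))
    if '*' not in ranges:
        problems.append('smb.conf: no idmap range for the default (*) domain')
    for dom, (lo, hi) in ranges.items():
        if lo >= hi:
            problems.append(f'smb.conf: idmap range for {dom} is empty or reversed')
        if not smb.get(f'idmapconfig{dom}:backend'):
            problems.append(f'smb.conf: idmap config {dom} has a range but no backend')
    ordered = sorted(ranges.items(), key=lambda kv: kv[1][0])
    for (d1, (lo1, hi1)), (d2, (lo2, hi2)) in zip(ordered, ordered[1:]):
        if lo2 <= hi1:  # ranges are inclusive, so touching means overlap
            problems.append(f'smb.conf: idmap ranges for {d1} ({lo1}-{hi1}) and {d2} ({lo2}-{hi2}) overlap; UIDs/GIDs would collide')

    for db in ('passwd', 'group'):
        m = re.search(rf'^{db}:\s*(.*)$', nsswitch, re.MULTILINE)
        if 'winbind' not in (m.group(1).split() if m else []):
            problems.append(f'nsswitch.conf: {db} line does not include winbind')
    return problems


if __name__ == '__main__':
    for label, smb, nss in (('good', SMB_CONF_GOOD, NSSWITCH_GOOD), ('bad', SMB_CONF_BAD, NSSWITCH_BAD)):
        print(label, check_member_config(smb, KRB5_CONF, nss) or 'OK')
```

      On a real box you would read /etc/samba/smb.conf, /etc/krb5.conf and /etc/nsswitch.conf into the three arguments instead of the embedded samples; the checker deliberately reads only the parameters the post mentions and does not try to validate the rest of smb.conf.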

    • It has worked like that for years. The current ldap plugin works like that also. There is nothing wrong with it either. If you know all the info and where to put it, it's fine. Just search here and around the web to see how many have problems. Google will return many thousands. sssd and realmd were made to help this by automating at least some of it. This should make it easier for casual users and be easier to support.

      If I had the skill to write a plugin I would. The script is a crude attempt to make it easier for some. I welcome improvements from others who are more elegant than I.
      If you make it idiot proof, somebody will build a better idiot.
    • You're right of course. There is nothing essentially new in all of this. It is, as you say, a matter of collecting ALL the little pieces of information scattered around the forums, filtering the outdated posts etc... Like I said before, your (and dethegeek's) post were very close to what I wanted to do. Just not quite.
      For me (I'm no expert), the hard part was getting winbind to work correctly.
      For example, winbind comes by default when you self-compile samba (which I almost always do). Apparently that's not the case if you install from repo. I didn't know this (noob mistake).
      Ah well, I for one, next time I don't remember how to do this, will know where to look (it will, then, be outdated, but still...)

      Best regards
    • I need to clean the other thread and put in some other links and then pin it. Keep thinking I will get to it. sssd seems to be what works for me and I have done it many ways over the years. I am guessing people higher up are working to automate it more.

      My cold is getting worse so I am going to bed. I will add more tomorrow.
      If you make it idiot proof, somebody will build a better idiot.