Guide to OMV 4 Active Directory Integration

    • OMV 4.x
    • Resolved


    • Guide to OMV 4 Active Directory Integration

      Hi Everyone,
      Just got around to upgrading to OMV 4. Wanted to share my steps to get SMB 3 share authentication working against my SAMBA AD server. Since I'm a security guy, this configuration only uses SMB 3 and Kerberos through sssd. Don't have to worry about legacy SMB protocols, weak NTLM hashes, NULL AD sessions, or plain text ldap calls.

      Install Needed Packages

      Shell-Script

      apt-get update && apt-get upgrade -y && apt-get install sssd sssd-tools realmd krb5-user libpam-sss libnss-sss libsasl2-modules-gssapi-mit packagekit libwbclient-sssd -y



      Edit /etc/krb5.conf
      DNS is hard, especially regarding Kerberos. You probably have to add the following to your krb5.conf file.

      Shell-Script: /etc/krb5.conf

      rdns = False


      Join the Domain


      Shell-Script

      realm join -U <AD user with Domain Join right> REALM --verbose
      For Example,

      Source Code

      realm join -U lucifer AD.HAIL.SATAN.COM --verbose

      Edit /etc/sssd/sssd.conf to make sure the following are set under the domain configuration.

      Shell-Script: /etc/sssd/sssd.conf

      use_fully_qualified_names = False
      fallback_homedir = /home/%u
      ad_gpo_access_control = permissive
      Example full sssd.conf file

      Source Code: /etc/sssd/sssd.conf

      [sssd]
      domains = ad.hail.satan.com
      config_file_version = 2
      services = nss, pam

      [domain/ad.hail.satan.com]
      ad_domain = ad.hail.satan.com
      krb5_realm = AD.HAIL.SATAN.COM
      realmd_tags = manages-system joined-with-adcli
      cache_credentials = True
      id_provider = ad
      krb5_store_password_if_offline = True
      default_shell = /bin/bash
      ldap_id_mapping = True
      use_fully_qualified_names = False
      fallback_homedir = /home/%u
      access_provider = ad
      enumerate = True
      ad_gpo_access_control = permissive

      Edit /etc/login.defs
      Look up the uid value in your realm.

      Shell-Script

      root@omv:~# id lucifer
      uid=166640342(lucifer) gid=166642256(domain users) groups=166642256(domain users),29(sudo)


      In this example, our generated id has 9 digits, so we set the following for UID_MAX and GID_MAX in /etc/login.defs.

      Shell-Script: /etc/login.defs

      UID_MIN 1000
      UID_MAX 999999999
      # System accounts
      #SYS_UID_MIN 100
      #SYS_UID_MAX 999
      #
      # Min/max values for automatic gid selection in groupadd
      #
      GID_MIN 1000
      GID_MAX 999999999


      SMB/CIFS Advanced Options
      Set the following under Extra Options of the Advanced Settings Div in the SMB/CIFS configuration.

      Shell-Script

      security = ads
      realm = AD.HAIL.SATAN.COM
      client signing = yes
      client use spnego = yes
      kerberos method = secrets and keytab
      obey pam restrictions = yes
      # "protocol" is a synonym for "server max protocol"; the min line below is
      # what actually refuses SMB1/SMB2 clients
      protocol = SMB3
      server min protocol = SMB3
      netbios name = omv
      password server = *
      encrypt passwords = yes
      winbind enum users = yes
      winbind enum groups = yes
      winbind use default domain = no
      idmap config SATAN : backend = rid
      idmap config SATAN : range = 1000-999999999999
      idmap config * : backend = tdb
      idmap config * : range = 85000-86000
      template shell = /bin/sh
      lanman auth = no
      ntlm auth = yes
      client lanman auth = no
      client plaintext auth = No
      client NTLMv2 auth = Yes
      winbind refresh tickets = yes
      log level = 3
      syslog = 3


      You should now be able to see the AD users and groups in the OMV tab, and assign share permissions based on that.

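      As an added example (not from the post, nor from OMV or Samba), a small Python checker for two of the steps above: whether UID_MAX/GID_MAX in /etc/login.defs were raised enough for the ids that `id` reports, and whether the SMB/CIFS extra options still carry the SMB3/Kerberos-only settings. The sample `id` line, login.defs and smb.conf fragments are constructed, and REQUIRED_SMB is my own list of what to check, not a Samba-defined one.

```python
import re

# Constructed samples modelled on the post: its `id` output, a login.defs that was
# NOT widened, and a trimmed copy of the SMB/CIFS extra options.
ID_OUTPUT = ("uid=166640342(lucifer) gid=166642256(domain users) "
             "groups=166642256(domain users),29(sudo)")
LOGIN_DEFS = "UID_MIN 1000\nUID_MAX 60000\n# System accounts\nGID_MIN 1000\nGID_MAX 60000\n"
SMB_EXTRA = """security = ads
protocol = SMB3
client signing = yes
Idmap config *:backend = tdb
lanman auth = no
client plaintext auth = No
"""
# Settings that keep the share on SMB3/Kerberos only; compared case-insensitively.
REQUIRED_SMB = {"security": "ads", "protocol": "smb3", "client signing": "yes",
                "lanman auth": "no", "client lanman auth": "no",
                "client plaintext auth": "no"}


def parse_ids(id_line):
    """Return (uid, [gids]) from `id` output; gids cover gid= and every groups= entry."""
    uid = int(re.search(r"uid=(\d+)\(", id_line).group(1))
    gids = [int(n) for n in re.findall(r"(?:gid=|groups=|,)(\d+)\(", id_line)]
    return uid, gids


def parse_kv(text):
    """Parse 'key = value' lines; keys lower-cased with whitespace collapsed,
    since Samba reads parameter names case-insensitively (cf. 'Idmap config')."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        if "=" in line:
            key, val = line.split("=", 1)
            conf[" ".join(key.lower().split())] = val.strip()
    return conf


def check_login_defs(id_line, login_defs):
    """Per key, True when UID_MAX/GID_MAX in login.defs can hold the AD-generated ids."""
    uid, gids = parse_ids(id_line)
    defs = {p[0]: int(p[1]) for p in (ln.split() for ln in login_defs.splitlines())
            if len(p) == 2 and p[1].isdigit()}
    return {"UID_MAX": defs.get("UID_MAX", 0) >= uid,
            "GID_MAX": defs.get("GID_MAX", 0) >= max(gids)}


def check_smb_extra(text):
    """List REQUIRED_SMB settings that are missing or differ from the hardened value."""
    conf = parse_kv(text)
    return [f"{k}: {conf.get(k, 'missing')} (want {v})"
            for k, v in REQUIRED_SMB.items() if conf.get(k, "").lower() != v]
```

      Run against the sample inputs, check_login_defs reports both limits as too small and check_smb_extra reports only "client lanman auth" as missing; point the functions at the real files to audit a live box.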

    • scipio_americanus, I just built a new Windows 10 computer and my OMV 4 NAS doesn't show up in the Network section of the File Explorer. I read it has something to do with SMB v1 being removed by MS. If I enter \\<mynasname> into the address bar of File Explorer, the shared folders do show up and I can map them to drive letters. Will your scripts solve the issue? Do I need to use them all? Or are there some changes I can make to Windows to solve the problem? I don't understand what the scripts are doing, so I would just be doing a copy and paste.
    • First, a big thank you to @scipio_americanus for writing this up. It seems there are many roads to travel to integrate AD and OMV but all lead to a dead-end. This seemed so clear-cut and, being new, I thought it was going to work, but alas I've hit another dead-end.

      I don't suppose someone could tell me how to troubleshoot step 2 - the joining domain part. This is what I get:

      Source Code

      root@OMV-VM10:~# realm join -U administrator MYDOMAIN.local --verbose
      * Resolving: _ldap._tcp.mydomain.local
      * Resolving: mydomain.local
      * No results: mydomain.local
      realm: Cannot join this realm
      root@OMV-VM10:~#
      root@OMV-VM10:~# host mydomain.local
      mydomain.local has address 221.21.21.3
      mydomain.local has IPv6 address 2002:dd15:1503::dd15:1503
      mydomain.local has IPv6 address 2002:dd15:1550::dd15:1550
      root@OMV-VM10:~# hostname -f
      OMV-VM10.mydomain.local

      OMV version:

      Source Code

      root@OMV-VM10:~# uname -a
      Linux OMV-VM10 4.17.0-0.bpo.1-amd64 #1 SMP Debian 4.17.8-1~bpo9+1 (2018-07-23) x86_64 GNU/Linux

      My domain controller is a Windows Server 2008 R2 (fully patched).

      Any help will be greatly appreciated!!

      Thanks,
      Charles
    • Active directory is very dependent on dns.

      root@OMV-VM10:~# realm join -U administrator MYDOMAIN.local --verbose
      * Resolving: _ldap._tcp.mydomain.local
      * Resolving: mydomain.local
      * No results: mydomain.local
      realm: Cannot join this realm
      root@OMV-VM10:~#
      root@OMV-VM10:~# host mydomain.local
      mydomain.local has address 221.21.21.3
      mydomain.local has IPv6 address 2002:dd15:1503::dd15:1503
      mydomain.local has IPv6 address 2002:dd15:1550::dd15:1550
      root@OMV-VM10:~# hostname -f
      OMV-VM10.mydomain.local

      Seems dns can't find mydomain.local. Try with the ip address. Look at /etc/nsswitch.conf and move dns ahead of mdns.
