Guide to OMV 4 Active Directory Integration

    • OMV 4.x
    • Resolved


      Hi Everyone,
      Just got around to upgrading to OMV 4. Wanted to share my steps to get SMB 3 share authentication working against my SAMBA AD server. Since I'm a security guy, this configuration only uses SMB 3 and Kerberos through sssd. Don't have to worry about legacy SMB protocols, weak NTLM hashes, NULL AD sessions, or plain text ldap calls.

      Install Needed Packages

      Shell-Script

      apt-get update && apt-get upgrade -y && apt-get install sssd sssd-tools realmd krb5-user libpam-sss libnss-sss libsasl2-modules-gssapi-mit packagekit libwbclient-sssd -y



      Edit /etc/krb5.conf
      DNS is hard; especially regarding Kerberos. You probably have to add the following to your krb5.conf file.

      Shell-Script: /etc/krb5.conf

      rdns = False


      Join the Domain


      Shell-Script

      realm join -U <AD user with Domain Join right> REALM --verbose
      For example:

      Source Code

      realm join -U lucifer AD.HAIL.SATAN.COM --verbose

      Edit /etc/sssd/sssd.conf to make sure the following are set under the domain configuration.

      Shell-Script: /etc/sssd/sssd.conf

      use_fully_qualified_names = False
      fallback_homedir = /home/%u
      ad_gpo_access_control = permissive
      Example full sssd.conf file

      Source Code: /etc/sssd/sssd.conf

      [sssd]
      domains = ad.hail.satan.com
      config_file_version = 2
      services = nss, pam

      [domain/ad.hail.satan.com]
      ad_domain = ad.hail.satan.com
      krb5_realm = AD.HAIL.SATAN.COM
      realmd_tags = manages-system joined-with-adcli
      cache_credentials = True
      id_provider = ad
      krb5_store_password_if_offline = True
      default_shell = /bin/bash
      ldap_id_mapping = True
      use_fully_qualified_names = False
      fallback_homedir = /home/%u
      access_provider = ad
      enumerate = True
      ad_gpo_access_control = permissive

      Edit /etc/login.defs
      Look up the uid value in your realm.

      Shell-Script

      root@omv:~# id lucifer
      uid=166640342(lucifer) gid=166642256(domain users) groups=166642256(domain users),29(sudo)


      In this example, our generated id has 9 digits, so we set the following for UID_MAX and GID_MAX in /etc/login.defs.

      Shell-Script: /etc/login.defs

      UID_MIN 1000
      UID_MAX 999999999
      # System accounts
      #SYS_UID_MIN 100
      #SYS_UID_MAX 999
      #
      # Min/max values for automatic gid selection in groupadd
      #
      GID_MIN 1000
      GID_MAX 999999999


      SMB/CIFS Advanced Options
      Set the following under Extra Options of the Advanced Settings Div in the SMB/CIFS configuration.

      Shell-Script

      security = ads
      realm = AD.HAIL.SATAN.COM
      client signing = yes
      client use spnego = yes
      kerberos method = secrets and keytab
      obey pam restrictions = yes
      protocol = SMB3
      netbios name = omv
      password server = *
      encrypt passwords = yes
      winbind enum users = yes
      winbind enum groups = yes
      winbind use default domain = no
      idmap config SATAN : backend = rid
      idmap config SATAN : range = 1000-999999999999
      idmap config * : backend = tdb
      idmap config * : range = 85000-86000
      template shell = /bin/sh
      lanman auth = no
      ntlm auth = yes
      client lanman auth = no
      client plaintext auth = No
      client NTLMv2 auth = Yes
      winbind refresh tickets = yes
      log level = 3
      syslog = 3


      You should now be able to see the AD users and groups in the OMV tab, and assign share permissions based on that.

      The post was edited 1 time, last by scipio_americanus ().
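The following script is an added example and is not part of the post above or of OMV itself. It automates two checks from the procedure: it derives the UID_MAX/GID_MAX value for /etc/login.defs from a line of `id` output (the post's rule: as many nines as the largest id has digits), and it verifies that the SMB/CIFS Extra Options still carry the hardened values (SMB3 only, no LANMAN or plaintext client auth, signing on). The `id` line and both smb.conf fragments are constructed samples taken from or derived from the post, so it runs without a domain; the assumption that OMV writes the Extra Options into /etc/samba/smb.conf is the author's, not something the post states.

```shell
#!/bin/sh
# Added example, not from the original post. Offline sanity checks for the
# steps above: derive the login.defs UID_MAX/GID_MAX from `id` output and
# verify the SMB/CIFS Extra Options keep the hardened values. All sample
# inputs are constructed here so the script runs without a domain.

# Largest numeric id found in one line of `id` output.
max_id_in_line() {
    printf '%s\n' "$1" | awk '
        {
            n = split($0, parts, /[^0-9]+/)
            for (i = 1; i <= n; i++)
                if (parts[i] != "" && parts[i] + 0 > max) max = parts[i] + 0
        }
        END { printf "%d\n", max }'
}

# UID_MAX/GID_MAX value that covers the largest id: all nines with the
# same number of digits (a 9-digit id needs 999999999, as in the post).
login_defs_max() {
    max_id_in_line "$1" |
        awk '{ s = ""; for (i = 1; i <= length($1); i++) s = s "9"; print s }'
}

# Read smb.conf-style lines on stdin and report any hardening setting from the
# post's Extra Options that is missing or weakened. Parameter names are
# compared case-insensitively with whitespace removed, as Samba treats them.
# Returns 0 when every expected value is present, 1 otherwise.
check_smb_extra() {
    conf=$(tr '[:upper:]' '[:lower:]' | tr -d ' \t')
    rc=0
    for want in security=ads protocol=smb3 clientsigning=yes lanmanauth=no \
                clientlanmanauth=no clientplaintextauth=no clientntlmv2auth=yes; do
        key=${want%%=*}
        got=$(printf '%s\n' "$conf" |
              awk -F= -v k="$key" '$1 == k { v = $2 } END { print v }')
        if [ "$got" != "${want#*=}" ]; then
            printf 'weak or missing: %s (want %s, got %s)\n' \
                "$key" "${want#*=}" "${got:-<unset>}"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: the `id` line shown in the post.
SAMPLE_ID='uid=166640342(lucifer) gid=166642256(domain users) groups=166642256(domain users),29(sudo)'

# Constructed sample: the hardening-relevant Extra Options from the post ...
GOOD_EXTRA='security = ads
realm = AD.HAIL.SATAN.COM
client signing = yes
protocol = SMB3
lanman auth = no
client lanman auth = no
client plaintext auth = No
client NTLMv2 auth = Yes'

# ... and a constructed weakened variant (legacy NT1 protocol, plaintext auth on).
WEAK_EXTRA='security = ads
protocol = NT1
lanman auth = no
client lanman auth = no
client plaintext auth = yes
client NTLMv2 auth = Yes'

printf 'UID_MAX/GID_MAX for login.defs: %s\n' "$(login_defs_max "$SAMPLE_ID")"
if printf '%s\n' "$GOOD_EXTRA" | check_smb_extra; then echo 'hardened extras: OK'; fi
if printf '%s\n' "$WEAK_EXTRA" | check_smb_extra; then :; else echo 'weak extras: FAIL'; fi
```

On a joined box the same functions run against live data: `login_defs_max "$(id lucifer)"` gives the value to put in login.defs, and `check_smb_extra < /etc/samba/smb.conf` (assuming OMV places the Extra Options there) confirms that a later GUI edit has not quietly re-enabled SMB1 or plaintext client authentication.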
