Hi Everyone,
Just got around to upgrading to OMV 4. Wanted to share my steps to get SMB 3 share authentication working against my SAMBA AD server. Since I'm a security guy, this configuration only uses SMB 3 and Kerberos through sssd. Don't have to worry about legacy SMB protocols, weak NTLM hashes, NULL AD sessions, or plain text ldap calls.
Install Needed Packages
apt-get update && apt-get upgrade -y && apt-get install sssd sssd-tools realmd krb5-user libpam-sss libnss-sss libsasl2-modules-gssapi-mit packagekit libwbclient-sssd -y
Edit /etc/krb5.conf
DNS is hard, especially where Kerberos is involved. You will probably have to add the following to your krb5.conf file.
Join the Domain
For example,
Edit /etc/sssd/sssd.conf to make sure the following are set under the domain configuration.
use_fully_qualified_names = False
fallback_homedir = /home/%u
ad_gpo_access_control = permissive
Example full sssd.conf file
[sssd]
domains = ad.hail.satan.com
config_file_version = 2
services = nss, pam
[domain/ad.hail.satan.com]
ad_domain = ad.hail.satan.com
krb5_realm = AD.HAIL.SATAN.COM
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%u
access_provider = ad
enumerate = True
ad_gpo_access_control = permissive
Edit /etc/login.defs
Look up the uid value in your realm.
root@omv:~# id lucifer
uid=166640342(lucifer) gid=166642256(domain users) groups=166642256(domain users),29(sudo)
In this example, the generated id has 9 digits, so we set UID_MAX and GID_MAX in /etc/login.defs as follows (the defaults are far too small for AD-mapped ids, and users or groups above the limit will not resolve cleanly).
UID_MIN 1000
UID_MAX 999999999
# System accounts
#SYS_UID_MIN 100
#SYS_UID_MAX 999
#
# Min/max values for automatic gid selection in groupadd
#
GID_MIN 1000
GID_MAX 999999999
SMB/CIFS Advanced Options
Set the following under Extra Options in the Advanced Settings section of the SMB/CIFS configuration.
security = ads
realm = AD.HAIL.SATAN.COM
client signing = yes
client use spnego = yes
kerberos method = secrets and keytab
obey pam restrictions = yes
protocol = SMB3
netbios name = omv
password server = *
encrypt passwords = yes
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = no
idmap config SATAN : backend = rid
idmap config SATAN : range = 1000-999999999999
idmap config * : backend = tdb
idmap config * : range = 85000-86000
template shell = /bin/sh
lanman auth = no
ntlm auth = yes
client lanman auth = no
client plaintext auth = No
client NTLMv2 auth = Yes
winbind refresh tickets = yes
log level = 3
syslog = 3
You should now be able to see the AD users and groups in the OMV web interface and assign share permissions based on them.
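As an added example (not part of the original post), here is a small POSIX shell check for the two steps above that are easiest to get wrong: the login.defs step (UID_MAX/GID_MAX must cover the ids sssd maps) and the SMB extra-options step (the SMB3/Kerberos-only hardening keys must actually be present). The `id` output, login.defs excerpt and extra-options block embedded below are constructed samples mirroring the post; on a real box you would feed in the live `id <user>` output, /etc/login.defs and your extra-options text instead.

```shell
#!/bin/sh
# Added example, not from the original post: offline check that login.defs UID_MAX/GID_MAX
# cover the ids sssd hands out and that the SMB extra options keep the SMB3/Kerberos hardening.
# Constructed `id` output for a domain user, mirroring the post's example
SAMPLE_ID='uid=166640342(lucifer) gid=166642256(domain users) groups=166642256(domain users),29(sudo)'
# Constructed /etc/login.defs and SMB extra-options excerpts
SAMPLE_LOGIN_DEFS='UID_MIN 1000
UID_MAX 999999999
GID_MIN 1000
GID_MAX 999999999'
SAMPLE_SMB='security = ads
protocol = SMB3
client signing = yes
lanman auth = no
client lanman auth = no
client plaintext auth = No'

# Largest numeric uid/gid in one line of `id` output (digits between "=" or "," and "(")
max_id_from_id_output() {
    printf '%s\n' "$1" | awk '{ n = 0; s = $0
        while (match(s, /[=,][0-9]+\(/)) { v = substr(s, RSTART + 1, RLENGTH - 2) + 0
            if (v > n) n = v; s = substr(s, RSTART + RLENGTH) }
        print n }'
}
# Value of login.defs key $1 in text $2 (0 if unset; last occurrence wins)
login_defs_value() { printf '%s\n' "$2" | awk -v k="$1" '$1 == k { v = $2 } END { print v + 0 }'; }
# True when both UID_MAX and GID_MAX cover the largest id this user carries
id_fits_login_defs() {
    m=$(max_id_from_id_output "$1")
    [ "$m" -le "$(login_defs_value UID_MAX "$2")" ] && [ "$m" -le "$(login_defs_value GID_MAX "$2")" ]
}
# Lower-cased, trimmed value of smb.conf key $1 (keys are case-insensitive) in text $2
smb_option() {
    printf '%s\n' "$2" | awk -F= -v k="$1" '
        { key = tolower($1); gsub(/^[ \t]+|[ \t]+$/, "", key) }
        key == k { v = tolower($2); gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit }'
}
# Prints one line per hardening key that is missing or weakened; prints nothing when all hold
smb_hardening_failures() {
    for pair in 'security=ads' 'protocol=smb3' 'client signing=yes' \
                'lanman auth=no' 'client lanman auth=no' 'client plaintext auth=no'; do
        key=${pair%%=*}; want=${pair#*=}; got=$(smb_option "$key" "$1")
        [ "$got" = "$want" ] || printf '%s: want %s, got "%s"\n' "$key" "$want" "$got"
    done
}

# Run both checks against the constructed samples
id_fits_login_defs "$SAMPLE_ID" "$SAMPLE_LOGIN_DEFS" && echo "login.defs: id range OK" \
    || echo "login.defs: raise UID_MAX/GID_MAX to at least $(max_id_from_id_output "$SAMPLE_ID")"
failures=$(smb_hardening_failures "$SAMPLE_SMB")
[ -n "$failures" ] && printf '%s\n' "$failures" || echo "smb.conf: SMB3/Kerberos-only options present"
```

Run it after editing login.defs and before saving the SMB/CIFS settings; any line it prints for smb.conf names the key and the value it found instead of the hardened one.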