Hello
Currently I can't import users from AD.
At the same time I can request info via ldapsearch and ldapwhoami.
When I do su $user - I see the traffic to my DC server.
openmediavault-ldap 4.0.6-1
openmediavault 4.1.12
What kind of ad server?
MS 2008 R2 Standard.
I made two dumps of traffic - in the case of a successful ldapsearch and an unsuccessful su $user.
Wireshark shows that in both cases the bind is successful, but the search requests are not identical.
In the unsuccessful case the search request includes attribute parameters and a filter option such as (&(objectClass=posixAccount)(uid=$user)).
As a result the DC server returns no result.
So I think that the cause of the failure is the wrong search request.
I have a script in this thread that should help. https://forum.openmediavault.o…Directory-LDAP-Revisited/ Try it in a vm and see if it works. Let us know.
So the only way to import users is to join the VM to the AD domain.
OK, I'll test your script. I'm sure the success will happen)
I don't know if it is the only way. It is just what I found to work for me. It would be interesting if you can do it without. I did not see anything like that when I was trying to figure this out.
Returned to this issue.
And faced another one - I can't start the smbd daemon.
In all cases I see this error:
smbd.service: Supervising process 24728 which is not our child. We'll most likely not notice when it exits.
smbd.service: Start operation timed out. Terminating.
smbd.service: Killing process 24728 (smbd) with signal SIGKILL.
Failed to start Samba SMB Daemon.
smbd.service: Unit entered failed state.
smbd.service: Failed with result 'timeout'.
I am not sure what steps you have done.
This looks interesting.
https://serverfault.com/posts/531247/edit
Resolved the issue with Samba.
As for the LDAP plugin - achieved a bit of success, without connecting the OMV server to the AD domain,
with these additional options:
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_objectclass posixGroup group
nss_map_attribute uid sAMAccountName
I collected a traffic dump and Wireshark showed that the AD server responded with all the information about users - it happened after the first search request from the OMV server.
Then OMV made several additional search requests and got zero response.
It's strange behavior.
And I got no users in the users tab.
Any thoughts on how to do further troubleshooting?
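What those nss_map_* lines do to the filter mentioned earlier in the thread, as an added illustration (not code from the thread, from openmediavault-ldap or from nss_ldap): the AD entry and the lookup helper are constructed, and the small filter evaluator only handles &, |, ! and attr=value.

```python
# Constructed example of how an AD "user" object appears to an LDAP client (not a real dump).
AD_ENTRY = {"objectclass": ["top", "person", "organizationalPerson", "user"],
            "samaccountname": ["test"]}
# The nss_map_objectclass / nss_map_attribute lines from the post, as lookup tables.
OBJECTCLASS_MAP = {"posixAccount": "user", "shadowAccount": "user", "posixGroup": "group"}
ATTRIBUTE_MAP = {"uid": "sAMAccountName"}

def parse_filter(s):
    """Parse an RFC 4515 filter (only &, |, ! and attr=value) into nested tuples."""
    def parse(i):
        if s[i + 1] in "&|!":
            op, i, kids = s[i + 1], i + 2, []
            while s[i] == "(":
                node, i = parse(i)
                kids.append(node)
            return (op, kids), i + 1          # skip the closing ')'
        j = s.index(")", i)
        attr, value = s[i + 1:j].split("=", 1)
        return ("=", attr, value), j + 1
    node, end = parse(0)
    if end != len(s):
        raise ValueError("trailing data in filter")
    return node

def unparse(node):
    if node[0] in "&|!":
        return "(%s%s)" % (node[0], "".join(unparse(k) for k in node[1]))
    return "(%s=%s)" % (node[1], node[2])

def remap(node, oc_map=OBJECTCLASS_MAP, attr_map=ATTRIBUTE_MAP):
    """Apply the nss_map_* rules: rename attributes, translate objectClass values."""
    if node[0] in "&|!":
        return (node[0], [remap(k, oc_map, attr_map) for k in node[1]])
    _, attr, value = node
    if attr.lower() == "objectclass":
        return ("=", attr, oc_map.get(value, value))
    return ("=", attr_map.get(attr, attr), value)

def matches(node, entry):
    """Evaluate a parsed filter against an entry given as {lowercase attr: [values]}."""
    if node[0] == "&": return all(matches(k, entry) for k in node[1])
    if node[0] == "|": return any(matches(k, entry) for k in node[1])
    if node[0] == "!": return not matches(node[1][0], entry)
    return node[2].lower() in [v.lower() for v in entry.get(node[1].lower(), [])]

def lookup(ldap_filter, entry=AD_ENTRY, mapped=False):
    # Returns (filter as it would be sent, whether the sample AD entry matches it).
    node = parse_filter(ldap_filter)
    if mapped:
        node = remap(node)
    return unparse(node), matches(node, entry)
```

Without the mapping the posixAccount/uid filter matches nothing in AD, which is the empty result seen in the capture; with it the same query becomes (&(objectClass=user)(sAMAccountName=test)) and finds the user.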
I don't fully understand how the users are synchronized with AD.
I guess the first import should create additional users and I should see changes in the files /etc/passwd, /etc/group, /etc/shadow.
Now, when I try to connect, for example, to the FTP server as my previously defined local user test (which is also defined in AD),
I got this:
Dec 5 14:53:56 nsk proftpd: nss_ldap: could not search LDAP server - Server is unavailable
Dec 5 14:53:56 nsk proftpd: nss_ldap: could not search LDAP server - Server is unavailable
Dec 5 14:53:56 nsk proftpd: pam_unix(proftpd:auth): authentication failure; logname= uid=0 euid=0 tty=/dev/ftpd14362 ruser=test rhost=192.168.79.1 user=test
Dec 5 14:53:56 nsk proftpd: pam_sss(proftpd:auth): Request to sssd failed. Connection refused
Dec 5 14:54:13 nsk proftpd[14362]: 127.0.1.1 (192.168.79.1[192.168.79.1]) - USER test (Login failed): Incorrect password
I don't know why, but the bind goes with the wrong credentials:
Lightweight Directory Access Protocol
LDAPMessage bindRequest(1) "<ROOT>" simple
messageID: 1
protocolOp: bindRequest (0)
bindRequest
version: 3
name:
authentication: simple (0)
simple:
[Response In: 6]
And when I try to log in as user test to the web interface of OMV, it succeeds.
The users may not be showing because the UIDs are greater than 60,000. You can change that in /etc/login.defs: UID_MAX 33554431. Do the same a few lines below for group.
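An added check for the UID_MAX explanation above (example code, not part of the thread or of OMV): it reads the *_MIN/*_MAX limits from login.defs text and flags passwd/group entries whose id is above UID_MAX/GID_MAX, which is the post's explanation for the missing users; the login.defs excerpt and the account lines are constructed samples.

```python
# shadow's compiled-in defaults, used when login.defs does not set a limit.
DEFAULT_LIMITS = {"UID_MIN": 1000, "UID_MAX": 60000, "GID_MIN": 1000, "GID_MAX": 60000}

# Constructed samples: a login.defs excerpt, and passwd/group lines as getent would print them.
LOGIN_DEFS = "# excerpt (constructed)\nUID_MIN\t1000\nUID_MAX\t60000\nGID_MIN\t1000\nGID_MAX\t60000\n"
PASSWD = [
    "root:x:0:0:root:/root:/bin/bash",
    "test:x:1001:1001::/home/test:/bin/bash",
    "aduser:*:1142301:1142513:AD User:/home/aduser:/bin/bash",   # AD-derived ids, well above 60000
]
GROUP = ["test:x:1001:", "domain users:*:1142513:aduser"]

def parse_login_defs(text, defaults=DEFAULT_LIMITS):
    """Read the *_MIN/*_MAX keys from login.defs text; unset keys keep shadow's defaults."""
    limits = dict(defaults)
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()      # drop comments, tolerate tabs/spaces
        if len(parts) == 2 and parts[0] in limits:
            limits[parts[0]] = int(parts[1])
    return limits

def out_of_range(passwd_lines, group_lines, limits):
    """Return ('passwd'|'group', name, id) for entries whose id exceeds the configured maximum.

    Tools that list only "normal" accounts (ids between *_MIN and *_MAX) skip such entries,
    which is the explanation offered in the thread for users missing from the OMV tab."""
    hidden = []
    for line in passwd_lines:
        name, _, uid, gid = line.split(":")[:4]
        if int(uid) > limits["UID_MAX"]:
            hidden.append(("passwd", name, int(uid)))
    for line in group_lines:
        name, _, gid = line.split(":")[:3]
        if int(gid) > limits["GID_MAX"]:
            hidden.append(("group", name, int(gid)))
    return hidden

def check(login_defs_text=LOGIN_DEFS, passwd_lines=PASSWD, group_lines=GROUP):
    return out_of_range(passwd_lines, group_lines, parse_login_defs(login_defs_text))
```

On a real box the same functions can be fed open("/etc/login.defs").read() and the output of getent passwd / getent group.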
Did that.
I don't know if it helped or not, but now
- when I run "getent passwd" I see only local users
- when I run "getent shadow" I see local users and LDAP users
As far as I see, OMV uses passwd, not shadow, to show the users. I have no idea how to change that. But it might be worth a feature request.
It is exactly the work of nsswitch.conf. When I remove "ldap" in front of shadow, I see no users from LDAP.
And I installed the LDAP plugin.
As I understand it, one application can use nsswitch for authentication, another PAM and the pam_ldap module (as for OMV, it is ldap_plugin, I guess).
But how this can be chosen I don't know.
Now I'm trying to use authentication from LDAP for FTP users and I see that authentication goes via the nss_ldap module - with no success.
So the target is to choose what OMV (and its parts like proftpd, Samba etc.) uses for LDAP authentication - nss_ldap or pam_ldap.
I guess the only way to do it is to remove libnss.