OMV vs Active Directory

  • Hi all,
    I've installed OMV over Debian 6.
    Debian was joined to the AD before OMV was installed (the configuration is the same as on other Debian machines already joined some time ago).
    Everything about the AD is OK on the console: wbinfo -t answers that the check of the secret is OK, wbinfo -u finds all users in the AD, wbinfo -g too...
    But in the OMV GUI it seems to be working, but not entirely....
    I haven't installed the LDAP plugin because when I tried, it was worse!
    In the section about users/groups, I can see all groups, but in users, just the local ones.
    I've tuned /etc/login.defs and /etc/samba/smb.conf regarding the UID/GID min/max because the OMV GUI returns something like a timeout when I try to browse users/groups. Now I've set the min/max back like the original.
    So now, some users (like me!) can access SMB shares and some others cannot.


    Any ideas????
    Do I need to install the LDAP plugin?
    Is there a way to filter users/groups from the AD? Because I've got trust relationships and I don't need users/groups from the trusted domains...


    The system is running on an HP ProLiant DL360 G4 with Smart Array 6400 and MSA500. The system is on the internal array (mirroring) and the data on the MSA500 array of 14x72 GB SCSI disks in RAID 5 (each RAID is hardware). SNMP is activated with HP agents for Centreon monitoring. Everything works like a charm, LAN transfers over SMB are very fast.


    Thanks in advance, sorry for my English, I'm French.
    THOMAS.

    • Official post

    This can be done without the LDAP plugin. Not sure what you did but it looks like most of it is working. Did you modify nsswitch.conf? Does DNS resolve everything at the OMV and on the server? Is the time set?


    OMV will modify things when you make changes at the GUI. See this bug tracker entry: http://bugtracker.openmediavault.org/view.php?id=707 The paste below is what I did and it worked on .5 too. I am not a tech writer but if you got this far you can probably follow it. Read it all first.


  • Hello,
    Thank you.


    The time is set manually (some problems with ntpdate, grrrrr).
    The domain lookup is OK.


    Here's the krb5.conf:


    And the smb.conf:


    These lines are set in the SMB section of the OMV GUI:


    I compared this configuration this afternoon with the one on our FreeRADIUS server and it's the same...


    The max UID/GID are set in /etc/login.defs....


    If you have any idea...
    Thank you
    THOMAS

  • Add-on.


    getent passwd doesn't work, but getent group is working....


    Here's the /etc/nsswitch.conf:

  • Hello,
    Thank you.


    OMV side:


    AD/DNS server side:


    Everything seems OK.


    The OMV server is Debian 6.0.9 with OMV 0.5.44.
    The clients are Windows XP, 2003 and 7, and my laptop running Ubuntu 13.04....


    Here are some messages from the OMV logs:

    Code
    Apr 16 13:28:16 nasun01 smbd[10723]: PAM (samba) illegal module type: kaccount
    Apr 16 13:28:16 nasun01 smbd[10723]: PAM (other) illegal module type: kaccount


    And this:


    I don't understand....


    Thank you in advance.


    THOMAS

  • Re,


    I just rebooted OMV.
    And now..... I don't know if it's better or worse!!!
    The "simple" users can't browse files on the NAS, but not me!
    getent passwd and getent group are working.
    I can browse groups in the GUI but I can't browse users --> error, like a timeout.
    getent users returns 1544 users; that's maybe the reason for this error.


    Here's the definition of a share I made (through the GUI):


    I'm in the "gg_administrateurs_partages" group and the users are in the "gg_h_un_prepresse" and/or "gg_t_un_social" groups.


    By the way, now I can't edit ACLs or privileges any more; it returns the same error as when browsing users...


    Some days ago, I browsed the config files on one of our Synology NAS units, and the configuration seems the same....


    Thank you in advance,


    THOMAS

    • Official post

    What version of server are you using as DC, 2003 R2? I have not tested against that. Couple of things I am not sure of from your configs:
    smb.conf
    password server = * I don't have these lines
    idmap config DOMAIN : backend = rid
    idmap config DOMAIN : range = 16777216-33554431


    My nsswitch.conf looks like this:
    passwd: files winbind ldap
    group: files winbind ldap
    shadow: files winbind ldap
    hosts: files dns mdns4_minimal [NOTFOUND=return] mdns4
    networks: files


    protocols: db files
    services: db files
    ethers: db files
    rpc: db files


    netgroup: nis

  • Hi,
    Thanks for your help.
    I've removed idmap cache time and I had already changed winbind cache time to 3600 yesterday.
    Today, I've noticed 2 things:
    1. On my Ubuntu laptop (joined to the same AD), I can access all the shares (I have all the permissions!)
    2. On my Windows 7 desktop, on some shares I get a denied message and on the other ones I get a dialog to log in with different credentials.
    The "simple users" can always browse the shares.


    A share definition with "denied" access:


    And a share definition of a share asking for different credentials:


    Now the smb.conf is like:


    Most clients are Windows 7 (a few Mac or Linux) and the DC servers are Windows 2003 R2 32 and 64 bits (with extensions for Exchange).
    Thanks.
    THOMAS.

  • Hello,


    So, I've modified the config many, many times.... I've created a Proxmox CT with a fresh Debian 7 running to try different configurations of smb and krb5.
    Everything seems OK, joining the AD is OK and I can get the user and group lists, but in the OMV GUI I can't list users and so I can't edit my shares' privileges/ACLs.


    In the syslog, I see different messages:


    Code
    172.20.0.109 (172.20.0.109) connect to service Journal initially as user XXXXXX+yyyyyy (uid=16778415, gid=16777729) (pid 4408)


    But I get a denied message on my Windows client (Journal is a shared folder).
    And this one:

    Code
    winbindd/winbindd_ads.c:214(query_user_list)   Not a user account? atype=0x30000000


    many, many times


    Does anyone have an idea...
    Thanks

    • Official post

    Don't have a .5 running anymore but this worked on a .6 I was having trouble on. Can't remember the samba version of .5 so it may not apply. Added this to the smb extra options.

    Code
    idmap config * : range = 10000-20000
    idmap config * : backend = tdb
    idmap config MYDOMAIN : default = yes
    idmap config MYDOMAIN : range = 100000-200000
    idmap config MYDOMAIN : backend = rid


    I found that here. https://lists.samba.org/archiv…/2012-January/165732.html It started working after that so I have not read the rest of it.
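Added example, not code from the thread or from OpenMediaVault: a small Python checker for idmap lines like the ones quoted in the answer above. It parses the "idmap config" options from a constructed smb.conf excerpt, flags a missing "*" default domain, missing backends and overlapping ranges, and recovers the RID from a uid the way the rid backend assigns ids (uid = range low + RID). The domain name MYDOMAIN and the ranges are taken from the answer; the function names are assumptions of this example.

```python
import re
# Constructed smb.conf excerpt: the "extra options" quoted in the last answer.
SMB_CONF_EXCERPT = """
idmap config * : range = 10000-20000
idmap config * : backend = tdb
idmap config MYDOMAIN : default = yes
idmap config MYDOMAIN : range = 100000-200000
idmap config MYDOMAIN : backend = rid
"""
IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(text):
    """Return {domain: {option: value}} for every 'idmap config' line in text."""
    domains = {}
    for m in filter(None, map(IDMAP_RE.match, text.splitlines())):
        domains.setdefault(m.group(1), {})[m.group(2).lower()] = m.group(3)
    return domains

def id_range(opts):
    """Parse 'low-high' into (low, high); None when no usable range is configured."""
    lo, _, hi = opts.get("range", "").partition("-")
    return (int(lo), int(hi)) if lo.strip().isdigit() and hi.strip().isdigit() else None

def check_idmap(domains):
    """List problems: no '*' default, missing backend/range, overlapping ranges."""
    problems = []
    if "*" not in domains:
        problems.append("no 'idmap config *' default (needed for SIDs of unlisted domains)")
    ranges = {}
    for dom, opts in domains.items():
        if "backend" not in opts:
            problems.append(f"{dom}: no backend")
        rng = id_range(opts)
        if rng is None or rng[0] >= rng[1]:
            problems.append(f"{dom}: missing or inverted range")
        else:
            ranges[dom] = rng
    ordered = sorted(ranges, key=ranges.get)  # ascending by (low, high)
    for a, b in zip(ordered, ordered[1:]):
        if ranges[a][1] >= ranges[b][0]:
            problems.append(f"ranges of {a} and {b} overlap")
    return problems

def rid_from_uid(uid, domains, dom):
    """idmap_rid assigns uid = range low + RID; recover the RID (None if not rid / out of range)."""
    opts = domains.get(dom, {})
    rng = id_range(opts)
    if opts.get("backend", "").lower() != "rid" or rng is None or not rng[0] <= uid <= rng[1]:
        return None
    return uid - rng[0]
```

Fed the DOMAIN range quoted earlier in the thread (16777216-33554431), the same helper turns the uid=16778415 from the syslog line back into the account's RID.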
