Join a Windows 2008 R2 domain

    • OMV 1.0
    • core


      Join a Windows 2008R2 domain

      Requirements
      OpenMediaVault 1.0 or higher

      Description
      With this guide you are able to join a Windows domain with your OMV.
      The major benefit with OMV 1.0 is the ability to choose a uid/gid range with higher values.

      Pre-Configuration
      • LAB description
      1 ESXi 5 host with some virtual machines:
      1 Windows 2008 R2 AD domain controller
      1 OpenMediaVault 1.0.20
      1 Windows 7 64-bit member of the 2008 R2 domain

      The domain controller has the DNS and DHCP roles.
      OpenMediaVault has one Ethernet interface configured via DHCP.

      • Settings
      Domain: domain.local
      Windows 2008 R2 hostname: srv-dc-01
      OMV hostname: omv
      • Customizations, or what you need to adapt to YOUR needs
      a way to synchronize time between your DC, your OMV server and your domain member computers
      the domain name (and therefore the workgroup)
      the directory containing the home directories (probably something like /media/30fcb748-ad1e-4228-af2f-951e8e7b56df/YOURWORKGRP)


      OMV Configuration
      • Check IP configuration
      OpenMediaVault has a DHCP-assigned IP address. Check its hostname and that name resolution works for the domain:

      Source Code

      omv:/# host domain.local
      domain.local has address 192.168.0.10
      omv:/# hostname -f
      omv.domain.local


      • Check time and NTP
      The LAB environment runs ESXi: time is synced on each VM boot, which is sufficient for testing purposes. In a production environment, use VMware Tools to sync time against the ESXi host, or use NTP. Kerberos rejects tickets when the clock skew between client and KDC is too large, so this step matters.

      • Install required packages

      Source Code

      apt-get update
      apt-get install krb5-user krb5-clients libpam-krb5 winbind libnss-winbind

      You will be asked for the default Kerberos realm: DOMAIN.LOCAL

      • Kerberos configuration
      Kerberos runs out of the box with the default configuration. However, you may edit /etc/krb5.conf as follows:

      Source Code

      [libdefaults]
          default_realm = DOMAIN.LOCAL
          ticket_lifetime = 600
          dns_lookup_realm = yes
          dns_lookup_kdc = yes
          renew_lifetime = 7d
          ; allow_weak_crypto = true
          # The following krb5.conf variables are only for MIT Kerberos.
          ; krb4_config = /etc/krb.conf
          ; krb4_realms = /etc/krb.realms
          ; kdc_timesync = 1
          ; ccache_type = 4
          ; forwardable = true
          ; proxiable = true
          # The following encryption type specification will be used by MIT Kerberos
          # if uncommented. In general, the defaults in the MIT Kerberos code are
          # correct and overriding these specifications only serves to disable new
          # encryption types as they are added, creating interoperability problems.
          #
          # The only time when you might need to uncomment these lines and change
          # the enctypes is if you have local software that will break on ticket
          # caches containing ticket encryption types it doesn't know about (such as
          # old versions of Sun Java).
          # For Windows Server 2008 R2 (seems not required)
          ; default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
          ; default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
          ; permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
          # For Windows Server 2003 (not tested against Windows 2003 Server yet, and this server is deprecated)
          ; default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
          ; default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
          ; permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
      [kdc]
          profile = /etc/krb5kdc/kdc.conf
      [logging]
          kdc = FILE:/var/log/krb5kdc.log
          admin_server = FILE:/var/log/kadmin.log
          default = FILE:/var/log/krb5lib.log


      • Test Kerberos settings
      kinit -V administrator@DOMAIN.LOCAL

      Enter the administrator password when prompted.


      Check that you got a ticket: klist
      Sample output:

      Source Code

      Ticket cache: FILE:/tmp/krb5cc_0
      Default principal: administrator@DOMAIN.LOCAL
      Valid starting     Expires            Service principal
      01/28/13 13:28:58  01/28/13 13:38:58  krbtgt/DOMAIN.LOCAL@DOMAIN.LOCAL



      Destroy all tickets (and check with klist): kdestroy

      • SAMBA settings
      In the OMV webGUI:
      1. enable SAMBA
      2. set Workgroup: DOMAIN
      3. tick "Enable user home directories". You may also tick "Set browseable".
      4. add the following extra options:

      Source Code

      password server = *
      realm = DOMAIN.LOCAL
      security = ads
      allow trusted domains = no
      idmap config * : range = 9400-59999
      winbind use default domain = true
      winbind offline logon = false
      winbind enum users = yes
      winbind enum groups = yes
      winbind separator = /
      winbind nested groups = yes
      ;winbind normalize names = yes
      winbind refresh tickets = yes
      template shell = /bin/bash
      template homedir = /home/%U
      # Performance improvements
      socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
      client ntlmv2 auth = yes
      client use spnego = yes


      :!: If your clients run Windows 8, read this post to try a performance enhancement: forums.openmediavault.org/view…f=3&t=1493&p=24413#p24366

      Test the Samba configuration: testparm

      Disable the winbind cache
      Edit /etc/default/winbind and uncomment the following line (the -n option runs winbindd without its cache):

      Source Code

      #WINBINDD_OPTS = "-n"

      restart samba and winbind

      Source Code

      service samba stop
      service winbind restart
      service samba start


      :!: This step is optional.
      If you wish to see your AD users and groups in the OMV web interface, their UIDs and GIDs must fall inside the non-system range defined in /etc/login.defs. Find UID_MAX and change UID_MAX and GID_MAX as follows:

      Source Code

      UID_MAX 60000
      GID_MAX 60000

      Editing AD users and groups through the OMV web interface will still fail, because they are not stored in /etc/passwd and /etc/group.
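      As an added check that is not part of the original guide: this POSIX shell script parses the SAMBA extra options and /etc/login.defs and verifies that the winbind idmap range (9400-59999 above) lies entirely below UID_MAX and GID_MAX, and above the local user range (it assumes Debian's default UID_MIN of 1000). The sample files it writes are constructed for the demonstration, not copies of a live configuration.

```shell
#!/bin/sh
# Added example, not part of the original guide: check that the winbind
# "idmap config * : range" from the SAMBA extra options fits below the
# UID_MAX / GID_MAX limits in /etc/login.defs, so that AD users and groups
# are treated as non-system accounts by the OMV web interface, and that it
# does not overlap local users (UID_MIN 1000 is assumed, Debian's default).
# The files created below are constructed samples, not live config.

# Print "LO HI" parsed from the idmap range line of an smb.conf-style file.
idmap_range() {
    sed -n 's/^[[:space:]]*idmap config \* : range[[:space:]]*=[[:space:]]*\([0-9][0-9]*\)-\([0-9][0-9]*\).*/\1 \2/p' "$1" | head -n 1
}

# Print the numeric value of a login.defs key (e.g. UID_MAX); empty if absent.
logindefs_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]][[:space:]]*\([0-9][0-9]*\).*/\1/p" "$1" | tail -n 1
}

# Return 0 when the whole range lies within [1000, UID_MAX] and [1000, GID_MAX],
# 1 otherwise. Arguments: smb extra-options file, login.defs file.
idmap_range_fits() {
    range=$(idmap_range "$1"); lo=${range%% *}; hi=${range##* }
    uid_max=$(logindefs_value "$2" UID_MAX); gid_max=$(logindefs_value "$2" GID_MAX)
    if [ -z "$range" ] || [ -z "$uid_max" ] || [ -z "$gid_max" ]; then
        echo "missing idmap range or UID_MAX/GID_MAX" >&2; return 1
    fi
    if [ "$lo" -ge 1000 ] && [ "$lo" -lt "$hi" ] && [ "$hi" -le "$uid_max" ] && [ "$hi" -le "$gid_max" ]; then
        echo "OK: idmap range $lo-$hi fits under UID_MAX=$uid_max GID_MAX=$gid_max"; return 0
    fi
    echo "FAIL: idmap range $lo-$hi is outside UID_MAX=$uid_max / GID_MAX=$gid_max" >&2; return 1
}

# Constructed sample inputs: the extra options from this guide, one login.defs
# that follows the guide (60000) and one with a UID_MAX that is too low.
tmp=$(mktemp -d)
cat > "$tmp/smb-extra.conf" <<'EOF'
realm = DOMAIN.LOCAL
security = ads
idmap config * : range = 9400-59999
winbind use default domain = true
EOF
printf 'UID_MAX\t\t60000\nGID_MAX\t\t60000\n' > "$tmp/login.defs.ok"
printf 'UID_MAX\t\t50000\nGID_MAX\t\t60000\n' > "$tmp/login.defs.low"

idmap_range_fits "$tmp/smb-extra.conf" "$tmp/login.defs.low"   # FAIL: 59999 > 50000
idmap_range_fits "$tmp/smb-extra.conf" "$tmp/login.defs.ok"    # OK
```

      On a real OMV box, point the two arguments at a file containing your SMB extra options and at /etc/login.defs instead of the constructed samples.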

      • Join the domain
      The createcomputer argument places the computer account in a specific organisational unit (OU); it is optional.

      Source Code

      omv:/# net ads join -U administrator createcomputer=servers/linux
      Enter administrator's password:
      Using short domain name -- DOMAIN
      Joined 'OMV' to realm 'domain.local'


      • Enable authentication with winbind
      Edit /etc/nsswitch.conf so that passwd and group lookups also query winbind:

      Source Code

      passwd: compat winbind
      shadow: compat
      group: compat winbind

      Then run: ldconfig

      • Check user and group enumeration
      getent passwd (lists local and AD users)
      getent group (lists local and AD groups)

      • Enable mkhomedir and umask
      Create the file /usr/share/pam-configs/my_mkhomedir with the following content:

      Source Code

      Name: Activate mkhomedir
      Default: yes
      Priority: 900
      Session-Type: Additional
      Session:
          required pam_mkhomedir.so umask=0077 skel=/etc/skel


      The umask argument for mkhomedir didn't work for me. pam_umask.so seems to be a better option. Create the file /usr/share/pam-configs/umask with the following content:

      Source Code

      Name: Activate umask
      Default: yes
      Priority: 800
      Session-Type: Additional
      Session:
          optional pam_umask.so umask=0077


      Run the command pam-auth-update, enable Activate mkhomedir and Activate umask. The items Kerberos authentication, Unix authentication and Winbind NT/Active Directory authentication should be already enabled.

      • Fix domain folder permissions
      In the SMB/CIFS extra configuration, the special variable %D is used to distinguish domain users from OMV's local users. A folder will be created upon the first domain user connection. However, that folder will not allow domain users to traverse it and reach their home directory, so it needs a fix. Create the folder where template homedir expects to find it and adjust the owner and permissions. If the group name contains a space (as "domain users" does), escape it with a backslash.

      Source Code

      mkdir /home/DOMAIN
      chmod 0755 /home/DOMAIN
      chown root:domain\ users /home/DOMAIN


      • SSH login for AD users
      In OMV webGUI enable SSH, disable root login (prefer su and sudo) and add this in Extra Options :
      AllowGroups root ssh "domain users"

      Please check that "domain users" is enclosed in double quotes, and check that this is the group name available in your Windows 2008 R2 (I'm French and I'm using a French Windows 2008 R2: group and user names are localized).

      • Login against SMB or SSH
      Don't prefix the username with the domain (e.g. use administrator, not DOMAIN.LOCAL/administrator).



      Questions / Problems / Discussions
      Feel free to post in this thread: Join a Windows 2008 R2 domain with OMV.

      Version 1.1 // 26.11.2014

      The post was edited 2 times, last by WastlJ ().