Great guide worked like a charm
is it possible to use this information as an LDAP server?
This is the Questions / Problems / Discussions thread for Join a Windows 2008 R2 domain
Thanks @dethegeek for the Guide!
Yeah, great stuff. Thank you dethegeek! Will try that in the next days on a testing machine.
Yo, dee
After months I've upgraded OMV from 0.5.6 to 1.21
And the only option i needed to change was installing the missing package "libnss-winbind" to get my users back into OMV
I've updated my extra-settings and removed the deprecated idmap-entries ...
I'll test the "performance settings" again for win 8.1 and add feedback here ...
greetz
Rico
Hi
Good job, El Muchacho.
I'm happy to see the tutorial still works after so many changes in OMV
Hello everyone!
First of all, I would like to clarify that English is not my native language.
After that, thanks for the post, it was very useful for me.
After two weeks of chasing, the domain administrator managed to join the domain; I can get the list of users and groups with wbinfo.
wbinfo -u
gives me around +40k users.
Also auth and info work:
root@NasGics:~# wbinfo --authenticate=myuser
Entermyuser's password:
plaintext password authentication succeeded
Enter myuser's password:
challenge/response password authentication succeeded
root@NasGics:~# wbinfo -i mysuer
myuser:*:9400:9408::/home/myuser:/bin/bash
root@NasGics:~#
Here is my problem:
It shows me only the local users, not the +40k AD users, and obviously I can't see the AD users in the web GUI.
Here are my config files:
cat /etc/krb5.conf
[libdefaults]
default_realm = republica.tasa.telefonica.com.ar
# The following krb5.conf variables are only for MIT Kerberos.
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
v4_instance_resolve = false
v4_name_convert = {
host = {
rcmd = host
ftp = ftp
}
plain = {
something = something-else
}
}
fcc-mit-ticketflags = true
[realms]
10.249.20.161 = {
kdc = 10.249.20.161
admin_server = 10.249.20.161
}
[domain_realm]
.tasa.telefonica.com.ar = TASA.TELEFONICA.COM.AR
tasa.telefonica.com.ar = TASA.TELEFONICA.COM.AR
[login]
krb4_convert = true
krb4_get_tickets = false
cat /etc/samba/smb.conf
#======================= Global Settings =======================
[global]
workgroup = TASA
server string = NasGics
dns proxy = no
log level = 2
syslog = 2
log file = /var/log/samba/log.%m
max log size = 1000
syslog only = yes
panic action = /usr/share/samba/panic-action %d
encrypt passwords = true
passdb backend = tdbsam
obey pam restrictions = yes
unix password sync = no
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
pam password change = yes
socket options = TCP_NODELAY IPTOS_LOWDELAY
guest account = nobody
load printers = no
disable spoolss = yes
printing = bsd
printcap name = /dev/null
unix extensions = yes
wide links = no
create mask = 0777
directory mask = 0777
use sendfile = yes
aio read size = 16384
aio write size = 16384
null passwords = no
local master = no
time server = no
wins support = no
realm=tasa.telefonica.com.ar
security = ads
allow trusted domains = no
idmap config * : range = 9400-59999
winbind use default domain = true
winbind offline logon = false
winbind enum users = yes
winbind enum groups = yes
winbind separator = /
winbind nested groups = yes
;winbind normalize names = yes
winbind refresh tickets = yes
template shell = /bin/bash
template homedir = /home/%U
# Performance improvements
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
client ntlmv2 auth = yes
client use spnego = yes
#======================= LDAP Settings =======================
security = ads
passdb backend = ldapsam:ldap://10.249.11.13:389
ldap suffix = DC=tasa,DC=telefonica,DC=com,DC=ar
ldap admin dn = CN=NasGics,OU=Usuarios Standard,OU=Usuarios,OU=TASA,DC=tasa,DC=telefonica,DC=com,DC=ar
ldap user suffix = ou=Usuarios
ldap group suffix = ou=Grupos
ldap ssl = off
ldap passwd sync = yes
ldapsam:trusted = no
root@NasGics:~# cat /etc/nsswitch.conf
passwd: compat files winbind ldap
group: compat files winbind ldap
shadow: compat files winbind ldap
hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
Before posting, I spent a long time trying to make it work. Any suggestions are welcome,
thank you very much
Hi
First, I'd like to warn you this tutorial has not been tested (at least by me) with a huge number of users. You should consider disabling two settings to improve performance. This is common advice for a setup like yours.
Changing these settings will prevent you from enumerating your AD users with getent passwd and getent group though.
After reading your configuration files, I believe you're using my second tutorial, with an OpenLDAP server. Good choice if you have several Linux servers or computers using shares available on your OMV server. I warn you: this is a single point of failure. I highly recommend you move OpenLDAP to a dedicated computer or VM, with at least one other OpenLDAP computer or VM, with replication between them. This improvement should help you build a fault-tolerant setup.
Now, about your configuration files:
I feel you merged something from my tutorial and another source. Can you tell me which other documentation you used? Can you also tell which version of OpenMediaVault you're using? The settings in smb.conf will vary depending on the version of Samba. I had a big headache making it work after switching to Debian Wheezy due to deprecated config lines.
I notice you added both winbind and ldap in nsswitch.conf. I believe this is not necessary. winbind should be sufficient.
About your issue with getent passwd returning only your local users: I had this often when configuring Samba with my method. Try getent group. If it shows your groups from your AD, then try to reboot the OMV server. I noticed this is often sufficient to solve the issue (and it never occurs again).
The tutorial is great. I set up 2 OMV machines and it works. But there are two small problems, perhaps someone can help me.
First: One OMV machine was a new installation with version 1.17; there I can see the AD users and groups in the webGUI and can also select them for Samba shares. The other OMV machine was upgraded from 0.9 to 1.17. On this machine I cannot see the AD users and groups in the webGUI. On both machines I followed the tutorial.
Second: I changed the last name of one user in AD. The login name has the format firstname.lastname. getent passwd shows the new login name. I restarted the server and also cleared the winbind cache, but ls -l shows the old login name. The problem now is that the user can log in with the new login name but has no access to the shares (Samba). Login with the old username doesn't work. The user id didn't change. In this case it is 10012. chown with the new username works, but ls -l shows the old username. Somewhere the user gets cached, but the reboot didn't solve it. Any ideas?
Hi BX787
About your first issue affecting your second OMV server: check that the UID and the GID are in [UID_MIN, UID_MAX] and [GID_MIN, GID_MAX] in the file /etc/login.defs. I'll make a new tutorial with a different method for OMV 1.X and 2.x to get rid of winbind and use several domains.
For your user UID=10012, which shares can your user not access? Only his home directory?
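An added example of mine, not code from dethegeek's tutorial or from OMV, that scripts the two checks this thread comes down to: keys set more than once in a merged smb.conf (Samba keeps the last assignment) and whether the winbind idmap range lies inside the UID/GID windows of /etc/login.defs. The smb.conf and login.defs excerpts are constructed from the files posted above.

```python
# Added example (not from the tutorial or OMV). Reads [global] from an smb.conf
# plus the limits in login.defs, reports keys set twice (Samba keeps the last
# value) and checks the idmap range against the UID/GID windows from the thread.
import re
# Constructed excerpts modelled on the files posted in this thread.
SMB_CONF = """\
[global]
workgroup = TASA
security = ads
passdb backend = tdbsam
socket options = TCP_NODELAY IPTOS_LOWDELAY
idmap config * : range = 9400-59999
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
security = ads
passdb backend = ldapsam:ldap://10.249.11.13:389
"""
LOGIN_DEFS = "UID_MIN 1000\nUID_MAX 60000\n#SYS_UID_MIN 100\nGID_MIN 1000\nGID_MAX 60000\n"

def parse_global(text):
    """Return {key: [values...]} for [global], keeping duplicate assignments."""
    keys, section = {}, None
    for line in (ln.strip() for ln in text.splitlines()):
        if not line or line[0] in "#;":
            continue                      # blank or comment
        if line.startswith("["):
            section = line.strip("[]").lower()
        elif section == "global" and "=" in line:
            k, v = (s.strip() for s in line.split("=", 1))
            keys.setdefault(re.sub(r"\s+", " ", k.lower()), []).append(v)
    return keys

def parse_login_defs(text):
    """Return {NAME: int} for uncommented numeric settings in login.defs."""
    pairs = (ln.split() for ln in text.splitlines())
    return {p[0]: int(p[1]) for p in pairs
            if len(p) == 2 and not p[0].startswith("#") and p[1].isdigit()}

def duplicate_keys(keys):
    """Keys assigned more than once; only the last assignment takes effect."""
    return sorted(k for k, vals in keys.items() if len(vals) > 1)

def idmap_range_ok(keys, defs):
    """True if the '*' idmap range lies inside both the UID and GID windows."""
    low, high = (int(x) for x in keys["idmap config * : range"][-1].split("-"))
    return all(defs[lo] <= low and high <= defs[hi]
               for lo, hi in (("UID_MIN", "UID_MAX"), ("GID_MIN", "GID_MAX")))

if __name__ == "__main__":
    g = parse_global(SMB_CONF)
    print(duplicate_keys(g), idmap_range_ok(g, parse_login_defs(LOGIN_DEFS)))
```

Run against real files with `open("/etc/samba/smb.conf").read()` and `open("/etc/login.defs").read()`; a user or group id reported by getent that falls outside the windows is exactly the case dethegeek describes for the upgraded server.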
login.defs looks fine, doesn't it?
#
# Min/max values for automatic uid selection in useradd
#
UID_MIN 1000
UID_MAX 60000
# System accounts
#SYS_UID_MIN 100
#SYS_UID_MAX 999
#
# Min/max values for automatic gid selection in groupadd
#
GID_MIN 1000
GID_MAX 60000
The user 10012:
I tried to access every Samba share. If I use the new login name, I immediately get the login prompt, which shows an authentication failure. If I use the old login name, it takes about one minute until I get the login prompt, which shows the authentication failure.
getent passwd shows the right login name "firstname.lastname:*:10012:10000:Firstname Lastname:/home/DOMAIN/firstname.lastname:/bin/false"
but "ls -l /home/DOMAIN" shows the old login name "drwx--S--- 6 firstname.oldlastname users 4096 Sep 4 2014 firstname.lastname"
Hi
login.defs is OK
I think you should rename the home directory to match the new username.
Also check that you changed both the UPN and samaccountname in your AD to match your new name. Maybe you changed only one of them.
The home directory is already renamed. I also checked the UPN, which is firstname.lastname@domain.tld, and samaccountname, which is firstname.lastname. I also checked every attribute in LDAP and didn't find a faulty one.
Hi
Enable user enumeration and search for your user:
File smb.conf:
Can you also give the result of these commands?
getent passwd -s winbind | grep username
alternatively, this should also work: getent passwd username
# will return an SID, check if it is the same as the SID in your AD
wbinfo -n username
# will convert your SID into name; replace SID by the previously found SID
wbinfo -s SID
# will return the uid of your SID; replace SID by the one you found with wbinfo -n username
wbinfo -S SID
You may also want to check wbinfo --help to find other diagnosis commands, if you feel some of them are useful.
If all your commands return correct values, test authentication for this user (assuming you know his password)
# will ask for a password
wbinfo -K username
If this fails, try to test authentication for another user, just to ensure again that your issue affects a single user.
wbinfo -K otherusername
Thank you very much for your help!
Quote:
Already set.
Quote: getent passwd -s winbind | grep username
alternatively, this should also work: getent passwd username
getent passwd -s winbind | grep firstname
firstname.lastname:*:10012:10000:Firstname Lastname:/home/DOMAIN/firstname.lastname:/bin/false
Quote: wbinfo -n username
wbinfo -n firstname.oldlastname
failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
Could not lookup name firstname.oldlastname
wbinfo -n firstname.lastname
S-1-5-21-2801314209-1527081043-3091591741-1137 SID_USER (1)
Quote: wbinfo -s SID
Quote: wbinfo -S SID
Quote: You may also want to check wbinfo --help to find other useful diagnosis commands, if you feel some of them useful.
wbinfo -a firstname.lastname
Enter firstname.lastname's password:
plaintext password authentication succeeded
Enter firstname.lastname's password:
challenge/response password authentication succeeded
Quote: wbinfo -K username
wbinfo -K firstname.lastname
Enter firstname.lastname's password:
plaintext kerberos password authentication for [firstname.lastname] succeeded (requesting cctype: FILE)
credentials were put in: FILE:/tmp/krb5cc_0
Quote: If this fails, try to test authentication for another user, just to ensure again that your issue affects a single user.
wbinfo -K otherusername
wbinfo -K firstname.oldlastname
Enter firstname.oldlastname's password:
plaintext kerberos password authentication for [firstname.oldlastname] failed (requesting cctype: FILE)
error code was NT_STATUS_NO_SUCH_USER (0xc0000064)
error message was: No such user
Could not authenticate user [firstname.oldlastname] with Kerberos (ccache: FILE)
I think winbind and Kerberos work fine. But I don't understand why "ls -l" shows the old username as file owner while "chown newusername" works without problems. After chown with the new username, "ls -l" still shows the old username.
I did "ls -l" again and saw that now the username is the new one. Auth via Samba now works. Either the commands above helped or a cache TTL was reached (but I had already restarted the server and manually cleared the winbind cache, so I think the commands did the job).
OKAY. Again, thank you for your help!
Now one problem is left. I cannot see the users/groups in the webGUI. Any idea?
Also solved. I can see the users and groups now, but I don't know why. Perhaps the commands above or a cache TTL?
Hi
Good news that your issue is solved, but it would be useful to understand what happened. In my experience winbind is sometimes unpredictable, and I have seen it finally work well unexpectedly.
I will upgrade my OMV 0.5 to 2 in a few months, and I'll use a new method to connect to an AD / Samba 4. Have a look at sssd, available at least on Debian 7. It is easier to set up, and as I read somewhere, it appears to be the preferred method.
If you want to try it, I may tell you how to set it up.
Hi,
sorry for my late answer.
Since the failure is gone, both systems work very well and are stable. Perhaps I will test sssd in a virtual machine if I find some time. But for now everything works and I don't know what exactly happened.
My first post after a day trying to bring OMV to talk to Clearos (Centos/RHEL) as a computer...
I think it is related to the very first post of this thread: trying to join OMV to a windows directory on a ldap/samba server.
The tutorial stops working when I try to set up Kerberos, as I don't have domain.local but rather a domain.lan that is outside OMV, meaning on ClearOS (where Kerberos isn't running or configured),
so the kinit command won't work when I register domain.lan on setup.
With the ldap plugin I get different SIDs on ClearOS and OMV, that's why I can never connect to OMV (it's fine for users and groups, but as ClearOS has its own sambaSIDs, they don't match when I register on a user level). I just set the SID of OMV to match ClearOS in LDAP as a workaround. It works, but I don't think this is the way to do it?!
Is there a tutorial for joining a Linux setup like this?
Do I need the Kerberos stuff at all, or just winbind?
How do I join OMV as a computer (there is a winadmin already on ClearOS) to my LDAP setting on ClearOS?
Any hints, links, help appreciated!
Bernd
OMV 1.9 with Backkernels / ClearOS 6.6
Hi
The tutorial has been written for a Microsoft AD server. However, it should run with a Samba 4 domain too (I'm working on a setup based on sssd, but the former setup described in the tutorial will work). I assume a Samba 3 DC will not be sufficient.
Can you provide
- the Samba version running on ClearOS 6.6
- the command which is not working
- the error you get?
Hello,
thank you for your answer.
- Yes, it's Samba 3.6.23-14 right now; I think ClearOS 7 will have Samba 4.
- The command and the failure are:
root@myomv:/etc# kinit -V administrator@MYCLEAROSDOMAIN.LAN
Using default cache: /tmp/krb5cc_0
Using principal: administrator@MYCLEAROSDOMAIN.LAN
kinit: Cannot resolve servers for KDC in realm "MYCLEAROSDOMAIN.LAN" while getting initial credentials
The dns server is running on Clearos and OMV is pointing to it.
Bernd