Join a Windows 2008 R2 domain with OMV


    • Join a Windows 2008 R2 domain with OMV

      This is the Questions / Problems / Discussions thread for Join a Windows 2008 R2 domain.
      Thanks @dethegeek for the guide!
      OMV stoneburner | HP Microserver | 256GB Samsung 830 SSD for system | 4x 2TB in a RAID5
      OMV erasmus| Odroid XU4 | 5TB Data drive | 500GB Backup drive


    • Yeah, great stuff. Thank you, dethegeek! I will try that in the next few days on a testing machine.
      Homebox: Bitfenix Prodigy Case, ASUS E45M1-I DELUXE ITX, 8GB RAM, 5x 4TB HGST Raid-5 Data, 1x 320GB 2,5" WD Bootdrive via eSATA from the backside
      Companybox 1: Standard Midi-Tower, Intel S3420 MoBo, Xeon 3450 CPU, 16GB RAM, 5x 2TB Seagate Data, 1x 80GB Samsung Bootdrive - testing for iSCSI to ESXi-Hosts
      Companybox 2: 19" Rackservercase 4HE, Intel S975XBX2 MoBo, C2D@2200MHz, 8GB RAM, HP P212 Raidcontroller, 4x 1TB WD Raid-0 Data, 80GB Samsung Bootdrive, Intel 1000Pro DualPort (Bonded in a VLAN) - Temp-NFS-storage for ESXi-Hosts
    • Hi

      @Sunnyg : this guide is not intended to make OMV an LDAP server, because an AD is already an LDAP server :)

      Why do you need an LDAP server in OMV? Is this only to build a directory without closed-source software (I mean: Windows)?
      My wiki : http://howto-it.dethegeek.eu.org

      = latest setup =
      proxmox VE 5 hypervisor back to my good C2D setup
      guests : OpenWRT (VM), OMV 3 (VM), Samba 4 domain controller (LXC)
      OMV alive since 2011 I guess : never crashed, always upgraded : stronger than my hard drives.

      Searching for a P2P online storage solution : must be open source, client side encrypted, quota support. Tahoe LAFS is the nearest, but is lacking quota. Would be perfect to build an OMV-based, anonymous online storage for backups
    • Yo, dee ;)
      After months I've upgraded OMV from 0.5.6 to 1.21

      And the only option I needed to change was installing the missing package "libnss-winbind" to get my users back into OMV ;)
      I've updated my extra-settings and removed the deprecated idmap-entries ...
      I'll test the "performance settings" again for win 8.1 and add feedback here ...

      greetz

      Rico
      running OMV 2.2.1
      with : SnapRAID - AUFS - TVheadend
    • Hi

      Good job, El Muchacho.

      I'm happy to see the tutorial still works after so many changes in OMV ;)
    • Hello everyone!
      First of all, I would like to clarify that English is not my native language.
      That said, thanks for the post, it was very useful for me.

      After a two-week chase, the domain administrator managed to join the domain, and I can get the list of users and groups with wbinfo.

      wbinfo -u
      gets me around 40k users.

      Also auth and info work:

      Source Code

          root@NasGics:~# wbinfo --authenticate=myuser
          Enter myuser's password:
          plaintext password authentication succeeded
          Enter myuser's password:
          challenge/response password authentication succeeded
          root@NasGics:~# wbinfo -i myuser
          myuser:*:9400:9408::/home/myuser:/bin/bash
          root@NasGics:~#


      Here is my problem:

      Source Code

          root@NasGics:~# getent passwd

      shows me only the local users, not the 40k AD users, and obviously I can't see the AD users in the web GUI.

      Here are my config files:

      Source Code

          cat /etc/krb5.conf
          [libdefaults]
              default_realm = republica.tasa.telefonica.com.ar
              # The following krb5.conf variables are only for MIT Kerberos.
              krb4_config = /etc/krb.conf
              krb4_realms = /etc/krb.realms
              kdc_timesync = 1
              ccache_type = 4
              forwardable = true
              proxiable = true
              v4_instance_resolve = false
              v4_name_convert = {
                  host = {
                      rcmd = host
                      ftp = ftp
                  }
                  plain = {
                      something = something-else
                  }
              }
              fcc-mit-ticketflags = true
          [realms]
              10.249.20.161 = {
                  kdc = 10.249.20.161
                  admin_server = 10.249.20.161
              }
          [domain_realm]
              .tasa.telefonica.com.ar = TASA.TELEFONICA.COM.AR
              tasa.telefonica.com.ar = TASA.TELEFONICA.COM.AR
          [login]
              krb4_convert = true
              krb4_get_tickets = false




      Source Code

          cat /etc/samba/smb.conf
          #======================= Global Settings =======================
          [global]
              workgroup = TASA
              server string = NasGics
              dns proxy = no
              log level = 2
              syslog = 2
              log file = /var/log/samba/log.%m
              max log size = 1000
              syslog only = yes
              panic action = /usr/share/samba/panic-action %d
              encrypt passwords = true
              passdb backend = tdbsam
              obey pam restrictions = yes
              unix password sync = no
              passwd program = /usr/bin/passwd %u
              passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
              pam password change = yes
              socket options = TCP_NODELAY IPTOS_LOWDELAY
              guest account = nobody
              load printers = no
              disable spoolss = yes
              printing = bsd
              printcap name = /dev/null
              unix extensions = yes
              wide links = no
              create mask = 0777
              directory mask = 0777
              use sendfile = yes
              aio read size = 16384
              aio write size = 16384
              null passwords = no
              local master = no
              time server = no
              wins support = no
              realm = tasa.telefonica.com.ar
              security = ads
              allow trusted domains = no
              idmap config * : range = 9400-59999
              winbind use default domain = true
              winbind offline logon = false
              winbind enum users = yes
              winbind enum groups = yes
              winbind separator = /
              winbind nested groups = yes
              ;winbind normalize names = yes
              winbind refresh tickets = yes
              template shell = /bin/bash
              template homedir = /home/%U
              # Performance improvements
              socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
              client ntlmv2 auth = yes
              client use spnego = yes
          #======================= LDAP Settings =======================
              security = ads
              passdb backend = ldapsam:ldap://10.249.11.13:389
              ldap suffix = DC=tasa,DC=telefonica,DC=com,DC=ar
              ldap admin dn = CN=NasGics,OU=Usuarios Standard,OU=Usuarios,OU=TASA,DC=tasa,DC=telefonica,DC=com,DC=ar
              ldap user suffix = ou=Usuarios
              ldap group suffix = ou=Grupos
              ldap ssl = off
              ldap passwd sync = yes
              ldapsam:trusted = no


      Source Code

          root@NasGics:~# cat /etc/nsswitch.conf
          passwd: compat files winbind ldap
          group: compat files winbind ldap
          shadow: compat files winbind ldap
          hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4
          networks: files
          protocols: db files
          services: db files
          ethers: db files
          rpc: db files
          netgroup: nis





      Before posting, I spent a long time trying to make it work. Any suggestions are welcome.
      Thank you very much.
    • Hi

      First, I'd like to warn you this tutorial has not been tested (at least by me) with a huge number of users. You should consider disabling two settings to improve performance. This is common advice for a setup like yours.

      Source Code

          winbind enum users = no
          winbind enum groups = no


      Changing these settings will prevent you from enumerating your AD users with getent passwd and getent group, though.

      After reading your configuration files, I believe you're using my second tutorial, with an OpenLDAP server. Good choice if you have several Linux servers or computers using shares available on your OMV server. I warn you: this is a single point of failure. I highly recommend you move OpenLDAP to a dedicated computer or VM, with at least one other OpenLDAP computer or VM, with a replication system between them. This improvement should help you build a failure-tolerant setup.

      Now, about your configuration files:

      I feel you merged something from my tutorial and another source. Can you tell me which other documentation you used? Can you also tell me which version of OpenMediaVault you're using? The settings in smb.conf will vary depending on the version of Samba. I had a big headache making it work after switching to Debian Wheezy due to deprecated config lines.

      I notice you added both winbind and ldap in nsswitch.conf. I believe this is not necessary; winbind should be sufficient.

      About your issue of getent passwd returning only your local users: I had this often when I configured Samba with my method. Try getent group. If it shows your groups from your AD, then try to reboot the OMV server. I noticed this is often sufficient to solve the issue (and it never occurs again).
    • The tutorial is great. I set up 2 OMV machines and it works. But there are two small problems; perhaps someone can help me.

      First: One OMV machine was a new installation with version 1.17; there I can see the AD users and groups in the web GUI and can also select them for Samba shares. The other OMV machine was upgraded from 0.9 to 1.17. On this machine I cannot see the AD users and groups in the web GUI. On both machines I followed the tutorial.

      Second: I changed the last name of one user in AD. The login name has the format firstname.lastname. getent passwd shows the new login name. I restarted the server and also cleared the winbind cache, but ls -l shows the old login name. The problem now is that the user can log in with the new login name but has no access to the shares (Samba). Login with the old username didn't work. The user ID didn't change; in this case it is 10012. chown with the new username works, but ls -l shows the old username. Somewhere the user gets cached, but the reboot didn't solve it. Any ideas?
    • Hi BX787

      About your first issue affecting your second OMV server: check that the UID and the GID are in [UID_MIN, UID_MAX] and [GID_MIN, GID_MAX] in the file /etc/login.defs. I'll make a new tutorial with a different method for OMV 1.x and 2.x to get rid of winbind and use several domains.

      For your user UID=10012, which shares can your user not access? Only his home directory?
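      The check dethegeek asks for above, as an added script of my own (it is not from the guide or from any poster), applied to the UID window in /etc/login.defs, the `idmap config * : range` in smb.conf and a `getent passwd -s winbind` listing. It flags domain users whose UID falls outside the login.defs window (assumed here to be the filter the OMV user list applies, as dethegeek's advice implies) and, separately, an idmap range that overlaps the range useradd and groupadd allocate from. That overlap is worth fixing on its own: with the 9400-59999 idmap range posted earlier in this thread inside a 1000-60000 login.defs window, a locally created account and a domain account can end up with the same UID and therefore the same rights on the data disks. The login.defs and idmap values are the ones posted in this thread; the `svc.backup` line is constructed to show a hit.

```shell
#!/bin/sh
# Added example, not part of the OMV guide or any post in this thread.
# Checks winbind-assigned UIDs against the login.defs window and checks the
# idmap range against the local useradd/groupadd range.
# All inputs below are constructed sample data; on a live server feed the
# functions the real files and the output of `getent passwd -s winbind`.

# Constructed /etc/login.defs fragment (values as posted in this thread).
LOGIN_DEFS='UID_MIN 1000
UID_MAX 60000
GID_MIN 1000
GID_MAX 60000'

# Constructed smb.conf fragment (idmap range as posted in this thread).
SMB_CONF='[global]
   security = ads
   idmap config * : range = 9400-59999
   winbind enum users = yes'

# Constructed `getent passwd -s winbind` output: the user from this thread plus
# a made-up service account whose UID landed outside the login.defs window.
WINBIND_PASSWD='firstname.lastname:*:10012:10000:Firstname Lastname:/home/DOMAIN/firstname.lastname:/bin/false
svc.backup:*:70012:10000:Backup Service:/home/DOMAIN/svc.backup:/bin/false'

# logindef KEY TEXT -> value of KEY in login.defs-style text
logindef() {
    printf '%s\n' "$2" | awk -v k="$1" '$1 == k { print $2; exit }'
}

# idmap_range TEXT -> "LOW HIGH" taken from "idmap config * : range = LOW-HIGH"
idmap_range() {
    printf '%s\n' "$1" | awk -F'=' '
        $1 ~ /idmap config \* *: *range/ {
            gsub(/ /, "", $2); split($2, r, "-"); print r[1], r[2]; exit }'
}

# ranges_overlap A_LO A_HI B_LO B_HI -> true when the inclusive ranges intersect
ranges_overlap() {
    [ "$1" -le "$4" ] && [ "$3" -le "$2" ]
}

# users_outside_window PASSWD_TEXT UID_MIN UID_MAX -> names whose UID is outside
# [UID_MIN, UID_MAX]; these are the accounts the user list will not show
users_outside_window() {
    printf '%s\n' "$1" | awk -F: -v lo="$2" -v hi="$3" '
        NF >= 3 && ($3 + 0 < lo || $3 + 0 > hi) { print $1 }'
}

# check_idmap LOGIN_DEFS_TEXT SMB_CONF_TEXT PASSWD_TEXT -> prints findings,
# returns 1 when anything was flagged
check_idmap() {
    ld="$1"; smb="$2"; pw="$3"; rc=0
    umin=$(logindef UID_MIN "$ld"); umax=$(logindef UID_MAX "$ld")
    range=$(idmap_range "$smb"); ilo=${range% *}; ihi=${range#* }
    if ranges_overlap "$ilo" "$ihi" "$umin" "$umax"; then
        echo "WARNING: idmap range $ilo-$ihi overlaps login.defs UID_MIN-UID_MAX $umin-$umax:"
        echo "         useradd and winbind can hand the same UID to two different accounts"
        rc=1
    fi
    for u in $(users_outside_window "$pw" "$umin" "$umax"); do
        echo "WARNING: $u has a UID outside $umin-$umax and will not appear in the user list"
        rc=1
    done
    return $rc
}

if check_idmap "$LOGIN_DEFS" "$SMB_CONF" "$WINBIND_PASSWD"; then
    echo "OK: idmap range and winbind UIDs are consistent with login.defs"
fi
```

      On the sample data the script reports both problems. The usual fix for the overlap is an idmap range that starts above UID_MAX (for example 100000-199999 with this login.defs), but the user list then needs UID_MAX raised to match, or the domain users disappear from the GUI again.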
    • login.defs looks fine doesn't it?

      Source Code

          #
          # Min/max values for automatic uid selection in useradd
          #
          UID_MIN 1000
          UID_MAX 60000
          # System accounts
          #SYS_UID_MIN 100
          #SYS_UID_MAX 999
          #
          # Min/max values for automatic gid selection in groupadd
          #
          GID_MIN 1000
          GID_MAX 60000


      The user 10012:
      I tried to access every Samba share. If I use the new login name, I immediately get the login prompt, which shows an authentication failure. If I use the old login name, it takes about one minute until I get the login prompt, which shows the authentication failure.

      getent passwd shows the right login name: "firstname.lastname:*:10012:10000:Firstname Lastname:/home/DOMAIN/firstname.lastname:/bin/false"

      but "ls -l /home/DOMAIN" shows the old login name: "drwx--S--- 6 firstname.oldlastname users 4096 Sep 4 2014 firstname.lastname"
    • Hi

      login.defs is OK

      I think you should rename the home directory to match the new username.
      Check also that you changed both the UPN and the sAMAccountName in your AD to match the new name. Maybe you changed only one of them.
    • Hi

      Enable user enumeration and search for your user.
      File smb.conf:

      Source Code

          winbind enum users = yes

      Can you also give the result of these commands?

      getent passwd -s winbind | grep username
      Alternatively, this should also work: getent passwd username

      # will return an SID; check if it is the same as the SID in your AD
      wbinfo -n username

      # will convert your SID into a name; replace SID by the previously found SID
      wbinfo -s SID

      # will return the uid of your SID; replace SID by the one you found with wbinfo -n username
      wbinfo -S SID

      You may also want to check wbinfo --help to find other diagnosis commands, if you feel some of them are useful.

      If all your commands return correct values, test authentication for this user (assuming you know his password):
      # will ask for a password
      wbinfo -K username

      If this fails, try to test authentication for another user, just to ensure again that your issue affects a single user.
      wbinfo -K otherusername
    • Thank you very much for your help!

      Enable user enumeration and search for your user.
      File smb.conf:

      Source Code

          winbind enum users = yes

      Already set.


      getent passwd -s winbind | grep username
      Alternatively, this should also work: getent passwd username

      Source Code

          getent passwd -s winbind | grep firstname
          firstname.lastname:*:10012:10000:Firstname Lastname:/home/DOMAIN/firstname.lastname:/bin/false


      wbinfo -n username

      Source Code

          wbinfo -n firstname.oldlastname
          failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
          Could not lookup name firstname.oldlastname
          wbinfo -n firstname.lastname
          S-1-5-21-2801314209-1527081043-3091591741-1137 SID_USER (1)


      wbinfo -s SID

      Source Code

          wbinfo -s S-1-5-21-2801314209-1527081043-3091591741-1137
          DOMAIN\firstname.lastname 1


      wbinfo -S SID

      Source Code

          wbinfo -S S-1-5-21-2801314209-1527081043-3091591741-1137
          10012


      You may also want to check wbinfo --help to find other diagnosis commands, if you feel some of them are useful.

      Source Code

          wbinfo -a firstname.lastname
          Enter firstname.lastname's password:
          plaintext password authentication succeeded
          Enter firstname.lastname's password:
          challenge/response password authentication succeeded


      wbinfo -K username

      Source Code

          wbinfo -K firstname.lastname
          Enter firstname.lastname's password:
          plaintext kerberos password authentication for [firstname.lastname] succeeded (requesting cctype: FILE)
          credentials were put in: FILE:/tmp/krb5cc_0


      If this fails, try to test authentication for another user, just to ensure again that your issue affects a single user.
      wbinfo -K otherusername

      Source Code

          wbinfo -K firstname.oldlastname
          Enter firstname.oldlastname's password:
          plaintext kerberos password authentication for [firstname.oldlastname] failed (requesting cctype: FILE)
          error code was NT_STATUS_NO_SUCH_USER (0xc0000064)
          error message was: No such user
          Could not authenticate user [firstname.oldlastname] with Kerberos (ccache: FILE)


      I think winbind and Kerberos work fine. But I don't understand why "ls -l" shows the old username as file owner while "chown newusername" works without problems. After chown with the new username, "ls -l" shows the old username.

      I did "ls -l" again and saw that now the username is the new one. Auth via Samba now works. Either the commands above helped or a cache TTL was reached (but I already restarted the server and manually cleared the winbind cache, so I think the commands did the job).

      OKAY. Again thank you for your help!

      Now one problem is left. I cannot see the users/groups in the web GUI. Any idea?

      Also solved. I can see the users and groups now, but I don't know why. Perhaps the commands above or a cache TTL?

    • Hi

      Good news that your issue is solved, but it would be useful to understand what happened. In my experience winbind is sometimes unpredictable, and I have seen it finally work unexpectedly.

      I will upgrade my OMV 0.5 to 2 in a few months, and I'll use a new method to connect to an AD / Samba 4. Have a look at sssd, available at least on Debian 7. It is easier to set up and, as I read somewhere, it appears to be the preferred method.

      If you want to try it, I may tell you how to set it up.
    • My first post, after a day trying to get OMV to talk to ClearOS (CentOS/RHEL) as a computer...

      I think it is related to the very first post of this thread: trying to join OMV to a Windows directory on an LDAP/Samba server.

      The tutorial stops working when I try to set up Kerberos, as I don't have domain.local but rather a domain.lan that is outside OMV, meaning on ClearOS (where Kerberos isn't running or configured).

      So the kinit command won't work when I register domain.lan during setup.

      With the LDAP plugin I get different SIDs on ClearOS and OMV, which is why I can never connect to OMV (it's fine for users and groups, but as ClearOS has its own sambaSIDs, they don't match when I register at user level). I just set the SID of OMV to match ClearOS in LDAP as a workaround. It works, but I don't think this is the way to do it?!

      Is there a tutorial for joining a Linux setup like this?

      Do I need the Kerberos stuff at all, or just winbind?

      How do I join OMV as a computer (there is a winadmin already on ClearOS) to my LDAP setup on ClearOS?

      Any hints, links, help appreciated!

      Bernd

      OVM 1.9 with Backkernels / Clearos 6.6
      OMV 2.1.1 with backport-kernel 3.16
      Antworten/ Answers/ Réponse: deutsch - english - français und/and/et Linux :)
    • Hi

      The tutorial has been written for a Microsoft AD server. However, it should run with a Samba 4 domain too (I'm working on a setup based on sssd, but the former setup described in the tutorial will work). I assume a Samba 3 DC will not be sufficient.

      Can you provide
      - the Samba version running on ClearOS 6.6
      - the command which is not working
      - the error you get?
    • Hello,

      Thank you for your answer.
      - Yes, it's Samba 3.6.23-14 right now; I think ClearOS 7 will have Samba 4.
      - The command and failure is:

      Source Code

          root@myomv:/etc# kinit -V administrator@MYCLEAROSDOMAIN.LAN
          Using default cache: /tmp/krb5cc_0
          Using principal: administrator@MYCLEAROSDOMAIN.LAN
          kinit: Cannot resolve servers for KDC in realm "MYCLEAROSDOMAIN.LAN" while getting initial credentials


      The DNS server is running on ClearOS and OMV is pointing to it.

      Bernd
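      Where kinit looks for a KDC, as an added script of my own (not from the guide or from any poster) that covers both the krb5.conf posted earlier in this thread and the kinit failure just above. MIT Kerberos takes the KDC for a realm from a [realms] stanza whose name is exactly the realm (realm names are case-sensitive, and AD realms are upper-case), and otherwise asks DNS for `_kerberos._udp.REALM` SRV records; "Cannot resolve servers for KDC in realm" means both paths came up empty. The broken sample below is modelled on the earlier krb5.conf, where default_realm is lower-case and the only [realms] stanza is keyed by an IP address, so nothing matches the realm; the fixed sample assumes a KDC hostname of dc1.tasa.telefonica.com.ar, which is constructed. For the ClearOS case the check only tells you what to query: a Samba 3.x domain controller runs no KDC, so there is no SRV record or stanza that can make kinit succeed against it, which is what dethegeek's "a Samba 3 DC will not be sufficient" amounts to.

```shell
#!/bin/sh
# Added example, not part of the OMV guide or any post in this thread.
# Parses a krb5.conf, reports whether a KDC for default_realm is configured,
# and otherwise names the DNS SRV record kinit will fall back to.

# Constructed krb5.conf modelled on the one posted earlier in this thread.
BROKEN_KRB5='[libdefaults]
    default_realm = republica.tasa.telefonica.com.ar
[realms]
    10.249.20.161 = {
        kdc = 10.249.20.161
        admin_server = 10.249.20.161
    }
[domain_realm]
    .tasa.telefonica.com.ar = TASA.TELEFONICA.COM.AR
    tasa.telefonica.com.ar = TASA.TELEFONICA.COM.AR'

# Constructed corrected version; dc1.tasa.telefonica.com.ar is an assumed KDC name.
FIXED_KRB5='[libdefaults]
    default_realm = TASA.TELEFONICA.COM.AR
    dns_lookup_kdc = true
[realms]
    TASA.TELEFONICA.COM.AR = {
        kdc = dc1.tasa.telefonica.com.ar
        admin_server = dc1.tasa.telefonica.com.ar
    }
[domain_realm]
    .tasa.telefonica.com.ar = TASA.TELEFONICA.COM.AR
    tasa.telefonica.com.ar = TASA.TELEFONICA.COM.AR'

# krb5_section NAME TEXT -> the body of the [NAME] section
krb5_section() {
    printf '%s\n' "$2" | awk -v s="[$1]" '
        /^[[:space:]]*\[/ { insec = ($1 == s); next }
        insec { print }'
}

# krb5_default_realm TEXT -> value of default_realm in [libdefaults]
krb5_default_realm() {
    krb5_section libdefaults "$1" | awk -F= '
        $1 ~ /default_realm/ { gsub(/[[:space:]]/, "", $2); print $2; exit }'
}

# krb5_realm_stanzas TEXT -> names of the stanzas inside [realms]
krb5_realm_stanzas() {
    krb5_section realms "$1" | awk '$2 == "=" && $3 == "{" { print $1 }'
}

# krb5_kdc_for REALM TEXT -> kdc values of the stanza named exactly REALM
krb5_kdc_for() {
    krb5_section realms "$2" | awk -v r="$1" '
        $1 == r && $3 == "{" { inr = 1; next }
        inr && $1 == "}"      { inr = 0 }
        inr && $1 == "kdc"    { print $3 }'
}

# kdc_srv_name REALM -> the SRV record kinit queries when no stanza names a KDC
kdc_srv_name() {
    printf '_kerberos._udp.%s\n' "$1"
}

# check_krb5 TEXT -> prints findings; returns 1 if this file alone gives kinit no KDC
check_krb5() {
    realm=$(krb5_default_realm "$1"); rc=0
    upper=$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')
    if [ "$realm" != "$upper" ]; then
        echo "WARNING: default_realm '$realm' is not upper-case; the realm name is case-sensitive"
        rc=1
    fi
    kdc=$(krb5_kdc_for "$realm" "$1")
    if [ -z "$kdc" ]; then
        echo "WARNING: no [realms] stanza named '$realm' (found: $(krb5_realm_stanzas "$1" | tr '\n' ' '))"
        echo "         kinit will depend on DNS: dig +short SRV $(kdc_srv_name "$realm")"
        rc=1
    else
        echo "OK: realm $realm, kdc $kdc"
    fi
    return $rc
}

check_krb5 "$BROKEN_KRB5" || echo "--> expect: Cannot resolve servers for KDC in realm \"$(krb5_default_realm "$BROKEN_KRB5")\""
check_krb5 "$FIXED_KRB5"
```

      Run against the real /etc/krb5.conf with `check_krb5 "$(cat /etc/krb5.conf)"`. If the stanza is present and kinit still fails, the remaining suspects are the resolver (the SRV query the script prints) and the clock: Kerberos rejects tickets when the client and KDC differ by more than the KDC's allowed skew, so check NTP before touching the configuration again.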