Trying to connect OMV to samba3 dc - LDAP/WINBIND

    • Trying to connect OMV to samba3 dc - LDAP/WINBIND

      This is my first post - hello

      I'm facing a problem with the guide Join a Windows 2008 R2 domain with OMV
      I open a new post as my setup is not with a Windows ADS but with a samba DC.

      I managed to use this thread and others on the internet (ubuntu-wiki, ClearOS forum) to join the Samba domain with a winbind setup only (no Kerberos required) - alas - smb.conf is overwritten, as I checked after a few hours this evening.

      I tried to put the additional configuration in the "extra options" field but it is not working that easy.

      I can add and overwrite some settings, especially security = user with security = domain.
      But when adding the winbind lines, the LDAP settings rest and - I think - are breaking the setup?!

      So the log is showing a lot of:

      Source Code

      smbd[4888]: The primary group domain sid(S-1-xxx) does not match the domain sid(S-1-xxxx) for measuser(S-1-xxx)
      smbd[4888]: check_sam_security: make_server_info_sam() failed with 'NT_STATUS_UNSUCCESSFUL'


      My knowledge of the Linux auth technologies is limited; what would you suggest as next steps?
      Disable the LDAP plugin?
      A way to overwrite smb.conf in a better way? (disabling write for root by chmod after editing?)
      Can I 'delete' an entry by overwriting the LDAP setting with nonsense so that it fails?

      Bernd
      OMV 2.1.1 with backport-kernel 3.16
      Antworten/ Answers/ Réponse: deutsch - english - français und/and/et Linux :)
    • I don't have experience with AD or a DC. But if you want to change some samba defaults in omv look at environment variables.
      wiki.openmediavault.org/index.…tle=Environment_Variables
      wiki.openmediavault.org/index.…Environment_Variables/all
      New wiki
      chat support at #openmediavault@freenode IRC | Spanish & English | GMT+10
      telegram.me/openmediavault broadcast channel
      openmediavault discord server
    • No, I'm thinking of the 15ldap file as it is not listed in the variables-all-wiki... but I will investigate a little further.

      Upgrade change would be much better than just a change on reboot (actually I didn't even reboot, but changed the NICs configuration and perhaps then the update-config script ran?)

      When is it running anyway? Is it even running on reboot or just on changes like NICs configuration?
    • Thank you subzero for joining in!

      I managed to write extra options in the "extra options field", for the ones that would not write/overwrite like that, I changed some scripts lightly in /usr/share/openmediavault/mkconf/samba.d/ .

      But I'm kind of stuck with it anyway. I can join the domain with

      Source Code

      net rpc join -U administrator

      But in the logs I still get:

      Source Code

      Jun 18 21:21:23 omv smbd[13878]: create_connection_session_info failed: NT_STATUS_ACCESS_DENIED
      Jun 18 21:21:23 omv smbd[13878]: [2015/06/18 21:21:23.548489, 1] smbd/service.c:805(make_connection_snum)
      Jun 18 21:21:23 omv smbd[13878]: create_connection_session_info failed: NT_STATUS_ACCESS_DENIED
      Jun 18 21:21:23 omv smbd[13878]: [2015/06/18 21:21:23.605430, 1] printing/printer_list.c:94(printer_list_get_printer)
      Jun 18 21:21:23 omv smbd[13878]: Failed to fetch record!
      Jun 18 21:21:23 omv smbd[13878]: [2015/06/18 21:21:23.605479, 0] param/loadparm.c:8843(check_usershare_stat)
      Jun 18 21:21:23 omv smbd[13878]: check_usershare_stat: file /var/lib/samba/usershares/ owned by uid 0 is not a regular file
      Jun 18 21:21:53 omv smbd[13902]: [2015/06/18 21:21:53.003322, 1] smbd/service.c:805(make_connection_snum)
      Jun 18 21:21:53 omv smbd[13902]: create_connection_session_info failed: NT_STATUS_ACCESS_DENIED

      followed by more of the service.c failures.

      Winbind commands are working from OMV. I can "see" the shares from a desktop computer, but I cannot open them.
      pam.d - problem?

      I found the plugin github.com/OpenMediaVault-Plug…diavault-active-directory
      but I haven't found much info about it. Would it be worth a try? Even for a Samba DC setup?

      One more thing: how is afp interfering with all of that? Mostly through the pam.d - scripts? (My mac is saying the timemachine share did change since the last time... I still can login though)

    • Hi

      Samba manages its own set of users. They are different from those you find in Linux / OMV. The first thing you have to do is to configure Linux / OMV to access the users managed by Samba 3 / Samba 4 or a Windows AD. You have 2 main options: winbind, provided by Samba, and sssd, which I'm currently learning to use (I think it is better than winbind, and I hope to be ready soon to share a tutorial about it).

      Can you show the extra settings you provided to OMV?
      My wiki : http://howto-it.dethegeek.eu.org

      = latest setup =
      proxmox VE 5 hypervisor back to my good C2D setup
      guests : OpenWRT (VM), OMV 3 (VM), Samba 4 domain controller (LXC)
      OMV alive since 2011 I guess : never crashed, always upgraded : stronger than my hard drives.

      Searching for a P2P online storage solution : must be open source, client side encrypted, quota support. Tahoe LAFS is the nearest, but is lacking quota. Would be perfect to build a OMV based, anonymous online storage for backups
    • Hi,

      what I did:
      Filled the "extra options" like this

      Source Code

      security = domain
      netbios name = OMV
      password server = mysystem.lan
      idmap uid = 10000000-19999999
      idmap gid = 10000000-19999999
      winbind use default domain = yes
      template shell = /bin/bash
      template homedir = /home/%D/%U
      domain master = no
      winbind enum users = yes
      winbind enum groups = yes
      add machine script = /usr/sbin/useradd -d /var/lib/nobody -g 100 -s /bin/false -M %u

      Like this, OMV's "extra options" won't process two of the lines into GLOBAL:

      Source Code

      netbios name = OMV
      template homedir = /home/%D/%U

      I disabled in /usr/share/openmediavault/mkconf/samba.d the 15ldap routine by just adding another exit command:

      Source Code

      [ "$(omv_config_get "//services/smb/enable")" = "0" -o \
        "$(omv_config_get "//services/ldap/enable")" = "1" ] && exit 0

      and added the two lines to 10global with

      Source Code

      -o "...." -n \


      I edited /etc/nsswitch.conf to match winbind (and by the way, afp cared about the changes @subzero79. I (user=x) connect with a different UID/GID through this change.)

      After all, perhaps it was more the pam.d setting that didn't work out. I somehow - as it got late - mixed things from your thread (the pam-auth-update) with the settings from clearos.com/support/documentat…ation_to_the_samba_domain

      But as there were too many places where I made changes, I had neither the patience nor a good idea of where to continue the work.
      (So the first time, when I edited smb.conf, nsswitch.conf and the pam.d files with your how-to and the ClearOS how-to, it worked for me but got overwritten half an hour later, so that I hadn't even made copies of the working files...)
      After reading the documentation you mention, I notice that it has been tested on a rather old version of Ubuntu. As I rarely use this distro, I don't know which version of Samba is provided there. This is very important because the idmap settings syntax changed a *LOT* between Samba 3.5 and 3.6.6 (provided by Wheezy). Moreover, this has changed several times from one revision to another. This is a real mess...

      As OMV runs on Debian, you do not need to bother with the pam.d/common-* files. pam-auth-update will do the magic for you. Just enable winbind in the TUI and enjoy.

      First: check the version of Samba you have on your OMV; this is probably 3.6.6 because you're running Wheezy. Using wheezy-backports may affect that (I hope it will not... as I did not test a later revision).

      I think the setting netbios name will be useless. NetBIOS has been obsolete for years (probably since Windows 2000 Server), and you should try to rely only on a DNS service rather than maintaining NetBIOS. Comment it out for now.

      About password server: if the DNS server of your network is correctly configured, you should set it like this: password server = *. If you change the name of your ADS server, you will not have to change this setting.

      As you are able to progress by yourself, have a look at this page (in French): howto-it.dethegeek.eu.org/inde…MB_et_NFS#Configuration_3

      This is my setup for a Wheezy domain member. Read all the idmap settings; this is probably what you need. However, it is configured for an LDAP backend, and I'm not sure there is an LDAP server on your ClearOS. If I'm right, you will have to change the backend to something more appropriate.

      The most important are:
      the group of settings idmap config * : for all domains not declared by the other groups
      the group of settings idmap config YOURDOMAIN : the settings for your domain

      I think you will be able to do something with that and the official Samba documentation before I read your next posts (use man smb.conf and the online docs).

      One thing again: in my tutorial on this forum you will find many commands to test the settings step by step. I think some tests are missing, but those I gave should help you to debug your setup.
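      The syntax change dethegeek mentions is the point where the posted "extra options" go wrong: Samba 3.6 expects the two groups of settings, idmap config * and idmap config YOURDOMAIN, instead of the old idmap uid / idmap gid keys. The checker below is an added example (not from the thread, not OMV code) that flags the legacy keys and overlapping ranges in an smb.conf [global] fragment; the DOMAIN name, backends and ranges in the second sample are placeholders.

```python
import re

# Constructed sample: the "extra options" from the thread, in the old
# pre-3.6 idmap syntax (global idmap uid/gid, no per-domain groups).
LEGACY_EXTRA_OPTIONS = """\
idmap uid = 10000000-19999999
idmap gid = 10000000-19999999
winbind use default domain = yes
"""

# Constructed sample in the 3.6 style: "idmap config *" covers domains not
# declared elsewhere, "idmap config DOMAIN" the member's own domain (placeholders).
NEW_STYLE_OPTIONS = """\
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config DOMAIN : backend = rid
idmap config DOMAIN : range = 10000-19999
"""

LEGACY_KEYS = {"idmap uid", "idmap gid", "idmap backend"}
IDMAP_RE = re.compile(r"^idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+)$", re.I)

def check_idmap(conf):
    """Return a list of findings for an smb.conf fragment (empty = clean)."""
    findings, ranges, backends = [], {}, {}
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        key = line.partition("=")[0].strip().lower()
        if key in LEGACY_KEYS:
            findings.append(f"legacy key '{key}': use 'idmap config * : ...' on 3.6")
            continue
        m = IDMAP_RE.match(line)
        if not m:
            continue  # only idmap config lines are checked here
        dom, opt, val = m.group(1), m.group(2).lower(), m.group(3).strip()
        if opt == "backend":
            backends[dom] = val.lower()
        elif opt == "range":  # "low-high" -> (low, high)
            ranges[dom] = tuple(int(x) for x in val.split("-"))
    if ranges and "*" not in backends:
        findings.append("no 'idmap config * : backend' default for undeclared domains")
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:  # the two intervals intersect
                findings.append(f"idmap ranges of {a} and {b} overlap")
    return findings
```

Paste the "extra options" text into check_idmap() before applying them; an empty list means the idmap lines at least use the 3.6 syntax and do not collide.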

    • Thank you!
      I will keep reading and trying - I don't think this weekend or week, but I will try again...

      The Samba version on both sides is now 3.6 (ClearOS is 3.6.23-14.el6_6 - OMV is 3.6.6-6+deb7u5)
      - ClearOS has an LDAP server running and I use the OMV LDAP plugin to connect to it and for managing users on both systems.

      For my understanding: I don't really understand the interaction of LDAP and winbind though...
      ClearOS installs with Samba Windows groups and a winadmin account. Everything (?) is registered in LDAP, also the SID of the domain and several other sambaXXX entries for users, groups, computers.
      (That's why I get a mismatch of SIDs when I just use LDAP and security = user, because my user (imported from ClearOS LDAP) is trying to connect to OMV with the ClearOS SambaDomainSID?! Or the other way around? It's confusing me...)

      So what's the correct use of winbind on OMV? I read that there are at least three different ways to manage the idmap range?!
      TDB, LDAP, RID... something else? TDB being a local database? RID is?
      (TDB is what OMV uses normally?) When I use "password server = *" - will this connect winbind on OMV to ClearOS LDAP (winbind entries?)?

      Ok, I guess I have to read the samba docs closely... Thank you for your work here, I appreciate it a lot.

      Bernd
    • Hi

      I'm coming back, sorry for the very long delay; I'm way too busy.

      There is no best way to use winbind on OMV. I believe there are lots of considerations depending on your knowledge, the file server implementation and the DCs' implementation.

      I'm having some good (first) results with sssd and realmd, which should be useful for you. Here are my notes (consider this is a draft which may contain some small issues) howto-it.dethegeek.eu.org/inde…ation_d.27un_client_Linux

      The client part you should read is rather short and easy to follow, and realmd does most of the hard work. I will test very soon this method on OMV (with some packages from Jessie).

      Compared to my previous setup with an external LDAP implementation, the new method is way easier, less error prone, it should work well for both Microsoft and Samba domains and is easier to apply on non-Debian based flavors. I think this should be interesting for you.

      To answer your question about the mappings:
      TDB = a local id mapping for each computer (UID and GID may vary from one computer to another, and this is what you DON'T want)
      LDAP = centralized mapping, but you already have an LDAP. I think this will add weakness to your infrastructure
      RID = algorithm based mapping. Each computer will maintain its own mapping, but UIDs and GIDs should be the same by design. I think this is not for me, and probably not for many other administrators. This is a personal opinion without any experience. I may be slightly wrong about its description. Check the documentation.

      I believe one of the best ways is to maintain the IDs in the directory if available. In your case ClearOS does this with its integrated LDAP. You should check it is RFC2307 compliant. If so, sssd may work. Read the docs about realmd; this is very short and straightforward. If it does not work, you will lose little time compared to a pure Samba / winbind setup.