Trying to connect OMV to samba3 dc - LDAP/WINBIND

  • This is my first post - hello


    I'm facing a problem with the guide Join a Windows 2008 R2 domain with OMV
    I open a new post as my setup is not with a Windows ADS but with a samba DC.


    I managed to use this thread and others on the internet (ubuntu-wiki, ClearOS forum) to join the Samba domain with a winbind-only setup (no Kerberos required) - alas - smb.conf is overwritten, as I checked after a few hours this evening.


    I tried to put the additional configuration in the "extra options" field but it is not working that easy.


    I can add and overwrite some settings, especially security = user with security = domain.
    But when adding the winbind lines, the LDAP settings rest and - I think - are breaking the setup?!


    So the log is showing a lot of:

    Code
    smbd[4888]:   The primary group domain sid(S-1-xxx) does not match the domain sid(S-1-xxxx) for measuser(S-1-xxx)
    smbd[4888]:   check_sam_security: make_server_info_sam() failed with 'NT_STATUS_UNSUCCESSFUL'


    My knowledge of the linux auth technologies is limited, what would you suggest as next steps?
    Disable the LDAP plugin?
    A way to overwrite smb.conf in a better way? (disabling write for root by chmod after editing?)
    Can I 'delete' entry by overwriting the LDAP setting with nonsense to fail?


    Bernd

    OMV 2.1.1 with backport-kernel 3.16
    Antworten/ Answers/ Réponse: deutsch - english - français und/and/et Linux :)

  • Thank you for the hints.
    I think it's too late now to hack into
    /usr/share/openmediavault/mkconf/samba.d


    but I will try perhaps with a clear head tomorrow :)


    Suggestions where I don't have to - still welcome ;)


  • No, I'm thinking of the 15ldap file as it is not listed in the variables-all-wiki... but I will investigate a little further.


    Upgrade change would be much better than just a change on reboot (actually I didn't even reboot, but changed the NICs configuration and perhaps then the update-config script ran?)


    When is it running anyway? Is it even running on reboot or just on changes like NICs configuration?


  • Thank you subzero for joining in!


    I managed to write extra options in the "extra options field", for the ones that would not write/overwrite like that, I changed some scripts lightly in /usr/share/openmediavault/mkconf/samba.d/ .


    But I'm kind of stuck with it anyway. I can join the domain with

    Code
    net rpc join -U administrator


    But in the logs I still get:

    Code
    Jun 18 21:21:23 omv smbd[13878]:   create_connection_session_info failed: NT_STATUS_ACCESS_DENIED
    Jun 18 21:21:23 omv smbd[13878]: [2015/06/18 21:21:23.548489,  1] smbd/service.c:805(make_connection_snum)
    Jun 18 21:21:23 omv smbd[13878]:   create_connection_session_info failed: NT_STATUS_ACCESS_DENIED
    Jun 18 21:21:23 omv smbd[13878]: [2015/06/18 21:21:23.605430,  1] printing/printer_list.c:94(printer_list_get_printer)
    Jun 18 21:21:23 omv smbd[13878]:   Failed to fetch record!
    Jun 18 21:21:23 omv smbd[13878]: [2015/06/18 21:21:23.605479,  0] param/loadparm.c:8843(check_usershare_stat)
    Jun 18 21:21:23 omv smbd[13878]:   check_usershare_stat: file /var/lib/samba/usershares/ owned by uid 0 is not a regular file
    Jun 18 21:21:53 omv smbd[13902]: [2015/06/18 21:21:53.003322,  1] smbd/service.c:805(make_connection_snum)
    Jun 18 21:21:53 omv smbd[13902]:   create_connection_session_info failed: NT_STATUS_ACCESS_DENIED


    continued by the service.c failures.


    Winbind commands are working from OMV. I can "see" the shares from a desktop computer, but I cannot open them.
    pam.d - problem?


    I found the plugin https://github.com/OpenMediaVa…diavault-active-directory
    but I haven't found much info about it. Would it be worth a try? Even for a Samba DC setup?


    One more thing: how is afp interfering with all of that? Mostly through the pam.d - scripts? (My mac is saying the timemachine share did change since the last time... I still can login though)


  • Hi


    Samba manages its own set of users. They are different from those you find in Linux / OMV. The first thing you have to do is to configure Linux / OMV to access the users managed by Samba 3 / Samba 4 or a Windows AD. You have 2 main options: winbind, provided by Samba, and sssd, which I'm currently learning to use (I think it is better than winbind, and I hope to be ready soon to share a tutorial about it).


    Can you show the extra settings you provided to OMV?

    My wiki : http://howto-it.dethegeek.eu.org


    = latest setup =
    proxmox VE 6 hypervisor on a J1900 CPU + 8GB RAM
    guests : OpenWRT (VM), OMV 5 (VM), Samba 4 domain controller (LXC)
    OMV alive since 2011 I guess : never crashed, always upgraded : stronger than my hard drives.


    Searching for a P2P online storage solution : must be open source, client side encrypted, quota support. Tahoe LAFS is the nearest, but is lacking quota. Would be perfect to build an OMV based, anonymous online storage for backups

  • Hi,


    what I did:
    Filled the "extra options" like this


    Like this, OMV "extra options" won't process two lines to set into GLOBAL:

    Code
    netbios name = OMV
    template homedir = /home/%D/%U


    I disabled in /usr/share/openmediavault/mkconf/samba.d the 15ldap routine by just adding another exit command:

    Code
    [ "$(omv_config_get "//services/smb/enable")" = "0" -o \
    "$(omv_config_get "//services/ldap/enable")" = "1" ] && exit 0


    and added the two lines to 10global with

    Code
    -o "...." -n \


    I edited /etc/nsswitch.conf to match winbind (and by the way, afp cared about the changes, @subzero79: I (user=x) connect with a different UID/GID through this change.)


    After all, perhaps it was more the pam.d setting that didn't work out. I somehow - as it got late - mixed things from your thread (the pam-auth-update) with the settings from https://www.clearos.com/suppor…ation_to_the_samba_domain


    But as there were too many places where I made changes, I had neither the patience nor a good idea where to continue the work.
    (So the first time, when I edited smb.conf, nsswitch.conf and the pam.d files with your how-to and the ClearOS how-to, it worked for me but got overwritten half an hour later, so that I haven't even made copies of the working files...)


    After reading the documentation you mention I notice that it has been tested on a rather old version of Ubuntu. As I rarely use this distro, I don't know which version of Samba is provided there. This is very important because the idmap settings syntax changed a *LOT* between Samba 3.5 and 3.6.6 (provided by Wheezy). Moreover, this has changed several times from one revision to another. This is a real mess...


    As OMV runs on Debian you do not need to bother with pam.d/common-* files. pam-auth-update will do the magic for you. Just enable winbind in the TUI and enjoy.


    First: check the version of Samba you have on your OMV; this is probably 3.6.6 because you're running Wheezy. Using wheezy-backports may affect that (I hope it will not... as I did not test a later revision).


    I think the setting netbios name will be useless. NetBIOS has been obsolete for years (probably since Windows 2000 Server), and you should try to rely only on a DNS service rather than maintaining NetBIOS. Comment it out for now.


    About password server: if the DNS server of your network is correctly configured, you should set it like this: password server = *. If you change the name of your ADS server, you will not have to change this setting.


    As you are able to progress by yourself, have a look at this page (in French): https://howto-it.dethegeek.eu.…MB_et_NFS#Configuration_3


    This is my setup for a Wheezy domain member. Read all the idmap settings; this is probably what you need. However it is configured for an LDAP backend, and I'm not sure there is an LDAP server on your ClearOS. If I'm right, you will have to change the backend to something more appropriate.


    The most important is:
    the group of settings idmap config * : for all domains not declared by the other groups
    the group of settings idmap config YOURDOMAIN : the settings for your domain


    I think you will be able to do something with that and the official SAMBA documentation before I read your next posts. (use man smb.conf and the online docs).


    One thing again: in my tutorial on this forum you will find many commands to test the settings step by step. I think some tests are missing, but those I gave should help you to debug your setup.


  • Thank you!
    I will keep reading and trying - I don't think this weekend or week but I will try again...-


    The Samba version on both sides is now 3.6 (ClearOS is 3.6.23-14.el6_6 - OMV is 3.6.6-6+deb7u5)
    - ClearOS has an LDAP server running and I use the OMV LDAP plugin to connect to it and for managing users on both systems.


    For my understanding: I don't really understand the interaction of LDAP and winbind though...
    ClearOS installs with Samba Windows groups and a winadmin account. Everything (?) is registered in LDAP, also the SID of the domain and several other sambaXXX entries for users, groups, computers.
    (That's why I get a mismatch of SIDs when I just use LDAP and security = user, because my user (imported from ClearOS LDAP) is trying to connect to OMV with the ClearOS SambaDomainSID ?! Or the other way around? It's confusing me...)


    So what's the correct use of winbind on OMV? I read that there are at least three different ways to manage the idmap range?!
    TDB, LDAP, RID... something else? TDB being a local database? RID is?
    (TDB is what OMV uses normally?) When I use the "password server = *" - this will connect Winbind on OMV to Clearos LDAP (winbind entries?) ?


    Ok, I guess I have to read the samba docs closely... Thank you for your work here, I appreciate it a lot.


    Bernd


  • Hi


    I'm coming back, sorry for the very long delay; I'm way too busy.


    There is no best way to use winbind on OMV. I believe there are lots of considerations depending on your knowledge, the file server implementation and the DCs implementation.


    I'm having some good (first) results with sssd and realmd, which should be useful for you. Here are my notes (consider this is a draft which may contain some small issues) https://howto-it.dethegeek.eu.…ation_d.27un_client_Linux


    The client part you should read is rather short and easy to follow, and realmd does most of the hard work. I will test very soon this method on OMV (with some packages from Jessie).


    Compared to my previous setup with an external LDAP implementation, the new method is way easier and less error prone, it should work well for both Microsoft and Samba domains, and it is easier to apply on non-Debian-based flavours. I think this should be interesting for you.


    To answer your question about the mappings:
    TDB = a local id mapping for each computer (UID and GID may vary from one computer to another, and this is what you DON'T want)
    LDAP = centralized mapping, but you already have an LDAP. I think this will add weakness to your infrastructure
    RID = algorithm-based mapping. Each computer will maintain its own mapping, but UIDs and GIDs should be the same by design. I think this is not for me, and probably not for many other administrators. This is a personal opinion without any experience. I may be slightly wrong about its description. Check the documentation.


    I believe one of the best ways is to maintain the IDs in the directory if available. In your case ClearOS does this with its integrated LDAP. You should check it is RFC2307 compliant. If so, sssd may work. Read the docs about realmd; this is very short and straightforward. If it does not work, you will lose little time compared to a pure Samba / winbind setup.

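As an added example (not code from the thread or from dethegeek's wiki), here is a constructed smb.conf member fragment in the shape described in the two answers above: the idmap config * group for domains not declared elsewhere (tdb) and the idmap config YOURDOMAIN group (rid, so UIDs/GIDs come out the same on every member), plus a small POSIX sh check that the idmap ranges of the groups do not overlap, which smb.conf(5) requires. The domain name MYDOM and the ranges are assumed placeholders.

```shell
#!/bin/sh
# Constructed smb.conf fragment for a Samba 3.6 domain member (not from the
# thread): "*" covers domains not declared elsewhere, MYDOM (assumed name)
# gets an algorithmic (rid) mapping so UIDs/GIDs match on every member.
SMB_CONF_FRAGMENT='[global]
   workgroup = MYDOM
   security = domain
   password server = *
   winbind use default domain = yes
   winbind enum users = yes
   winbind enum groups = yes
   template homedir = /home/%D/%U
   template shell = /bin/bash
   idmap config * : backend = tdb
   idmap config * : range = 10000-19999
   idmap config MYDOM : backend = rid
   idmap config MYDOM : range = 20000-99999'

# Print one "domain low high" line per "idmap config X : range = low-high".
idmap_ranges() {
  printf '%s\n' "$1" | sed -n \
    's/^[[:space:]]*idmap config \([^ :]*\)[[:space:]]*:[[:space:]]*range[[:space:]]*=[[:space:]]*\([0-9]*\)-\([0-9]*\).*/\1 \2 \3/p'
}

# Exit 0 when no two idmap ranges overlap, 1 (reporting each pair) otherwise.
# The ranges of different idmap config groups must be disjoint; winbind
# cannot map IDs reliably when the "*" range and a domain range overlap.
idmap_ranges_ok() {
  idmap_ranges "$1" | awk '
    { dom[NR] = $1; lo[NR] = $2; hi[NR] = $3 }
    END {
      bad = 0
      for (i = 1; i <= NR; i++)
        for (j = i + 1; j <= NR; j++)
          if (lo[i] <= hi[j] && lo[j] <= hi[i]) {
            printf "overlap: %s %d-%d vs %s %d-%d\n", dom[i], lo[i], hi[i], dom[j], lo[j], hi[j]
            bad = 1
          }
      exit bad
    }'
}

idmap_ranges_ok "$SMB_CONF_FRAGMENT" && echo "idmap ranges are disjoint"
```

Run the check against the real /etc/samba/smb.conf with `idmap_ranges_ok "$(cat /etc/samba/smb.conf)"` before restarting winbind; on the OMV box from this thread the fragment would go through the "extra options" field or the mkconf scripts, as the posts describe.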
