My network is not that big. My domain controller is a Raspberry Pi, running Samba 4 as domain controller.
SMB/CIFS is set up like in the quote.
net ads testjoin gives the following output:
Do you have an idea where the error could be?
I mainly test against a 2008 sbs server. You may have better luck with this thread. https://forum.openmediavault.o…-Active-Directory-domain/ It uses realmd which may work better for samba. I tried to use that but had no luck with windows.
Good luck
With over 4800 views and not a lot of errors reported I am thinking of making this sticky. I will clean and update the first post. Any objections?
Any objections?
Nope
Hello,
I hope I'm not too late to ask, but I'm having a problem joining the domain. Uhh, what exactly should I put in the General Settings: Workgroup under SMB/CIFS? Thank you
Please enter the domain you wish to join: UPPER CASE?
<DOMAIN.COM>
Please enter a domain admin login to use:
omv.nas
If join fails please check /etc/nsswitch.conf and /etc/krb5.conf
Password for omv.nas@<DOMAIN.COM>:
Failed to join domain: failed to find DC for domain WORKGROUP
root@openmediavault:~#
What is your active directory type? Failed to join domain: failed to find DC for domain WORKGROUP suggests you didn't set the workgroup on the SMB\CIFS settings page. You also need to add some info to the extras section. Customize it to your domain.
### Add below in extra options
### Change server name and realm to match yours
#Extra Options
client signing = yes
client use spnego = yes
kerberos method = secrets and keytab
password server = mustang.example.com
realm = EXAMPLE.COM
security = ads
Thanks for testing
Uhm, my LDAP server is FreeIPA (CentOS) and the info for the extras section was added already. Anyway, I'm a lil confused about what to put at password server and realm; should it be like the first one or the second one?
I would guess the first one. I only have win sbs2008 to test against. You may also look at this, it may work better for you. https://forum.openmediavault.o…-Active-Directory-domain/ It uses realmd that I could not get working with my setup.
Thank you @donh. I'm still having issues though.. not sure if I should post it here or in the other thread xD
root@openmediavault:~# realm discover -v domain.com
* Resolving: _ldap._tcp.domain.com
* Performing LDAP DSE lookup on: <ldap_ip>
* Successfully discovered: domain.com
domain.com
type: kerberos
realm-name: DOMAIN.COM
domain-name: domain.com
configured: no
server-software: ipa
client-software: sssd
root@openmediavault:~# realm -v join domain.com -U omv.nas --membership-software=adcli
* Resolving: _ldap._tcp.domain.com
* Performing LDAP DSE lookup on: <ldap_ip>
* Successfully discovered: domain.com
Password for omv.nas:
! Unsupported or unknown membership software 'adcli'
realm: Couldn't join realm: Unsupported or unknown membership software 'adcli'
root@openmediavault:~# realm -v join domain.com -U omv.nas --server-software=ipa
* Resolving: _ldap._tcp.domain.com
* Performing LDAP DSE lookup on: <ldap_ip>
* Successfully discovered: domain.com
Password for omv.nas:
realm: Couldn't join realm: Message did not receive a reply (timeout by message bus)
root@openmediavault:~# realm -v join domain.com -U omv.nas --client-software=sssd
* Resolving: _ldap._tcp.domain.com
* Performing LDAP DSE lookup on: <ldap_ip>
* Successfully discovered: domain.com
Password for omv.nas:
realm: Couldn't join realm: Message did not receive a reply (timeout by message bus)
root@openmediavault:~# realm -v join domain.com -U omv.nas --client-software=sssd
Did you set the domain on the network page for omv? I think it should be
root@openmediavault:~# realm -v join domain.com -U omv.domain.com --client-software=sssd
You can ask in either thread. The goal is to get it into omv 4 and a plugin in 3. The more feedback the better.
Yes, I did.
Hostname: openmediavault
Domain: domain.local
LDAP - ipa.domain.com
OMV - openmediavault.domain.local
I received the same error as shown above. Does the firewall have something to do with this? No?
root@openmediavault:~# realm -v join domain.com -U openmediavault.domain.local --client-software=sssd
* Resolving: _ldap._tcp.domain.com
* Performing LDAP DSE lookup on: <ldap_ip>
* Successfully discovered: domain.com
Password for openmediavault.domain.local:
realm: Couldn't join realm: Message did not receive a reply (timeout by message bus)
-U openmediavault.domain.local
Shouldn't that be a user like admin or administrator? admin@domain.local or domain\admin
I see freeipa has a demo site. If I get a chance I will setup a vm and try to join it.
Ahh, yes. My bad. realm -v join domain.com -U omv.nas --client-software=sssd was included in my last post. I also tried --server-software=ipa but still get the same error.
I see freeipa has a demo site. If I get a chance I will setup a vm and try to join it.
Oh, cool. Thank you
I was not able to connect to the demo site from omv. DNS issue, I think. I did set up a Fedora VM and was able to connect to the demo site with these instructions. https://www.freeipa.org/page/Demo Maybe you could set up a VM and try it? Then compare config files. Seems sssd does support FreeIPA nicely.
[domain/demo1.freeipa.org]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = demo1.freeipa.org
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ldap_tls_cacert = /etc/ipa/ca.crt
ipa_hostname = fedora26.example.com
chpass_provider = ipa
ipa_server = _srv_, ipa.demo1.freeipa.org
dns_discovery_domain = demo1.freeipa.org
[sssd]
services = nss, sudo, pam, ssh
domains = demo1.freeipa.org
[nss]
homedir_substring = /home
[pam]
[sudo]
[autofs]
[ssh]
That is sssd.conf. As you can see it has ipa settings. Looks like you might even be able to administer the users on the ipa server.
I see. Okay, will do. Thanks
Any luck? I see there is a freeipa-client available in unstable so help is on the way. It requires a few more packages to update tho.
A freeipa link that may be of interest.
freeipa-client from a third-party repo. Probably won't make it into omv but could show the settings required. Try it in a VM.
http://clusterfrak.com/sysops/app_installs/freeipa_clients/
Fix this line
echo -e 'deb http://apt.hgb.fr jessie main' >> /etc/apt/sources.list
to
echo -e 'deb http://apt.numeezy.fr jessie main' >> /etc/apt/sources.list
Still can't connect to the demo site tho.
I've been doing some playing around with the FreeIPA side of things, and I think I have some good news and some bad news -
The good news is I've successfully gotten an OMV install joined to an IPA domain with an AD trust, and I'm able to ssh in via AD users. So far, all users and groups that appear in FreeIPA show up as expected in the Web UI - although they're not directly editable.
The bad news is that Samba/CIFS isn't working - and I don't think it's going to be any time soon. OMV's version of samba has known incompatibility issues with FreeIPA due to how they handle Kerberos authentication. Debian (and thus OMV) uses the Heimdal version of Kerberos, and RHEL/CentOS (and thus FreeIPA) use the MIT version. The server can otherwise be configured successfully - even appearing in the Network Browser on Windows clients - but upon trying to authenticate a host it fails with krb5_init_context_failed messages in the server logs.
Samba 4.7 is possibly set to fix this, but it'll be a while before that hits Debian Stable. Worse, the unstable and testing versions aren't built with MIT support enabled - so you have to compile it yourself. And that's where I'm at right now, but I've not been having much success - it's now killing the process when a client tries to connect. I'll admit I'm now over my head, so my failures at this point don't really mean anything. Since the current version works with everything except my Windows systems, the current fallback plan is to just share via NFS to a CentOS/RHEL VM on the same box, and then host Samba from there.
Either way, here's the method I've been using to get the FreeIPA link going on a fresh install of OMV:
The FreeIPA client has been pulled from Debian Stretch, and is currently only available via alternate repositories like the numeezy repo mentioned by @donh above:
wget -qO - http://apt.numeezy.fr/numeezy.asc | apt-key add -
echo -e 'deb http://apt.numeezy.fr jessie main' >> /etc/apt/sources.list
Install the required packages:
apt-get install sssd realmd libpam-sss libnss-sss sssd-tools freeipa-client libsss-sudo policykit-1 packagekit
Use realmd to find and join the domain, which fills in *most* of the config for you and sets up the IPA auth. If the join fails due to an authentication error, you probably need to run a kinit admin for a Kerberos ticket first.
realm discover -v domain.com
realm -v join domain.com
# (enter admin password)
Stop the SSSD service, and edit /etc/sssd/sssd.conf. Realmd should have set the *_provider entries to IPA, as well as the ipa_domain, ipa_hostname and ipa_server names. Note: elsewhere in the thread people mention using ldap_* entries for various reasons (e.g. ldap_idmap_range, ldap_user_search_base). These are *only* applicable to an LDAP setup - IPA has a different set of sssd.conf entries.
Under [domain/domain.com] add enumerate = true. This can cause some lag on first connection, but appears to be necessary to have users appear in the WebUI.
Under [sssd] change "services= sudo, ssh" to "services= sudo, ssh, nss, pam"
Double check /etc/nsswitch.conf got updated by realm:
passwd: compat sss
group: compat sss
shadow: compat sss
...
services: db files sss
...
netgroup: nis sss
service sssd restart
getent passwd and getent group should now return results for domain users and groups, but they still won't show in the Web GUI. For that, you need to edit /etc/login.defs and raise max_GID and max_UID to numbers higher than your FreeIPA server will ever assign - FreeIPA WebGUI > IPA Server > ID Ranges. For my setup, that meant changing both from 60000 to 2000000000. After that, everything should also appear in OMV. Samba/CIFS should still be *disabled*.
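The post above ends with three things to verify by hand (sss in nsswitch.conf, the sssd.conf services and enumerate settings, and the login.defs ID ceiling). As an added example that is not from the thread or from OMV, the script below checks each one against a file path; login.defs spells the keys UID_MAX and GID_MAX, and the IPA range top is passed in rather than assumed. The sample files and the range value 1999999999 are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: post-join sanity checks for the realmd/sssd steps above.
# Each check takes a file path, so it runs against the constructed samples below or the real files.

# nsswitch.conf: passwd, group and shadow must each list the sss module.
check_nsswitch() {
    f=${1:-/etc/nsswitch.conf}
    for db in passwd group shadow; do
        grep -Eq "^[[:space:]]*$db:.*[[:space:]]sss([[:space:]]|$)" "$f" \
            || { echo "nsswitch.conf: '$db' does not use sss"; return 1; }
    done
}

# sssd.conf: services must include nss and pam, and the domain section needs
# enumerate = true, otherwise getent works but users never appear in the OMV web UI.
check_sssd_conf() {
    f=${1:-/etc/sssd/sssd.conf}
    svc=$(sed -n 's/^[[:space:]]*services[[:space:]]*=[[:space:]]*//p' "$f" | tr ',' ' ')
    for s in nss pam; do
        case " $svc " in *" $s "*) ;; *) echo "sssd.conf: services lacks $s"; return 1 ;; esac
    done
    grep -Eq '^[[:space:]]*enumerate[[:space:]]*=[[:space:]]*[Tt]rue' "$f" \
        || { echo "sssd.conf: enumerate is not true"; return 1; }
}

# login.defs: UID_MAX and GID_MAX must exceed the top of the FreeIPA ID range
# (IPA Server > ID Ranges); the range top is passed in, nothing is assumed about it.
check_login_defs() {
    f=${1:-/etc/login.defs}; top=$2
    for k in UID_MAX GID_MAX; do
        v=$(awk -v k="$k" '$1 == k { print $2 }' "$f")
        [ -n "$v" ] && [ "$v" -gt "$top" ] \
            || { echo "login.defs: $k='$v' is not above $top"; return 1; }
    done
}

# Constructed sample files so the checks run offline; values mirror the thread's examples.
TMP=$(mktemp -d)
printf 'passwd: compat sss\ngroup: compat sss\nshadow: compat sss\n' > "$TMP/nsswitch.conf"
printf '[domain/domain.com]\nenumerate = true\n[sssd]\nservices = sudo, ssh, nss, pam\n' > "$TMP/sssd.conf"
printf 'UID_MAX\t2000000000\nGID_MAX\t2000000000\n' > "$TMP/login.defs"
printf 'UID_MAX\t60000\nGID_MAX\t60000\n' > "$TMP/login.defs.stock"   # Debian default, too low

IPA_RANGE_TOP=1999999999   # constructed; read yours from the FreeIPA web UI
check_nsswitch "$TMP/nsswitch.conf" && check_sssd_conf "$TMP/sssd.conf" \
    && check_login_defs "$TMP/login.defs" "$IPA_RANGE_TOP" && echo "all checks passed"
check_login_defs "$TMP/login.defs.stock" "$IPA_RANGE_TOP" || echo "stock login.defs rejected, as expected"
```

Run it without arguments to see the constructed samples pass and the stock login.defs fail; call the three functions with the real paths (and your own ID range top) to audit an actual OMV box.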
I am not sure but if users show in the web ui you may be there. Are users and groups in acl and privileges?
They do indeed, and so far everything except CIFS/Samba is working as expected. Samba config so far has been ultimately unsuccessful, with the closest I've gotten being the above mentioned krb5_init_context_failed messages when attempting to authorize a client.
In tracing those, I came across several recent threads mentioning that the FreeIPA client port is built against libraries known to be incompatible with Debian's Samba, causing them to misinterpret each other's requests. I believe this is why FreeIPA was pulled from Stretch in the first place.
There's also no real ETA for the fix - the freeIPA devs don't officially support Debian, and the Debian Samba team have other priorities - although the 4.7 update looks promising.