Guide to OMV 4 Active Directory Integration

    • OMV 4.x
    • Resolved


    • Guide to OMV 4 Active Directory Integration

      Hi Everyone,
      Just got around to upgrading to OMV 4. Wanted to share my steps to get SMB 3 share authentication working against my SAMBA AD server. Since I'm a security guy, this configuration only uses SMB 3 and Kerberos through sssd. Don't have to worry about legacy SMB protocols, weak NTLM hashes, NULL AD sessions, or plain text ldap calls.

      Install Needed Packages

      Shell-Script

      apt-get update && apt-get upgrade -y && apt-get install sssd sssd-tools realmd krb5-user libpam-sss libnss-sss libsasl2-modules-gssapi-mit packagekit libwbclient-sssd -y



      Edit /etc/krb5.conf
      DNS is hard, especially where Kerberos is concerned. You probably have to add the following to your krb5.conf file.

      Shell-Script: /etc/krb5.conf

      rdns = False


      Join the Domain


      Shell-Script

      realm join -U <AD user with Domain Join right> REALM --verbose

      For example,

      Source Code

      realm join -U lucifer AD.HAIL.SATAN.COM --verbose

      Edit /etc/sssd/sssd.conf to make sure the following are set under the domain configuration.

      Shell-Script: /etc/sssd/sssd.conf

      use_fully_qualified_names = False
      fallback_homedir = /home/%u
      ad_gpo_access_control = permissive

      Example full sssd.conf file

      Source Code: /etc/sssd/sssd.conf

      [sssd]
      domains = ad.hail.satan.com
      config_file_version = 2
      services = nss, pam
      [domain/ad.hail.satan.com]
      ad_domain = ad.hail.satan.com
      krb5_realm = AD.HAIL.SATAN.COM
      realmd_tags = manages-system joined-with-adcli
      cache_credentials = True
      id_provider = ad
      krb5_store_password_if_offline = True
      default_shell = /bin/bash
      ldap_id_mapping = True
      use_fully_qualified_names = False
      fallback_homedir = /home/%u
      access_provider = ad
      enumerate = True
      ad_gpo_access_control = permissive

      Edit /etc/login.defs
      Look up the uid value in your realm.

      Shell-Script

      root@omv:~# id lucifer
      uid=166640342(lucifer) gid=166642256(domain users) groups=166642256(domain users),29(sudo)


      In this example, our generated id has 9 digits, so we set the following for UID_MAX and GID_MAX in /etc/login.defs.

      Shell-Script: /etc/login.defs

      UID_MIN 1000
      UID_MAX 999999999
      # System accounts
      #SYS_UID_MIN 100
      #SYS_UID_MAX 999
      #
      # Min/max values for automatic gid selection in groupadd
      #
      GID_MIN 1000
      GID_MAX 999999999


      SMB/CIFS Advanced Options
      Set the following under Extra Options of the Advanced Settings Div in the SMB/CIFS configuration.

      Shell-Script

      security = ads
      realm = AD.HAIL.SATAN.COM
      client signing = yes
      client use spnego = yes
      kerberos method = secrets and keytab
      obey pam restrictions = yes
      protocol = SMB3
      netbios name = omv
      password server = *
      encrypt passwords = yes
      winbind enum users = yes
      winbind enum groups = yes
      winbind use default domain = no
      idmap config SATAN : backend = rid
      idmap config SATAN : range = 1000-999999999999
      idmap config * : backend = tdb
      idmap config * : range = 85000-86000
      template shell = /bin/sh
      lanman auth = no
      ntlm auth = yes
      client lanman auth = no
      client plaintext auth = No
      client NTLMv2 auth = Yes
      winbind refresh tickets = yes
      log level = 3
      syslog = 3


      You should now be able to see the AD users and groups in the OMV tab, and assign share permissions based on that.

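      A small audit of the SMB/CIFS Extra Options above against the Kerberos-and-SMB3-only intent stated at the top of the guide. This is an added example, not part of the original post; the snippet it checks is constructed from the settings listed above, and the two extra checks (ntlm auth, server min protocol) reflect Samba's documented meaning of those parameters.

```python
# Added example (not from the original post): audit an OMV SMB/CIFS "Extra
# Options" snippet against the Kerberos/SMB3-only intent described above.

# Settings the guide relies on, with the value each must have.
REQUIRED = {
    "security": "ads",
    "client signing": "yes",
    "client use spnego": "yes",
    "kerberos method": "secrets and keytab",
    "lanman auth": "no",
    "client lanman auth": "no",
    "client plaintext auth": "no",
    "client ntlmv2 auth": "yes",
}

# Sample snippet, constructed from the settings listed in the guide.
GUIDE_OPTIONS = """\
security = ads
client signing = yes
client use spnego = yes
kerberos method = secrets and keytab
protocol = SMB3
lanman auth = no
ntlm auth = yes
client lanman auth = no
client plaintext auth = No
client NTLMv2 auth = Yes
"""

def parse_smb_options(text):
    """Return {key: value}; smb.conf keys and boolean values are case-insensitive."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        opts[" ".join(key.lower().split())] = value.strip().lower()
    return opts

def audit(text):
    """List every setting that departs from the guide's hardening intent."""
    opts = parse_smb_options(text)
    findings = [f"{k}: expected '{v}', found {opts.get(k)!r}"
                for k, v in REQUIRED.items() if opts.get(k) != v]
    if opts.get("ntlm auth") == "yes":
        findings.append("ntlm auth = yes: clients may still answer with NTLMv1")
    if "server min protocol" not in opts:
        # 'protocol' is a synonym for 'server max protocol'; it sets no floor.
        findings.append("server min protocol unset: SMB1/NT1 remains negotiable")
    return findings

# Same snippet with the two findings addressed; audit(HARDENED) returns [].
HARDENED = GUIDE_OPTIONS.replace("ntlm auth = yes", "ntlm auth = no") + "server min protocol = SMB3\n"
```

      Paste the live Extra Options into `audit()` after each change; an empty list means the snippet matches the guide's intent.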

    • scipio_americanus, I just built a new Windows 10 computer and my OMV 4 NAS doesn't show up in the Network section of the File Explorer. I read it has something to do with SMB v1 being removed by MS. If I enter \\<mynasname> into the address bar of File Explorer, the shared folders do show up and I can map them to drive letters. Will your scripts solve the issue? Do I need to use them all? Or are there some changes I can make to Windows to solve the problem? I don't understand what the scripts are doing, so I would just be doing a copy and paste.
    • First, a big thank you to @scipio_americanus for writing this up. It seems there are many roads to travel to integrate AD and OMV, but all lead to a dead-end. This seemed so clear-cut and, being new, I thought it was going to work, but alas I've hit another dead-end.

      I don't suppose someone could tell me how to troubleshoot step 2, the domain-join part. This is what I get:

      Source Code

      root@OMV-VM10:~# realm join -U administrator MYDOMAIN.local --verbose
      * Resolving: _ldap._tcp.mydomain.local
      * Resolving: mydomain.local
      * No results: mydomain.local
      realm: Cannot join this realm
      root@OMV-VM10:~#
      root@OMV-VM10:~# host mydomain.local
      mydomain.local has address 221.21.21.3
      mydomain.local has IPv6 address 2002:dd15:1503::dd15:1503
      mydomain.local has IPv6 address 2002:dd15:1550::dd15:1550
      root@OMV-VM10:~# hostname -f
      OMV-VM10.mydomain.local

      OMV version:

      Source Code

      root@OMV-VM10:~# uname -a
      Linux OMV-VM10 4.17.0-0.bpo.1-amd64 #1 SMP Debian 4.17.8-1~bpo9+1 (2018-07-23) x86_64 GNU/Linux

      My domain controller is a Windows Server 2008 R2 (fully patched).

      Any help will be greatly appreciated!!

      Thanks,
      Charles
    • Active Directory is very dependent on DNS.

          root@OMV-VM10:~# realm join -U administrator MYDOMAIN.local --verbose
          * Resolving: _ldap._tcp.mydomain.local
          * Resolving: mydomain.local
          * No results: mydomain.local
          realm: Cannot join this realm
          root@OMV-VM10:~#

          root@OMV-VM10:~# host mydomain.local
          mydomain.local has address 221.21.21.3
          mydomain.local has IPv6 address 2002:dd15:1503::dd15:1503
          mydomain.local has IPv6 address 2002:dd15:1550::dd15:1550
          root@OMV-VM10:~# hostname -f
          OMV-VM10.mydomain.local

      Seems DNS can't find mydomain.local. Try with the IP address. Look at /etc/nsswitch.conf and move dns ahead of mdns.

      Active Directory / LDAP Revisited
      If you make it idiot proof, somebody will build a better idiot.
    • Thanks for posting detailed instructions for this!

      On a fresh install of OMV4, I installed the packages and joined the realm (SAMBA AD) without any errors. I edited the /etc/sssd/sssd.conf as per the instructions.

      Sadly, I've not been able to make it past:

      Source Code

      root@omv:~# id <username>
      I just get the message id: '<username>': no such user. I can use kinit on the same username just fine, however.

      I've double-checked the /etc/sssd/sssd.conf and the details are correct. The sssd service is running; I've restarted the service, cleared the sssd cache and rebooted the machine to no avail. I also looked at some of the other AD threads to see if there was anything I could have missed. It seems I should just be able to join the realm, edit the sssd.conf file, restart sssd and run the id command to get the GUID of a user, but I can't!

      I was wondering whether anyone else who has followed these instructions has had this issue? Maybe there is something pre-emptive that I should have done/installed before this (seeing as it's a clean install of OMV)?

      I've included my sssd.conf file, but it's not really any different from the one in the guide. :-/

      Source Code

      [sssd]
      domains = domain.co.uk
      config_file_version = 2
      services = nss, pam
      [domain/domain.co.uk]
      ad_domain = domain.co.uk
      krb5_realm = DOMAIN.CO.UK
      realmd_tags = manages-system joined-with-adcli
      cache_credentials = True
      id_provider = ad
      krb5_store_password_if_offline = True
      default_shell = /bin/bash
      ldap_id_mapping = True
      use_fully_qualified_names = True
      fallback_homedir = /home/%u@%d
      access_provider = ad

      Thanks to anyone for any advice or suggestions in advance...
    • Hey donh, thanks for replying. I was just about to update my post with new information, but I've gotten a bit further now.

      Somehow, I was using "use_fully_qualified_names = True" in the sssd.conf file. I really don't know how I managed to do that, since I was copying the original instructions. :-/ Anyway, once I set it to False, cleared the sssd cache and restarted the service, I can now use "id <username>" to get the info of a user on the SAMBA AD. I can also SSH in to OMV with the AD username (after tweaking the AllowGroups in /etc/ssh/sshd_config).

      However, now it seems the issue is with the users and groups showing up in the OMV backend. They don't show up in the User/Groups sections. Not the end of the world, but they don't show up in the ACL for a file share either. I've modified the /etc/login.defs file and set UID_MAX and GID_MAX to 9999999999, but no dice. :(

      Maybe I'm being a bit dumb and I should be using these steps AND the LDAP in the backend plugin together??!!

      Cheers.

      Update:

      Apologies, forgot to add that if I do "getent passwd" I only get local users, but if I do "getent passwd jsmith", it returns the AD user:

      Source Code

      jsmith:*:1697601110:1697600513:Joe Smith:/home/jsmith:/bin/bash


    • Well, you are close. Here is what I have under SMB extra options for reference. They are for a Windows AD but some may apply? Seem to remember having uid max there at one time also.

      #Extra Options
      client signing = yes
      client use spnego = yes
      kerberos method = secrets and keytab
      password server = mustang.example.com
      realm = example.COM
      security = ads

      I wrote a script for Windows here. Look through the sssd.conf file; I added some comments to it. Maybe something helpful?
      forum.openmediavault.org/index…Directory-LDAP-Revisited/

      How many users do you have?
      If you make it idiot proof, somebody will build a better idiot.
    • Yeah, not sure why it's such an issue...seems that I have a total disconnect between the OS and OMV...

      This was a clean installation, so I'm not sure whether something has changed since this guide was written. I've been careful not to install other components or mess with any other settings. Manual instructions seem to prefer "realm join", whereas non-OMV solutions seem to prefer winbind as the means of joining the directory server.

      Haha, I only have 2 users and around 5 groups. Pointless I know, but this is a homely setup that I'm trying out with a view to deploying on a larger scale outside of the home. So far, not having much luck. :-/

      I'll take a look at the options and post back.

      Cheers.
    • Source Code

      cat /etc/nsswitch.conf
      # /etc/nsswitch.conf
      #
      # Example configuration of GNU Name Service Switch functionality.
      # If you have the `glibc-doc-reference' and `info' packages installed, try:
      # `info libc "Name Service Switch"' for information about this file.
      passwd: compat sss
      group: compat sss
      shadow: compat sss
      gshadow: files
      hosts: files mdns4_minimal [NOTFOUND=return] dns
      networks: files
      protocols: db files
      services: db files sss
      ethers: db files
      rpc: db files
      netgroup: nis sss
      sudoers: files sss

      If you make it idiot proof, somebody will build a better idiot.
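      Why the hosts: line above matters for a realm named MYDOMAIN.local, and what donh's "move dns ahead of mdns" fix does to it. This is an added example, not part of the thread; the sample lines are constructed from the nsswitch.conf posted above.

```python
# Added example (not from the original post): check whether the hosts: line in
# /etc/nsswitch.conf can ever hand a ".local" AD realm to DNS. With the order
# shown above, mdns4_minimal claims every .local name and its [NOTFOUND=return]
# action stops the lookup before the dns source is consulted.

# Samples, constructed from the hosts: line in the file above.
NSSWITCH_BEFORE = "hosts: files mdns4_minimal [NOTFOUND=return] dns\n"
NSSWITCH_AFTER = "hosts: files dns mdns4_minimal [NOTFOUND=return]\n"

def hosts_tokens(nsswitch_text):
    """Return the ordered source and [action] tokens of the hosts: line."""
    for raw in nsswitch_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("hosts:"):
            return line.split(":", 1)[1].split()
    return []

def dns_reached_for(nsswitch_text, name):
    """True if a lookup of `name` can reach the dns source at all."""
    tokens = hosts_tokens(nsswitch_text)
    if "dns" not in tokens:
        return False
    if not name.lower().rstrip(".").endswith(".local"):
        return True                      # mdns modules ignore non-.local names
    for i, tok in enumerate(tokens):
        if tok == "dns":
            return True
        if tok.startswith("mdns") and i + 1 < len(tokens) \
                and tokens[i + 1].upper() == "[NOTFOUND=RETURN]":
            return False                 # mDNS answers NOTFOUND and the chain stops

    return True

def move_dns_ahead_of_mdns(nsswitch_text):
    """Rewrite the hosts: line so dns is tried before any mdns module."""
    tokens = hosts_tokens(nsswitch_text)
    if "dns" in tokens:
        tokens.remove("dns")
        idx = next((i for i, t in enumerate(tokens) if t.startswith("mdns")),
                   len(tokens))
        tokens.insert(idx, "dns")
    fixed = "hosts: " + " ".join(tokens)
    lines = nsswitch_text.splitlines()
    return "\n".join(fixed if l.split("#", 1)[0].strip().startswith("hosts:")
                     else l for l in lines) + "\n"
```

      Run `dns_reached_for(open("/etc/nsswitch.conf").read(), "mydomain.local")` on the box; False means realm join will never see your DC's SRV records no matter what the DNS server says.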