Guide to OMV 4 Active Directory Integration

  • Just to update, as you said "plain site"....it turns out that after a, um, reboot I've now got all users and groups showing in the backend.


    When I connect to a share, I can't seem to authenticate with a known working username and password, but that could just be an ACL thing; otherwise I may have to mess around with the SMB/CIFS configuration.


    Anyway, thanks for all your help donh. :)

  • Just to update, as you said "plain site"....it turns out that after a, um, reboot I've now got all users and groups showing in the backend.


    When I connect to a share, I can't seem to authenticate with a known working username and password, but that could just be an ACL thing; otherwise I may have to mess around with the SMB/CIFS configuration.


    Anyway, thanks for all your help donh. :)

    I got a similar issue and by doing this, I managed to get it to work... it might help you.

  • Greetings all,


    I've been working on the configuration of an omv server tied to a windows domain. I've followed the instructions above and now have access to all the users listed in the ad server in the users list of omv. I can assign AD users to shares and at the command line I show that I am joined to the domain. When I attempt however to map a network connection to a share on omv from a Windows 7 workstation on the same domain I get the following error:


    "There are currently no logon servers available to service the logon request."


    I've confirmed that my dns IP for the omv server points to the AD server as does the dns IP for the station I am trying to map from. The dns server resides on the AD server as well.


    Keep in mind that the station I am attempting to do this from is joined on the same domain and I log into the machine with the same credentials.


    One observation is that under Access Rights Management and Users I only see my login one time in the Users list; however under Shared Folders/folder being shared/Privileges my username is listed twice in the users list there. I am assuming that one is associated with the actual omv installation, as I am a user on it, and the other originates from the AD server, as it doesn't actually tell me. I assigned both references read/write privileges to the shared folder.


    I do show that I have read/write privileges for the share in question.


    Any thoughts?

  • Thanks for the info on the guide.


    I was following the guide for OMV 5 but it seems it will not work for samba > 4.8 (or 4.6, I'm not sure). It will need winbind.
    So I fell back to OMV 4 and after a while got it working with all users appearing in the console, accessing the server from a Windows client and so on and so forth.
    The only thing I cannot get right (which works in ubuntu using sssd) is remote access to SSH.
    Somehow digging into the sssd logs gives me something like a "Preauthentication failed".


    Is there any troubleshooting guide I can follow on this?


    [get_and_save_tgt] (0x0020): 1302: [-1765328360][Preauthentication failed]
    [map_krb5_error] (0x0020): 1371: [-1765328360][Preauthentication failed]

    Edited once, last by sebasb () for the following reason: UPDATE: Unknown why, but solved post reboot!

    Yes, it works fine for me with a WS2016 (AD compatibility WS2012) and OMV 4.1.23-1 (Arrakis).
    Just add this command before trying to view ids:

    Code
    systemctl stop sssd.service && rm /var/lib/sss/db/* && systemctl start sssd.service
    
    
    reboot now


    Thanks.

    Don't ever use DOMAIN.LOCAL !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!


    You should use something like DOMAIN.LAN but never .LOCAL


    In the samba documentation I found also that you should never use AD or PDC as hostnames for your samba controller.


    When I changed that stuff it worked like a charm!!!


    Hope it helps somebody!!!


    EDIT: Maybe this thing should be posted in the first post as requirement

  • Just a couple of issues I noticed, maybe not for all users, but some things I had to do to make it work:


    My environment (for the most part) is a flat network, with AD DC provided by Samba. Prior to tonight, I had used sssd exactly twice, so I'm not intimately familiar with it (and realistically, I don't need it being that I have the 2303 extensions, but this seemed a QnD guide, and it was). YMMV.


    1. Turn off rdns in /etc/krb5.conf... I ignored this. It didn't seem like the greatest advice if your DNS is set up correctly (you should *not* be using DHCP or DNS outside of your DC unless you really know what you are doing). If you are using ISC dhcpd in the case of Samba, dynamic A and PTR updates are easy enough to implement (whether using samba internal DNS or ISC Bind). I realize that DNS can be difficult, but AD lives and dies in DNS so you should really take the time to get it working correctly. PM me if you need help with this (whether Windows or Samba) and I'll be happy to assist.


    2. After I 'joined' the realm (that's frustrating - they really need to fix that term as it is meaningless to Kerberos), I was unable to use id or getent to display any known AD users (same as Cloggs earlier in the thread). I had to manually add sss to /etc/nsswitch.conf for passwd and group entries (and netgroups, sudoers did not exist), and in /etc/krb5.conf I set true for both dns_lookup_realm and dns_lookup_kdc. I probably could've manually provided a KDC here, but DNS is correct in my environment. I'm not sure why this did not work for me initially as I was able to join the realm. After these changes, id and getent both worked as expected.


    3. In /etc/sssd/sssd.conf, enumerate must be set to true, this is in the example configuration, but is not mentioned in the 'add to' section (I presume that it was a default in earlier versions). Unfortunately, without this config entry the users will not show up in the UI (caching?). Also after modifying the sssd configuration, make sure you 'sudo systemctl restart sssd'.


    4. It wasn't mentioned in the tutorial, but the additional parameters for SMB/CIFS, both the DNS (AD.HELL.SATAN.COM) and the NetBIOS domain name (SATAN) should be changed to match your local configuration. Most of us should catch that, but I thought I'd mention it because undoubtedly somebody will copy and paste and say that it doesn't work.


    Note: I went back and did all of this a second time, to verify the above points, removing all of my previous changes including additional packages, and the nsswitch changes in step 2 above were not required (the sss params were added to all _four_ entries by the PM (sudoers was back though right after filessudoers (no newline)), so something was clearly wrong with my box prior to starting). I did verify that the entries (ones I added, mind you) were removed after removing sssd and friends. 3 was still required on my second setup (my krb5.conf, the other half of 2 above, was still in place so I left it as is, 1 is an issue not directly related to the document, and 4 is obviously required).


    Other than the above notes, it took me maybe fifteen minutes to get it working (including the minimal troubleshooting). I took far longer to write this post. :)


    Other general points mentioned elsewhere in the thread:


    hermetik said "never use .local" and this is good advice, except that Microsoft recommended this for many years when they really shouldn't have (they were a participant in the mDNS draft before Windows 2000 was even released, and this recommendation was still prevalent in their docs until well into 2010). Point is, the decision to use a .local may be out of the user's control. If that is the case, move dns before mdns in /etc/nsswitch.conf if your TLD is .local.


    donh mentioned not using .com or .net unless you know what you are doing. Modern tutorials suggest that you really should attempt to match your external domains, and use a sub-domain for the internal domain, for example: internal.company.com or home.family.org. Again, it's a matter of taste, but using random TLDs (.local, .domain, .lan, etc.) should universally be frowned upon.


    Thanks for the tutorial scipio_americanus.


    I hope the above helps somebody.


    --DJ

    I've been having a hell of a time trying to get this set up. I've followed the instructions put forth by the OP, including the recent addendum from DJ_L, but I'm still having access issues with my shares.


    Where I'm at now is: my omv vm is joined to my domain, and running both "getent passwd" and "id ApprehensiveEdge6" in the console shows all the users/info that I'm expecting to see. The omv web ui page at "Access Rights Management > User" also displays all the expected users. I've set the recommended additions to "Service > SMB/CIFS > Advanced Settings" (adjusting for my domain/realm). I have created two shares, "movies" and "tv".


    The problem comes when I try to browse to those shares on my windows box, by navigating to \\omv.mydomain.tld\(movies|tv) in windows explorer. I get an explorer error popup stating:


    \\omv.mydomain.tld is not accessible. You might not have permission to use this network resource. We can't sign you in with this credential because your domain isn't available.


    What's irritating about this message and behavior is that the error box appears almost immediately, without ever prompting for username and password.


    So far, I have found that if I remove the first line from the SMB/CIFS Advanced Settings directive (meaning, "security = ads") I can get just a little bit further -- windows explorer at least displays a credential input dialog box, where it has populated my domain/username (mydomain\ApprehensiveEdge6) and prompts for a password. When I enter my domain account password here, though, the credential dialog box returns with the message, "The specified network password is not correct."


    I know that the box itself is authenticating to my domain controller correctly in at least some aspects, as I have an ad group called "ssh-sudoers", of which ApprehensiveEdge6 is a member. This group is enabled in AllowedGroups in /etc/sshd/sshd_config, and that user is able to ssh in to the omv box using my ad creds.


    In checking /var/log/syslog at the time of a browse attempt (with "security = ads" enabled) I see log lines such as (the following is edited for brevity):


    Sep 18 20:28:08 omv smbd[16216]: ../source3/librpc/crypto/gse_krb5.c:217: failed to fetch machine password
    Sep 18 20:28:08 omv smbd[16216]: ../source3/librpc/crypto/gse_krb5.c:603: Warning! Unable to set mem keytab from secrets!
    Sep 18 20:28:08 omv smbd[16216]: Could not find machine account in secrets database: Failed to fetch machine account password for MYDOMAIN from both secrets.ldb (Could not find entry to match filter: '(&(flatname=MYDOMAIN)(objectclass=primaryDomain))' base: 'cn=Primary Domains': No such object: dsdb_search at ../source4/dsdb/common/util.c:4575) and from /var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
    Sep 18 20:28:08 omv smbd[16216]: [2019/09/18 20:28:08.566215, 0] ../source3/auth/auth_domain.c:121(connect_to_domain_password_server)
    Sep 18 20:28:08 omv smbd[16216]: connect_to_domain_password_server: unable to open the domain client session to machine DC01.MYDOMAIN.TLD. Error was : NT_STATUS_CANT_ACCESS_DOMAIN_INFO.


    It's driving me nuts; I'm not able to discern what's going wrong here.


    Notes:
    OpenMediaVault version 4.2.24-1, running on ESXi 6.7u2
    Active Directory provided by Windows Server 2019, running on the same ESXi host
    Client machine is Windows 10 Pro, on a standalone machine, and is domain-joined
    My domain is not actually literally named MYDOMAIN.TLD


    Any help would be greatly appreciated.

  • I've had some success with this, but I'm unable to browse the shares via my domain account.


    I'm able to get the point where I can lookup users in the domain via 'id username' and am able to add domain users and groups to security on the OMV shares, but that's as far as I get. when I browse the share it keeps prompting for credentials and I get no further.


    running 'net ads join -k' and 'net rpc join -k' yield RPC errors.


    Any help would be appreciated.

    For those who want to use OMV 5 with this guide: it will work fine, but with samba 4.6 I think it needs winbind working.
    So far I've joined it using
    * realm join (works)
    * made sure id "DOMAIN\user" works
    * Edited again the extra settings in the SMB config (if you did it before realm join it gets changed; make sure you do it after, or at least add something and remove something to impact the settings again)
    --- security = ads
    --- realm = SBSOFT.COM.AR
    -- idmap config DOMAIN : backend = sss (instead of rid; for me it's better since sssd is used on other ubuntu machines and I can keep the user id mapping consistent)
    -- winbind refresh tickets = yes (in a month or so I'll come back if this is an issue after a computer account password refresh cycle)
    and then rejoined using net ads join -U <domain admin> to ensure winbind has all the needed data for the join

    Some things to check:
    DNS resolution from omv to the domain (_ldap._tcp.<domain fqdn>, https://blogs.msdn.microsoft.c…lity-of-active-directory/)
    To use -k you should first do kinit -k "Domain Admin account"
    Also make sure you did not set up "winbind use default domain = true"; the same happened to me.
    Also check winbind refresh tickets = true if it happens periodically.
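    The items DJ_L lists in his notes further up (sss in the passwd and group lines of /etc/nsswitch.conf, dns_lookup_kdc and dns_lookup_realm in /etc/krb5.conf, enumerate = true in sssd.conf, the realm and NetBIOS name changed from the guide's AD.HELL.SATAN.COM / SATAN placeholders) and the checks in the post just above (the _ldap._tcp SRV record, winbind use default domain) can be rolled into one preflight script run on the OMV box before the join. The script below is an added example written for this thread; it is not code from the guide, from OMV or from Samba. It assumes the Debian/OMV 4 file locations, that the smb.conf [global] section carries the extra options, and that dig is installed for the SRV lookup; each check takes a file path, so it can be pointed at a copy or a test file.

```shell
#!/bin/sh
# Preflight checks for an sssd-based AD join on OMV 4.
# Added example for this thread, not OMV or Samba project code.
# Assumed defaults (Debian/OMV 4 layout): /etc/nsswitch.conf, /etc/krb5.conf,
# /etc/sssd/sssd.conf, /etc/samba/smb.conf; "dig" is assumed to be installed.

# ini_get FILE SECTION KEY: print the value of KEY inside [SECTION], or nothing.
# Good enough for krb5.conf [libdefaults], sssd.conf and smb.conf [global].
ini_get() {
    awk -v sect="$2" -v key="$3" '
        /^[ \t]*\[/ { s = $0; gsub(/^[ \t]*\[|\].*$/, "", s); in_sect = (s == sect); next }
        in_sect && $0 ~ ("^[ \t]*" key "[ \t]*=") {
            v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v); print v; exit
        }' "$1"
}

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }
upper() { printf '%s' "$1" | tr 'a-z' 'A-Z'; }

# passwd and group lookups must go through sss, or id/getent never see AD users.
check_nsswitch() {
    for db in passwd group; do
        grep -E "^[[:space:]]*$db:.*[[:space:]]sss([[:space:]]|$)" "$1" >/dev/null || return 1
    done
    return 0
}

# Let libkrb5 discover the realm and the KDCs from DNS SRV records.
check_krb5() {
    for k in dns_lookup_kdc dns_lookup_realm; do
        [ "$(lower "$(ini_get "$1" libdefaults "$k")")" = "true" ] || return 1
    done
    return 0
}

# Without enumerate = true in the [domain/...] section the OMV UI lists no AD users.
check_sssd() {
    sect=$(awk '/^[ \t]*\[domain\// { s = $0; gsub(/^[ \t]*\[|\].*$/, "", s); print s; exit }' "$1")
    [ -n "$sect" ] || return 1
    [ "$(lower "$(ini_get "$1" "$sect" enumerate)")" = "true" ]
}

# smb.conf [global]: security = ads, an upper-case realm and a workgroup that are
# yours (not the guide's placeholders), and no "winbind use default domain = yes".
check_smb() {
    sec=$(lower "$(ini_get "$1" global security)")
    realm=$(ini_get "$1" global realm)
    wg=$(ini_get "$1" global workgroup)
    wudd=$(lower "$(ini_get "$1" global 'winbind use default domain')")
    [ "$sec" = "ads" ] || return 1
    [ -n "$realm" ] && [ "$realm" = "$(upper "$realm")" ] || return 1
    [ -n "$wg" ] || return 1
    [ "$realm" != "AD.HELL.SATAN.COM" ] && [ "$wg" != "SATAN" ] || return 1
    case "$wudd" in yes|true|1) return 1 ;; esac
    return 0
}

# The DC must publish _ldap._tcp SRV records for the realm (needs network and dig,
# so it is only run by the live "check" mode below).
check_srv() {
    dig +short SRV "_ldap._tcp.$(lower "$1")" | grep -q .
}

run_all() {
    rc=0
    report() { if "$@" >/dev/null 2>&1; then echo "ok   $1"; else echo "FAIL $1"; rc=1; fi; }
    report check_nsswitch /etc/nsswitch.conf
    report check_krb5 /etc/krb5.conf
    report check_sssd /etc/sssd/sssd.conf
    report check_smb /etc/samba/smb.conf
    report check_srv "$(ini_get /etc/samba/smb.conf global realm)"
    return $rc
}

# Run the live checks only when invoked as "sh check_ad_join.sh check".
if [ "${1:-}" = "check" ]; then run_all; fi
```

    Run it as `sh check_ad_join.sh check` after editing the files and before `realm join`; a FAIL line names the file to fix. The config parser is deliberately small (no includes, no comments), which is enough for the four files involved; if you manage smb.conf through the OMV UI, remember that the extra options only land in the generated file after the SMB/CIFS settings are saved, as noted in the thread.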

    Here is a shell script that integrates OMV 4 and OMV 5 with AD without errors!
    The dialog script was made by a friend based on a simpler one I had made; it already enables samba, installs all packages and integrates with AD or Samba4.


    https://github.com/eduardojonc…master/Join_OMV_to_AD_1.0


    PS: The script is in Brazilian Portuguese as it was made for users of the omvbr group on Telegram, but nowadays with Google Translator for anyone in the world to use.

    • Official post

    Here is a shell script that integrates OMV 4 and OMV 5 with AD without errors!
    The dialog script was made by a friend based on a simpler one I had made; it already enables samba, installs all packages and integrates with AD or Samba4.


    https://github.com/eduardojonc…master/Join_OMV_to_AD_1.0


    PS: The script is in Brazilian Portuguese as it was made for users of the omvbr group on Telegram, but nowadays with Google Translator for anyone in the world to use.

    Nice looking script, thanks. Puts my simple one to shame. Unfortunately Google Translate puts extra spaces in the wrong places:
    #! / bin / bash. Anybody know of a better translator?

  • I do see one thing missing from the instructions here. I think that ideally all domain users should automatically be added to the users group. It looks like Linux doesn't support group nesting like Windows does, so I'm not sure what the solution there would be.


    I ran into another issue with errors when attempting to start SMB after adding the extra options:


    https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1806035


    Need to run the following to map guest to nogroup:


    net groupmap add sid=S-1-5-32-546 unixgroup=nogroup type=builtin
