Guide to OMV 4 Active Directory Integration

    • OMV 4.x
    • Resolved


    • Just to update, as you said "plain site"....it turns out that after a, um, reboot I've now got all users and groups showing in the backend.

      When I connect to a share, I can't seem to authenticate with a known working username and password, but that could just be an ACL thing, otherwise I may have to mess around with the SMB/CIFS configuration.

      Anyway, thanks for all your help donh. :)
    • Cloggs wrote:

      Just to update, as you said "plain site"....it turns out that after a, um, reboot I've now got all users and groups showing in the backend.

      When I connect to a share, I can't seem to authenticate with a known working username and password, but that could just be an ACL thing, otherwise I may have to mess around with the SMB/CIFS configuration.

      Anyway, thanks for all your help donh. :)
      I got a similar issue and by doing this, I managed to get it to work... probably might help you
    • Greetings all,

      I've been working on the configuration of an omv server tied to a windows domain. I've followed the instructions above and now have access to all the users listed in the ad server in the users list of omv. I can assign AD users to shares and at the command line I show that I am joined to the domain. When I attempt however to map a network connection to a share on omv from a Windows 7 workstation on the same domain I get the following error:

      "There are currently no logon servers available to service the logon request."

      I've confirmed that my dns IP for the omv server points to the AD server as does the dns IP for the station I am trying to map from. The dns server resides on the AD server as well.

      Keep in mind that the station I am attempting to do this from is joined on the same domain and I log into the machine with the same credentials.

      One observation is that under Access Rights Management and users I only see my login one time in the Users list, however under Shared Folders/folder being shared/privileges my username is listed twice in the users list there. I am assuming that one is associated with the actual omv installation as I am a user on it and the other originates from the AD server, as it doesn't actually tell me. I assigned both references read/write privileges to the shared folder.

      I do show that I have read/write privileges for the share in question.

      Any thoughts?
    • Thanks for the info on the guide.

      I was following the guide for OMV 5 but it seems it will not work for samba > 4.8 (or 4.6, I'm not sure). It will need winbind.
      So I fell back to OMV 4 and after a while got it working with all users appearing in the console, accessing the server from a Windows client and so on and so forth.
      The only thing I cannot get right (which works in Ubuntu using sssd) is remote access to SSH.
      Somehow digging into the sssd logs gives me something like a "Preauthentication failed".

      Is there any troubleshooting guide I can follow on this?

      [get_and_save_tgt] (0x0020): 1302: [-1765328360][Preauthentication failed]
      [map_krb5_error] (0x0020): 1371: [-1765328360][Preauthentication failed]

      The post was edited 1 time, last by sebasb: UPDATE: Unknown why, but solved post reboot!

      Don't ever use DOMAIN.LOCAL !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

      You should use something like DOMAIN.LAN but never .LOCAL

      In the samba documentation I found also that you should never use AD or PDC as hostnames for your samba controller.

      When I changed that stuff it worked like a charm!!!

      Hope it helps somebody!!!

      EDIT: Maybe this thing should be posted in the first post as requirement
    • Just a couple of issues I noticed, maybe not for all users, but some things I had to do to make it work:

      My environment (for the most part) is a flat network, with AD DC provided by Samba. Prior to tonight, I had used sssd exactly twice, so I'm not intimately familiar with it (and realistically, I don't need it being that I have the 2303 extensions, but this seemed a QnD guide, and it was). YMMV.

      1. Turn off rdns in /etc/krb5.conf... I ignored this. It didn't seem like the greatest advice if your DNS is set up correctly (you should *not* be using DHCP or DNS outside of your DC unless you really know what you are doing). If you are using ISC dhcpd in the case of Samba, dynamic A and PTR updates are easy enough to implement (whether using samba internal DNS or ISC Bind). I realize that DNS can be difficult, but AD lives and dies in DNS so you should really take the time to get it working correctly. PM me if you need help with this (whether Windows or Samba) and I'll be happy to assist.

      2. After I 'joined' the realm (that's frustrating - they really need to fix that term as it is meaningless to Kerberos), I was unable to use id or getent to display any known AD users (same as Cloggs earlier in the thread). I had to manually add sss to /etc/nsswitch.conf for passwd and group entries (and netgroups, sudoers did not exist), and in /etc/krb5.conf I set true for both dns_lookup_realm and dns_lookup_kdc. I probably could've manually provided a KDC here, but DNS is correct in my environment. I'm not sure why this did not work for me initially as I was able to join the realm. After these changes, id and getent both worked as expected.

      3. In /etc/sssd/sssd.conf, enumerate must be set to true, this is in the example configuration, but is not mentioned in the 'add to' section (I presume that it was a default in earlier versions). Unfortunately, without this config entry the users will not show up in the UI (caching?). Also after modifying the sssd configuration, make sure you 'sudo systemctl restart sssd'.

      4. It wasn't mentioned in the tutorial, but the additional parameters for SMB/CIFS, both the DNS (AD.HELL.SATAN.COM) and the NetBIOS domain name (SATAN) should be changed to match your local configuration. Most of us should catch that, but I thought I'd mention it because undoubtedly somebody will copy and paste and say that it doesn't work.

      Note: I went back and did all of this a second time, to verify the above points, removing all of my previous changes including additional packages, and the nsswitch changes in step 2 above were not required (the sss params were added to all _four_ entries by the PM (sudoers was back though right after filessudoers (no newline)), so something was clearly wrong with my box prior to starting). I did verify that the entries (ones I added, mind you) were removed after removing sssd and friends. 3 was still required on my second setup (my krb5.conf, the other half of 2 above, was still in place so I left it as is, 1 is an issue not directly related to the document, and 4 is obviously required).

      Other than the above notes, it took me maybe fifteen minutes to get it working (including the minimal troubleshooting). I took far longer to write this post. :)

      Other general points mentioned elsewhere in the thread:

      hermetik said "never use .local" and this is good advice, except that Microsoft recommended this for many years when they really shouldn't have (they were a participant in the mDNS draft before Windows 2000 was even released, and this recommendation was still prevalent in their docs until well into 2010). Point is, the decision to use a .local may be out of the user's control. If that is the case, move dns before mdns in /etc/nsswitch.conf if your TLD is .local.

      donh mentioned not using .com or .net unless you know what you are doing. Modern tutorials suggest that you really should attempt to match your external domains, and use a sub-domain for the internal domain, for example: internal.company.com or home.family.org. Again, it's a matter of taste, but using random TLDs (.local, .domain, .lan, etc.) should universally be frowned upon.

      Thanks for the tutorial scipio_americanus.

      I hope the above helps somebody.

      --DJ
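The four points in DJ's post above (and the .local/mdns ordering note) are all checks against plain text files, so here is an added shell script, not code from the thread or from OMV, that audits them: `enumerate = true` in the sssd domain section, `sss` on the `passwd:`/`group:` lines of nsswitch.conf, `dns_lookup_realm`/`dns_lookup_kdc` in krb5.conf, and the smb.conf `realm` matching the sssd domain. The sample config files it writes are constructed for the example (reusing the tutorial's AD.HELL.SATAN.COM / SATAN placeholders); point the functions at the real /etc paths to audit a box.

```shell
#!/usr/bin/env bash
# Added example, not from the thread: audit the sssd/krb5/nsswitch/smb
# settings DJ's post lists. Sample configs are constructed below so the
# script runs offline; pass /etc/sssd/sssd.conf, /etc/krb5.conf,
# /etc/nsswitch.conf and /etc/samba/smb.conf to audit_ad_config for a real host.
set -u

# ini_get FILE SECTION KEY -> prints the value lower-cased, or "unset".
# Accepts "key = value" and "key=value"; ignores # and ; comments.
ini_get() {
  awk -v sec="$2" -v key="$3" '
    function trim(s) { gsub(/^[[:space:]]+|[[:space:]]+$/, "", s); return s }
    { line = $0; sub(/[#;].*/, "", line); line = trim(line) }
    line ~ /^\[/ { insec = (line == "[" sec "]"); next }
    insec && index(line, "=") {
      n = index(line, "=")
      k = trim(substr(line, 1, n - 1)); v = trim(substr(line, n + 1))
      if (k == key) { print tolower(v); found = 1; exit }
    }
    END { if (!found) print "unset" }' "$1"
}

# nss_uses_sss FILE DB -> exit 0 if the "DB:" line in nsswitch.conf lists sss.
nss_uses_sss() {
  grep -Eq "^[[:space:]]*$2:.*[[:space:]]sss([[:space:]]|$)" "$1"
}

# audit_ad_config SSSD_CONF KRB5_CONF NSSWITCH SMB_CONF
# Prints one line per finding; returns the number of problems (0 = clean).
audit_ad_config() {
  local sssd=$1 krb5=$2 nss=$3 smb=$4 problems=0 domain realm db key
  domain=$(sed -n 's/^[[:space:]]*\[domain\/\(.*\)\][[:space:]]*$/\1/p' "$sssd" | head -n1)
  [ -n "$domain" ] || { echo "FAIL: no [domain/...] section in $sssd"; return 1; }

  # Point 3: without enumerate = true the AD users never show up in the OMV UI
  if [ "$(ini_get "$sssd" "domain/$domain" enumerate)" != true ]; then
    echo "FAIL: enumerate is not true in [domain/$domain] of $sssd"; problems=$((problems + 1))
  fi
  # Point 2: id/getent need sss for passwd and group; KDC/realm discovery via DNS
  for db in passwd group; do
    nss_uses_sss "$nss" "$db" || { echo "FAIL: '$db:' in $nss lacks sss"; problems=$((problems + 1)); }
  done
  for key in dns_lookup_realm dns_lookup_kdc; do
    [ "$(ini_get "$krb5" libdefaults "$key")" = true ] || { echo "FAIL: $key is not true in $krb5"; problems=$((problems + 1)); }
  done
  # Point 1: rdns is only reported; DJ leaves it at the default when DNS is right
  echo "INFO: rdns = $(ini_get "$krb5" libdefaults rdns)"
  # Point 4: the realm Samba joins must be the domain sssd serves (case-insensitive)
  realm=$(ini_get "$smb" global realm)
  if [ "$realm" != "$(printf '%s' "$domain" | tr '[:upper:]' '[:lower:]')" ]; then
    echo "FAIL: smb.conf realm '$realm' does not match sssd domain '$domain'"; problems=$((problems + 1))
  fi
  # .local realms: dns must come before mdns on the hosts: line (DJ's note on hermetik's advice)
  case "$realm" in *.local)
    if grep -Eq '^[[:space:]]*hosts:.*[[:space:]]mdns.*[[:space:]]dns([[:space:]]|$)' "$nss"; then
      echo "FAIL: realm is .local but mdns precedes dns on the hosts: line of $nss"; problems=$((problems + 1))
    fi ;;
  esac
  echo "RESULT: $problems problem(s)"
  return "$problems"
}

# Constructed sample configs (tutorial placeholder realm, not a real host).
SAMPLE=$(mktemp -d)
cat > "$SAMPLE/sssd.good.conf" <<'EOF'
[sssd]
domains = ad.hell.satan.com
services = nss, pam

[domain/ad.hell.satan.com]
id_provider = ad
enumerate = true
EOF
cat > "$SAMPLE/sssd.bad.conf" <<'EOF'
[sssd]
domains = ad.hell.satan.com

[domain/ad.hell.satan.com]
id_provider = ad
EOF
cat > "$SAMPLE/krb5.conf" <<'EOF'
[libdefaults]
 default_realm = AD.HELL.SATAN.COM
 dns_lookup_realm = true
 dns_lookup_kdc = true
 rdns = false
EOF
cat > "$SAMPLE/nsswitch.good" <<'EOF'
passwd:         files sss
group:          files sss
hosts:          files dns mdns4_minimal
EOF
cat > "$SAMPLE/nsswitch.bad" <<'EOF'
passwd:         files
group:          files
hosts:          files mdns4_minimal dns
EOF
cat > "$SAMPLE/smb.conf" <<'EOF'
[global]
 workgroup = SATAN
 realm = AD.HELL.SATAN.COM
 security = ads
EOF

# Run both sample sets; the "bad" one reports enumerate plus two nsswitch lines.
audit_ad_config "$SAMPLE/sssd.good.conf" "$SAMPLE/krb5.conf" "$SAMPLE/nsswitch.good" "$SAMPLE/smb.conf" || true
audit_ad_config "$SAMPLE/sssd.bad.conf"  "$SAMPLE/krb5.conf" "$SAMPLE/nsswitch.bad"  "$SAMPLE/smb.conf" || true
```

The return value is the problem count, so the script drops into a cron job or a post-install check as-is. After fixing anything it reports, restart sssd (`sudo systemctl restart sssd`, as DJ notes) before re-testing with `id` and `getent passwd`.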