Guide to OMV 4 Active Directory Integration

  • Hi Everyone,
    Just got around to upgrading to OMV 4. Wanted to share my steps to get SMB 3 share authentication working against my SAMBA AD server. Since I'm a security guy, this configuration only uses SMB 3 and Kerberos through sssd. Don't have to worry about legacy SMB protocols, weak NTLM hashes, NULL AD sessions, or plain text ldap calls.


    Install Needed Packages

    Bash
    apt-get update && apt-get upgrade -y && apt-get install sssd sssd-tools realmd krb5-user libpam-sss libnss-sss libsasl2-modules-gssapi-mit packagekit libwbclient-sssd -y



    Edit /etc/krb5.conf
    DNS is hard; especially regarding Kerberos. You probably have to add the following to your krb5.conf file.


    Bash: /etc/krb5.conf
    rdns = False


    Join the Domain



    Bash
    realm join -U <AD user with Domain Join right> REALM --verbose

    For Example,


    Code
    realm join -U lucifer AD.HAIL.SATAN.COM --verbose


    Edit /etc/sssd/sssd.conf to make sure the following are set under the domain configuration.


    Bash: /etc/sssd/sssd.conf
    use_fully_qualified_names = False
    fallback_homedir = /home/%u
    ad_gpo_access_control = permissive

    Example full sssd.conf file

    Edit /etc/login.defs
    Look up the uid value in your realm.


    Bash
    root@omv:~# id lucifer
    uid=166640342(lucifer) gid=166642256(domain users) groups=166642256(domain users),29(sudo)


    In this example, our generated id has 9 digits, so we set the following for UID_MAX and GID_MAX in /etc/login.defs.


    SMB/CIFS Advanced Options
    Set then following under Extra Options of the Advanced Settings Div in the SMB/CIFS configuration.



    You should now be able to see the AD users and groups in the OMV tab, and assign share permissions based on that.

  • scipio_americanus, I just built a new Windows 10 computer and my OMV 4 NAS doesn't show up in the Network section of the File Explorer. I read it has something to do with SMB v1 being removed by MS. If I enter \\<mynasmname> into the address bar of File Explorer, the shared folders do show up and I can map them to drive letters. Will your scripts solve the issue? Do I need to use them all? Or is there some changes I can make to Windows to solve the problem? I don't understand what the scripts are doing, so I would just be doing a copy and paste.

  • First, a big thank you to @scipio_americanus for writing this up. It seems there are many roads to travel to integrate AD and OMV but, all lead to a dead-end. This seemed so clear-cut and being new I thought was going to work but, alas I've hit another dead-end.


    I don't suppose someone could tell me how to troubleshoot step 2 - the joining domain part. This is what I get:


    OMV version:

    Code
    root@OMV-VM10:~# uname -a
    Linux OMV-VM10 4.17.0-0.bpo.1-amd64 #1 SMP Debian 4.17.8-1~bpo9+1 (2018-07-23) x86_64 GNU/Linux


    My domain controller is a Windows Server 2008 R2 (fully patched).


    Any help will be greatly appreciated!!


    Thanks,
    Charles

    • Offizieller Beitrag

    Active directory is very dependent on dns. root@OMV-VM10:~# realm join -U administrator MYDOMAIN.local --verbose
     * Resolving: _ldap._tcp.mydomain.local
     * Resolving: mydomain.local
     * No results: mydomain.local
    realm: Cannot join this realm
    root@OMV-VM10:~#



    root@OMV-VM10:~# host mydomain.local
    mydomain.local has address 221.21.21.3
    mydomain.local has IPv6 address 2002:dd15:1503::dd15:1503
    mydomain.local has IPv6 address 2002:dd15:1550::dd15:1550
    root@OMV-VM10:~# hostname -f
    OMV-VM10.mydomain.local
    Seems dns can't find mydomain.local. Try with the ip address. Look at /etc/nsswitch.conf and move dns ahead of mdns.


    Active Directory / LDAP Revisited

  • Hi
    I have Windows 2k12 AD Domain and OMV 4 fresh install...got the configurations as mentioned here. But OMV webGUI users and groups showing 'nobody' and 'nogroup'


    # id <ad user> successfully returns the uids and gids


    Pls help me to fix this.


    Thanks so much

  • Thanks for the posting detailed instructions for this!


    On a fresh install of OMV4, I installed the packages and joined the realm (SAMBA AD) without any errors. I edited the /etc/sssd/sssd.conf as per the instructions.


    Sadly, I've not been able to make it past:

    Code
    root@omv:~# id <username>

    I just get the message id: '<username>': no such user. I can use kinit on the same username just fine, however.


    I've double-checked the the /etc/sssd/sssd.conf and the details are correct. The sssd service is running, I've restarted the service, cleared the sssd cache and rebooted the machine to no avail. I also looked at some of the other AD threads to see if there was anything I could have missed. It seems I should just be able to join the realm, edit the sssd.conf file, restart sssd and run the id command to get the GUID of a user, but I can't!


    I was wondering whether anyone else who has followed these instructions has had this issue? Maybe there is something pre-emptive that I should have done/installed before this (seeing as it's a clean install of OMV)?


    I've included my sssd.conf file, but it's not really any different from the one in the guide. :-/


    Thanks to anyone for any advice or suggestions in advance...

  • Hey donh, thanks for replying. I was just about to update my post with new information, but I've gotten a bit further now.


    Somehow, I was using "use_fully_qualified_names = True" in the sssd.conf file. I really don't know how I managed to do that, since I was copying the original instructions. :-/ Anyway, once I set it to False, cleared the sssd cache and restarted the service, I can now use "id <username>" to get the info of a user on the SAMBA AD. I can also SSH in to OMV with the AD username (after tweaking the AllowGroups in /etc/ssh/sshd_config).


    However, now it seems the issue is with the users and groups showing up in the OMV backend. They don't show up in the User/Groups sections. Not the end of the world, but they don't show up in the ACL for a file share either. I've modified the /etc/login.defs file and set UID_MAX and GID_MAX to 9999999999, but not dice. :(


    Maybe I'm being a bit dumb and I should be using these steps AND the LDAP in the backend plugin together??!!


    Cheers.


    Update:


    Apologies, forgot to add that if I do "getent passwd" I only get local users, but if I do "getent passwd jsmith", it returns the AD user:

    Code
    jsmith:*:1697601110:1697600513:Joe Smith:/home/jsmith:/bin/bash
  • I stuck another digit on the end to be sure, but 1697600513 is less than 9999999999 by a fair margin. ;) Basically, the UID's and GID's are ten digits, so I went for ten 9's.

  • getent passwd now returns all users after adding the following to the sssd.conf file and restarting sssd:


    Code
    enumerate = true

    However, nothing showing in OMV backend still. :(

    • Offizieller Beitrag

    Well you are close. Her is what I have under smb extra options for reference. Thay are for a windows ad but some may apply? Seem to remember having uid max there at one time also.
    [list=1][*]#Extra Options
    [*]client signing = yes
    [*]client use spnego = yes
    [*]kerberos method = secrets and keytab
    [*]password server = mustang.example.com
    [*]realm = example.COM
    [*]security = ads
    [/list]
    I wrote a script for windows here. Look threw the sssd.conf file I added some comments to it. Maybe something helpful?
    https://forum.openmediavault.o…Directory-LDAP-Revisited/


    How many users do you have?

  • Yeah, not sure why it's such an issue...seems that I have a total disconnect between the OS and OMV...


    This was a clean installation, so not sure whether something has changed since this guide was written. I've been careful not to install other components or mess with any other settings. Manual instructions seem to prefer "realm join", whereas non-OMV solutions tend seem to prefer winbind as means to joining the directory server.


    Haha, I only have 2 users and around 5 groups. Pointless I know, but this is a homely setup that I'm trying out with a view to deploying on a larger scale outside of the home. So far, not having much luck. :-/


    I'll take a look at the options and post back.


    Cheers.

    • Offizieller Beitrag

Jetzt mitmachen!

Sie haben noch kein Benutzerkonto auf unserer Seite? Registrieren Sie sich kostenlos und nehmen Sie an unserer Community teil!