ldap plugin - import from AD

    • OMV 4.x
    • ms 2008r2 standard.

      I made two traffic dumps - one of a successful ldapsearch and one of an unsuccessful su $user.
      Wireshark shows that in both cases the bind is successful, but the search requests are not identical.
      In the unsuccessful case the search request includes attribute parameters and a filter option such as (&(objectClass=posixAccount)(uid=$user)).
      As a result the DC server returns no result.

      So I think that the cause of the failure is the wrong search request.
    • Returned to this issue.
      And faced another one - I can't start the smbd daemon.

      In all cases I see this error -

      smbd.service: Supervising process 24728 which is not our child. We'll most likely not notice when it exits.
      smbd.service: Start operation timed out. Terminating.

      smbd.service: Killing process 24728 (smbd) with signal SIGKILL.
      Failed to start Samba SMB Daemon.
      smbd.service: Unit entered failed state.
      smbd.service: Failed with result 'timeout'.
    • Resolved the issue with Samba.

      As for the ldap plugin - I achieved a bit of success, without connecting the OMV server to the AD domain,
      with these additional options:
      nss_map_objectclass posixAccount user
      nss_map_objectclass shadowAccount user
      nss_map_objectclass posixGroup group
      nss_map_attribute uid sAMAccountName

      I collected a traffic dump, and Wireshark showed that the AD server responded with all the information about users - it happened after the first search request from the OMV server.
      Then OMV made several additional search requests and got an empty response.
      It's strange behavior.
      And I got no users in the Users tab.

      Any thoughts on how to do further troubleshooting?
      I don't fully understand how the users are synchronized with AD.
      I guess the first import should create additional users and I should see changes in the files /etc/passwd, /etc/group, /etc/shadow.
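      The nss_map_* lines above change the filter nss_ldap sends, which is why the first search suddenly returned users. As an added illustration (not code from the thread or from the OMV plugin), this script parses those four lines and shows how the posixAccount/uid filter seen in the earlier capture is rewritten into the AD form; the config text and the user name "test" are constructed samples, and the value is escaped per RFC 4515 so that a user name containing filter metacharacters cannot alter the query.

```python
import re

# Constructed sample: the nss_map_* lines quoted in the post above.
LDAP_CONF = """\
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_objectclass posixGroup group
nss_map_attribute uid sAMAccountName
"""

def parse_nss_maps(conf_text):
    """Return ({posix_class: ad_class}, {posix_attr: ad_attr}) from nss_map_* lines."""
    classes, attrs = {}, {}
    for line in conf_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank lines, comments, unrelated options
        if parts[0] == "nss_map_objectclass":
            classes[parts[1]] = parts[2]
        elif parts[0] == "nss_map_attribute":
            attrs[parts[1]] = parts[2]
    return classes, attrs

def escape_filter_value(value):
    """RFC 4515 escaping for a value placed inside a search filter."""
    for ch, esc in (("\\", "\\5c"), ("*", "\\2a"), ("(", "\\28"), (")", "\\29"), ("\0", "\\00")):
        value = value.replace(ch, esc)
    return value

# One simple (attr op value) term of a filter; values never contain parentheses.
_TERM = re.compile(r"\(([A-Za-z][\w-]*)(=|~=|>=|<=)([^()]*)\)")

def translate_filter(ldap_filter, classes, attrs):
    """Rewrite every term: objectClass values go through the objectclass map,
    attribute names through the attribute map; unmapped names pass unchanged."""
    def fix(m):
        attr, op, value = m.group(1), m.group(2), m.group(3)
        if attr.lower() == "objectclass":
            value = classes.get(value, value)
        else:
            attr = attrs.get(attr, attr)
        return f"({attr}{op}{value})"
    return _TERM.sub(fix, ldap_filter)

def ad_filter_for_user(user, conf_text=LDAP_CONF):
    """The nss_ldap user lookup filter from the capture, mapped for AD."""
    classes, attrs = parse_nss_maps(conf_text)
    posix = f"(&(objectClass=posixAccount)(uid={escape_filter_value(user)}))"
    return translate_filter(posix, classes, attrs)

if __name__ == "__main__":
    print(ad_filter_for_user("test"))  # (&(objectClass=user)(sAMAccountName=test))
```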
    • Now, when I try to connect, for example, to the ftp server as my previously defined local user test (which is also defined in AD),
      I get this -
      Dec 5 14:53:56 nsk proftpd: nss_ldap: could not search LDAP server - Server is unavailable
      Dec 5 14:53:56 nsk proftpd: nss_ldap: could not search LDAP server - Server is unavailable
      Dec 5 14:53:56 nsk proftpd: pam_unix(proftpd:auth): authentication failure; logname= uid=0 euid=0 tty=/dev/ftpd14362 ruser=test rhost= user=test
      Dec 5 14:53:56 nsk proftpd: pam_sss(proftpd:auth): Request to sssd failed. Connection refused
      Dec 5 14:54:13 nsk proftpd[14362]: ([]) - USER test (Login failed): Incorrect password

      I don't know why, but the bind goes with the wrong credentials -

      Lightweight Directory Access Protocol
      LDAPMessage bindRequest(1) "<ROOT>" simple
      messageID: 1
      protocolOp: bindRequest (0)
      version: 3
      authentication: simple (0)
      [Response In: 6]

      And when I try to log in as user test to the web interface of OMV, I have success.

    • donh wrote:

      The users may not be showing because the uid are greater than 60,000. You can change that in /etc/login.defs. UID_MAX 33554431. Do the same a few lines below for group.
      Did that.

      I don't know if it helped or not, but now
      - when I run the "getent passwd" command I see only local users
      - when I run the "getent shadow" command I see local users and ldap users
    • I imagine it is the nsswitch.conf config causing this, but according to this code, they should act the same.

      If you aren't using the ldap plugin, then it still might be the nsswitch.conf.
      omv 5.2.3 usul | 64 bit | 5.3 proxmox kernel | omvextrasorg 5.2.1

    • It is exactly the work of nsswitch.conf. When I remove ldap - in front of shadow - then I see no users from ldap.
      And I installed the ldap plugin.

      As I understood, one application can use nsswitch for authentication, another - pam and the pam_ldap module (as for OMV it is the ldap plugin, I guess).
      But how it can be chosen I don't know.
      Now I'm trying to use authentication from ldap for ftp users, and I see that authentication goes through the nss_ldap module - with no success.
      So the target is to choose what OMV (and its parts like proftpd, samba etc.) uses for ldap authentication - nss_ldap or pam_ldap.

      I guess the only way to do it is to remove libnss.