First of all, a big thank you goes out to David for his guide. I know how much work and time it took to break that down into reproducible steps.
Here are my 2 cents for enabling the LDAP plugin:
We assume that the domain name is domain.com and the name of the AD server is adserver.domain.com.
1. Set all the needed parameters on the OMV box: DNS server(s) and domain name (Network parameters) and the workgroup name (SMB/CIFS config), all in lower case letters.
2. Fill in these parameters in the SMB/CIFS extra options:
realm = DOMAIN.COM (upper case letters)
winbind cache time = 3600
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
winbind separator = +
Save and confirm.
3. Edit the hosts file (/etc/hosts) and add an entry for your AD server. Then install nmap (apt-get install nmap) and check whether the LDAP server is reachable on the network:
nmap -p 389 adserver.domain.com
Response:
Starting Nmap ...
Interesting ports on adserver.domain.com (IP address)
PORT    STATE SERVICE
389/tcp open  ldap
MAC Address: xx:xx:xx:xx:xx:xx
Nmap done: 1 IP address (1 host up) scanned ...
This is to make sure that the AD server, the LDAP server we wish to connect to, is up and reachable.
4. Configure the time settings on the OMV box and use a common time source for all systems inside the AD network, e.g. if your router is able to act as an NTP server, configure it and point both the AD server and the OMV box to it. A Windows AD network is very sensitive to time, and a correct time setting is essential for the Kerberos tickets.
5. apt-get install krb5-config krb5-user krb5-clients winbind dnsutils
After apt has pulled the packages, a dialog window opens and asks you for the domain name. If you have set it during step 1, the proposed value should be OK.
(Comment: During the numerous installations I have done, it sometimes happened that the installation of Kerberos did not ask for the domain name. Check that in the /etc/krb5.conf file: the second line should name your domain correctly (only the domain, without the name of the AD server, in upper case letters).)
6. Edit the /etc/krb5.conf file. In my experience the only values you have to set are the domain name in line 2 and the domain_realm section:
[domain_realm]
.domain.com = DOMAIN.COM
domain.com = DOMAIN.COM
and that's it. The realms section can be deleted completely.
7. Install the LDAP plugin from the plugin repository, open it and fill in the values as needed.
Basic knowledge about LDAP and its parameters should be present. If you don't have any clue which values to use for the DN, it is a good idea to install an LDAP browser like Softerra LDAP Browser (free to download and use); you can use it afterwards to check which users and groups are present in the LDAP directory on the server. You have to enter a base DN before you can use the browser; the name is dc=domain,dc=com, and the user name for binding to the LDAP server is something like cn=administrator,cn=users,dc=domain,dc=com (called "principal" in the browser's config; in the LDAP plugin it is the Root Bind DN).
8. Stop the samba and winbind services (service samba stop, service winbind stop).
9. Edit /etc/nsswitch.conf like in David's example. Make these changes permanent by editing /usr/share/openmediavault/mkconf/nsswitch as well.
10. Edit the /usr/share/openmediavault/mkconf/samba.d/15ldap file like in David's example.
(In his guide this is step 3, but I found that this file does not exist on the system before the LDAP plugin is installed.)
11. Start samba and winbind services
Comment: After starting the services I noticed that /etc/samba/smb.conf was not updated completely; the idmap settings still had the old values. So I disabled the LDAP plugin, confirmed, and enabled it again, and now smb.conf is updated.
12. Now it's time to join the domain at the command line of the OMV box:
12.1. kinit administrator (Or any other AD user account with administrative rights you wish to use)
- Enter the password of the user. You may notice that the system asks for the password of administrator@domain.com. If the password is correct, no further messages will appear.
12.2. net ads join -U administrator (If you have forgotten to start the samba service and the SMB/CIFS plugin, you will receive a message that this is only possible for AD member servers.)
- Enter the password. If everything went well, you receive the following messages:
Using short domain name -- DOMAIN
Joined 'DOMAIN' to realm 'domain.com'
DNS update failed! (Don't worry about that: a dynamic DNS update will only happen if you have allowed dynamic DNS updates from every domain member on your AD DNS server.)
To be sure that the OMV box is now part of the domain, you can check whether its name now appears under Computers in the AD Users and Computers MMC, and it is not a bad idea to add an entry for the OMV box in the DNS MMC.
12.3. Now check whether the trust secret is available with wbinfo -t at the command line. During my tests an error sometimes appeared: "checking the trust secret for domain DOMAIN via RPC calls failed". A simple restart of the winbind service solved that.
12.4. Now check whether the system can read the users and groups of the AD with wbinfo -u and wbinfo -g. They should appear immediately.
12.5. Now check the user IDs of the AD users with id -u administrator. This user should have the ID 16777216; this is always the first user, and other users follow with higher IDs. Check with getent passwd that all users are present; at this point you can see the UID and GID of the AD users.
13. The standard settings of the LDAP plugin didn't bring up groups or users on my system; I had to adjust them according to the LDAP names of the AD server (the LDAP browser is useful at this moment, or you can use adsiedit.msc on the AD server). The system log of the AD server showed an error, NO_OBJECT, when using the standard settings OU=Users and OU=Groups.
But even after correcting these settings, users and groups still do not appear. I rebooted the system, still the same.
But they are there and will be displayed! Not in the groups or users overview, but if I edit the ACL of a share, every AD user (and every group) is in the list, and they are displayed immediately after clicking on the ACL button of a share. I can give them rights to write to a share and they can use it.
My conclusion: I don't know if this is a bug in the OMV web GUI or just a weird thing, but the connection to the LDAP directory basically works and I can allow access to the shares for the AD users and groups.
Some additional hints:
To speed up DNS queries on the OMV box when it is under high load, it is a good idea to install nscd together with the other packages at step 5. nscd caches name-service lookups (including DNS) and reduces the load on winbind.
If anything went wrong and the system does not display users or groups when using wbinfo -u or -g and you receive an error, you can reset the status of the OMV box without reinstalling and reconfiguring:
- Stop the winbind and samba services
- Remove the system from the AD using the AD Users and Computers MMC on the AD server
- Delete the samba secrets database (/var/lib/samba/secrets.tdb)
- Start the winbind and samba services
- Start over beginning with kinit administrator at step 12.1
Comments welcome....
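As an added example (my own script, not part of the guide above or of OMV), the following shell helpers bundle the settings from steps 2 and 6 and the join checks from step 12 so they can be generated and verified in one place. It assumes the placeholder names used in this thread (domain.com, adserver.domain.com, the administrator account); the `--apply` branch runs the real kinit / net ads join / wbinfo commands and is only entered when you invoke the script that way, everything else works offline.

```shell
#!/usr/bin/env bash
# Added example for the AD/LDAP join procedure in this thread.
# Assumed placeholders: domain.com, adserver.domain.com, user "administrator".
set -u

# Kerberos realm = DNS domain in upper case; workgroup = its first label.
realm_from_domain() {
    printf '%s\n' "$1" | tr '[:lower:]' '[:upper:]'
}
workgroup_from_domain() {
    realm_from_domain "${1%%.*}"
}

# Emit the SMB/CIFS "extra options" lines from step 2 for a given domain.
smb_extra_options() {
    local domain="$1"
    cat <<EOF
realm = $(realm_from_domain "$domain")
winbind cache time = 3600
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
winbind separator = +
EOF
}

# Emit a minimal /etc/krb5.conf as in step 6: default_realm in upper case plus
# the domain_realm mapping. No [realms] block, so the KDC is found via DNS SRV
# records, which is why the DNS settings from step 1 matter.
krb5_conf() {
    local domain="$1" realm
    realm=$(realm_from_domain "$domain")
    cat <<EOF
[libdefaults]
    default_realm = $realm
    dns_lookup_kdc = true

[domain_realm]
    .$domain = $realm
    $domain = $realm
EOF
}

# Check the default_realm line of an existing krb5.conf (step 5 comment):
# it must be the upper-case domain, not the AD server's host name.
krb5_realm_ok() {
    local conf="$1" domain="$2" realm
    realm=$(printf '%s\n' "$conf" \
        | sed -n 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*//p' | head -n1)
    [ "$realm" = "$(realm_from_domain "$domain")" ]
}

# Classify the output of 'net ads join' (step 12.2). "DNS update failed!" on
# its own is harmless; the join only succeeded if the "Joined ..." line is
# present. Prints the short domain name on success, returns 1 otherwise.
check_join_output() {
    local out="$1" short
    short=$(printf '%s\n' "$out" | sed -n "s/^Joined '\([^']*\)' to realm .*/\1/p")
    [ -n "$short" ] || return 1
    printf '%s\n' "$short"
}

# Live run (step 12): only when called as "./join-check.sh --apply [domain]".
if [ "${1:-}" = "--apply" ]; then
    domain=${2:-domain.com}
    krb5_realm_ok "$(cat /etc/krb5.conf)" "$domain" \
        || { echo "default_realm in /etc/krb5.conf is not $(realm_from_domain "$domain")"; exit 1; }
    kinit administrator
    net ads join -U administrator 2>&1 | tee /tmp/join.log
    short=$(check_join_output "$(cat /tmp/join.log)") || { echo "join failed"; exit 1; }
    echo "joined as $short, checking winbind"
    # Step 12.3: a failed trust check is often cured by restarting winbind.
    wbinfo -t || { service winbind restart; sleep 2; wbinfo -t; }
    # Steps 12.4/12.5: users, groups and the first UID should appear.
    wbinfo -u | head -n 5
    wbinfo -g | head -n 5
    id -u administrator
    getent passwd administrator
fi
```

Run it without arguments to source the helpers (e.g. `smb_extra_options domain.com` or `krb5_conf domain.com > /etc/krb5.conf` after reviewing the output); run it with `--apply` on the OMV box only after steps 1 to 11 are done, since `net ads join` needs the samba service running.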