• First of all, a big thank you goes out to David for his guide. I know what a lot of work and time it took to break that down into reproducible steps.


    Here are my 2 cents for enabling LDAP plugin:
    We assume that the domain name is domain.com and the name of the AD server is adserver.domain.com


    1. Set all the needed parameters on the OMV box like DNS server(s), domain name (Network parameters) and workgroup name (SMB/CIFS config) in lower case letters.


    2. Fill in these parameters into the SMB/Cifs extra options:
    realm=DOMAIN.COM (Upper case letters)
    winbind cache time = 3600
    winbind enum users = yes
    winbind enum groups = yes
    winbind use default domain = yes
    winbind separator = +
    Save and confirm.


    3. Edit the host file (/etc/hosts) and add an entry for your AD server


    3. Install nmap (apt-get install nmap) and check if the LDAP server is available on the network:
    nmap -p 389 ADserver.domain.com
    Response:
    Starting nmap...
    Interesting ports on ADserver.domain.com (IP-Address)
    PORT STATE-SERVICE
    389/tcp open ldap
    MAC Adress: xxxxxxxxx
    NMAP done: 1IP address (1 host up) scanned....
    This is to make sure that the ADserver, the LDAP server we wish to connect to, is up and available.


    4. Configure the time settings on the OMV box, use a common time source for all systems inside the AD network. I.e. if your router is able to act as an NTP server, configure it and point the AD server and the OMV box to it. A Windows AD network is very sensitive to time and a correct time setting is very important for the Kerberos tickets.


    5. apt-get install krb5-config krb5-user krb5-clients winbind dnsutils
    After apt has pulled the packages a dialog window opens and asks you for the domain name. If you have set it during step 1 the assumed value should be ok.
    (Comment: During the numerous installations I have done it sometimes happened that the installation of Kerberos did not ask for the domain name. Check that out in the /etc/krb5.conf file, the second line should name your domain correctly (Only the domain without the name of the AD server in uppercase letters)).


    6. Edit the /etc/krb5.conf file. In my experience the only values you have to set are the domain name in line 2 and the domain_realm.
    [domain_realm]
    .domain.com = DOMAIN.COM
    domain.com = DOMAIN.COM
    and that's it. The realms-section can be deleted completely.


    7. Install the LDAP-plugin from the plugin repository, open it and fill in the value as needed.
    Basic knowledge about LDAP and its parameters should be present and if you don't have any clue which values to use for the DN, it is a good idea to install an LDAP browser like Softerra LDAP browser (Download and use for free) and you can use it afterwards to control which users and groups are present in the LDAP directory on the server. You have to enter a base DN too before you can use the browser, the names are dc=domain,dc=com and the user name for registering at the LDAP server is something like cn=administrator,cn=users,dc=domain,dc=com (Called principal in the browser's config, in the LDAP plugin it is the Root Bind DN).


    8. Stop the services samba and winbind (service samba stop).


    9. Edit /etc/nsswitch.conf like in David's example. Make these changes permanent by editing /usr/share/openmediavault/mkconf/nsswitch as well.


    10. Edit the /usr/share/openmediavault/mkconf/samba.d/15ldap file like in David's example.
    (In his guide this is step number 3, but I found that this file does not exist on the system before the LDAP plugin is installed)


    11. Start samba and winbind services
    Comment: After the start of the services I have noticed that the /etc/samba/smb.conf was not updated completely, the idmap settings had the old values. So I disabled the LDAP plugin, confirmed and enabled it again; now the smb.conf is updated.


    12. Now it's time to join the domain at the command line of the OMV box:


    12.1. kinit administrator (Or any other AD user account with administrative rights you wish to use)
    - Enter the password of the user; you may notice that the system asks for the password of administrator@domain.com. If the password is correct, no further comments will appear.


    12.2. net ads join -U administrator (If you have forgotten to start samba service and the SMB/CIFS plugin, you will receive a message that this is only possible for AD member servers)
    - Enter the password; if everything went well you receive the following messages:
    Using short domain name -- DOMAIN
    Joined 'DOMAIN' to realm 'domain.com'
    DNS update failed! (Don't worry about that, a DNS update (This is a dynamic one) will only happen if you have allowed dynamic DNS updates from every domain member on your AD DNS Server.) To be sure that the OMV box is now a part of the domain you can check if its name now appears under computers in the AD users and groups MMC and it is not a bad idea to add an entry for the OMV box in the DNS MMC.


    12.3 Now check if the trust secret is available with wbinfo -t at the command line. During my tests sometimes an error appears, checking the trust secret for domain DOMAIN via RPC calls failed. A simple restart of the winbind service solved that.


    12.4 Now check if the system can read the users and groups of the AD with wbinfo -u and -g. They should appear immediately.


    12.5 Now check the user IDs of the AD users with id -u administrator. This user should have the id 16777216, this is always the first user. Other users follow with higher IDs. Check with getent passwd the presence of all users, at this point you can see the user UID and group GID of the AD users.


    13. The standard settings of the LDAP plugin didn't bring up groups or users on my system, I had to adjust that according to the LDAP names of the AD server (The presence of the LDAP browser is useful at this moment, or you can use adsiedit.msc on the AD server). The system log of the AD server showed an error, NO_OBJECT when using the standard settings OU=Users and OU=Groups.
    But even after correcting these settings users and groups still do not appear. I rebooted the system, still the same.


    But they are there and will be displayed! Not in the groups or user overview, but if I edit the ACL of a share, every AD user (And every group) is in the list and they will be displayed immediately after clicking on the ACL button of a share. I can give them rights to write to a share and they can use it.


    My conclusion: I don't know if this is a bug in the OMV web gui or just a weird thing, but the connection to the LDAP directory basically works and I can allow access for the shares for the AD users and groups.


    Some additional hints:
    To speed up DNS queries on the OMV box if it is under high load it is a good idea to install nscd together with the other packages at step 5. Nscd caches DNS queries and reduces the load of winbind.


    If anything went wrong and the system does not display users or groups when using wbinfo -u or -g and you receive an error, you can reset the status of the OMV box without reinstalling and reconfiguring:
    Stop winbind and samba services
    remove the system from the AD using the AD users and groups MMC on the AD server
    delete the samba secrets database (/var/lib/samba/secrets.tdb)
    start winbind and samba services
    start over beginning with kinit administrator at step 12.1


    Comments welcome....

    Homebox: Bitfenix Prodigy Case, ASUS E45M1-I DELUXE ITX, 8GB RAM, 5x 4TB HGST Raid-5 Data, 1x 320GB 2,5" WD Bootdrive via eSATA from the backside
    Companybox 1: Standard Midi-Tower, Intel S3420 MoBo, Xeon 3450 CPU, 16GB RAM, 5x 2TB Seagate Data, 1x 80GB Samsung Bootdrive - testing for iSCSI to ESXi-Hosts
    Companybox 2: 19" Rackservercase 4HE, Intel S975XBX2 MoBo, C2D@2200MHz, 8GB RAM, HP P212 Raidcontroller, 4x 1TB WD Raid-0 Data, 80GB Samsung Bootdrive, Intel 1000Pro DualPort (Bonded in a VLAN) - Temp-NFS-storage for ESXi-Hosts
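    The case rules in steps 1, 2 and 6 above (DNS name and workgroup in lower case, Kerberos realm in upper case) are easy to get wrong by hand. The following shell functions are an added example, not part of the post: they derive the SMB/CIFS extra options and a minimal /etc/krb5.conf from one domain name, and check an existing krb5.conf against it. They assume a POSIX sh with tr, cut, grep and mktemp, and use the constructed domain name domain.com from the post.

```shell
#!/bin/sh
# Added example (not from the forum post). Derives the Kerberos realm and
# Samba winbind settings from a DNS domain name so the case rules are applied
# consistently: lower case for DNS/workgroup, UPPER CASE for the realm.

# Print the Kerberos realm (upper case) for a DNS domain, e.g. DOMAIN.COM.
realm_of() { printf '%s' "$1" | tr '[:lower:]' '[:upper:]'; }

# Print the short workgroup name: first label of the domain, lower case.
workgroup_of() { printf '%s' "$1" | cut -d. -f1 | tr '[:upper:]' '[:lower:]'; }

# Print the SMB/CIFS "extra options" from step 2 for the given domain.
smb_extra_options() {
  printf 'realm = %s\n' "$(realm_of "$1")"
  printf 'winbind cache time = 3600\n'
  printf 'winbind enum users = yes\n'
  printf 'winbind enum groups = yes\n'
  printf 'winbind use default domain = yes\n'
  printf 'winbind separator = +\n'
}

# Print a minimal krb5.conf: default_realm plus the [domain_realm] mapping
# from step 6 (both the ".domain" suffix form and the bare domain).
krb5_conf() {
  realm=$(realm_of "$1")
  printf '[libdefaults]\n\tdefault_realm = %s\n\n' "$realm"
  printf '[domain_realm]\n\t.%s = %s\n\t%s = %s\n' "$1" "$realm" "$1" "$realm"
}

# Check an existing krb5.conf: default_realm must be the upper-case realm and
# [domain_realm] must map both forms of the domain to it. Returns 0 when ok.
check_krb5_conf() {
  file=$1; domain=$2; realm=$(realm_of "$domain")
  grep -q "default_realm = $realm\$" "$file" \
    || { echo "default_realm is not $realm (check the case)" >&2; return 1; }
  grep -q "^[[:space:]]*\.$domain = $realm\$" "$file" \
    || { echo "missing .$domain = $realm in [domain_realm]" >&2; return 1; }
  grep -q "^[[:space:]]*$domain = $realm\$" "$file" \
    || { echo "missing $domain = $realm in [domain_realm]" >&2; return 1; }
  return 0
}

# Usage: sh thisfile.sh domain.com  -> prints both config fragments.
if [ -n "${1:-}" ]; then
  smb_extra_options "$1"; echo; krb5_conf "$1"
fi
```

    Run check_krb5_conf /etc/krb5.conf domain.com after step 6; a lower-case realm, the most common slip, is reported on stderr and the function returns 1.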

    • Official post

    To get users to show in web ui edit as follows.



    Might need to ldconfig after, can't remember.


    Replies should be made to David's post since it has its own thread now.

  • Boah....where did you dig out this config change? However, that did the trick and the users and groups appear. Thanks a lot!
    A simple logout and login was sufficient.


    And for the other thread: I didn't want to hijack David's guide, so I decided to put it in this one.


    • Official post

    The post David wrote was based on these bug trackers. There are a few tips that may be useful too. I just never seem to have time to make the patches. For a long time no one seemed interested and it was working for me. So I left it on the back burner. Glad to see the interest building.


    http://bugtracker.openmediavault.org/view.php?id=707


    http://bugtracker.openmediavault.org/view.php?id=487


    What version of server are you on? Does it seem fast or slow?


    As for what thread was hijacked, I think it was this one. Lol


    OP endstile did you ever get this going?

  • Quote from "donh"

    The post David wrote was based on these bug trackers. There are a few tips that may be useful too. I just never seem to have time to make the patches. For a long time no one seemed interested and it was working for me. So I left it on the back burner. Glad to see the interest building.


    Oh Don, shame on me, ashes on my head. You have pointed the changes of login.def out about a year ago and I have overlooked that.

    Quote from "donh"

    What version of server are you on? Does it seem fast or slow?


    Like David I took the men's way and use 2012 R2 datacenter. ;) I chose this server version intentionally because I have to get into it, I want to update the company's AD servers in the near future and this was a good opportunity to learn a lot. And I am on the way to set up our firewalls to pull users via LDAP from the AD servers for user authentication for proxy use so configuring this LDAP plugin was another good opportunity.
    The users and groups are displayed immediately after clicking on them in the web gui, no delay.

    Quote from "donh"

    As for what thread was hijacked, I think it was this one. Lol


    :)
    You are right, but David's guide is pinned and I didn't want to add more scatter to it.

    Quote from "donh"

    OP endstile did you ever get this going?


    No more reaction on seven pages until it starts....that's not that much.


  • Well, there are some differences in the configs, I believe. My testbed is running on ESXi on a pretty beefy server hardware, but I do not believe that hardware power matters at this point.


    Actually I'm wondering what really happens on the OMV box now. Is it really an LDAP query which fills the user and group fields? I am in doubt because I have restricted the search scope in the directory plugin to a special user-OU and a special group-OU. Both have members, but only a few, and the user and group views are showing every AD user and group.
    So I believe that the user and group views are filled by winbind and it uses the LDAP protocol, I can see that in the logs on the AD server and the defined LDAP search scopes are not used.


    As tekk has pointed out the directory plugin is able to pull users from an OpenLDAP server without the use of winbind, so I believe we have two different things. I think I'm gonna set up another box with LDAP only and check if I can query users from an AD server, this should be possible without being a domain member. And a second box without LDAP but with winbind and see what is going on.


  • I've a frickin i7-4770K here... With all virtualization extensions activated! The hardware power should not cause this.


    Greetings
    David

    "Well... lately this forum has become support for everything except omv" [...] "And is like someone is banning Google from their browsers"


    Only two things are infinite, the universe and human stupidity, and I'm not sure about the former.

    Upload Logfile via WebGUI/CLI
    #openmediavault on freenode IRC | German & English | GMT+1
    Absolutely no Support via PM!

  • Quote from "donh"

    Datadiger when you restricted the ou did getent passwd show all the users too? In smb.conf we tell it to get users from winbind.


    Sorry boys, I'm out of the race until next Thursday, a bad cold has caught me. Will give the answers when I'm back.

    Quote from "donh"

    I doubt it is hardware slowing David down too. Maybe some others will report their speed. Mine is fast to an old opteron and a proxmox vm.


    That's what I said, the hardware doesn't matter at this point.


  • Thank you!
    Still getting better and I have lots of time to think about LDAP. :D


    • Official post

    Welcome to the forum

    This thread has been idle since 2014. I don't really understand your question. As far as I know OMV only works on Debian. The iso will install Debian or you can install it on an existing Debian server without a graphic user interface.


    It is best to start a new thread or search for installing on Ubuntu.
