Disclaimer: This guide is far from perfect. These are the steps I took to connect an OpenMediaVault server to a Windows Server 2012R2 AD/LDAP.
I'm not responsible for any problems you may run into using this guide.
I strongly recommend testing this guide in a virtual test environment before using it on production systems!
So. Donh and I did it and connected OpenMediaVault to a 2012R2 AD/LDAP. Weird thing: the Users page in the web GUI is fucking slow for me; the Groups page is nearly instant. On Donh's installation with a 2008R2 server the Users tab is way faster.
Step-by-step:
1. Enable SSH
2. Enable Samba, set WORKGROUP to 'LOCAL' (when your PDC is DC01.LOCAL.DOMAIN; change it according to your domain structure)
2.1 Extra options for Samba:
realm=DC01.LOCAL.DOMAIN
winbind cache time = 3600
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
winbind separator = +
3. nano /usr/share/openmediavault/mkconf/samba.d/15ldap
3.1 Change Security = User to Security = ads
3.2 Change both IDMAPUID and IDMAPGID from 1000-2000 to 16777216-33554431
4. Install anything that's needed (dnsutils, to be able to use nslookup if needed)
4.1 Configure it according to your situation. You will most likely fill in the IP/hostname of your PDC/DC every time!
5. Install openmediavault-ldap and configure it like you would normally. (See attachment: ldap_settings, change according to your structure!)
6. Apply everything in the GUI. Leave the GUI untouched after that! Otherwise the following changes will get reverted!
7. Edit /etc/nsswitch.conf to look like the following:
passwd: files winbind ldap
group: files winbind ldap
shadow: files winbind ldap
hosts: files dns mdns4_minimal [NOTFOUND=return] mdns4
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
8. Restart samba and winbind
9. Add the following to your /etc/hosts file (REMEMBER: Change according your needs!)
10. Edit /etc/krb5.conf
10.1 Remove all dummy domains
10.2 add the following to the config file under [domain_realm] (CHANGE ACCORDING TO YOUR NEEDS!)
10.3 The whole file should look like this:
[libdefaults]
default_realm = DC01.LOCAL.DOMAIN
# The following krb5.conf variables are only for MIT Kerberos.
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
# The following encryption type specification will be used by MIT Kerberos
# if uncommented. In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
#
# The only time when you might need to uncomment these lines and change
# the enctypes is if you have local software that will break on ticket
# caches containing ticket encryption types it doesn't know about (such as
# old versions of Sun Java).
# default_tgs_enctypes = des3-hmac-sha1
# default_tkt_enctypes = des3-hmac-sha1
# permitted_enctypes = des3-hmac-sha1
# The following libdefaults parameters are only for Heimdal Kerberos.
v4_instance_resolve = false
v4_name_convert = {
host = {
rcmd = host
ftp = ftp
}
plain = {
something = something-else
}
}
fcc-mit-ticketflags = true
[realms]
10.0.15.1 = {
kdc = 10.0.15.1
admin_server = 10.0.15.1
}
[domain_realm]
.local.domain = LOCAL.DOMAIN
local.domain = LOCAL.DOMAIN
[login]
krb4_convert = true
krb4_get_tickets = false
11. Check (with `date` on the CLI, not in the web interface!) that the time on your OpenMediaVault box is in sync with the time of your PDC!
12. Execute the following command; that's the first step where you will most likely run into errors!
13. Join the fucking AD/LDAP.
13.1. If that doesn't work, you can specify the exact hostname of the PDC.
14. Check if winbind can access your AD/LDAP
14.1. Check if winbind can access Users and groups from the LDAP
14.2. nano /etc/login.defs and change UID_MAX and GID_MAX as follows. Then you might need to run ldconfig.
UID_MIN 1000
UID_MAX 33554431
# System accounts
#SYS_UID_MIN 100
#SYS_UID_MAX 999
#
# Min/max values for automatic gid selection in groupadd
#
GID_MIN 1000
GID_MAX 33554431
15. Check if OpenMediaVault can access it (you should see your OpenMediaVault users AND your AD users).
16. Check the Groups page in the web interface (this was nearly instant for both Donh and me).
17. Check the Users page in the web interface. (This was different for Donh (Windows Server 2008R2) and me (Windows Server 2012R2); mine was slow as hell, so maybe it times out for you; if so, open the Users page again.)
18. To check for things I might have missed, here is my whole smb.conf:
#======================= Global Settings =======================
[global]
workgroup = LOCAL
server string = %h server
include = /etc/samba/dhcp.conf
dns proxy = no
log level = 0
syslog = 0
log file = /var/log/samba/log.%m
max log size = 1000
syslog only = yes
panic action = /usr/share/samba/panic-action %d
encrypt passwords = true
passdb backend = tdbsam
obey pam restrictions = yes
unix password sync = no
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
pam password change = yes
socket options = TCP_NODELAY IPTOS_LOWDELAY
guest account = nobody
load printers = no
disable spoolss = yes
printing = bsd
printcap name = /dev/null
unix extensions = yes
wide links = no
create mask = 0777
directory mask = 0777
use sendfile = yes
aio read size = 16384
aio write size = 16384
null passwords = no
local master = yes
time server = no
wins support = no
realm=DC01.LOCAL.DOMAIN
winbind cache time = 3600
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
winbind separator = +
#======================= LDAP Settings =======================
security = ads
passdb backend = ldapsam:ldap://10.0.15.1:389
ldap suffix = dc=local,dc=domain
ldap admin dn = cn=administrator,dc=local,dc=domain
ldap user suffix = ou=Users
ldap group suffix = ou=Groups
ldap ssl = off
ldap passwd sync = yes
ldapsam:trusted = no
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
#======================= Share Definitions =======================
18.1 /etc/hosts
# This configuration file is auto-generated.
# WARNING: Do not edit this file, your changes will be lost.
127.0.0.1 localhost
127.0.1.1 openmediavault.local openmediavault
# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts
10.0.15.2 openmediavault.local openmediavault
10.0.15.1 dc01.local dc01
10 hours. And I'm not satisfied with how it works here. Donh and I are unsure why it's so slow for me. Hardware is out of the question. Donh's configs are a bit different from mine; he will post them later.
Nuff said.
Greetings
David
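Added example (editor's addition, not code from David's post or from the OpenMediaVault project): the join-and-verify sequence behind steps 11 to 15 written out with the standard Samba and MIT Kerberos tools (`net time`, `kinit`, `net ads join`, `wbinfo`, `getent`), preceded by three offline sanity checks for the things that most often make `net ads join` fail: clock skew beyond the 5-minute Kerberos default, `nsswitch.conf` not routing `passwd`/`group` through winbind, and `smb.conf` not having `security = ads` with the right `realm`. Everything here is assumed rather than taken from the post: the AD DNS domain / Kerberos realm `LOCAL.DOMAIN`, the DC `dc01.local.domain`, the join account `administrator`, and the package names. One caveat the check encodes: smb.conf(5) defines `realm` as the Kerberos realm, which is normally the AD domain name in upper case, whereas the posted smb.conf sets `realm=DC01.LOCAL.DOMAIN` (the DC's hostname) while krb5.conf maps the domain to `LOCAL.DOMAIN`; the check below rejects the posted value so you can confirm which one your setup really needs. A second caveat from the posted config: with `ldap ssl = off` and `ldap admin dn = cn=administrator,...` on port 389, any simple bind Samba does with that DN crosses the network unencrypted.

```shell
#!/bin/sh
# Added example, not part of the original post. Offline checks run always;
# the live join/verify sequence only runs when invoked with --join.
# ASSUMED values (not stated in the post); adjust to your structure.
REALM="LOCAL.DOMAIN"          # Kerberos realm = AD DNS domain, upper case
DC="dc01.local.domain"        # the DC at 10.0.15.1 in the post's /etc/hosts
JOIN_USER="administrator"     # account used for the join
IDMAP_MIN=16777216            # lower bound of the idmap range from step 3.2
MAX_SKEW=300                  # MIT krb5 default clockskew: 5 minutes

# check_skew LOCAL_EPOCH DC_EPOCH -> 0 when the clocks are within MAX_SKEW seconds.
check_skew() {
    skew=$(( $1 - $2 ))
    [ "$skew" -lt 0 ] && skew=$(( 0 - skew ))
    [ "$skew" -le "$MAX_SKEW" ]
}

# check_nsswitch < nsswitch.conf -> 0 when passwd and group both list winbind,
# i.e. getent (and so OMV's Users/Groups pages) can resolve AD accounts.
check_nsswitch() {
    conf=$(cat)
    for db in passwd group; do
        sources=$(printf '%s\n' "$conf" | sed -n "s/^${db}:[[:space:]]*//p" | head -n 1)
        ok=1
        for src in $sources; do
            [ "$src" = winbind ] && ok=0
        done
        [ "$ok" -eq 0 ] || return 1
    done
    return 0
}

# check_smbconf < smb.conf -> 0 when "security = ads" and realm equals REALM
# (case-insensitive; "realm=X" without spaces, as in the post, is accepted).
check_smbconf() {
    conf=$(cat)
    sec=$(printf '%s\n' "$conf" | sed -n 's/^[[:space:]]*security[[:space:]]*=[[:space:]]*//p' | head -n 1 | tr -d ' \t')
    rlm=$(printf '%s\n' "$conf" | sed -n 's/^[[:space:]]*realm[[:space:]]*=[[:space:]]*//p' | head -n 1 | tr -d ' \t')
    [ "$(printf '%s' "$sec" | tr 'A-Z' 'a-z')" = ads ] || return 1
    [ "$(printf '%s' "$rlm" | tr 'a-z' 'A-Z')" = "$REALM" ]
}

# Steps 11 to 15 against the live DC (needs samba, winbind, krb5-user).
join_and_verify() {
    # Step 11: both clocks side by side; "net time" reads the DC's clock over SMB.
    echo "local: $(date)"
    echo "dc:    $(net time -S "$DC")"
    # Step 12: get a TGT. Wrong krb5.conf, DNS or clock skew shows up here first.
    kinit "${JOIN_USER}@${REALM}" || return 1
    # Step 13 / 13.1: join via DNS discovery, falling back to the pinned DC.
    net ads join -U "$JOIN_USER" || net ads join -S "$DC" -U "$JOIN_USER" || return 1
    # Step 14 / 14.1: winbind's trust secret, then users and groups via winbind.
    wbinfo -t || return 1
    wbinfo -u | head -n 5
    wbinfo -g | head -n 5
    # Step 15: NSS resolution; AD accounts should appear with UIDs in the idmap range.
    getent passwd | awk -F: -v min="$IDMAP_MIN" '$3 >= min' | head -n 5
}

if [ "${1:-}" = "--join" ]; then
    check_smbconf  < /etc/samba/smb.conf || { echo "smb.conf: security/realm wrong" >&2; exit 1; }
    check_nsswitch < /etc/nsswitch.conf  || { echo "nsswitch.conf: winbind missing" >&2; exit 1; }
    join_and_verify
fi
```

Run it without arguments to load only the offline checks (for instance `check_nsswitch < /etc/nsswitch.conf; echo $?`), and with `--join` to perform the actual join. The clock check takes epoch seconds so you can compare `date +%s` against the DC's value by hand; the 300-second limit is MIT Kerberos' default `clockskew`, which is why step 11 matters before step 12.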