Active Directory / LDAP Revisited

donh · Apr 1st 2017

This is early stage of testing only. Use at your own risk. Your mileage may vary.

Update 9/2019 The script works on OMV 3, 4 and 5. With windows server 2008, 2012 and 2016. Maybe others?

Seems to be quite a few threads about this over the years. I have had it working for years but it seems to be quite tricky. With 3.0 coming I decided to look at it again. I did not test against 2.x but it may work as well. I started clean and found something I had not seen before, sssd. It seems to do both AD and other ldap well. I only have a 2008 server to test with so please test other variants if you are interested. I test this in a proxmox vm against a 2008 sbs server with only a few users. I am pasting my notes and hope they are readable.
I start with a clean install from the iso of a few days ago.

Code

OMV 3 beta AD integration
Active directory lives on DNS, i.e. you must have DNS working before 
trying to use AD. In my opinion the best thing to do is use dhcp and set a reservation.
If dns does not work you need to jump threw hoops to make things work!
Links
https://wiki.ubuntu.com/Enterprise/Authentication/sssd
https://help.ubuntu.com/lts/serverguide/sssd-ad.html#sssd-ad-test
Plus a lot more googleing
Install iso
apt-get update
apt-get dist-upgrade ## Upgrade from the webui fails with dependabcy issue
reboot		## end up with 4.9 kernel because using # jessie-updates, previously known as 'volatile'
								deb http://ftp.us.debian.org/debian/ jessie-updates main contrib non-free
								deb-src http://ftp.us.debian.org/debian/ jessie-updates main contrib non-free
omv-initsystem
Configure smb and enable. Setup share
Fix login.defs
nano /etc/login.defs
Add to smb/cifs extra options
#Extra Options
client signing = yes
client use spnego = yes
kerberos method = secrets and keytab
password server = mustang.example.com
realm = example.COM
security = ads
nano /etc/sssd/sssd.conf
[sssd]
services = nss, pam, pac
config_file_version = 2
domains = example.COM
[domain/example.COM]
id_provider = ad
access_provider = ad
auth_provider = ad
chpass_provider = ad
ldap_idmap_default_domain = example.com
ldap_idmap_autorid_compat = True
#ldap_id_mapping = True
#ldap_schema = ad
# Enumeration is discouraged for performance reasons.
enumerate = true
#ldap_idmap_range_min = 20000
#ldap_idmap_range_max = 60000
ldap_schema = rfc2307bis
#ldap_access_order = expire
#ldap_account_expire_policy = ad
#ldap_force_upper_case_realm = true
#ldap_user_search_base = dc=example,dc=com
#ldap_group_search_base = dc=example,dc=com
#ldap_user_object_class = user
#ldap_user_name = sAMAccountName
#ldap_user_fullname = displayName
#ldap_user_home_directory = unixHomeDirectory
#ldap_user_principal = userPrincipalName
#ldap_group_object_class = group
#ldap_group_name = sAMAccountName
ldap_id_mapping = True
# Use this if users are being logged in at /.
# This example specifies /home/DOMAIN-FQDN/user as $HOME.  Use with pam_mkhomedir.so
override_homedir = /home/%d/%u
# Uncomment if the client machine hostname doesn't match the computer object on the DC.
# ad_hostname = mymachine.example.com
# Uncomment if DNS SRV resolution is not working
# ad_server = dc.mydomain.example.com
# Uncomment if the AD domain is named differently than the Samba domain
# ad_domain = example.COM
chmod 0600 /etc/sssd/sssd.conf
apt-get install krb5-user samba sssd ntp libpam-sss libnss-sss sssd-tools libsss-sudo libsasl2-modules-gssapi-mit  ldap-utils  
nano /etc/nsswitch     ###move dns up in hosts not sure why that needs to be done
hosts:          files dns mdns4_minimal [NOTFOUND=return]
Join the AD
kinit donadmin
net ads join -k
getent passwd	Should show ad users
getent group	Should show ad groups
Go to shared folders. The AD users and groups under acl
One issue is sssd has an issue with restarting if id changes db causes failed start. Work around is 
systemctl stop sssd.service && rm /var/lib/sss/db/* && systemctl start sssd.service
Another is to use the name of the share not its ip address, Another reason for getting dns right

Display More

The ultimate goal is to get sssd into the code or at least as a plugin. Another useful tool may be realmd, I have not tried that yet.

I hope this is of interest to others.

Added a script here. script post

donh · Apr 1st 2017

Forgot to mention the users and groups don't show in the web ui under access rights. They are there under acl were it counts. Anybody know were in the code the users get displayed?

subzero79 · Apr 2nd 2017

I think for normal users it will parse passwd file populating only users with a uid higher that 1000

I think this is the function i will parse all users

https://github.com/openmediava…ediavault/system/user.inc

then they will get filtered by type depending on the parameters.

https://github.com/openmediava…ned/rpc/usermgmt.inc#L138

donh · Apr 2nd 2017

Thanks for the reply. I can't see why the users would not show. Is there a limit other than /etc/login.defs. I raised that way high.

test:*:201163:200513:Test:/home/exanple.COM/test:

The uid is 201163, gid is 200513 is that causing them to be ignored in the webui? Any way they show up under acl.

donh · Apr 5th 2017

Got users showing. in /etc/sssd/sssd.conf

Code

ldap_idmap_range_min = 20000
#to hide computer names that show as users
ldap_user_search_base = OU=SBSUsers,OU=Users,OU=MyBusiness,DC=example,DC=com

With those changes you don't need to edit login.defs.

donh · Apr 6th 2017

Simplified instructions.

Code

Install and upgrade to latest


Setup nsswitch.conf if needed. Move dns up


Setup SMB/CIFS


In extra options 


#Extra Options
client signing = yes
client use spnego = yes
kerberos method = secrets and keytab
password server = mustang.example.com
realm = EXAMPLE.COM
security = ads


apt-get install krb5-user krb5-config sssd libpam-sss libnss-sss sssd-tools libsss-sudo libsasl2-modules-gssapi-mit


nano /etc/sssd/sssd.conf[sssd]

Display More

Code: /etc/sssd/sssd.conf

[sssd]
services = nss, pam, pac, ssh
config_file_version = 2
domains = EXAMPLE.COM


[domain/EXAMPLE.COM]
id_provider = ad
access_provider = ad
auth_provider = ad
chpass_provider = ad


#ldap_schema = rfc2307bis
#ldap_schema = ad


ldap_idmap_autorid_compat = True


# Enumeration is discouraged for performance reasons.
# OMV needs True to show users in ui and acl
enumerate = True
# timeout (integer)     #### The default value for this parameter is 10 seconds.


# This get the users in range to show in UI and ACL
ldap_idmap_range_min = 20000
# ldap_idmap_range_max = 60000    ### Does not seem to work 
#                                ### Causes not able to start


# If unneeded users or other objects show.
# Use "dsquery user -name * "  to see on windows with powershell
#ldap_user_search_base = OU=SBSUsers,OU=Users,OU=MyBusiness,DC=example,DC=com
# ldap_user_search_base = CN=Users,DC=example,DC=com


# Use this if users are being logged in at /.  OMV does this. Otherwise not tested
# This example specifies /home/DOMAIN-FQDN/user as $HOME.  Use with pam_mkhomedir.so
#override_homedir = /home/%u




#ldap_user_email = email  # Could this fill the email field? might not be in this version
#ldap_user_search_base = dc=example,dc=com
#ldap_group_search_base = dc=example,dc=com
#ldap_user_object_class = user
#ldap_user_name = sAMAccountName
#ldap_user_fullname = displayName                ### Seems to be maps to comment in OMV?
#ldap_user_home_directory = unixHomeDirectory
#ldap_user_principal = userPrincipalName
#ldap_group_object_class = group
#ldap_group_name = sAMAccountName                ### Seems to be maps to Name in OMV?




# Unused options


#ldap_idmap_default_domain = example.com
#ldap_id_mapping = True


#default_domain_suffix = example.com


#ldap_access_order = expire
#ldap_account_expire_policy = ad
#ldap_force_upper_case_realm = true


#ldap_user_search_base = dc=example,dc=com
#ldap_group_search_base = dc=example,dc=com
#ldap_user_object_class = user
#ldap_user_name = sAMAccountName
#ldap_user_fullname = displayName
#ldap_user_home_directory = unixHomeDirectory
#ldap_user_principal = userPrincipalName
#ldap_group_object_class = group
#ldap_group_name = sAMAccountName


# ldap_id_mapping = True


# Uncomment if the client machine hostname doesn't match the computer object on the DC.
# ad_hostname = mymachine.EXAMPLE.com


# Uncomment if DNS SRV resolution is not working
# ad_server = dc.mydomain.example.com


# Uncomment if the AD domain is named differently than the Samba domain
# ad_domain = EXAMPLE.COM


# filter_groups = 




# For other options see "man sssd.conf"
# https://jhrozek.wordpress.com/2015/03/11/anatomy-of-sssd-user-lookup/


chmod 0600 /etc/sssd/sssd.conf


kinit administratorn


net ads join -k


reboot


getent passwd

Display More

Code

chmod 0600 /etc/sssd/sssd.conf


kinit administrator


net ads join -k


reboot


getent passwd

Display More

Please test this against other directory services.

Thanks

donh · Apr 27th 2017

Good news bad news, Votdev looks to add it. Bad news targeted for 4.0. bugtracker I guess I should have looked at this earlier, sorry. There are 2 plugins now that could be combined by doing this or eliminated. Simplifying everything, a major goal of OMV.

So I guess we will need a plugin. Unfortunately that is above my skill level. It should be fairly easy to do. Install a few apt packages and and gather some info for smb.conf and sssd.conf. I can probably help write a script to get some of the info if it is available.

So 400 views and only 1 other comment. Does anyone care about this feature? Has anyone tested other ldap or active directory servers?

Thanks

vshaulsk · Apr 27th 2017

I would really like to have this functionality since right now I have to create users twice. Once in my Zentyal AD and once on OMV.

In my test VM, I have tried to follow instructions on how to join an active directory...... unfortunately it failed
Probably something I did, but unfortunately I don't have much time to go through and figure it out.

I will however be no help creating this plugin, since that is way above my skill set.

ryecoaaron · Apr 27th 2017

Quote from donh

Does anyone care about this feature? Has anyone tested other ldap or active directory servers?

Looks interesting. Now that I know more about ldap and sssd, I could look into a bit more. If you could create a list of fields you would like to see in the plugin with their data type and default value (optional), that would help me greatly.

Just a warning... I have no way to test AD nor do I want to mess with anything Windows related. Just ldap on my end If it works with AD, great.

donh · Apr 27th 2017

I will get some info to you about ad at least as of 2008 sbs and maybe a script. AD relies heavily on dns. If it is correctly setup it could be filled in automatically. I did look for a "sample" sssd.conf file that would have all the options, but never found one. Probably need to read the man pages for that. I did document some above. Are there others needed for other types?

For other directories I would search for sssd and whatever ldap server you use.

The goal is not to manage the directory from OMV, but only to use users and groups for permissions. That keeps it simple.

donh · Apr 28th 2017

First installment. There are 2 files that are already in use by OMV and they need to be dealt with appropriately, smb.conf and nsswitch.conf. They were sometimes modified by saving changes. Not sure that is still the case. Below are what I needed to add to smb.conf for a 2008 sbs server. I just add them to the extra options of SMB/CIFS. They seem to survive settings updates.

###########
Install and upgrade to latest

Not sure if this step is just my setup. nsswitch needs to get things from dns for AD
The sssd apt install adds entries for itself

Setup nsswitch.conf if needed. Move dns up in the order.

apt-get install krb5-user krb5-config
## will get settings from dns and might ask if not available there.
## Would that popup from the install? Could it?

Setup SMB/CIFS

In extra options

#Extra Options
client signing = yes
client use spnego = yes
kerberos method = secrets and keytab
password server = mustang.example.com ## needed ??
realm = EXAMPLE.COM ## could be extracted from /etc/krb.conf with script

security = ads ## SECURITY = AUTO This is the default security setting
## in Samba, and causes Samba to consult the server role
## parameter (if set) to determine the security mode.
## See man page options user, ads, domain,
## Will test this later.

apt-get install sssd libpam-sss libnss-sss sssd-tools libsss-sudo libsasl2-modules-gssapi-mit

nano /etc/sssd/sssd.conf
[sssd]

To be continued

Will do more for sssd conf later.

Thanks.

donh · Apr 28th 2017

Quote from vshaulsk

I would really like to have this functionality since right now I have to create users twice. Once in my Zentyal AD and once on OMV.

In my test VM, I have tried to follow instructions on how to join an active directory...... unfortunately it failed
Probably something I did, but unfortunately I don't have much time to go through and figure it out.

I will however be no help creating this plugin, since that is way above my skill set.

Display More

What version is your Zentyal? Do you have support? When you tried did you get errors, what were they. Do you like Zentyal? It looks interesting, might try it in a vm.

ParadingLunatic · May 11th 2017

Honestly I would love to see this feature. I'm not using it in a corp environment but I am at home. I have a small AD setup at home using Server 2016 and while testing with OMV in a VM (not using my primary OMV system), this worked nicely. It would be great as a plugin as I initially attempted with the LDAP plugin and it just seemed like there was a lot of old info that didn't work with my OMV3 setup. I'm mainly doing this because I want an AD system to make maintaining/etc the numerous systems I have in my easier. It would be nice to have one place to add/remove users and password changes instead of multiple.

My one question, will the accounts stay in sync or will in I need to setup a cron job to run the getent passwd command every so often?

donh · May 11th 2017

Thanks for testing. Did you have any suggestions? They should stay synced with no need to do anything. There may be some caching or delay in propagating from the ad system. In a small network it should be minimal. You can test it easily, create a user and see how soon it shows up in users etc.

Since it is working on 2008sbs and 2016 I assume it will work on anything in between.

ParadingLunatic · May 11th 2017

No suggestions really. I'm not quite deep enough into the OMV/Linux architecture to really be able to provide suggestions/changes but can provide logs/errors if any of that pops up. Wish I could be more helpful on that end.

Although if you have any questions on the AD side of things including some of the LDAP elements I might be able to help out. Kinda like the two lines:

ldap_user_search_base = ou=omvusers,dc=example,dc=com
ldap_group_search_base = ou=omvgroups,dc=example,dc=com

I purposely created two AD OU's to clean up what was brought into OMV so only users/groups I WANT in OMV gets sent to OMV. You can find the full LDAP path of these things in ADSI Edit. I can't imagine it would cause a problem to only pass specific users/groups from AD to OMV.

It would be great to see this as a plugin but really the manual install is easy enough even if you're only semi familiar with the CLI. The only thing that initially tripped me up was editing the nsswitch.conf file. I didn't do it at first and kept getting an error when attempting to run the kinit line saying it was unable to reach a KDC server. Messing around a bit I noticed I forgot that step. Made the change and bam, worked instantly.

donh · May 11th 2017

Ya nsswitch.conf seems to be a problem for some reason. I thought it might be just my system. Not sure why it does not fall threw to dns? The original order is.

Code

files mdns4_minimal [NOTFOUND=return] mdns4 dns

Seems it should get to dns eventually but for some reason doesn't. That seems to be one of the biggest faults in most tutorials I have read. I am not sure if moving dns up in the search order might break some things like mdns (bonjour), I don't think I am using it.

ParadingLunatic · May 11th 2017

Quote from donh
Ya nsswitch.conf seems to be a problem for some reason. I thought it might be just my system. Not sure why it does not fall threw to dns? The original order is.
Code
files mdns4_minimal [NOTFOUND=return] mdns4 dns
Seems it should get to dns eventually but for some reason doesn't. That seems to be one of the biggest faults in most tutorials I have read. I am not sure if moving dns up in the search order might break some things like mdns (bonjour), I don't think I am using it.

I did some research on the nsswitch.conf. Basically from what I'm reading, "NOTFOUND=return" if the lookup hasn't returned a success by now, to basically return a failure and not to continue on. I would imagine moving anything to the left of that entry won't hurt but could cause some slight lag. In fact, it could probably be beneficial to move dns first if you have a correctly configured dns.

donh · May 11th 2017

Well I always do "files dns mdns4_minimal [NOTFOUND=return] mdns4". Just wondering why the default is the way it is. Or if my change breaks things I am not using.

Thanks

ParadingLunatic · May 16th 2017

I have it implemented completely. Works pretty well. The updates in AD take some time to propagate but that's not surprising. I don't intend on making lots of updates.

On another note, I had to make a few changes here and there to allow/tweak SSH and sudo. Sudo was a little trickier as it requires altering the AD schema and making edits within ADSI edit. SSH was relatively easy. Also had to add an entry in the sssd.config to set the default shell.

Code: sssd.conf

[sssd]
services = nss, pam, pac, sudo, ssh
config_file_version = 2
domains = DOMAIN.LOCAL


[nss]
default_shell = /bin/bash #gives all users the default shell of /bin/bash


[domain/DOMAIN.LOCAL]
id_provider = ad
access_provider = ad
auth_provider = ad
chpass_provider = ad
ldap_idmap_autorid_compat = True


enumerate = True


ldap_idmap_range_min = 20000


override_homedir = /media/<UUID>/Homes/%u #I have my Homes directory on one of the File Shares instead of on the system drive


#created a specific OU for users so I only get the users I want.  I tried to do this for groups but for some reason it didn't work.
ldap_user_search_base = ou=OMVUsers,dc=domain,dc=local

Display More

in /etc/ssh/sshd_Config I added the AD group I created domain_ssh for the users I want to have SSH rights.

The sudo stuff like I said is a little more involved. I can possibly provide some instructions if anyone is interested. I just googled something about sssd sudo and found the process to do it. Wound up following two different sets of instructions to get it to work successfully.

donh · May 16th 2017

Thanks for the update. I have not woried about sudo in the ad context. but good to know it works. sssd is a very powerful tool.

Participate now!