Active Directory / LDAP Revisited

  • After trying a lot of things with no results, this solved my problems:


  • Thanks!
    I installed openmediavault_4.0.14-amd64.iso, and installed updates (4.0.16-1 Arrakis).
    ...
    I tried with the script, but the sssd service did not start because of this: "Failed to read keytab [default]: No such file or directory".
    After that I was trying with this: Guide how to join OpenMediaVault 3.x in an Active Directory domain
    On it I was not able to continue here: "Restart SSSD" because "Failed to read keytab [default]: No such file or directory".
    So I googled that error and got this page: "http://felipeferreira.net/index.php/2017/01/failed-to-read-keytab-default/"


    Now I am trying to figure out how to assign AD users/groups to SMB shared folders; the default settings allow me to access shared folders at least.


    Thank you very much!
    OMV is a great software.
    (I speak Spanish, please excuse any mistake).

  • I assume your users and groups show in Access Rights Manager. Then in shared folder click folder and then privileges and ACL as needed.


    What kind of directory server are you connecting to? I would like to include your results in the script.


    Thanks

  • I am using Zentyal 5.0 as AD server.



    I assume your users and groups show in Access Rights Manager. Then in shared folder click folder and then privileges and ACL as needed

    Only OMV users and groups appear.
    Even after already joined (with the command: "net ads join -U Administrator"), when running the script I get this:


    Code
    kinit: KDC reply did not match expectations while getting initial credentials
    Failed to join domain: failed to lookup DC info for domain 'MYDOMAIN.LOCAL' over rpc: An internal error occurred.

    I guess I still need to do something else or something is missing.

  • First reboot and clear the sssd database. One of the last steps in the script. Then run getent passwd. Does that show your users? If so, look at the uid numbers. Are they less than 60000? If greater, either edit /etc/login.defs or look at the setting in my smb.conf.

  • I've gotten FreeIPA/Samba semi-working by adding security = user to the SMB options. This bypasses the kerberos checks and authenticates logins against the local list - which is already synced successfully with FreeIPA. Windows machines can then use an IPA domain user's credentials to access SMB shares.


    They still can't use their own credentials, so it's not perfect. But it's working, which is important for the WAF.


    Code
    realm = MY.REALM.COM
    server role = member server
    obey pam restrictions = yes
    security = USER
  • You're welcome. So everything works now?


    Do you think adding your fix to "Failed to read keytab [default]: No such file or directory" to the script would work?

    I think so.
    Now I am trying to change subfolders permissions, but they remain as the root folder.

  • New to openmediavault, old to sssd. Just got this working on my new install.



    Install necessary tools. (Haven't seen libsasl2-modules-gssapi-mit as a dependency on any other online Debian guides, so I want to call it out here. This solved an issue I had with GSSAPI saying there were no SASL methods between my AD and OMV server).

    Bash
    apt-get update && apt-get upgrade -y && apt-get install sssd sssd-tools realmd krb5-user libpam-sss libnss-sss libsasl2-modules-gssapi-mit packagekit -y



    Join the domain using realmd.

    Bash
    realm join -U <sAMAccountName of AD user with Domain Join right> REALM --verbose


    For example, when joining the domain AD.HAILSATAN.COM. (Note to devs: realm can accept a password from stdin; when scripting, something like "echo $pcBuilderPass | realm join -U PCBuilder AD.HAILSATAN.COM --verbose" totally works.)

    Bash
    realm join -U PCBuilder AD.HAILSATAN.COM --verbose


    Add the following configuration line to /etc/krb5.conf, because most people have their DNS setup like shit. This is a default in RHEL/CentOS. Solves the GSSAPI error (Server not found in kerberos database).



    Bash
    rdns = False


    Most people don't want to use FQDNs, so make this sensible change to /etc/sssd.conf



    Bash
    use_fully_qualified_names = False
    fallback_homedir = /home/%u


    Restart sssd.



    Bash
    systemctl restart sssd


    And test the configuration by asking for id info on a domain user.



    Bash
    root@nas:~ id dtrump
    uid=126784105(dtrump) gid=116604512(domain users) groups=116604512(domain users),27(sudo),126514609(illuminati),121647812(democrat bankers),176635179(Continuity of Government),16554327(webfilterpornbypassforpres)


    You can then follow the great guide at Guide how to join OpenMediaVault 3.x in an Active Directory domain for OMV-specific tricks (setting up autofs and /etc/logindefs).



    Hope this helps guys. Thanks for the awesome software.
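    A post-join sanity script, added here as an example (it is not the script the thread refers to nor OMV project code), that checks the three things this thread keeps tripping over: uids above UID_MAX from /etc/login.defs (the earlier 60000 question), rdns in krb5.conf, and use_fully_qualified_names in sssd.conf. It runs against constructed sample files and a constructed getent passwd listing; the real paths it assumes are /etc/login.defs, /etc/krb5.conf and /etc/sssd/sssd.conf.

```shell
#!/bin/sh
# Post-join sanity checks for an sssd/AD member (added example, not the thread's script).
# Assumed real paths: /etc/login.defs, /etc/krb5.conf, /etc/sssd/sssd.conf.

# Print UID_MAX from a login.defs file (60000 if the line is absent).
uid_max_from_login_defs() {
    awk '$1 == "UID_MAX" { v = $2 } END { print (v == "" ? 60000 : v) }' "$1"
}

# Read passwd-format lines (getent passwd output) on stdin and print the users
# whose uid exceeds $1. AD users normally land far above 60000, which is why
# the thread suggests raising UID_MAX in /etc/login.defs.
users_over_uid_max() {
    awk -F: -v max="$1" '$3 + 0 > max + 0 { print $1 }'
}

# Exit 0 if "$2 = $3" (value compared case-insensitively) is set under [$1]
# in the krb5.conf/sssd.conf-style file $4, ignoring comment lines; else 1.
config_has_setting() {
    awk -v sect="$1" -v key="$2" -v want="$3" '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/ { sub(/^[ \t]*\[/, ""); sub(/\].*$/, ""); cur = $0; next }
        cur == sect && index($0, "=") {
            k = $0; v = $0; sub(/=.*$/, "", k); sub(/^[^=]*=/, "", v)
            gsub(/[ \t]/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key && tolower(v) == tolower(want)) found = 1
        }
        END { exit found ? 0 : 1 }' "$4"
}

# Constructed sample inputs standing in for the real files and getent output.
tmp=$(mktemp -d)
printf 'UID_MAX 60000\nGID_MAX 60000\n' > "$tmp/login.defs"
printf '[libdefaults]\n default_realm = MYDOMAIN.LOCAL\n rdns = False\n' > "$tmp/krb5.conf"
printf '[sssd]\ndomains = mydomain.local\n\n[domain/mydomain.local]\nuse_fully_qualified_names = False\nfallback_homedir = /home/%%u\n' > "$tmp/sssd.conf"
getent_sample() {
    printf 'admin:x:1000:1000::/home/admin:/bin/bash\n'
    printf 'aduser1:*:126784105:116604512::/home/aduser1:/bin/bash\n'
    printf 'aduser2:*:126784200:116604512::/home/aduser2:/bin/bash\n'
}

# Report findings; each line printed is a setting the thread says to fix.
max=$(uid_max_from_login_defs "$tmp/login.defs")
over=$(getent_sample | users_over_uid_max "$max")
[ -z "$over" ] || echo "uids above UID_MAX=$max (raise it in /etc/login.defs):" $over
config_has_setting libdefaults rdns false "$tmp/krb5.conf" || echo "krb5.conf: set rdns = False"
config_has_setting domain/mydomain.local use_fully_qualified_names false "$tmp/sssd.conf" \
    || echo "sssd.conf: set use_fully_qualified_names = False"
```

With the sample data it reports both AD users as above UID_MAX while the two config checks pass silently.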

  • Thanks, that did the trick on my new OMV setup. Pretty happy with the result.


    I'm a complete layman in all this, but I just noticed that Ubuntu (at least 17.10) has freeipa-server packages. Could we expect them to be built with the "same" (if not proper) MIT Kerberos?

  • I have the following error:
    mv [sssd[ldap_child[17510]]]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.


    Any suggestions?
