Active Directory / LDAP Revisited


  • Looks interesting. Now that I know more about ldap and sssd, I could look into it a bit more. If you could create a list of fields you would like to see in the plugin with their data type and default value (optional), that would help me greatly.
    Just a warning... I have no way to test AD nor do I want to mess with anything Windows related. Just ldap on my end :) If it works with AD, great.

    I looked for the existing ldap plugins. I thought there was an extras version but I could not find it. The official 3.1.6 version should have enough fields to get any directory service working. I would be willing to write a script to try and prefill some of the fields if they are available from dns. :)

  • The official 3.1.6 version should have enough fields to get any directory service working. I would be willing to write a script to try and prefill some of the fields if they are available from dns.

    So, should we fork that plugin to create a new one? The script would help.

    omv 5.5.6 usul | 64 bit | 5.4 proxmox kernel | omvextrasorg 5.3.5
    omv-extras.org plugins source code and issue tracker - github


    Please read this before posting a question.
    Please don't PM for support... Too many PMs!

  • I think a new one would be better but you know the code better than I. SSSD has many features built into it and only needs to manipulate 2 files, sssd.conf and smb.conf. sssd.conf is not used in the base system so no problems with that. smb.conf is used so it will be a bit more complicated. It will need to be integrated into the way smb.conf is now handled.


    A switch to fix nsswitch.conf would be good too. A simple text edit to move dns up in the search order.


    Getting ahead of things, maybe a button for some specific types of directory services.


    I doubt if you could do this now but in 4.0 it would be best to add this to the bottom of the smb/cifs page so the settings would be in the same place.


    Thanks!


    PS: I am sure I over simplified this. Does your ldap use things other than what I have shown? AD relies heavily on dns being correctly set up, which may have shielded me from some difficulties.

  • I doubt if you could do this now but in 4.0 it would be best to add this to the bottom of the smb/cifs page so the settings would be in the same place.

    This isn't a problem. samba on OMV uses a runparts directory. So, it can be added to smb.conf the correct way without changing the samba plugin itself. The only issue we might run into is if it sets a setting that is already set by the samba plugin. But, samba uses the last setting parsed when there is more than one of the same setting.



    I think a new one would be better but you know the code better than I

    Do you want to call it openmediavault-sssd?


  • "This isn't a problem. samba on OMV uses a runparts directory. So, it can be added to smb.conf the correct way without changing the samba plugin itself. The only issue we might run into is if it sets a setting that is already set by the samba plugin. But, samba uses the last setting parsed when there is more than one of the same settings."


    Cool, if it is on the same page and you add something to the smb extras section would that be good enough? The name should probably be something like "Directory Service SSSd" or something. Use your judgement.

  • Cool, if it is on the same page and you add something to the smb extras section would that be good enough?

    The plugin can do the equivalent of adding to the extras section but you won't see it in the extras section of the samba plugin.



    The name should probably be something like "Directory Service SSSd" or something. Use your judgement.

    Ok.


  • This looks really promising! I'd love to see this in a plugin format, as all my OMV installations hook into the same AD integration.

    You should be able to do it now and when the plugin comes out just backup your /etc/sssd/sssd.conf file and restore it. Maybe /etc/samba/smb.conf also. Those are the only files affected.


    I did a clean install with the 3 release over the weekend and all worked fine. It also works on 4.0 so the future looks good.

  • Hi


    With OMV 3.x the base Debian operating system now has good tools to join a domain with a few commands.


    See the packages realmd and adcli, and my own guide I began to share here: [BETA] Guide how to join OpenMediaVault 3.x in an Active Directory domain

    My wiki : http://howto-it.dethegeek.eu.org


    = latest setup =
    proxmox VE 6 hypervisor on a J1900 CPU + 8GB RAM
    guests : OpenWRT (VM), OMV 5 (VM), Samba 4 domain controller (LXC)
    OMV alive since 2011 I guess : never crashed, always upgraded : stronger than my hard drives.


    Searching for a P2P online storage solution : must be open source, client side encrypted, quota support. Tahoe LAFS is the nearest, but is lacking quota. Would be perfect to build an OMV based, anonymous online storage for backups

  • Thanks for the reply. "realmd" is the piece of the pie I was missing. I threatened to write a script earlier. There is one that should work in this thread, thanks. http://www.alandmoore.com/blog…an-8-to-active-directory/ Will probably still need to add some stuff to smb.conf.


    Another good link https://outsideit.net/realmd-sssd-ad-authentication/

  • Here is a script that will join an OMV to a windows active directory domain.


    • I always need to fix /etc/nsswitch.conf. Could be done with some sed magic.
    • Setup samba/cifs and add stuff from below to extra options. Again could be done with some sed magic, but probably wouldn't show in web ui.
    • Create Join-ad.sh (nano Join-ad.sh) and paste the code below into it.
    • chmod +x Join-ad.sh
    • Run the script: ./Join-ad.sh . Then reboot, or try systemctl stop sssd.service && rm /var/lib/sss/db/* && rm /var/log/sssd/* && systemctl start sssd.service
    • Did it work?
    Code
    ### Add below in extra options
    ### Change server name and realm to match yours
    #Extra Options
    client signing = yes
    client use spnego = yes
    kerberos method = secrets and keytab
    password server = mustang.example.com
    realm = EXAMPLE.COM
    security = ads


    If you make it idiot proof, somebody will build a better idiot.

    Edited 8 times, last by donh: Clean up ().
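The join steps above hinge on two files being right: the smb.conf extras (where, as noted earlier in the thread, Samba keeps the last value when a parameter is repeated) and the hosts order in nsswitch.conf. The following is an added example, not code from the thread or from OMV, that parses both with those rules and reports what is missing; the sample configs are constructed inline and the server name and realm are placeholders.

```python
# Added example, not from the thread or OMV: smb.conf/nsswitch.conf checks for the AD join.
import re

# Extras the thread adds; None = site-specific value, only presence is checked.
REQUIRED_SMB = {"security": "ads", "kerberos method": "secrets and keytab",
                "client use spnego": "yes", "realm": None, "password server": None}

def parse_smb_conf(text):
    """Return {section: {param: value}}; like Samba, a repeated param's LAST value wins."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            current = m.group(1).lower()
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            # Samba parameter names are case-insensitive with whitespace collapsed.
            sections.setdefault(current, {})[" ".join(key.lower().split())] = value.strip()
    return sections

def check_smb_global(text):
    """List what is missing or wrong in [global] relative to REQUIRED_SMB."""
    glob = parse_smb_conf(text).get("global", {})
    problems = [f"missing: {k}" for k in REQUIRED_SMB if k not in glob]
    problems += [f"{k} = {glob[k]} (expected {v})" for k, v in REQUIRED_SMB.items()
                 if v is not None and k in glob and glob[k].lower() != v]
    return problems

def hosts_order_ok(nsswitch_text):
    """True when the hosts: line lists dns directly after files (the thread's fix)."""
    for line in nsswitch_text.splitlines():
        parts = line.split()
        if parts[:1] == ["hosts:"] and "files" in parts and "dns" in parts:
            return parts.index("dns") == parts.index("files") + 1
    return False

# Constructed sample: a plugin default first, the thread's extras after it;
# the later "security = ads" overrides the earlier "security = user".
SAMPLE_SMB = """[global]
security = user
client use spnego = yes
kerberos method = secrets and keytab
password server = mustang.example.com
realm = EXAMPLE.COM
security = ads
"""
SAMPLE_NSSWITCH = "passwd: compat sss\nhosts: files dns mdns4_minimal\n"
```

Run check_smb_global and hosts_order_ok on the real /etc/samba/smb.conf and /etc/nsswitch.conf before rebooting; an empty problem list and True mean the two files match what the steps above describe.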

  • Hi guys


    OK so I'm just going through my first setup (lab environment) of the latest OMV 3.x and trying to attach it to my 2012 AD server. I have literally just freshly installed OMV from the ISO twice in the last 3 hours, edited /etc/nsswitch.conf to put 'dns' just after 'files', I've copied, pasted and executed the script kindly provided by donh and even upped the UID_MAX and max group to 33554431. It joins the domain fine (done this a few times today now) but getent passwd USERNAME doesn't return anything, and users aren't being populated within the OMV admin panel (even after a reboot).



    Is there something up with the latest OMV?



    I've noticed that if I do a fresh OMV install (openmediavault_3.0.86-amd64.iso) and click on 'Update' within the OMV admin area, it throws an error straight away, which I then need to fix by running an update command over SSH - so I'm not sure if this has stopped working with the recent version, or whether I'm copy/pasting wrong / missing something?



    Thanks guys!

  • Sorry to bump, is this the latest thread / method for connecting OMV to AD?


    I used to use the old method with 2.x, however the Kerberos method doesn't work on 3.x, does it?


    Thanks for any pointers! I'll keep trying today to see if I can get it to work, would be nice to upgrade to 3.x due to its added features.

  • I've just installed a million different packages and configurations trying to get this to work so I will re-install the whole thing, re-run your script and test again now so will update you shortly.


    I'm confident 2012 is doing its job though as it is configured with 2x 2.x OMV installs, pfsense authenticated, ESXi authenticated and doing everything fine - so we just need to figure OMV out as I'm sure it's a crucial feature for many.


    I'll reinstall now, run your script then run the two commands to give you the feedback.

  • OK weird, just done the below and it all works fine:





    So inconsistent, must be human error I'm sure.


    Thanks

  • Hey There,


    Sadly, for me the script didn't work :/


    I fixed /etc/nsswitch.conf, got the message "Joined successfully to domain" and edited the max IDs in /etc/login.defs, but still don't see the users in the web interface.


    getent passwd only gives me results for local users. Does anyone have an idea what I should check next?

  • Did you setup smb/cifs? What server are you connecting to? How big is the network?


    Does net ads testjoin pass?


    Maybe your users require a specific search base?
    # If unneeded users or other objects show.
    # Use "dsquery user -name * " to see on windows with powershell
    #ldap_user_search_base = OU=SBSUsers,OU=Users,OU=MyBusiness,DC=example,DC=com
    # ldap_user_search_base = CN=Users,DC=example,DC=com


    If so, nano /etc/sssd/sssd.conf and fix as required.


    Edited 2 times, last by donh ().
