Guide how to join OpenMediaVault 3.x in an Active Directory domain

  • Description


    With this guide you are able to join a Windows domain (either a Windows domain controller or a Samba 4 domain controller) with your OpenMediaVault server.


    This is a new method to join a domain with SSSD instead of Winbind. It is much easier to set up, and is more reliable than Winbind.


    However there is a drawback: if SSSD chooses the UIDs and GIDs itself, the numbers seem too high to be visible in OMV's UI. If the directory provides UIDs and GIDs set by the administrator, and low enough (10000 for example), OMV is able to show them.


    This is currently a BETA, I successfully configured a fresh install of OMV 3 with these steps.


    Requirements

    • OpenMediaVault 3.0.83 or higher
    • A Samba 4 domain controller with uid and gid properties set for users and groups



    OMV Configuration


    Network settings


    • Check IP configuration

    Use the web UI to setup a fixed IP address, and a hostname with a domain name matching your domain.


    Open a terminal (locally or with SSH) and check the hostname configuration of your OpenMediaVault.



    The first command allows you to check the server has the expected name. It may be whatever you want.
    The second command checks the suffix of your hostname. It must match the domain name of your domain controller.
    The third command checks that /etc/hostname matches your hostname. If it does not match hostname -s, then update it.


    Packages installation
    Now install the required packages to install and use SSSD.


    Bash
    root@my-server:~# apt-get install sssd realmd policykit-1 packagekit adcli
    root@my-server:~# realm discover -v domain.com
    root@my-server:~# realm -v join domain.com -U administrator --membership-software=adcli


    apt-get install sssd and required packages
    realm discover checks you can find your domain controller
    realm join .. well .. joins your domain. You need to specify the login of an administrator account, and the process will ask you for its password. Some additional packages will be automatically installed.


    SSSD is running; you need to stop it and reset its cache to tweak it.


    Configure SSSD


    Bash
    service sssd stop
    sss_cache -E
    rm /var/lib/sss/db/*


    Check /etc/sssd/sssd.conf and switch use_fully_qualified_names to False. This allows you to authenticate without specifying your domain.


    Read the Mapping algorithm paragraph of the SSSD documentation to determine whether you want ldap_id_mapping or not, either by reading this page: https://linux.die.net/man/5/sssd-ad or by reading it from the OMV terminal.


    Code
    man sssd-ad


    If you want to disable ID mapping and use POSIX attributes in your AD, also change ldap_id_mapping to False. Doing this requires that you set up uid and gid for all your users and groups in your directory.


    If you want to show your users in the OpenMediaVault web interface, you need to add at the bottom of section [domain/domain.com] the parameter enumerate = True. However this is NOT recommended because it will slow down the server and generate network traffic with your domain controller. If you have a lot of users, you should consider keeping its default value (False) and configuring permissions with setfacl. The same issue occurs with Winbind, so it is useless to prefer Winbind to work around this problem.


    Customize override_homedir to set the path containing your users' home directories. You will bind a subtree of a filesystem here in the next steps. This means this subtree will be available in 2 paths in OMV's filesystem.


    Here is an example of /etc/sssd/sssd.conf


    Restart SSSD.


    Code
    service sssd start


    The command realm also updates /etc/nsswitch to use sssd as a source. You do not need to update it yourself, but here is an example of what you should read in this file. Notice the word sss is added in some lines.



    Now that sssd is up to date and running, try to find an existing user:


    Code
    getent passwd johndoe
    johndoe:*:10000:10000:johndoe:/home/DOMAIN/johndoe:/bin/bash


    Enable mkhomedir
    create the file /usr/share/pam-configs/my_mkhomedir with the following content:

    Code
    Name: Activate mkhomedir
    Default: yes
    Priority: 900
    Session-Type: Additional
    Session:
    required pam_mkhomedir.so umask=0077 skel=/etc/skel


    The umask argument for mkhomedir didn't work for me. pam_umask.so seems to be a better option. Create the file /usr/share/pam-configs/umask with the following:

    Code
    Name: Activate umask
    Default: yes
    Priority: 800
    Session-Type: Additional
    Session:
    optional pam_umask.so umask=0077


    Run the command pam-auth-update, enable Activate mkhomedir and Activate umask.


    Configure Home directories


    In the OMV UI, open the users administration panel. Assuming you have at least one shared folder defined, choose the tab Settings and enable user home directories. Choose a device and set the path /users to store them. This path is important for the next step.


    Find the mounted data volume you want to use for your home directories. In this example, this is the last line. The path after "on" will be re-used to bind mount the volume in /home/domain.com.




    Edit /etc/fstab and bind mount your share to /home/domain.com. The line must be added after # <<< [openmediavault]. This ensures it will not be overwritten when you edit OpenMediaVault's configuration.


    Code
    /srv/dev-disk-by-id-scsi-0QEMU_QEMU_HARDDISK_drive-scsi1-part1 /home/domain.com none bind 0 2


    Go to the SMB/CIFS configuration, and enable SMB/CIFS.
    Set the Workgroup field to DOMAIN (uppercase, matching the word before the first dot of your domain name). Enable user home directories, and add the following to your extra options:


    If you're using OMV 4.x, change the line
    dedicated keytab file = FILE:/etc/krb5.keytab
    into
    dedicated keytab file = /etc/krb5.keytab


    Save and apply changes.


    :!: Read this post if you're under Windows 8 to try a performance enhancement : http://forums.openmediavault.o…f=3&t=1493&p=24413#p24366


    :!: This step is not required
    If you wish to view your AD users and groups in the OMV web interface, include the UIDs and GIDs in the non-system users and groups range in /etc/login.defs. Find UID_MAX and change UID_MAX and GID_MAX. You need to choose a value higher than the highest UID and GID you can find in your directory. Here are the default values.

    Code: /etc/login.defs
    UID_MAX 60000
    GID_MAX 60000

    Editing AD users and groups using the OMV web interface will fail because they are not stored in /etc/passwd and /etc/group.


    You should now be able to browse your home dir and shares (if any) with a user managed by your directory server, from a workstation enrolled with SSSD. To set up SSSD on a workstation, do the same as in this guide, and don't set up Samba (because it will probably not share files itself, thanks to OMV).

    My wiki : http://howto-it.dethegeek.eu.org


    = latest setup =
    proxmox VE 6 hypervisor on a J1900 CPU + 8GB RAM
    guests : OpenWRT (VM), OMV 5 (VM), Samba 4 domain controller (LXC)
    OMV alive since 2011 I guess : never crashed, always upgraded : stronger than my hard drives.


    Searching for a P2P online storage solution : must be open source, client side encrypted, quota support. Tahoe LAFS is the nearest, but is lacking quota. Would be perfect to build an OMV based, anonymous online storage for backups

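    As an added example (it is not part of the original post, nor a tool shipped by OMV, SSSD or Samba), here is a small POSIX shell preflight checker for the steps of the guide above: hostname layout, the sssd.conf switches (use_fully_qualified_names, ldap_id_mapping, enumerate), the UID_MAX/GID_MAX limit in /etc/login.defs that decides whether directory users show up in the OMV UI, the workgroup derived from the domain name, and the OMV 4.x keytab option without the FILE: prefix. Every check takes files or values as arguments, so the same functions can be pointed at the real /etc/sssd/sssd.conf, /etc/login.defs and /etc/samba/smb.conf. The sample files written below, the ini reader and all function names are constructed assumptions, not captured from a real server.

```shell
#!/bin/sh
# Added example: preflight checks for the SSSD/AD guide. All samples are constructed.

# Print the value of KEY inside [SECTION] of an ini-style file (sssd.conf, smb.conf).
conf_get() { # conf_get FILE SECTION KEY
    awk -v sec="$2" -v key="$3" '
        /^[ \t]*\[/ { s = $0; sub(/^[ \t]*\[/, "", s); sub(/[]].*$/, "", s); insec = (s == sec); next }
        insec && $0 ~ ("^[ \t]*" key "[ \t]*=") { sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]*$/, ""); print; exit }
    ' "$1"
}

# Samba workgroup = first label of the DNS domain, upper-cased (domain.com -> DOMAIN).
workgroup_from_domain() { printf '%s\n' "${1%%.*}" | tr '[:lower:]' '[:upper:]'; }

# "Check IP configuration": hostname -s, hostname -d and /etc/hostname must agree.
hostname_consistent() { # hostname_consistent SHORT SUFFIX EXPECTED_DOMAIN HOSTNAME_FILE
    [ "$2" = "$3" ] && [ "$(head -n 1 "$4")" = "$1" ]
}

# "Configure SSSD": both switches set to False; enumerate left off (it loads the DC).
sssd_domain_ok() { # sssd_domain_ok SSSD_CONF DOMAIN
    sec="domain/$2"
    [ "$(conf_get "$1" "$sec" use_fully_qualified_names)" = "False" ] || { echo "use_fully_qualified_names is not False"; return 1; }
    [ "$(conf_get "$1" "$sec" ldap_id_mapping)" = "False" ] || { echo "ldap_id_mapping is not False"; return 1; }
    [ "$(conf_get "$1" "$sec" enumerate)" != "True" ] || echo "warning: enumerate = True queries the DC on every lookup"
    return 0
}

# Highest UID/GID in passwd-style lines (e.g. saved output of getent passwd).
max_posix_id() { awk -F: '{ if ($3+0 > m) m = $3+0; if ($4+0 > m) m = $4+0 } END { print m+0 }' "$1"; }

login_defs_get() { awk -v k="$2" '$1 == k { print $2 }' "$1"; }

# "/etc/login.defs": OMV only lists a directory user whose ids fit under UID_MAX/GID_MAX.
ids_visible_in_omv() { # ids_visible_in_omv PASSWD_FILE LOGIN_DEFS
    m=$(max_posix_id "$1")
    [ "$(login_defs_get "$2" UID_MAX)" -ge "$m" ] && [ "$(login_defs_get "$2" GID_MAX)" -ge "$m" ]
}

# "SMB/CIFS extra options" on OMV 4.x: the keytab path must not carry a FILE:/WRFILE: prefix.
keytab_option_ok() { # keytab_option_ok SMB_CONF
    case "$(conf_get "$1" global 'dedicated keytab file')" in
        /*) return 0 ;;
        *)  return 1 ;;
    esac
}

# ---- constructed sample inputs (assumed layout, not a real server) ----
TMP=$(mktemp -d); trap 'rm -rf "$TMP"' EXIT
cat > "$TMP/sssd.conf" <<'EOF'
[sssd]
domains = domain.com
config_file_version = 2
services = nss, pam

[domain/domain.com]
ad_domain = domain.com
krb5_realm = DOMAIN.COM
id_provider = ad
cache_credentials = True
default_shell = /bin/bash
ldap_id_mapping = False
use_fully_qualified_names = False
override_homedir = /home/domain.com/users/%u
EOF
printf 'my-server\n' > "$TMP/hostname"
printf 'UID_MAX\t60000\nGID_MAX\t60000\n' > "$TMP/login.defs"
printf 'johndoe:*:10000:10000:johndoe:/home/domain.com/users/johndoe:/bin/bash\n' > "$TMP/passwd"
# ids of the size SSSD produces when ldap_id_mapping is left at its default
printf 'jane:*:923401104:923400513:Jane:/home/domain.com/users/jane:/bin/bash\n' > "$TMP/passwd-mapped"
cat > "$TMP/smb.conf" <<'EOF'
[global]
workgroup = DOMAIN
realm = DOMAIN.COM
security = ads
kerberos method = dedicated keytab
dedicated keytab file = FILE:/etc/krb5.keytab
EOF

run_checks() {
    hostname_consistent my-server domain.com domain.com "$TMP/hostname" && echo "hostname: ok"
    sssd_domain_ok "$TMP/sssd.conf" domain.com && echo "sssd.conf: ok"
    ids_visible_in_omv "$TMP/passwd" "$TMP/login.defs" && echo "login.defs: ids visible in OMV UI"
    ids_visible_in_omv "$TMP/passwd-mapped" "$TMP/login.defs" || echo "login.defs: raise UID_MAX/GID_MAX above $(max_posix_id "$TMP/passwd-mapped")"
    keytab_option_ok "$TMP/smb.conf" || echo "smb.conf: drop the FILE: prefix (Samba 4.5 and later)"
    echo "workgroup for domain.com: $(workgroup_from_domain domain.com)"
}
run_checks
```

    To run it against a real box, replace the sample paths with /etc/sssd/sssd.conf, /etc/login.defs, /etc/samba/smb.conf and the output of getent passwd saved to a file; pass $(hostname -s) and $(hostname -d) to hostname_consistent.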

  • Thanks. I had not found realmd. Looks like it fills in most info in sssd.conf. Should help making a plugin for 3.x or inclusion in 4.0. Bugtracker target version


    Seems you test against a samba AD? In my thread it has been tested against a few windows versions. It would be nice if people could test against other types of directory services. Maybe we are scaring them off by putting AD in the titles. LOL sssd should work with many types of directory service.


    Thanks again

    If you make it idiot proof, somebody will build a better idiot.

  • Hi


    SSSD is compatible with LDAP but I have not experienced it. The tool realmd will detect the type of directory and configure sssd the correct way, so your plugin will probably not need to do specialized things depending on the type of directory.


    I was not able to get realm to join a Windows AD. Must be something I am missing. I modified a script to automate joining a Windows AD. Should be easy to adapt to your guide also. Active Directory / LDAP Revisited


    Might also like to update to systemd restarts etc. systemctl stop sssd.service && rm /var/lib/sss/db/* && rm /var/log/sssd/* && systemctl start sssd.service && systemctl status sssd.service


  • Hi @dohn


    Did you try realm discover your.domain.com to see how it is detected?


    It goes through the process and seems to have joined the domain. But things don't work after a reboot. Gave up on it and went with what works for now. May try again later.


  • Hi @dohn


    I think I could give a try to check compatibility of my guide against a Windows 2008 server. I don't have a later version. At least this would be a start.


    I'm tempted to begin writing a plugin to join a domain. Did you begin a plugin or are you sticking to a shell script ?


  • A plugin would be great. Unfortunately it is above my skills. Ryecoaaron may have done some work on one. My ideas are on the other thread.


    Thanks


  • Hi


    I began to find some resources to learn how to write a plugin for OMV. As many people seem to use OMV as a domain member, having such a plugin is a must.


    Moreover I would like to have a plugin to manage backups with BorgBackup.


    So, it is time for me to consider contributing now.


    @ryecoaaron


    Can you share the URL of your repository ?


  • Can you share the URL of your repository ?

    Right now it isn't much different than the openmediavault-ldap plugin but here ya go - https://github.com/ryecoaaron/openmediavault-sssd

    omv 5.6.0 usul | 64 bit | 5.4 proxmox kernel | omvextrasorg 5.5.3
    omv-extras.org plugins source code and issue tracker - github


    Please read this before posting a question.
    Please don't PM for support... Too many PMs!

  • Right now it isn't much different than the openmediavault-ldap plugin but here ya go - https://github.com/ryecoaaron/openmediavault-sssd

    Thanks for starting work on a plugin. I would like to contribute but have no idea how to build it from github. I searched but was unable to find a tutorial. I just need to know what I need to get started building the package and what is a good editor would be. I will do it in a vm for this purpose only.


    Thanks


  • The following will build the .deb which you install with dpkg


    Code
    apt-get install build-essential debhelper devscripts fakeroot git libfile-fcntllock-perl quilt
    git clone https://github.com/ryecoaaron/openmediavault-sssd.git
    cd openmediavault-sssd
    fakeroot debian/rules clean binary


  • This came from liviu.stefanescu in a conversation. He could not post it for some reason.


      Hello donh,


      I was able to combine latest OMV 4.1.8.2-1 with Zentyal 5.0.10 by following this info:
      Guide how to join OpenMediaVault 3.x in an Active Directory domain


      I had some issues and I'm sending to you what took me some time to figure out, I can't post in that very useful thread.


      a. This information wasn't clear for me:
      Set the Workgroup field to DOMAIN (uppercase, and match the word before the first dot of your domain name).
      After various testing I figured out it means to set for Workgroup the domain first word e.g. for MYCOMPANY.LAN it should be MYCOMPANY.
      According to Zentyal smb.conf the workgroup is lowercase (not upper case) e.g. mycompany .


      b. To figure out the ranges for uid and gid:


      • UID_MAX 60000
      • GID_MAX 60000


      I just picked them from:
      root@omv:~# getent passwd liviu.stefanescu
      john.doe:*:923401104:923400513:John Doe:/home/mycompany.lan/users/john.doe:/bin/bash
      uid: 923401104
      gid: 923400513



      c. Samba issues:


      Because the user and password didn't work.
      To see some logs and to find out why I had to change the smb.conf file:
      nano /etc/samba/smb.conf
      these:
      log level = 1

      syslog = 1
      log file = /var/log/samba/log.%m
      max log size = 1000
      #syslog only = yes
      panic action = /usr/share/samba/panic-action %d
      encrypt passwords = true


      and restart the service:


      systemctl restart smbd


      And read the errors log files:
      nano /var/log/samba/log.Computer IP


      I found this thread:
      pagure.io/freeipa/issue/6551


      Which says that Samba 4.5 does not allow to specify access mode for the keytab (FILE: or WRFILE:) from external sources.


      So the extra options:, point 3:


      • password server = *
      • realm = DOMAIN.COM
      • dedicated keytab file = FILE:/etc/krb5.keytab
      • kerberos method = dedicated keytab
      • security = ads

      must be changed to:
      dedicated keytab file = /etc/krb5.keytab


      The current OMV 4x updated version has Samba 4.5.12 and since I changed that, it all works for me .


      Maybe you can update the thread, it is very useful for a newbie like me.


      Kind regards,
      Liviu Stefanescu


  • hi


    I'm the author of the tutorial.


    a) you must set the name of your workgroup. If your domain name is domain.com, your workgroup name must be DOMAIN. If your domain name is mycompany.lan it is MYCOMPANY


    b) the UID and GID of your users from your domain are very high numbers, because you left commented out the line ldap_id_mapping in sssd.conf. If you want to see the AD users in the user interface of OMV, you need to set MAX_UID and MAX_GID to a value greater than the ID values of your AD users and groups. This documentation may help you: https://linux.die.net/man/5/sssd-ad


    c) nice to know. I may update the tutorial to warn about this important change. (Did I write a version for OMV 4.x ? I don't even remember).

