Just got around to upgrading to OMV 4. Wanted to share my steps to get SMB 3 share authentication working against my SAMBA AD server. Since I'm a security guy, this configuration only uses SMB 3 and Kerberos through sssd. I don't have to worry about legacy SMB protocols, weak NTLM hashes, NULL AD sessions, or plaintext LDAP calls.
Install Needed Packages
DNS is hard, especially where Kerberos is concerned. You will probably have to add the following to your krb5.conf file.
Join the Domain
Edit /etc/sssd/sssd.conf to make sure the following options are set under the domain configuration.
Example full sssd.conf file:
[sssd]
domains = ad.hail.satan.com
config_file_version = 2
services = nss, pam

[domain/ad.hail.satan.com]
ad_domain = ad.hail.satan.com
krb5_realm = AD.HAIL.SATAN.COM
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%u
access_provider = ad
enumerate = True
ad_gpo_access_control = permissive
Look up the UID that sssd assigns to a user in your realm.
In this example, our generated ID has 9 digits, so we set the following for UID_MAX and GID_MAX in /etc/login.defs.
UID_MIN 1000
UID_MAX 999999999

# System accounts
#SYS_UID_MIN 100
#SYS_UID_MAX 999

#
# Min/max values for automatic gid selection in groupadd
#
GID_MIN 1000
GID_MAX 999999999
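As an added check that is not part of the original post: a POSIX sh script that finds the largest uid/gid sssd has mapped (from passwd/group-format output such as `getent passwd` and `getent group`), reads UID_MAX/GID_MAX from a login.defs-style file, flags a limit that is too small, and derives the all-nines limit from the digit count the way the 9-digit case above does. The sample accounts and the deliberately too-small GID_MAX of 60000 are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: check that the ids sssd hands out
# for AD accounts fit under UID_MAX / GID_MAX in login.defs. Paths are
# parameters so it runs on the constructed samples below; on a real host feed
# it the output of `getent passwd`, `getent group` and /etc/login.defs.

# Largest numeric id in field 3 of passwd- or group-format lines.
max_id_in() {
    awk -F: '$3 + 0 > m { m = $3 + 0 } END { print m + 0 }' "$1"
}

# Value of a key such as UID_MAX; commented-out lines are skipped because their
# first field is "#KEY", not "KEY". Prints 0 when the key is absent.
login_defs_value() {
    awk -v key="$2" '$1 == key { v = $2 } END { print v + 0 }' "$1"
}

# Smallest all-nines limit covering an id with this many digits
# (123456789 -> 999999999), the reasoning used for the 9-digit case above.
suggested_limit() {
    n=${#1}; s=
    while [ "$n" -gt 0 ]; do s="${s}9"; n=$((n - 1)); done
    echo "$s"
}

# "ok" when the observed id is within the configured limit, else "too-small".
check_limit() {
    if [ "$1" -le "$2" ]; then echo ok; else echo too-small; fi
}

report() {  # $1 = label, $2 = largest id seen, $3 = configured limit
    echo "$1: largest id $2 vs limit $3 -> $(check_limit "$2" "$3") (all-nines limit $(suggested_limit "$2"))"
}

# Constructed sample data: a local account plus an AD account with a 9-digit id.
PASSWD_SAMPLE=$(mktemp); GROUP_SAMPLE=$(mktemp); LOGIN_DEFS_SAMPLE=$(mktemp)
trap 'rm -f "$PASSWD_SAMPLE" "$GROUP_SAMPLE" "$LOGIN_DEFS_SAMPLE"' EXIT
cat > "$PASSWD_SAMPLE" <<'EOF'
root:x:0:0:root:/root:/bin/bash
jdoe:*:123456789:123456789:John Doe:/home/jdoe:/bin/bash
EOF
cat > "$GROUP_SAMPLE" <<'EOF'
users:x:100:
domain users:*:123456789:jdoe
EOF
printf 'UID_MIN 1000\nUID_MAX 999999999\n#SYS_UID_MAX 999\nGID_MIN 1000\nGID_MAX 60000\n' > "$LOGIN_DEFS_SAMPLE"

report UID_MAX "$(max_id_in "$PASSWD_SAMPLE")" "$(login_defs_value "$LOGIN_DEFS_SAMPLE" UID_MAX)"
report GID_MAX "$(max_id_in "$GROUP_SAMPLE")" "$(login_defs_value "$LOGIN_DEFS_SAMPLE" GID_MAX)"
```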
SMB/CIFS Advanced Options
Set the following under Extra Options in the Advanced Settings section of the SMB/CIFS configuration.
security = ads
realm = AD.HAIL.SATAN.COM
client signing = yes
client use spnego = yes
kerberos method = secrets and keytab
obey pam restrictions = yes
protocol = SMB3
netbios name = omv
password server = *
encrypt passwords = yes
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = no
idmap config SATAN : backend = rid
idmap config SATAN : range = 1000-999999999999
idmap config * : backend = tdb
idmap config * : range = 85000-86000
template shell = /bin/sh
lanman auth = no
ntlm auth = yes
client lanman auth = no
client plaintext auth = no
client NTLMv2 auth = yes
winbind refresh tickets = yes
log level = 3
syslog = 3
You should now be able to see the AD users and groups in the OMV tab and assign share permissions based on them.