Guide to OMV 4 Active Directory Integration

Great work. Do you have the skills to write a plugin? Unfortunately I don't. The goal being to get it as a part of OMV.

I have a thread for windows ad and seems to work for a few others types. https://forum.openmediavault.o…-LDAP-Revisited/?pageNo=4 I haven't had time to work on it much since.

Thanks

scipio_americanus, I just built a new Windows 10 computer and my OMV 4 NAS doesn't show up in the Network section of the File Explorer. I read it has something to do with SMB v1 being removed by MS. If I enter \\<mynasmname> into the address bar of File Explorer, the shared folders do show up and I can map them to drive letters. Will your scripts solve the issue? Do I need to use them all? Or is there some changes I can make to Windows to solve the problem? I don't understand what the scripts are doing, so I would just be doing a copy and paste.

@wjburl

This thread is of no help to you, what you have done is spot on the OP's post is about integrating OMV into Active Directory.

First, a big thank you to @scipio_americanus for writing this up. It seems there are many roads to travel to integrate AD and OMV but, all lead to a dead-end. This seemed so clear-cut and being new I thought was going to work but, alas I've hit another dead-end.

I don't suppose someone could tell me how to troubleshoot step 2 - the joining domain part. This is what I get:

root@OMV-VM10:~# realm join -U administrator MYDOMAIN.local --verbose
 * Resolving: _ldap._tcp.mydomain.local
 * Resolving: mydomain.local
 * No results: mydomain.local
realm: Cannot join this realm
root@OMV-VM10:~#


root@OMV-VM10:~# host mydomain.local
mydomain.local has address 221.21.21.3
mydomain.local has IPv6 address 2002:dd15:1503::dd15:1503
mydomain.local has IPv6 address 2002:dd15:1550::dd15:1550
root@OMV-VM10:~# hostname -f
OMV-VM10.mydomain.local

OMV version:

root@OMV-VM10:~# uname -a
Linux OMV-VM10 4.17.0-0.bpo.1-amd64 #1 SMP Debian 4.17.8-1~bpo9+1 (2018-07-23) x86_64 GNU/Linux

My domain controller is a Windows Server 2008 R2 (fully patched).

Any help will be greatly appreciated!!

Thanks,
Charles

Active directory is very dependent on dns. root@OMV-VM10:~# realm join -U administrator MYDOMAIN.local --verbose
* Resolving: _ldap._tcp.mydomain.local
* Resolving: mydomain.local
* No results: mydomain.local
realm: Cannot join this realm
root@OMV-VM10:~#

root@OMV-VM10:~# host mydomain.local
mydomain.local has address 221.21.21.3
mydomain.local has IPv6 address 2002:dd15:1503::dd15:1503
mydomain.local has IPv6 address 2002:dd15:1550::dd15:1550
root@OMV-VM10:~# hostname -f
OMV-VM10.mydomain.local
Seems dns can't find mydomain.local. Try with the ip address. Look at /etc/nsswitch.conf and move dns ahead of mdns.

Active Directory / LDAP Revisited

Hi
I have Windows 2k12 AD Domain and OMV 4 fresh install...got the configurations as mentioned here. But OMV webGUI users and groups showing 'nobody' and 'nogroup'

# id <ad user> successfully returns the uids and gids

Pls help me to fix this.

Thanks so much

I figured it out....(or rather my stupidity)

It happens when the UID_MAX is lower than the returned UID...in my case it is 10 digits.
I added 9999999999 (10 digit) and it works

Thanks for the posting detailed instructions for this!

On a fresh install of OMV4, I installed the packages and joined the realm (SAMBA AD) without any errors. I edited the /etc/sssd/sssd.conf as per the instructions.

Sadly, I've not been able to make it past:

root@omv:~# id <username>

I just get the message id: '<username>': no such user. I can use kinit on the same username just fine, however.

I've double-checked the the /etc/sssd/sssd.conf and the details are correct. The sssd service is running, I've restarted the service, cleared the sssd cache and rebooted the machine to no avail. I also looked at some of the other AD threads to see if there was anything I could have missed. It seems I should just be able to join the realm, edit the sssd.conf file, restart sssd and run the id command to get the GUID of a user, but I can't!

I was wondering whether anyone else who has followed these instructions has had this issue? Maybe there is something pre-emptive that I should have done/installed before this (seeing as it's a clean install of OMV)?

I've included my sssd.conf file, but it's not really any different from the one in the guide. :-/

[sssd]
domains = domain.co.uk
config_file_version = 2
services = nss, pam


[domain/domain.co.uk]
ad_domain = domain.co.uk
krb5_realm = DOMAIN.CO.UK
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = ad

Thanks to anyone for any advice or suggestions in advance...

Does getent passwd show users?

Hey donh, thanks for replying. I was just about to update my post with new information, but I've gotten a bit further now.

Somehow, I was using "use_fully_qualified_names = True" in the sssd.conf file. I really don't know how I managed to do that, since I was copying the original instructions. :-/ Anyway, once I set it to False, cleared the sssd cache and restarted the service, I can now use "id <username>" to get the info of a user on the SAMBA AD. I can also SSH in to OMV with the AD username (after tweaking the AllowGroups in /etc/ssh/sshd_config).

However, now it seems the issue is with the users and groups showing up in the OMV backend. They don't show up in the User/Groups sections. Not the end of the world, but they don't show up in the ACL for a file share either. I've modified the /etc/login.defs file and set UID_MAX and GID_MAX to 9999999999, but not dice.

Maybe I'm being a bit dumb and I should be using these steps AND the LDAP in the backend plugin together??!!

Cheers.

Update:

Apologies, forgot to add that if I do "getent passwd" I only get local users, but if I do "getent passwd jsmith", it returns the AD user:

jsmith:*:1697601110:1697600513:Joe Smith:/home/jsmith:/bin/bash

Try systemctl stop sssd.service && rm /var/lib/sss/db/* && systemctl start sssd.service.

No luck sadly, getent passwd still only shows local users unless I specify an AD username. :-/

Quote from Cloggs

I've modified the /etc/login.defs file and set UID_MAX and GID_MAX to 9999999999, but not dice

Make it bigger 1697600513 > 9999999999.

I stuck another digit on the end to be sure, but 1697600513 is less than 9999999999 by a fair margin. Basically, the UID's and GID's are ten digits, so I went for ten 9's.

getent passwd now returns all users after adding the following to the sssd.conf file and restarting sssd:

enumerate = true

However, nothing showing in OMV backend still.

Well you are close. Her is what I have under smb extra options for reference. Thay are for a windows ad but some may apply? Seem to remember having uid max there at one time also.
[list=1][*]#Extra Options
[*]client signing = yes
[*]client use spnego = yes
[*]kerberos method = secrets and keytab
[*]password server = mustang.example.com
[*]realm = example.COM
[*]security = ads
[/list]
I wrote a script for windows here. Look threw the sssd.conf file I added some comments to it. Maybe something helpful?
https://forum.openmediavault.o…Directory-LDAP-Revisited/

How many users do you have?

Yeah, not sure why it's such an issue...seems that I have a total disconnect between the OS and OMV...

This was a clean installation, so not sure whether something has changed since this guide was written. I've been careful not to install other components or mess with any other settings. Manual instructions seem to prefer "realm join", whereas non-OMV solutions tend seem to prefer winbind as means to joining the directory server.

Haha, I only have 2 users and around 5 groups. Pointless I know, but this is a homely setup that I'm trying out with a view to deploying on a larger scale outside of the home. So far, not having much luck. :-/

I'll take a look at the options and post back.

Cheers.

It is always something simple hidden in plain site.