Easy Active Directory integration of OMV 5 with PBIS Open

vk2amv · Jun 1st 2021

Hi all,

New user to Openmediavault here.

Been doing some testing recently as I have a Windows file server that I am planning to upgrade after about 11 years of solid service (Down to my last 300 GB free on a 14TB RAID5 array built in 2010) and I want to go from hardware RAID to ZFS storage. (I don't like FreeBSD so TrueNAS is out so I want to go with a Linux based NAS that can do ZFS.)

I am liking my experience with Openmediavault so far, and it has even got me experimenting with Docker, something I have avoided for a long time as up til now I have normally just spun up a full new VM in VMWare ESXi whenever I have a new service I want to run, but I can see a few use cases for Docker for me now.

I have built a couple of test servers in VMWare ESXi to test different things and been making good progress.

The thing that held me up was reliable and easy Active Directory integration.

I have an Active Directory, Domain Controller running on a Windows 2019 server and I want to keep centralized authentication from that DC.

I know that subject has been discussed at length before in multiple threads on these forums, and the main two threads that I based my initial experimentation off being

Guide to OMV 4 Active Directory Integration

Active Directory / LDAP Revisited

The older guides in those threads use SSSD, and the newer guides near the end use WindbindD
While SSSD does work and it will successfully pull users from AD into the Linux PAM and I things like sudo and SSH group settings pulled successfully from AD and displayed in the OMV web interface, I discovered when I want to create some test shares that Samba discontinued support for SSSD in version 4.8.
And the current version of OMV 5 uses Samba 4.9 so that was a dead end.

Another guide towards the end of one of those threads uses WinbindD.

That also works.

And Samba was happy to use it as well.
It pulled my groups and users from AD and I could see them in the web interface, settings groups for sudo and SSH access using AD groups also worked.

However I discovered that WinbindD reliability is a bit hit and miss, especially pulling user updates regularly from AD (eg it took half an hour after I added a user to a group in AD before WindbinD finally updated), and available troubleshooting tools for WinbindD are a bit lacking, lastly it is a rather ancient piece of software.

Then a mate put me onto PBIS Open as he swears by it because he uses it for Linux server AD integration for literally hundreds of Linux machines at a few companies he contracts for.

https://github.com/BeyondTrust/pbis-open

This ended up being by far the easiest of all the AD suggestions I read about to get working.

Took me about 3 minutes to have the server joined to my domain, and then another 5 minutes to have Samba sharing things using AD users, and 5 more minutes to have sudo and SSH groups working from my domain controller.

I found the previous guides from those earlier threads, while very well meaning, difficult to follow and took a lot of time for me to get the domain join working.

And in the case of SSSD I ended up with a wasted effort.

So I decided I would put something back into the community by writing a guide for easy AD integration using pbis open.

I will go through the exact steps I took to get pbis open working, and at the bottom I will link the references I used to figure these steps out.

In my case my domain is - home.local

The server name for the OMV test server is - omvpbistest

The domain user I used for the join was - administrator

However when I setup the final server instead of these test servers I will use a dedicated domain user for this instead of the domain administrator user for the join.

First install make sure your server is up to date.

You need to connect to your server via SSH and then sudo to root and then run apt upgrade

Code

sudo -i
apt update && apt upgrade -y

Next install pbis open.

Download the latest release from here
https://github.com/BeyondTrust/pbis-open/releases

At time of writing this post the current version is 9.1.0 so the command would be

Code

wget https://github.com/BeyondTrust/pbis-open/releases/download/9.1.0/pbis-open-9.1.0.551.linux.x86_64.deb.sh

Make the script executible

Code

chmod +x ./pbis-open-9.1.0.551.linux.x86_64.deb.sh

Run the script we made executable just above to install pbis open then change to the pbis open directory

Code

cd /opt/pbis/bin/

Next join to your domain.

The format of the command is

domainjoin-cli join [DomainName [DomainAccount]

in my case the exact command I used was was

Code

domainjoin-cli join home.local administrator

Check your domain join status with the command

Code

domainjoin-cli query

After a short time your users should populate over to your OMV server.
You can confirm you see your domain users and groups by using the commands

Code

getent passwd
getent group

Take note of the UID and GID that is being populated from the domain.
In my case one of the lines returned from that command above was

Quote

HOME\administrator:PBIS:HOME\administrator:PBIS:28758694:285846737::/home/local/HOME/administrator:/bin/sh:287246887::/home/local/HOME/administrator:/bin/sh

The UID's coming from my domain controller are a pretty high number, much higher than the standard Linux UIDs, so you have to edit login.defs so they show up in the OMV web admin.

Easiest way is to take note of how long the UID numbers are, and just make a number from that.

eg in my case the UID above is
28758694

so the number I went with is (I just matched the number of digits)

99999999

Yes I know it is excessive, but it worked.
There is likely a better way to do this step so I am happy to hear suggestions.

Edit the file /etc/login.defs with your favourite text file editor. (I use VIM myself)

Find these 2 lines

Code

UID_MAX
GID_MAX

Make copies of those 2 lines (In case you ever want the original value in the future) and comment out the copies by adding a # at the beginning of the copied lines.

Then put in the number you worked out above in the original lines.

eg

Code

UID_MAX 999999999
GID_MAX 999999999

Save the file.

The AD users and groups should now show up in the OMV web admin.
At worst case it may require a reboot of the server, but I did not require a reboot myself for them to show up.

Lastly we connect Samba to pbis open so AD auth for Samba shares will work.

Code

cd /opt/pbis/bin/
./samba-interop-install --check-version
./samba-interop-install --install

In the OMV web admin in the Samba page you change a couple of settings.

The WORKGROUP setting you change to the base part of your domain.

In my case for my domain home.local I put in HOME

And in the extra options window down the bottom I put the following - NOTE you will have to change the "realm", and "netbios name" lines for your own setup.

Code

realm = HOME.LOCAL
security = ADS
machine password timeout = 0
netbios name = omvpbistest
client signing = yes
client use spnego = yes
kerberos method = secrets and keytab

After those steps I could create Samba shares, and assign permissions using the ACL in the "Shared Folders" section of OMV web admin and everything worked as expected.
I could set Group permissions as well as individual User permissions all pulling authentication from my Domain Controller.

Side note the username format to use when connecting to a samba share will be your full domain username prefixed with the domain itself - domain\username eg home\administrator

Lastly for the power users, you may want to enable SSH and SUDO permissions for some domain users.

I created 2 Domain groups on my domain controller, ssh and sudo

When I run the command

Code

getent group

They show up in the list like this

Quote

HOME\ssh:PBIS:287548640:

HOME\sudo:PBIS:287348231:

To enable SSH access for the domain ssh group you edit the file - /etc/ssh/sshd_config

Find the line - AllowGroups

and add the group to the end of that line.
After adding it my line looks like

Code

AllowGroups root ssh HOME\ssh

Save the file and restart the SSH service with the command - service ssh restart

To enable SUDO access for the domain sudo group you edit the sudoers file using - visudo

In my example for my own domain I added the lines at the bottom of the file

Code

#Allow AD sudo group to sudo
%HOME\\sudo ALL=(ALL:ALL) ALL

After those 2 changes I could then login into the OMV server using any domain user that was a member of the - HOME\ssh group

And I could also run sudo for any user that was ALSO a member of the - HOME\sudo group

Small note the username to login with for SSH to use will be like Samba, in the format of - domain\username eg home\administrator

Another small note is on first login the domain user will also get a home directory created in the directory - /home/local/domain_name/username

I know the location of the automatically generated home directory can be changed if you want it saved on a bulk storage drive, I just can't remember right off the top of my head now how to do it.

I think that covers it.

That should be enough to get you started with easy connection of OMV to a Windows Active Directory domain, and have Samba working for pulling authentication for users from that domain, as well as managing group memberships.

I hope this helps anyone trying to get OMV to play nice with Active Directory.

References I used when I figured out these steps

https://linoxide.com/configure-pbis-join-ubuntu-windows-ad/

https://www.beyondtrust.com/do…bis-linux-admin-8-8-0.pdf

https://www.beyondtrust.com/do…-administration-guide.pdf

https://wiki.plecko.hr/doku.ph…ration:samba_ad_pbis_open

https://askubuntu.com/question…ghts-to-a-ad-domain-group

https://ostechnix.com/allow-de…ticular-user-group-linux/

borland502 · Dec 11th 2021

Thank ye gods and little fishes. That was probably the easiest method I've seen to accomplish the task. A small note for SMB with the above however:

Error: ERROR_GEN_FAILURE [code 0x0000001f] will result if you don't allow SMB 2.0 as a minimum protocol
ERROR_ACCESS_DENIED [code 0x00000005] will result if you force Transport Encryption and/or signing (I made both client defined)

Once I triaged those anomalies on the Synology (Don't call me Active Directory) Directory Server the instructions were flawless and easy. Thanks!

donh · Dec 12th 2021

Thanks for posting this. Unfortunately from the readme for the project. https://github.com/BeyondTrust…pen/blob/master/README.md "BeyondTrust AD Bridge Open is no longer maintained and will be archived." Not good for future updates.

I have a question for you if you don't mind. You said "I discovered when I want to create some test shares that Samba discontinued support for SSSD in version 4.8.". Could you point me to a link about that? I am working on getting AD integration working for omv6. I have it working but not happy with it yet. This info might be a big help.

Thanks

borland502 · Dec 18th 2021

Quote from donh

Thanks for posting this. Unfortunately from the readme for the project. https://github.com/BeyondTrust…pen/blob/master/README.md "BeyondTrust AD Bridge Open is no longer maintained and will be archived." Not good for future updates.

I have a question for you if you don't mind. You said "I discovered when I want to create some test shares that Samba discontinued support for SSSD in version 4.8.". Could you point me to a link about that? I am working on getting AD integration working for omv6. I have it working but not happy with it yet. This info might be a big help.
Thanks

I'd love to help, but alas I'm still working to learn the necessary skills to do the task manually myself. While I got past the errors above I also can't seem to get the share to work properly unless I go through the GUI -- and as you observed, the easy-breezy solution above has issues and is unmaintained for two years. However, the above library did allow me to hook into OMV and the users ... but I'm still trying to figure out how to repeat that fact without the bridge software.

donh · Dec 20th 2021

My revisited script above worked and continues to work from whatever that date was. Installed a fresh vm and it didn't. I am still using 2012R2 so see if it works on 2019. About all I had to do was add libwbclient-sssd. I added a fixad.sh scrip that can be run if after some update the db gets corrupt. With a bit of luck it will work on OMV6.

Copied from old post.

Here is a script that will join an OMV to a windows active directory domain.

I always need to fix /etc/nsswitch.conf. Could be done with some sed magic.
Setup samba/cifs and add stuff from below to extra options. Again could be done with some sed magic, but probably wouldn't show in web ui.
Create Join-ad.sh. nano Join-ad.sh Paste code below into.
chmod +x Join-ad.sh
Run the script Join-ad.sh ./Join-ad.sh . reboot or try systemctl stop sssd.service && rm /var/lib/sss/db/* && rm /var/log/sssd/* && systemctl start sssd.service
Did it work?

Code

### Add below in extra options

### Change server name and realm to match yours

#Extra Options

client signing = yes

client use spnego = yes

kerberos method = secrets and keytab

password server = mustang.example.com

realm = EXAMPLE.COM

security = ads

Display More

New script.

Bash

#!/bin/bash

echo "Make sure date and time are correct."

date

sleep 3

apt-get update
apt-get dist-upgrade


# This script should join OMV 2 threw 5 Debian to an Active Directory domain.
# Adapted from a script here. http://www.alandmoore.com/blog/2015/05/06/joining-debian-8-to-active-directory/


if ! $(sudo which sssd 2>/dev/null); then
    apt-get install krb5-user krb5-config sssd libpam-sss libnss-sss sssd-tools libsss-sudo libsasl2-modules-gssapi-mit libwbclient-sssd
fi 


# Get domain and user


echo "Please enter the domain you wish to join: UPPER CASE?"
read DOMAIN


echo "Please enter a domain admin login to use: "
read ADMIN


# create /sssd.conf


echo "[sssd]
services = nss, pam, pac, ssh
config_file_version = 2
domains = EXAMPLE.COM


[domain/EXAMPLE.COM]
id_provider = ad
access_provider = ad
auth_provider = ad
chpass_provider = ad
#ldap_schema = rfc2307bis
#ldap_schema = ad
ldap_idmap_autorid_compat = True
# Enumeration is discouraged for performance reasons.
# OMV needs True to show users in ui and acl
enumerate = True
# timeout (integer)     #### The default value for this parameter is 10 seconds.
# This get the users in range to show in UI and ACL
ldap_idmap_range_min = 20000
# ldap_idmap_range_max = 60000    ### Does not seem to work 
#                                ### Causes not able to start
# If unneeded users or other objects show.
# Use "dsquery user -name * "  to see on windows with powershell
#ldap_user_search_base = OU=SBSUsers,OU=Users,OU=MyBusiness,DC=example,DC=com
# ldap_user_search_base = CN=Users,DC=example,DC=com
# Use this if users are being logged in at /.  OMV does this. Otherwise not tested
# This example specifies /home/DOMAIN-FQDN/user as $HOME.  Use with pam_mkhomedir.so
#override_homedir = /home/%u
#ldap_user_email = email  # Could this fill the email field? might not be in this version
#ldap_user_search_base = dc=example,dc=com
#ldap_group_search_base = dc=example,dc=com
#ldap_user_object_class = user
#ldap_user_name = sAMAccountName
#ldap_user_fullname = displayName                ### Seems to be maps to comment in OMV?
#ldap_user_home_directory = unixHomeDirectory
#ldap_user_principal = userPrincipalName
#ldap_group_object_class = group
#ldap_group_name = sAMAccountName                ### Seems to be maps to Name in OMV?
# Unused options
#ldap_idmap_default_domain = example.com
#ldap_id_mapping = True
#default_domain_suffix = example.com
#ldap_access_order = expire
#ldap_account_expire_policy = ad
#ldap_force_upper_case_realm = true
#ldap_user_search_base = dc=example,dc=com
#ldap_group_search_base = dc=example,dc=com
#ldap_user_object_class = user
#ldap_user_name = sAMAccountName
#ldap_user_fullname = displayName
#ldap_user_home_directory = unixHomeDirectory
#ldap_user_principal = userPrincipalName
#ldap_group_object_class = group
#ldap_group_name = sAMAccountName
# ldap_id_mapping = True
# Uncomment if the client machine hostname doesn't match the computer object on the DC.
# ad_hostname = mymachine.EXAMPLE.com
# Uncomment if DNS SRV resolution is not working
# ad_server = dc.mydomain.example.com
# Uncomment if the AD domain is named differently than the Samba domain
# ad_domain = EXAMPLE.COM
# filter_groups = 
# For other options see "man sssd.conf"
# https://jhrozek.wordpress.com/2015/03/11/anatomy-of-sssd-user-lookup/" > /etc/sssd/sssd.conf


# Fix permisions


chmod 0600 /etc/sssd/sssd.conf


sed -i 's/EXAMPLE.COM/'"$DOMAIN"'/g' /etc/sssd/sssd.conf


# TODO
# Add test to see if $DOMAIN passes dns tests
# Add test to see if $DOMAIN passes krb5.conf tests


echo "If join fails please check /etc/nsswitch.conf and /etc/krb5.conf"


# Join domain


kinit $ADMIN
net ads join -k

### create fixad.sh

echo "#!/bin/bash
systemctl stop sssd.service
rm /var/lib/sss/db/*
systemctl start sssd.service" > /root/fixad.sh
chmod +x /root/fixad.sh
/root/fixad.sh

echo "Please reboot"

exit

Display More

kitru870 · Jan 14th 2022

Hi donh ,
I have followed the instructions in the thread guide-to-omv-4-active-directory-integration

you participated in.

I use OMV 5.6.23.1.
my AD domain is more than 50K users.
I tried:

id first.last
it takes a long time but I get the user information.

getent passwd first.last
doesn't return anything

Then

getent passwd first.last@domain.tld

does return information

then running:

getent passwd

shows the local users and the only AD user: first.last

but I don't see the 50K users...

Then in the OMV GUI, Users... Loading it takes time and shows communication failure

Any idea on this ?
By the way where can I find the script you mentionned ?

Thanks

donh · Jan 14th 2022

I have never tried with more than 30 users. My guess is I have maybe disabled caching and maybe that would help in your case. There may be some time limits too for the connection. I will look at it over the weekend and see if I see anything.

What server version are you trying to connect to?

kitru870 · Jan 17th 2022

Hi,
the domain level is WS2008R2

DCs are probably WS2012.
Is there a way to narrow user account discovery to a specific OU which will reduce a lot the number of users ?

donh · Jan 17th 2022

Look at this thread. It worked for me.

Active Directory / LDAP Revisited

You can limit results in the sssd.conf file.

# Enumeration is discouraged for performance reasons. # OMV needs True to show users in ui and acl enumerate = True # timeout (integer) #### The default value for this parameter is 10 seconds. # This get the users in range to show in UI and ACL ldap_idmap_range_min = 20000 # ldap_idmap_range_max = 60000 ### Does not seem to work # ### Causes not able to start # If unneeded users or other objects show. # Use "dsquery user -name * " to see on windows with powershell #ldap_user_search_base = OU=SBSUsers,OU=Users,OU=MyBusiness,DC=example,DC=com # ldap_user_search_base = CN=Users,DC=example,DC=com I have not tried the script in some time and there have been changes to samba since. I have tried to get it working on OMV6 but that is not finished yet.

kitru870 · Jan 19th 2022

Hi so I added in sssd.conf:

ldap_search_base = my domain
ldap_user_search_base = my user OU

ldap_group_search_base = my group OU

ldap_search_timeout = 120

ldap_enumeration_search_timeout =180

and in login.defs:

UID_MAX 999999999
GID_MAX 999999999

then getent passwd returns the local users and the 200 AD users remaining after filtering.

Though OMV GUI still doesn't show the users and return the error (communication failure) after 60 seconds.
Do you know what OMV is checking the users against and how ?

does it need a cache, and if so how should I check it ?

jodumont · Mar 28th 2022

Quote from vk2amv

I don't like FreeBSD so TrueNAS is out so I want to go with a Linux based NAS that can do ZF

I know this is quite an old post, but now TrueNas SCALE is based on Debian

Easy Active Directory integration of OMV 5 with PBIS Open

macom Jun 1st 2021

Participate now!

Tags