Easy Active Directory integration of OMV 5 with PBIS Open

  • Hi all,


    New user to Openmediavault here.


    Been doing some testing recently as I have a Windows file server that I am planning to upgrade after about 11 years of solid service (Down to my last 300 GB free on a 14TB RAID5 array built in 2010) and I want to go from hardware RAID to ZFS storage. (I don't like FreeBSD so TrueNAS is out so I want to go with a Linux based NAS that can do ZFS.)


    I am liking my experience with Openmediavault so far, and it has even got me experimenting with Docker, something I have avoided for a long time as until now I have normally just spun up a full new VM in VMWare ESXi whenever I have a new service I want to run, but I can see a few use cases for Docker for me now.

    I have built a couple of test servers in VMWare ESXi to test different things and been making good progress.


    The thing that held me up was reliable and easy Active Directory integration.

    I have an Active Directory, Domain Controller running on a Windows 2019 server and I want to keep centralized authentication from that DC.


    I know that subject has been discussed at length before in multiple threads on these forums, and the main two threads that I based my initial experimentation off being

    Guide to OMV 4 Active Directory Integration

    Active Directory / LDAP Revisited


    The older guides in those threads use SSSD, and the newer guides near the end use WinbindD.
    While SSSD does work and it will successfully pull users from AD into the Linux PAM, and things like sudo and SSH group settings pulled successfully from AD and displayed in the OMV web interface, I discovered when I wanted to create some test shares that Samba discontinued support for SSSD in version 4.8.
    And the current version of OMV 5 uses Samba 4.9 so that was a dead end.


    Another guide towards the end of one of those threads uses WinbindD.

    That also works.

    And Samba was happy to use it as well.
    It pulled my groups and users from AD and I could see them in the web interface, settings groups for sudo and SSH access using AD groups also worked.

    However I discovered that WinbindD reliability is a bit hit and miss, especially pulling user updates regularly from AD (eg it took half an hour after I added a user to a group in AD before WinbindD finally updated), and available troubleshooting tools for WinbindD are a bit lacking, lastly it is a rather ancient piece of software.


    Then a mate put me onto PBIS Open as he swears by it because he uses it for Linux server AD integration for literally hundreds of Linux machines at a few companies he contracts for.

    https://github.com/BeyondTrust/pbis-open

    This ended up being by far the easiest of all the AD suggestions I read about to get working.


    Took me about 3 minutes to have the server joined to my domain, and then another 5 minutes to have Samba sharing things using AD users, and 5 more minutes to have sudo and SSH groups working from my domain controller.


    I found the previous guides from those earlier threads, while very well meaning, difficult to follow and took a lot of time for me to get the domain join working.

    And in the case of SSSD I ended up with a wasted effort.


    So I decided I would put something back into the community by writing a guide for easy AD integration using pbis open.

    I will go through the exact steps I took to get pbis open working, and at the bottom I will link the references I used to figure these steps out.


    In my case my domain is - home.local

    The server name for the OMV test server is - omvpbistest

    The domain user I used for the join was - administrator

    However when I setup the final server instead of these test servers I will use a dedicated domain user for this instead of the domain administrator user for the join.



    First, make sure your server is up to date.

    You need to connect to your server via SSH and then sudo to root and then run apt upgrade

    Code
    sudo -i
    apt update && apt upgrade -y


    Next install pbis open.

    Download the latest release from here
    https://github.com/BeyondTrust/pbis-open/releases

    At time of writing this post the current version is 9.1.0 so the command would be

    Code
    wget https://github.com/BeyondTrust/pbis-open/releases/download/9.1.0/pbis-open-9.1.0.551.linux.x86_64.deb.sh

    Make the script executable

    Code
    chmod +x ./pbis-open-9.1.0.551.linux.x86_64.deb.sh

    Run the script we made executable just above to install pbis open, then change to the pbis open directory

    Code
    ./pbis-open-9.1.0.551.linux.x86_64.deb.sh
    cd /opt/pbis/bin/


    Next join to your domain.

    The format of the command is

    domainjoin-cli join [DomainName] [DomainAccount]

    in my case the exact command I used was

    Code
    domainjoin-cli join home.local administrator

    Check your domain join status with the command

    Code
    domainjoin-cli query


    After a short time your users should populate over to your OMV server.
    You can confirm you see your domain users and groups by using the commands

    Code
    getent passwd
    getent group

    Take note of the UID and GID that are being populated from the domain.
    In my case one of the lines returned from that command above was

    Quote

    HOME\administrator:PBIS:HOME\administrator:PBIS:28758694:285846737::/home/local/HOME/administrator:/bin/sh:287246887::/home/local/HOME/administrator:/bin/sh

    The UID's coming from my domain controller are a pretty high number, much higher than the standard Linux UIDs, so you have to edit login.defs so they show up in the OMV web admin.

    Easiest way is to take note of how long the UID numbers are, and just make a number from that.

    eg in my case the UID above is
    28758694

    so the number I went with is (I just matched the number of digits)

    99999999

    Yes I know it is excessive, but it worked.
    There is likely a better way to do this step so I am happy to hear suggestions.


    Edit the file /etc/login.defs with your favourite text file editor. (I use VIM myself)

    Find these 2 lines

    Code
    UID_MAX
    GID_MAX

    Make copies of those 2 lines (In case you ever want the original value in the future) and comment out the copies by adding a # at the beginning of the copied lines.

    Then put in the number you worked out above in the original lines.

    eg

    Code
    UID_MAX 999999999
    GID_MAX 999999999

    Save the file.

    The AD users and groups should now show up in the OMV web admin.
    In the worst case it may require a reboot of the server, but I did not require a reboot myself for them to show up.


    Lastly we connect Samba to pbis open so AD auth for Samba shares will work.

    Code
    cd /opt/pbis/bin/
    ./samba-interop-install --check-version
    ./samba-interop-install --install


    In the OMV web admin in the Samba page you change a couple of settings.

    The WORKGROUP setting you change to the base part of your domain.

    In my case for my domain home.local I put in HOME


    And in the extra options window down the bottom I put the following - NOTE you will have to change the "realm", and "netbios name" lines for your own setup.

    Code
    realm = HOME.LOCAL
    security = ADS
    machine password timeout = 0
    netbios name = omvpbistest
    client signing = yes
    client use spnego = yes
    kerberos method = secrets and keytab


    After those steps I could create Samba shares, and assign permissions using the ACL in the "Shared Folders" section of OMV web admin and everything worked as expected.
    I could set Group permissions as well as individual User permissions all pulling authentication from my Domain Controller.

    Side note the username format to use when connecting to a samba share will be your full domain username prefixed with the domain itself - domain\username eg home\administrator


    Lastly for the power users, you may want to enable SSH and SUDO permissions for some domain users.


    I created 2 Domain groups on my domain controller, ssh and sudo

    When I run the command

    Code
    getent group

    They show up in the list like this

    Quote

    HOME\ssh:PBIS:287548640:

    HOME\sudo:PBIS:287348231:

    To enable SSH access for the domain ssh group you edit the file - /etc/ssh/sshd_config

    Find the line - AllowGroups

    and add the group to the end of that line.
    After adding it my line looks like

    Code
    AllowGroups root ssh HOME\ssh

    Save the file and restart the SSH service with the command - service ssh restart


    To enable SUDO access for the domain sudo group you edit the sudoers file using - visudo


    In my example for my own domain I added the lines at the bottom of the file

    Code
    #Allow AD sudo group to sudo
    %HOME\\sudo ALL=(ALL:ALL) ALL

    After those 2 changes I could then log in to the OMV server using any domain user that was a member of the - HOME\ssh group

    And I could also run sudo for any user that was ALSO a member of the - HOME\sudo group

    Small note the username to login with for SSH to use will be like Samba, in the format of - domain\username eg home\administrator


    Another small note is on first login the domain user will also get a home directory created in the directory - /home/local/domain_name/username

    I know the location of the automatically generated home directory can be changed if you want it saved on a bulk storage drive, I just can't remember right off the top of my head now how to do it.


    I think that covers it.


    That should be enough to get you started with easy connection of OMV to a Windows Active Directory domain, and have Samba working for pulling authentication for users from that domain, as well as managing group memberships.


    I hope this helps anyone trying to get OMV to play nice with Active Directory.


    References I used when I figured out these steps

    https://linoxide.com/configure-pbis-join-ubuntu-windows-ad/

    https://www.beyondtrust.com/do…bis-linux-admin-8-8-0.pdf

    https://www.beyondtrust.com/do…-administration-guide.pdf

    https://wiki.plecko.hr/doku.ph…ration:samba_ad_pbis_open

    https://askubuntu.com/question…ghts-to-a-ad-domain-group

    https://ostechnix.com/allow-de…ticular-user-group-linux/
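    The login.defs step above is the one the post admits has "likely a better way". The script below is an added example written for this thread, not code from the post or from the PBIS project: it takes a passwd line as printed by getent passwd, derives the all-9s UID_MAX/GID_MAX value by the post's digit-count rule, rewrites a login.defs file while keeping the original lines as commented copies (so running it twice does not stack copies), and checks whether a given domain UID now falls inside UID_MAX, which is the condition the OMV web admin needs to list the user. The login.defs contents, the user name and the GID in the demo are constructed placeholders; only the UID length follows the post. It assumes Debian's login.defs layout of KEY, whitespace, VALUE on one line.

    ```shell
    #!/bin/sh
    # Added example (not from the original post): automate the login.defs step.
    # Rule of thumb from the post: take a domain UID from `getent passwd`, count
    # its digits, and set UID_MAX/GID_MAX to an all-9s number of the same length,
    # keeping the original lines as commented copies.
    # Assumes Debian's login.defs layout (KEY, whitespace, VALUE on one line).

    # Print an all-9s number with as many digits as the UID (field 3) of passwd line $1.
    uid_ceiling() {
        uid=$(printf '%s\n' "$1" | cut -d: -f3)
        printf '%s\n' "$uid" | awk '{ s = ""; for (i = 0; i < length($0); i++) s = s "9"; print s }'
    }

    # Print the current value of key $2 (e.g. UID_MAX) from login.defs file $1.
    get_id_max() {
        awk -v k="$2" '$1 == k { print $2 }' "$1"
    }

    # Rewrite UID_MAX and GID_MAX in file $1 to value $2. Each original line is
    # kept as a '#' comment so the old value can be restored later. A commented
    # line has "#UID_MAX" as its first field, so a second run does not match it.
    set_id_max() {
        awk -v v="$2" '
            $1 == "UID_MAX" || $1 == "GID_MAX" {
                print "#" $0
                printf "%s\t\t\t%s\n", $1, v
                next
            }
            { print }
        ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
    }

    # Return 0 if UID $2 is at or below UID_MAX in file $1 (i.e. OMV's UI will list it).
    uid_visible() {
        max=$(get_id_max "$1" UID_MAX)
        [ "$2" -le "$max" ]
    }

    # Demo on a constructed login.defs copy and a constructed passwd line
    # (user name and GID are placeholders; the UID length matches the post).
    SAMPLE='HOME\exampleuser:PBIS:28758694:285846737::/home/local/HOME/exampleuser:/bin/sh'
    DEMO=$(mktemp)
    cat > "$DEMO" <<'EOF'
    UID_MIN              1000
    UID_MAX             60000
    GID_MIN              1000
    GID_MAX             60000
    EOF
    ceiling=$(uid_ceiling "$SAMPLE")
    echo "domain UID $(printf '%s' "$SAMPLE" | cut -d: -f3): ceiling $ceiling"
    uid_visible "$DEMO" 28758694 || echo "before: UID hidden (UID_MAX $(get_id_max "$DEMO" UID_MAX))"
    set_id_max "$DEMO" "$ceiling"
    uid_visible "$DEMO" 28758694 && echo "after: UID visible (UID_MAX $(get_id_max "$DEMO" UID_MAX))"
    rm -f "$DEMO"
    ```

    To use it on a real server, replace the constructed SAMPLE with one line from getent passwd for a domain user and run set_id_max against /etc/login.defs as root. The digit-count rule only guarantees visibility for UIDs of that length; a domain that hands out longer IDs later would need the ceiling raised again, which uid_visible will tell you.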

  • Thank ye gods and little fishes. That was probably the easiest method I've seen to accomplish the task. A small note for SMB with the above however:

    1. Error: ERROR_GEN_FAILURE [code 0x0000001f] will result if you don't allow SMB 2.0 as a minimum protocol
    2. ERROR_ACCESS_DENIED [code 0x00000005] will result if you force Transport Encryption and/or signing (I made both client defined)

    Once I triaged those anomalies on the Synology (Don't call me Active Directory) Directory Server the instructions were flawless and easy. Thanks!

  • Thanks for posting this. Unfortunately from the readme for the project. https://github.com/BeyondTrust…pen/blob/master/README.md "BeyondTrust AD Bridge Open is no longer maintained and will be archived." Not good for future updates.


    I have a question for you if you don't mind. You said "I discovered when I want to create some test shares that Samba discontinued support for SSSD in version 4.8.". Could you point me to a link about that? I am working on getting AD integration working for omv6. I have it working but not happy with it yet. This info might be a big help.

    Thanks

    If you make it idiot proof, somebody will build a better idiot.

  • Quote

    Thanks for posting this. Unfortunately from the readme for the project. https://github.com/BeyondTrust…pen/blob/master/README.md "BeyondTrust AD Bridge Open is no longer maintained and will be archived." Not good for future updates.

    I have a question for you if you don't mind. You said "I discovered when I want to create some test shares that Samba discontinued support for SSSD in version 4.8.". Could you point me to a link about that? I am working on getting AD integration working for omv6. I have it working but not happy with it yet. This info might be a big help.

    Thanks

    I'd love to help, but alas I'm still working to learn the necessary skills to do the task manually myself. While I got past the errors above I also can't seem to get the share to work properly unless I go through the GUI -- and as you observed, the easy-breezy solution above has issues and is unmaintained for two years. However, the above library did allow me to hook into OMV and the users ... but I'm still trying to figure out how to repeat that fact without the bridge software.

    My revisited script above worked and continues to work from whatever that date was. Installed a fresh vm and it didn't. I am still using 2012R2 so see if it works on 2019. About all I had to do was add libwbclient-sssd. I added a fixad.sh script that can be run if after some update the db gets corrupt. With a bit of luck it will work on OMV6.


    Copied from old post.


    Here is a script that will join an OMV to a windows active directory domain.


    • I always need to fix /etc/nsswitch.conf. Could be done with some sed magic.
    • Setup samba/cifs and add stuff from below to extra options. Again could be done with some sed magic, but probably wouldn't show in web ui.
    • Create Join-ad.sh. nano Join-ad.sh Paste code below into.
    • chmod +x Join-ad.sh
    • Run the script Join-ad.sh ./Join-ad.sh . reboot or try systemctl stop sssd.service && rm /var/lib/sss/db/* && rm /var/log/sssd/* && systemctl start sssd.service
    • Did it work?


    Code

    New script.

    If you make it idiot proof, somebody will build a better idiot.

  • Hi donh ,
    I have followed the instructions in the thread guide-to-omv-4-active-directory-integration

    you participated in.

    I use OMV 5.6.23.1.
    my AD domain is more than 50K users.
    I tried:

    id first.last
    it takes a long time but I get the user information.

    getent passwd first.last
    doesn't return anything

    Then

    getent passwd first.last@domain.tld

    does return information


    then running:

    getent passwd

    shows the local users and the only AD user: first.last


    but I don't see the 50K users...

    Then in the OMV GUI, Users... Loading it takes time and shows communication failure

    Any idea on this ?
    By the way where can I find the script you mentioned ?

    Thanks

  • I have never tried with more than 30 users. My guess is I have maybe disabled caching and maybe that would help in your case. There may be some time limits too for the connection. I will look at it over the weekend and see if I see anything.


    What server version are you trying to connect to?

    If you make it idiot proof, somebody will build a better idiot.

  • Hi,
    the domain level is WS2008R2

    DCs are probably WS2012.
    Is there a way to narrow user account discovery to a specific OU which will reduce a lot the number of users ?

  • Look at this thread. It worked for me.

    Active Directory / LDAP Revisited

    You can limit results in the sssd.conf file.

    Code
    # Enumeration is discouraged for performance reasons.
    # OMV needs True to show users in ui and acl
    enumerate = True
    # timeout (integer)
    #### The default value for this parameter is 10 seconds.
    # This get the users in range to show in UI and ACL
    ldap_idmap_range_min = 20000
    # ldap_idmap_range_max = 60000 ### Does not seem to work # ### Causes not able to start
    # If unneeded users or other objects show.
    # Use "dsquery user -name * " to see on windows with powershell
    #ldap_user_search_base = OU=SBSUsers,OU=Users,OU=MyBusiness,DC=example,DC=com
    # ldap_user_search_base = CN=Users,DC=example,DC=com

    I have not tried the script in some time and there have been changes to samba since. I have tried to get it working on OMV6 but that is not finished yet.

    If you make it idiot proof, somebody will build a better idiot.

  • Hi so I added in sssd.conf:


    ldap_search_base = my domain
    ldap_user_search_base = my user OU

    ldap_group_search_base = my group OU

    ldap_search_timeout = 120

    ldap_enumeration_search_timeout = 180


    and in login.defs:

    UID_MAX 999999999
    GID_MAX 999999999


    then getent passwd returns the local users and the 200 AD users remaining after filtering.

    Though OMV GUI still doesn't show the users and return the error (communication failure) after 60 seconds.
    Do you know what OMV is checking the users against and how ?

    does it need a cache, and if so how should I check it ?
