OMV 6.X (RC1) Active Directory

    • Official Post

    This is for OMV6. Here is a newer version for OMV7.

    Both seem to be working but read the whole thread because others have contributed to them.


    Thanks


    Update:

    This seems to be working fine and surviving updates. There is some info about ftp and ssh in the 8th post. Thanks to WiiFriik for that. Please read the whole thread before trying this. There are a few recommendations for other servers.

    For FreeIPA AD see RE: OMV 6.X (RC1) Active Directory. Thanks MacroMars


    Feedback welcome.

    If anybody can write a plugin that would be welcome.


    This is early so try at your own risk. It works with my 2012r2 server. That is all I have to test against. Hopefully it works with other AD servers. No idea if this will work on other than x86 hardware or VM. See post 14 below for Samba AD controller. Thanks.


    The goal is to only use Debian packages and do as little manipulation as possible. I wanted to do it with sssd only and not include winbind but could not get it to work. Adding winbind later seems to be necessary, or realm will use winbind and I was not able to get it working that way.


    These are my notes and I hope the format is readable. I use ssh as root to enter the commands. I think the order is important but some of the apt commands can probably be combined.


    #######

    Domain = example.com

    There are two domain controllers, dc1 and dc2; both are also DNS servers

    #######


    Clean install of 6.0-34 ISO

    Might work for existing install but not tested

    Be sure to set domain name

    root@omvad3:~# apt update

    root@omvad3:~# apt dist-upgrade

    Could be done in web ui. Not tested

    Reboot to run the new kernel


    In web ui apply the changes

    Be sure these are correct

    If you use dhcp it may be ok but check these!

    Set ntp to domain time server and time zone

    If more than one, use a comma separator and no spaces

    Set network to static and domain dns servers


    root@omvad3:~# apt install realmd policykit-1

    Will install some dependencies too

    root@omvad3:~# realm discover example.com

    Should give details including "client-software: sssd"

    root@omvad3:~# apt install sssd sssd-tools libnss-sss libpam-sss adcli samba-common-bin packagekit-tools

    Will install some dependencies too

    root@omvad3:~# realm join example.com -U donadmin

    root@omvad3:~# systemctl status sssd

    Should report "Active: active (running)"

    root@omvad3:~# apt install libsss-simpleifp0 libsss-sudo

    root@omvad3:~# sssctl domain-list

    Should show your domain

    root@omvad3:~# id donadmin@example.com

    Should show info about user

    root@omvad3:~# sssctl domain-status example.com

    Should show info about domain

    Online status: Online

    Active servers:

    AD Global Catalog: dc1.example.com

    AD Domain Controller: dc1.example.com

    Discovered AD Global Catalog servers:

    - dc1.example.com

    - dc2.example.com

    Discovered AD Domain Controller servers:

    - dc1.example.com

    - dc2.example.com


    In the web ui set up SMB/CIFS

    Set workgroup in capital letters

    Home directories not tested but might work

    Can be added later

    In extra options set this


    security = ads

    kerberos method = secrets and keytab

    realm = EXAMPLE.COM

    winbind enum users = yes

    winbind enum groups = yes

    # Default ID mapping configuration using the rid

    # idmap backend. This will work out of the box for simple setups

    # as well as complex setups with trusted domains.

    idmap config * : backend = tdb

    idmap config * : range = 3000-7999

    idmap config EXAMPLE : backend = rid

    idmap config EXAMPLE : range = 10000-9999999

    winbind use default domain = yes


    root@omvad3:~# apt install winbind libsss-sudo libnss-winbind libpam-winbind libwbclient0

    root@omvad3:~# cp /etc/nsswitch.conf /etc/nsswitch.conf.bak

    root@omvad3:~# nano /etc/nsswitch.conf

    Change these two lines

    passwd: files sss

    group: files sss

    to

    passwd: files winbind

    group: files winbind


    root@omvad3:~# net rpc join -U donadmin

    or

    root@omvad3:~# net ads join -U donadmin



    root@omvad3:~# reboot #May not be needed


    ####

    Users and Groups from the domain should show in the web ui now

    Create a share and you should be able to add acl as needed


    Suggestions and other input welcome.

    Good luck

    Thanks



    FYI

    System Information
    Hostname: omvad3.jhcopiers.com
    Version: 6.0.15-1 (Shaitan)
    Processor: AMD Opteron(tm) Processor 6366 HE
    Kernel: Linux 5.15.0-0.bpo.3-amd64
    System time: 3/4/2022, 11:51:48 AM
    Uptime: an hour
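    The nsswitch.conf step above is the one place the guide edits a system file by hand. As an added example (my own script, not part of donh's post), here is the same change done as a repeatable edit: it keeps the .bak copy the guide makes, only touches the passwd and group databases, leaves lines that already name winbind alone, and lets you read back what each database resolves from. The sample nsswitch.conf it writes is constructed; on a real box you would pass /etc/nsswitch.conf.

```shell
#!/bin/bash
# Added example, not from the forum post: switch the passwd/group NSS
# sources from sss to winbind as the guide describes, as a repeatable edit
# that keeps a backup and checks the result instead of hand-editing in nano.
set -eu

# nss_source FILE DB : print the source list configured for DB ("passwd", "group", ...)
nss_source() {
    awk -v key="$2:" '$1 == key { $1 = ""; sub(/^[ \t]+/, ""); print; exit }' "$1"
}

# switch_nss_to_winbind FILE : rewrite the "passwd:" and "group:" lines so that
# "sss" becomes "winbind". Lines that already use winbind are left alone, so
# running this twice is harmless; other databases (hosts, shadow, ...) are untouched.
switch_nss_to_winbind() {
    file="$1"
    cp -p "$file" "$file.bak"   # same safety net as the guide's nsswitch.conf.bak
    sed -E '/^(passwd|group):/{ /winbind/!s/([[:space:]])sss([[:space:]]|$)/\1winbind\2/; }' \
        "$file" > "$file.tmp"
    mv "$file.tmp" "$file"
}

# make_sample_nsswitch FILE : constructed copy of the lines a freshly
# realm-joined box has (only the databases that matter here).
make_sample_nsswitch() {
    cat > "$1" <<'EOF'
passwd:         files sss
group:          files sss
shadow:         files
hosts:          files dns
EOF
}

# Stand-alone run on a temporary copy: ./nss-winbind.sh --demo
# On a real box pass /etc/nsswitch.conf, then confirm with "getent passwd"
# (as the thread does) that domain users now come from winbind.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    make_sample_nsswitch "$tmp"
    switch_nss_to_winbind "$tmp"
    echo "passwd: $(nss_source "$tmp" passwd)"
    echo "group:  $(nss_source "$tmp" group)"
    rm -f "$tmp" "$tmp.bak"
fi
```

    The edit is deliberately narrow: winbind only replaces sss for passwd and group, which is exactly what the guide changes, so hosts stays on files dns and DNS resolution of the domain controllers is not affected.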

    • Official Post

    I think OMV may not restart winbind when it may be needed. So if things get wonky after applying something, I wrote a small script to restart and clear the AD db. Not sure if there might be others but this has worked so far.


    Update 3/23: apt install needrestart may be enough. Also please check for ls -la /etc/krb5.keytab. It may be getting modified by some updates. Joining the network might fix this. net join -U donadmin


    nano Fix-ad.sh

    #!/bin/bash
    # Stop everything that caches domain identities, clear the sssd cache db, start again
    systemctl stop sssd smbd nmbd winbind
    rm /var/lib/sss/db/*
    systemctl start sssd smbd nmbd winbind
    exit 0


    chmod +x Fix-ad.sh

    ./Fix-ad.sh

    • Official Post

    Small update to the first post to fix some startup errors.


    I think it is running good enough and would encourage others to try it and let us know how it goes.


    First, FTP causes slow boot. So if not using it:

    services ftp enable

    save and apply

    service ftp disable

    save and apply


    I think this can be done after finishing the first post. But could also be done after joining the domain once the sssd.conf file is generated.


    nano /etc/sssd/sssd.conf


    On the line that reads "services = " delete pam, nss and save. This should eliminate some errors on startup. I still see one about nfs but it seems harmless and could not find an easy answer.

    • Official Post

    Well I only see one person who has tried this so maybe nobody cares. It worked for him.


    It has been working well but it does not get much use so it is nice to see it works for a few hundred users.


    It would be nice to hear if it works with other OSes. Or how others are doing it.


    Anyway one more little tweak to clean the logs up. Add this to the smb extra options.

    server services = +winbind

    • Official Post

    There is a change coming that may affect AD.

  • Thanks for the description, it was really easy to follow also for a non-expert like me. Logging in via samba is working well for domain users, also the NFS shares for my mediaplayer are working like before with OMV 5. But I encounter some problems, which are surely caused by my missing knowledge about that stuff.


    Here are my open topics:

    • Logging in via ssh for domain users is not working (putty simply is crashing when I try that, using root user is working). I entered the following line in ssh extra options - "AllowGroups root ssh "domänen-benutzer"", because german domain.
    • Logging on to FTP (using FTP rush) is not working for domain users but for root user - I always get the error "Login incorrect" when trying with a domain user. I used this already with OMV 5 integrated in a AD, which was working fine.
    • I activated the "home directories" option in samba, then a folder "homes" is visible, but empty. I entered the location of my user directories in the samba extra options. Then they are also visible (folder "homes" also), but not accessible (would be an ACL problem I think).

    I think these problems are causing smiles in your faces, because they are probably simple to fix, but as I wrote in the beginning I'm no expert, I think noob is a better classification for my skills with linux and OMV stuff.


    Would be nice if you or someone else has the idea(s) and the time to help me in these cases.


    Finally I want to say, that I really appreciate all the work which is done here and the help which is given in this forum. Please excuse me if my problems are already solved in other posts in this forum and I haven't found them.

    • Official Post

    Thanks for testing. What AD are you connecting to?

    My goal was only to connect to AD for authentication of Samba. That is why you see the above. I have not used the other services for years. That said it should not be too hard to get them working. The users and groups are showing up with getent passwd and getent group and I think that is where OMV gets them from for the web ui. So I would think you should be able to create a share and assign groups and or users to it.


    Not sure why you want users ssh-ing to OMV. But from the ssh settings page: users must be assigned to the ssh group to be able to log in via SSH. So I guess you would need to create an "ssh user" in AD. Look at man sssd.conf; there is some stuff about the ssh service I think.


    Also I didn't try to manage AD from OMV.


    Please add what you learn so we can all learn also.


    PS: As you search you will find that even many experienced users are noobs at AD. Learn and share.

  • Hello, I'm using a Windows Server 2012 R2 as domain controller.

    Finally I've got everything working, and here is what I've done regarding my questions in post #6:

    1. Home directories
      - First step is making a shared folder (location of user files), this folder must not be integrated into any service, just be present.
      - In "Users" section of OMV activate "Home directories" under settings and choose the shared folder.
      - In "SMB/CIFS" section of services on the settings page enter two lines in "Extra Options":
      - template shell = /bin/bash (This line also is relevant for SSH login and FTP login)
      - template homedir = /srv/dev-disk-by-uuid-xxxxxxxxx-xxxx-xxx-xxxx-xxxxxxxxxxxxx/Folder-Name/%U
      (This is the complete path to the user home directories, for each user a folder must be present (named like the user))

      After accepting the changes, the user folder should be visible as shared folder when connecting via samba with OMV.
      If you want to automatically create a folder for the users on first logon in OMV, then maybe this post can help: Guide how to join OpenMediaVault 3.x in an Active Directory domain, look in the "Enable mkhomedir" section.
    2. Logging in with Domain-Users via SSH
      - Just enter the group which should have access via SSH in "Extra Options" of SSH service, like Allowgroups "domain users" ssh.
      - After accepting the changes in OMV WEB-UI it should be possible to login via ssh with domain users (or admins or...).
    3. Login via FTP using a domain user.
      - When points 1 and 2 are done, also FTP login should work without problems. It is not necessary to perform additional actions.
      - in /etc/pam.d/common-account add the line "account sufficient pam_winbind.so"
      - in /etc/pam.d/common-auth add the line "auth sufficient pam_winbind.so"

    This is just an update how I solved the problem for me.

  • I had to edit point 3 in my previous post #8.

    I believed that there was nothing else necessary, because the FTP login worked for a domain user. It was also visible in the system log of ftp.

    Seems that it was a random event, because I was not able to reproduce it.

    After adding the two lines in the pam.d config files, it is working.


    I edited my post #8, because point 3 was not correct.

  • Hello I am not an expert and also am from Germany like WiiFriik :)


    @donh Thank you for your guide.


    In my homelab I have Windows Server 2019 and I successfully installed OMV6 (multiple times actually on VM’s for testing 😊) and added those to AD.


    I have several questions, though.


    If I add multiple DNS servers in (web ui (Home → Network → Interfaces))


    I see this comment in my /etc/resolv.conf


    Code: /etc/resolv.conf
    nameserver <domain IP>
    nameserver 1.1.1.1
    nameserver 1.0.0.1
    # Too many DNS servers configured, the following entries may be ignored.
    nameserver 9.9.9.9
    nameserver 8.8.8.8
    nameserver 8.8.4.4
    search <my domain>

    Q1. should I change that?


    During the installation (which apparently ends successfully) of apt install sssd sssd-tools libnss-sss libpam-sss adcli samba-common-bin packagekit-tools

    I see this among the Output:

    Q2. should I ignore this? Also do i need to install samba-common-bin? Or can I skip it?


    I found other guides where they also add this:

    Code: /etc/sssd/sssd.conf
    override_homedir = /home/%u@%d
    ad_gpo_access_control = permissive

    and also change UID_MAX and GID_MAX in


    Q3. should I also ignore this? It's working without those changes.



    During my multiple OMV installations I sometimes encountered weird outputs with sssctl domain-status <mydomain>


    sometimes like this:

    and sometimes like this (which is also my current output):


    Code
    Online status: Online
     
    Active servers:
    AD Global Catalog: not connected
    AD Domain Controller: <dc.mydomain>
     
    Discovered AD Global Catalog servers:
    None so far.
    Discovered AD Domain Controller servers:
    - <dc.mydomain>

    I have no idea why.

    Q4. should I be concerned?


    Also instead of net rpc join -U donadmin I used net ads join -U donadmin because I read somewhere that rpc is used to join NT4 domain host.


    Also my output of systemctl status nmbd winbind


    Q5. what does mbd.service do? And should it be active?

    Q6. Should I ignore those errors in winbind.service?



    Also during booting my OMV shortly shows this:


    Q7. should I also ignore this?


    I really appreciate your guide.

    • Official Post

    Thanks for testing.

    Q1: AD depends heavily on dns. Make sure your local names resolve properly.

    nslookup somename.yourdomain.com yourdnsip


    Q2: I installed samba-common-bin and seem to remember it was a dependency. But I am not sure. I think the errors during install of sssd are because there is no sssd.conf so it can't start.


    Q3: There are many options in sssd.conf. I only did as much as I needed to get it to work for me. Add whatever you need for your situation. I didn't need to edit login.defs but have had to in the past. Maybe due to server version?


    Will look more later.

    • Official Post

    Q4: If it is working don't worry about it. There is a command I can't remember that will populate those. Maybe this: id donadmin@example.com

    Q5: mbd.service? nmbd is a way to resolve windows names. 2019 may not need it but it is installed by winbind I think.


    Q6: I don't know those errors.


    Q7: See the 3rd post.


    If you find anything else let us know.

    Thanks
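    The Q1 and Q4 answers above both come down to things you can check from a saved text file, so here is an added example (my own script, not donh's or OMV's) that does both offline. For Q1, glibc's resolver only consults the first three nameserver lines (MAXNS is 3), so every domain controller has to be within those three and the first one should be a DC, otherwise the SRV lookups AD relies on are answered by a public resolver that knows nothing about the domain. For Q4, it reads the output of sssctl domain-status and reports whether a global catalog is actually connected. The resolv.conf and status samples are constructed from what was quoted in the thread, with 192.0.2.10/192.0.2.11 and dc1.example.com standing in for the real DC addresses and names.

```shell
#!/bin/bash
# Added example, not part of the thread: offline checks for the Q1 and Q4
# answers. Q1: glibc only consults the first three "nameserver" lines
# (MAXNS = 3), so each DC must be within those three and the first resolver
# should be a DC. Q4: read a saved "sssctl domain-status" output and say
# whether a global catalog is connected. All addresses, names and files
# below are constructed for the example.
set -eu

# resolv_check FILE DC_IP... : exit 0 when every DC_IP is one of the first
# three nameservers and the first nameserver is a DC; otherwise print why.
resolv_check() {
    file="$1"; shift
    rc=0
    list=$(awk '$1 == "nameserver" { print $2 }' "$file")
    first=$(printf '%s\n' "$list" | head -n 1)
    count=$(printf '%s\n' "$list" | grep -c '^[^ ]' || true)
    if [ "$count" -gt 3 ]; then
        echo "WARN: $count nameservers configured, glibc uses only the first 3"
    fi
    dc_first=0
    for dc in "$@"; do
        [ "$first" = "$dc" ] && dc_first=1
        pos=$(printf '%s\n' "$list" | grep -n -x -F "$dc" | head -n 1 | cut -d: -f1)
        if [ -z "$pos" ]; then
            echo "FAIL: DC $dc is not listed as a nameserver"; rc=1
        elif [ "$pos" -gt 3 ]; then
            echo "FAIL: DC $dc is nameserver #$pos and will be ignored"; rc=1
        fi
    done
    if [ "$dc_first" -eq 0 ]; then
        echo "FAIL: first nameserver '${first:-<none>}' is not a domain controller"; rc=1
    fi
    return "$rc"
}

# sssctl_field FILE LABEL : value after "LABEL:" in saved sssctl domain-status output
sssctl_field() {
    sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n 1
}

# domain_online FILE / gc_connected FILE : exit 0 on the healthy value
domain_online() { [ "$(sssctl_field "$1" "Online status")" = "Online" ]; }
gc_connected() {
    gc=$(sssctl_field "$1" "AD Global Catalog")
    [ -n "$gc" ] && [ "$gc" != "not connected" ]
}

# make_sample_files DIR : constructed inputs (the poster's resolv.conf with the
# DC written as 192.0.2.10, a corrected one, and the two domain-status outputs
# quoted in the thread with example.com names).
make_sample_files() {
    cat > "$1/resolv-forum.conf" <<'EOF'
nameserver 192.0.2.10
nameserver 1.1.1.1
nameserver 1.0.0.1
# Too many DNS servers configured, the following entries may be ignored.
nameserver 9.9.9.9
nameserver 8.8.8.8
nameserver 8.8.4.4
search example.com
EOF
    cat > "$1/resolv-good.conf" <<'EOF'
nameserver 192.0.2.10
nameserver 192.0.2.11
nameserver 9.9.9.9
search example.com
EOF
    cat > "$1/status-ok.txt" <<'EOF'
Online status: Online

Active servers:
AD Global Catalog: dc1.example.com
AD Domain Controller: dc1.example.com
EOF
    cat > "$1/status-degraded.txt" <<'EOF'
Online status: Online

Active servers:
AD Global Catalog: not connected
AD Domain Controller: dc1.example.com

Discovered AD Global Catalog servers:
None so far.
EOF
}

# Stand-alone run: ./ad-checks.sh --demo (on a real box: resolv_check /etc/resolv.conf <dc ips>
# and sssctl domain-status example.com > status.txt; gc_connected status.txt)
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d); make_sample_files "$d"
    resolv_check "$d/resolv-forum.conf" 192.0.2.10 192.0.2.11 || true
    gc_connected "$d/status-degraded.txt" || echo "FAIL: no global catalog connected"
    rm -rf "$d"
fi
```

    The poster's resolv.conf passes with a single DC (it is first) but fails as soon as a second DC is expected, because it would land beyond the third entry. If the global catalog stays "not connected" while the domain is otherwise online, the thing to confirm from the defender's side is that the forest's _gc._tcp SRV record resolves from this host and that the DC's global catalog port (TCP 3268) is reachable; SSSD falls back to the plain LDAP port for the domain itself, which is why Online status can read "Online" anyway.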

  • Hey,

    really a great job! It's working perfectly with my two Ubuntu Samba4 AD controllers, versions 4.16.4 and 4.15.9


    Only the join was not working with rpc but with "net ads join -U donadmin"


    After a restart all users and groups are visible at the web interface of my OMV Version 6.0.44-1 on a raspi4 :)

    Also Kerberos is working, opening shares with my Mac and Windows machines.


    Great job, thanks for sharing.


    greetings phiku

  • So this was incredibly helpful, and has been working for me for a while now. All of a sudden, though, it appears as though I've fallen out of the domain somehow and I can't get my machine to rejoin.


    id <user>@<domain> returns nothing. I don't see my domain users when I do a getent passwd, and no domain groups when I do a getent groups.


    All SMB connection attempts to shares that don't allow guest access are immediately rejected; attempts to connect to shares that do allow guests still works.


    I don't even know how to begin troubleshooting this... but here's what I can see so far:


    Code
    root@nas1:~# net ads status
    ads_find_dc: no realm or workgroup!  Don't know what to do
    Enter root's password:
    ads_find_dc: no realm or workgroup!  Don't know what to do
    ads_find_dc: no realm or workgroup!  Don't know what to do
    ads_find_dc: no realm or workgroup!  Don't know what to do


    Code
    root@nas1:~# sssctl domain-list
    <my.domain>





    journalctl --unit=winbind shows a *ton* of errors. Like, multiple every second. The ones that look relevant are:

    Code
    Oct 21 20:44:08 nas1 winbindd[768]:   SPNEGO login failed: The attempted logon is invalid. This is either due to a bad username or authentication information.
    Oct 21 20:44:08 nas1 winbindd[768]: [2022/10/21 20:44:08.361907,  1] ../../source3/winbindd/winbindd_cm.c:1163(cm_prepare_connection)
    Oct 21 20:44:08 nas1 winbindd[768]:   authenticated session setup to dc1.<my.domain> using <DOMAIN>\NAS1$ failed with NT_STATUS_LOGON_FAILURE
    Oct 21 20:44:08 nas1 winbindd[768]: [2022/10/21 20:44:08.362068,  3] ../../source3/winbindd/winbindd_cm.c:673(cm_get_ipc_userpass)
    Oct 21 20:44:08 nas1 winbindd[768]:   cm_get_ipc_userpass: No auth-user defined
    Oct 21 20:44:08 nas1 winbindd[768]: [2022/10/21 20:44:08.362173,  3] ../../source3/winbindd/winbindd_cm.c:673(cm_get_ipc_userpass)
    Oct 21 20:44:08 nas1 winbindd[768]:   cm_get_ipc_userpass: No auth-user defined
    Oct 21 20:44:08 nas1 winbindd[768]: [2022/10/21 20:44:08.362381,  1] ../../source3/winbindd/winbindd_cm.c:1309(cm_prepare_connection)
    Oct 21 20:44:08 nas1 winbindd[768]:   Failed to prepare SMB connection to dc1.<my.domain>: NT_STATUS_LOGON_FAILURE

    I've tried the fixAD script, tried rebooting, tried leaving the domain and re-joining. So far, nothing seems to work.


    Does anyone have any ideas?


    Update: looks like winbind isn't always starting, and when it fails, it's failing to connect to EXAMPLE. I don't know where this is set, but it's clearly wrong...


    also, sssctl seems to confirm authentication failure, but it also confirms that it can get some info from the domain.

    • Official Post

    What type of AD server? Did you update anything? Like auto updates maybe.


    First thing I would do on omv is nslookup your ad server.


    If that works try to join the domain. Either net rpc join -U user or net ads join -U user.


    There are more options too.

  • Thanks for the fast reply, donh!


    tl;dr: Your reply was enough to get me to my answer. I needed to set the following in /etc/samba/smb.conf:

    Code
    security = ads #(had previously been set to user)
    realm = MY.DOMAIN #( my full domain name, in all caps. e.g., after the @ when logging in with user@my.domain. Was previously not set at all)
    workgroup = DOMAIN #(The workgroup version of the domain name... i.e everything before the slash when logging in using with domain\user)


    I don't know how it ever worked before... if I had it set correctly and something reverted my settings (like a package update or a fat finger maybe? no idea). I don't remember setting them... so either one of my updates broke it, or the setting somehow reverted.

    Posting everything I ran into and what solved it so the next person (or future me, when I run into this again) knows what to do.


    First, try to net join:

    Code
    root@nas1:~# net rpc join -U administrator
    cannot join as standalone machine
    
    root@nas1:~# net ads join -U administrator
    Host is not configured as a member server.
    Invalid configuration.  Exiting....
    Failed to join domain: This operation is only allowed for the PDC of the domain.

    Found this article that indicated I needed to set security = ads in /etc/samba/smb.conf: https://access.redhat.com/discussions/2017983 . Set security = ads, bounced smbd, and tried again:

    Code
    root@nas1:/etc/samba# net ads join -U administrator
    realm must be set in in /etc/samba/smb.conf for ADS join to succeed.
    Invalid configuration.  Exiting....
    Failed to join domain: The parameter is incorrect.

    Google got me closer: https://www.linuxquestions.org…-a-windows-domain-117896/ . Apparently there's a realm variable that I need to add in smb.conf.


    I set realm = MY.DOMAIN, bounced smbd, tried again:

    Code
    net ads join -U administrator
    Enter administrator's password:
    Failed to join domain: Invalid configuration ("workgroup" set to 'WORKGROUP', should be 'DOMAIN') and configuration modification was not requested

    Google again, turns out there's a workgroup variable that I was missing.


    I set workgroup = DOMAIN, bounced smbd, tried again:


    Code
    root@nas1:/etc/samba# net ads join -U administrator
    Enter administrator's password:
    Using short domain name -- DOMAIN
    Joined 'OMV' to dns domain 'my.domain'

    Looks like it worked! So I test it with id user@my.domain. Nothing found.


    systemctl restart winbind, then try the id command again. This time I get user info.


    Test accessing it from a domain-joined machine, and it's working as expected now.


    Thanks again so much for the help. It was just the push I needed.
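    The three settings that post had to restore are exactly the ones net ads join complains about, one at a time. As an added example (my own script, not from the poster, donh or the OMV project), here is a check that reads smb.conf the way Samba does (keys case-insensitive, spaces inside keys ignored, only the [global] section) and lists every missing or wrong value at once, so you see all three before the first join attempt rather than after the third. Note that on OMV /etc/samba/smb.conf is regenerated from the web UI, so the durable place for these lines is the SMB/CIFS "Extra Options" box the first post uses. The "before" and "after" configs are constructed to match what the post describes; EXAMPLE / EXAMPLE.COM are placeholders.

```shell
#!/bin/bash
# Added example, not from the thread: verify the three smb.conf settings the
# post above had to restore (security, realm, workgroup) before trying
# "net ads join" again. Samba reads keys case-insensitively and ignores
# spaces inside them, so the parser does the same. Sample configs are constructed.
set -eu

# smb_get FILE KEY : print KEY's value from the [global] section (first match),
# or nothing when it is not set there.
smb_get() {
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z' | tr -d ' ')" '
        /^[[:space:]]*[#;]/ { next }                       # comment lines
        /^[[:space:]]*\[/ { inglobal = ($0 ~ /^[[:space:]]*\[global\]/); next }
        inglobal && index($0, "=") {
            key = tolower(substr($0, 1, index($0, "=") - 1)); gsub(/[[:space:]]/, "", key)
            if (key == want) {
                val = substr($0, index($0, "=") + 1)
                sub(/^[[:space:]]+/, "", val); sub(/[[:space:]]+$/, "", val)
                print val; exit
            }
        }' "$1"
}

# check_ads_member FILE : print one line per problem; exit 0 only when clean.
check_ads_member() {
    f="$1"; rc=0
    sec=$(smb_get "$f" security | tr 'A-Z' 'a-z')
    realm=$(smb_get "$f" realm)
    wg=$(smb_get "$f" workgroup | tr 'a-z' 'A-Z')
    if [ "$sec" != "ads" ]; then
        echo "security = '${sec:-<unset>}': a domain member needs security = ads"; rc=1
    fi
    if [ -z "$realm" ]; then
        echo "realm is unset: set the Kerberos realm, e.g. EXAMPLE.COM"; rc=1
    elif [ "$realm" != "$(printf '%s' "$realm" | tr 'a-z' 'A-Z')" ]; then
        echo "realm = '$realm': Kerberos realms are upper-case"; rc=1
    fi
    if [ -z "$wg" ] || [ "$wg" = "WORKGROUP" ]; then
        echo "workgroup = '${wg:-<unset>}': must be the domain's NetBIOS (short) name"; rc=1
    fi
    return "$rc"
}

# make_sample_smb_conf DIR : constructed "before" (what the post found: security
# = user, no realm, default workgroup) and "after" (what it set, plus the
# kerberos method line from the first post).
make_sample_smb_conf() {
    cat > "$1/before.conf" <<'EOF'
[global]
    workgroup = WORKGROUP
    security = user
    server string = NAS
[homes]
    browseable = no
EOF
    cat > "$1/after.conf" <<'EOF'
[global]
    workgroup = EXAMPLE
    security = ads
    realm = EXAMPLE.COM
    kerberos method = secrets and keytab
[homes]
    browseable = no
EOF
}

# Stand-alone run: ./smb-member-check.sh --demo (on a real box: check_ads_member /etc/samba/smb.conf)
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d); make_sample_smb_conf "$d"
    echo "before.conf:"; check_ads_member "$d/before.conf" || true
    echo "after.conf:";  check_ads_member "$d/after.conf" && echo "  ok"
    rm -rf "$d"
fi
```

    The security point behind the check: with security = user the box is a standalone server that validates passwords against its own user database, so every domain account is rejected, which is the "immediately rejected" behaviour the post described, while guest shares still worked. Only security = ads together with a realm and the domain's NetBIOS workgroup makes Samba authenticate clients with Kerberos as a domain member. testparm -s will also flag a missing realm, but it does not tell you that workgroup still holds the default.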

  • donh It’s years since I’ve touched anything to do with domain controllers, but I seem to remember configs for joining AD-DC either used SSSD or winbind, rather than both. Did you ever try using winbind alone, or is that not possible?


    I was looking at this example https://www.server-world.info/…?os=Debian_11&p=samba&f=4

    and noticed “systemd” had been added to /etc/nsswitch.conf, I believe this relates to systems like OMV6 that use the systemd-resolved.service. For some reason “systemd” is missing from /etc/nsswitch.conf in a default install of OMV6, whereas it’s present in a default install of debian 11 and also appears in the nsswitch config of my kubuntu install. I wonder if that might relate to any glitches you’ve seen, or perhaps there's a specific reason it's not present in OMV6.
