OMV 6.X (RC1) Active Directory

    • Official post

    I have retired and have not really been using ad at scale. I used to use just winbind and then just sssd. sssd was the newer way so went with that. Couldn't get 6 to work with just sssd and started looking at other things. Ended up using sssd, winbind and realmd. I am open to any improvements.


    DNS is the backbone of ad. systemd-resolved.service may be an important thing. I don't know why it was not in 6. Will look at it when I get some time.

    Thanks

  • Computing is a sort of retirement hobby for me, I was looking for things I might do over winter. I've been through the exercise of setting up FreeIPA in the past and an Ubuntu based AD-DC but that was only for use on a home network, I have no experience of using this in a pro environment. My old brain is in the slow lane these days, so I'm not sure if I'll concentrate on this or put some energy into other things. TBH, I hadn't even revised the man page on nsswitch, but the absence of systemd might be NB.

  • donh Here's something you might find interesting. I spent a couple of hours this morning reviewing recent past forum posts on this topic where configs have used SSSD alone, winbind alone and even pbis. This post on the samba mailing list seems to describe the config you arrived at which uses SSSD but also requires winbind and seems to explain why.


    The question was asked in 2020 by someone running Debian Buster 10.5 and Samba 2:4.9.5+dfsg-5+deb10u1.


    "Re: Using SSSD + AD with Samba seems to require Winbind be running" https://www.spinics.net/lists/samba/msg165318.html


    If I've understood this correctly the key phrase here is "If you are running a Samba server as a member of a domain, you need to start winbind ....", which of course applies to OMV6, assuming debian 11 + samba 4.13 doesn't invalidate it.


    I've decided not to pursue this as it's of little practical value to me as a home user who makes as little use of Windows as possible. I also wonder how centrally administered user/groups fit with the OMV6 design where all local user accounts are given a primary group of users (gid 100) and setgid is used on all "shared folders" created via the Webui.


    Anyway, if you hadn't seen it, I hope that ref is of interest to you.

    • Official post

    Interesting reading, thanks. Explains some of what I was seeing. As long as it works I am ok with it for now. Will try to use only sssd when OMV7 comes out. Maybe even see if I can run 7 as an ad server and dump the windows servers.


    Seems not many are using active directory these days. Would be interesting to know how many care and what they are using.

  • Hello folks,


    I'm very new to OMV and I just installed OMV6. I was looking for a guide to integrate it with AD when I found this thread. I haven't read through all of it, but I'm intrigued to try it out. I have to run out for a minute but when I get back I will try to follow your instructions to see if I can integrate with a Windows Server 2022 AD environment (two DCs using LDAPS).


    Will report my progress accordingly, thanks.

  • Quick update:


    My Environment:

    • 2 Windows Server 2022 DCs (both acting as DNS servers)
    • OMV version 6.0.46-5 (Shaitan)
    • Kernel: Linux 5.19.17-1-pve
    • Userbase: 100+ (this is a small church network)

    I followed the directions in the first post, plus the updates made later on, and I'm happy to report that on my first try all seems to be working. I did not run into any errors other than what you already pointed out during the installation of SSSD (where the configuration file isn't present yet so there are some "file not found" errors).


    The only thing I did differently was with the edit of the /etc/nsswitch.conf file. I simply added winbind after files, since I saw that systemd and sss were present. I saw in another thread where there was a discussion on this and there seemed to be a consensus that at least systemd needed to be present in this file. I'm not really sure what the consequences will be, but I guess we'll find out with time.


    Also, I haven't had a need to use the Fix-ad.sh script so I'm hoping I won't.


    One thing I did notice is that, from the Web UI, I was not able to simply edit the ACLs on existing Shared Folders. I had to delete and recreate them, and also the associated SMB/CIFS shares.


    PS. One thing I'm a bit confused on is OMV's distinction between "Privileges" and "ACLs". Perhaps off topic, but if someone could explain I'd really appreciate it.

  • You're welcome donh.


    Your advice is duly noted and I do plan on testing and documenting my journey with OMV. This was a very quick proof-of-concept, but I intend on building a rackmount server with several terabytes of storage capacity later, so it will give me a chance to redo the installation and document every step.

  • I managed to get this working with Windows Server 2019 Standard as AD server, but we have thousands of users and groups. A simple workaround that seems to be working is to disable enumeration of users and groups in the extra settings for smb:

    Code
    winbind enum users = no
    winbind enum groups = no

    Then you can add only the users or groups that you need by adding them manually to the /etc/passwd or /etc/group files.

    To determine the text that needs to be added just use

    Code
    # for users:
    getent passwd username@domain.com
    # for groups:
    getent group "some group"

    Or you can add the result to the file with the lines:

    Code
    getent passwd username@domain.com >> /etc/passwd
    getent group "some group" >> /etc/group

    I do have a problem that must have happened during all of my testing/configuring where all of the users and groups are displayed twice in the web ui for some reason. I can't seem to find anyone else with the issue if anyone can tell me where to look for a solution/cause.
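    As an added example (not code from the original post or from OMV), the append step above done with a duplicate check, so re-running it cannot produce doubled entries; the function names `add_nss_entry` and `lookup_and_add` and the sample passwd/group lines are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the original post: append a user or group
# entry taken from getent output to a local passwd/group file, but only if
# no entry with that name is already there, so a re-run does not create
# the duplicate entries that a plain ">>" would.
set -eu

# add_nss_entry <getent line> <target file>
# Exit status: 0 appended, 1 name already present, 2 malformed line.
add_nss_entry() {
    entry=$1
    target=$2
    name=${entry%%:*}
    # A passwd line has 7 colon-separated fields, a group line has 4.
    fields=$(printf '%s\n' "$entry" | awk -F: '{ print NF }')
    [ "$fields" -eq 7 ] || [ "$fields" -eq 4 ] || return 2
    # Exact match on the first field; AD names may contain spaces or dots,
    # so compare in awk rather than with a grep regex.
    if awk -F: -v n="$name" '$1 == n { found = 1 } END { exit !found }' "$target"; then
        return 1
    fi
    printf '%s\n' "$entry" >> "$target"
}

# lookup_and_add <passwd|group> <name> <target file>
# Resolves the name through getent (sssd/winbind via nsswitch) and
# appends the result; status 3 if the lookup itself fails.
lookup_and_add() {
    line=$(getent "$1" "$2") || return 3
    add_nss_entry "$line" "$3"
}

# Demo on a constructed temporary passwd file with made-up sample entries.
demo() {
    tmp=$(mktemp)
    printf 'root:x:0:0:root:/root:/bin/bash\n' > "$tmp"
    add_nss_entry 'jdoe@example.com:*:1234567:100:John Doe:/home/jdoe:/bin/bash' "$tmp"
    add_nss_entry 'jdoe@example.com:*:1234567:100:John Doe:/home/jdoe:/bin/bash' "$tmp" \
        || echo "skipped duplicate (status $?)"
    cat "$tmp"
    rm -f "$tmp"
}

demo
```

    Entries copied this way are static snapshots of the directory, so the list should stay short and be re-checked when the AD accounts change.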

    • Official post

    Welcome to the forums and thanks for testing.


    I have only had less than 40 users so not thousands. Having to enter users and groups kind of defeats the reason for using AD. There are many options in /etc/sssd/sssd.conf .

    sssd.conf(5) — sssd-common — Debian bullseye — Debian Manpages

    Some can be used to limit the users and groups that show up like this. It is from my omv5 implementation so check the newer version. Formatting may suck.


    Code
    # If unneeded users or other objects show.
    # Use "dsquery user -name" test to see on windows with powershell
    #ldap_user_search_base = OU=SBSUsers,OU=Users,OU=MyBusiness,DC=example,DC=com
    # ldap_user_search_base = CN=Users,DC=example,DC=com


    Here is an older article that may be useful.

    Anatomy of SSSD user lookup (jhrozek.wordpress.com)


    There are also some caching options if lookups are slow.


    Good luck.

  • Thanks for the description!

    Worked for me today in my small Homelab with Microsoft Windows Server 2012 R2.

    Hardware: ASRock B150M PRO4S/D3, Intel Pentium G4400, Kingston ValueRAM 8 GB DDR3-1600 Kit (KVR16N11S8K2/8) 2x 4 GB, Kingston SSD Now V300 120 GB, 3x Toshiba HDWE140EZSTA 4 TB, be quiet! System Power 7 300W, Case Nanoxia Deep Silence 4


    Software: Openmediavault 6.3.0-2, 6.0.0-0.deb11.6-amd64, Software Raid 5, integrated into MS Windows Server 2012 R2 AD Domain

  • Dear donh,


    Have followed your instructions to the letter and it worked: current setup is 6.3.0-2 (Shaitan) and the wintel server is Windows Server 2019.


    I had to reboot after joining the OMV to the domain with "sudo net ads join -U adminuseraccount"


    Thank you very much

    • Official post

    Might be a good idea to add apt install needrestart so services are restarted when needed. Here is the output after the latest update.

    Not sure if not restarting would cause issues. Better safe than sorry.

    More info:

    forum.openmediavault.org/index…&postID=327869#post327869
    • Official post

    Small update to the Fix-ad.sh script. If you are running remotely it may need to run net join -U donadmin first. That might fix it on its own. See this thread. RE: multiple issues with a production server after a flawless 30 days of work

    It looks from that like /etc/krb5.keytab was missing. I think joining the AD may supply that file. Should be easy enough to script it if needed.

    Any feedback is welcome.



  • Hello!

    How are you?


    I have Rocky Linux 8.7 as a samba AD-DC working well.

    After following your steps I can join the OMV to the AD-DC OK!

    but my winbind is not working in OMV


    The problem is: how do I get the samba member file server (OMV6) to show the users and groups from the AD-DC?

    or, for this to work nicely, do I need to follow the official samba-ad-member doc and run the disk permission commands and more? (SeDiskOperatorPrivilege....)


    Or what is the right way, please?


    Thanks

    Douglas Giovani Oechsler
    Prudentópolis-PR-Brazil

    • Official post

    You are the first to report using a samba AD. Thanks for testing. If the users and groups show up in OMV, you should be able to create a share and assign acl and or permissions for the share in the OMV web UI.


    "but my winbind not working in OMV" I think winbind is for windows connectivity. So maybe not needed for samba? I would see if you can find a tutorial on joining a debian 11 file server to a samba AD. sssd may be all that is needed?


    Good luck and let us know if you find answers.

  • Hi Donh. Thank you for this tut. I am using 6.3.10-2 (Shaitan), and can't find this part in my web ui
