OMV 6.X (RC1) Active Directory

Ty, I am so blind

It does not work. I made some misconfiguration and can't figure out what it was, so I'm starting new . AD is the 2022 win server.

I will keep you informed

Zitat von donh

Update:

This seems to be working fine and surviving updates. There is some info about ftp and ssh in the 8th post. Thanks to WiiFriik for that. Please read the whole thread before trying this. There are a few recommendations for other servers.

Feedback welcome.

If anybody can write a plugin that would be welcome.

This is early so try at your own risk. It works with my 2012r2 server. That is all I have to test against. Hopefully it work with other AD servers. No idea if this will work on other than x86 hardware or vm. See post 14 below for samba ad controller. Thanks.

The goal is to only use debian packages and do as little manipulation as possible. I wanted to do it with sssd only and not include winbind but could not get it to work. Adding winbind later seems to be necessary or realm will use winbind and I was not able to get it working that way.

This is my notes and I hope the format is readable. I use ssh as root to enter the commands. I think the order is important but some of the apt commands can probably be combined.

#######

Domain = example.com

There are two domain controllers = dc1,dc2 both are also dns

#######

Clean install of 6.0-34 iso

Might work for existing install but not tested

Be sure to set domain name

root@omvad3:~# apt update

root@omvad3:~# apt dist-upgrade

Could be done in web ui. Not tested

reboot to run new kernel

In web ui apply the changes

Be sure these are correct

If you use dhcp it may be ok but check these!

Set ntp to domain time server and time zone

If more than one use coma separator and no spaces

Set network to static and domain dns servers

root@omvad3:~# apt install realmd policykit-1

Will install some dependencies too

root@omvad3:~# realm discover example.com

Should give details including "client-software: sssd"

root@omvad3:~# apt install sssd sssd-tools libnss-sss libpam-sss adcli samba-common-bin packagekit-tools

Will install some deoendancies too

root@omvad3:~# realm join example.com -U donadmin

root@omvad3:~# systemctl status sssd

Should report "Active: active (running)"

root@omvad3:~# apt install libsss-simpleifp0 libsss-sudo

root@omvad3:~# sssctl domain-list

Should show your domain

root@omvad3:~# id donadmin@example.com

Should show info about user

root@omvad3:~# sssctl domain-status example.com

Should show info about domain

Online status: Online

Active servers:

AD Global Catalog: dc1.example.com

AD Domain Controller: dc1.example.com

Discovered AD Global Catalog servers:

- dc1.example.com

- dc2.example.com

Discovered AD Domain Controller servers:

- dc1.example.com

- dc2.example.com

In the web ui setup SMB/CIFS

Set workgroup in capital letters

Home directories not tested but might work

Can be added later

In extra options set this

security = ads

kerberos method = secrets and keytab

realm = EXAMPLE.COM

winbind enum users = yes

winbind enum groups = yes

# Default ID mapping configuration using the rid

# idmap backend. This will work out of the box for simple setups

# as well as complex setups with trusted domains.

idmap config * : backend = tdb

idmap config * : range = 3000-7999

idmap config EXAMPLE : backend = rid

idmap config EXAMPLE : range = 10000-9999999

winbind use default domain = yes

root@omvad3:~# apt install winbind libsss-sudo libnss-winbind libpam-winbind libwbclient0

root@omvad3:~# cp /etc/nsswitch.conf /etc/nsswitch.conf.bak

root@omvad3:~# nano /etc/nsswitch.conf

Change these two lines

passwd: files sss

group: files sss

to

passwd: files winbind

group: files winbind

root@omvad3:~# "net rpc join -U donadmin" or "net ads join -U donadmin"

root@omvad3:~# reboot #May not be needed

####

Users and Groups from the domain should show in the web ui now

Create a share and you should be able to add acl as needed

Suggestions and other input welcome.

Good luck

Thanks

forum.openmediavault.org/wsc/index.php?attachment/23679/

FYI

System Information
Hostname
omvad3.jhcopiers.com

Version
6.0.15-1 (Shaitan)

Processor
AMD Opteron(tm) Processor 6366 HE

Kernel
Linux 5.15.0-0.bpo.3-amd64

System time
3/4/2022, 11:51:48 AM

Uptime
an hour

Alles anzeigen

Hi Dohn, you help me a lot, ty!

I have everything done, but I can't change permissions from Windows...

I'm having problems when I'm trying to change permissions from Windows Domain Controler and I don't know why...

When I created the shared folder I own to my ADADMIN and ADAdminGroup with all permissions, and all permissions to for other users, but when I'm trying to add new group or change permissions in my Windows computer with de owner user (adadmin) i can't, it says "Access Denied"... Have you any issue with it?

Zitat von donh

Are you trying to change the permissions using windows? It used to work there. I don.t have much experience with things newer than win 7 or server 2012 r2. I have retired and use linux these days.

Yes, I allways use windows for set permissions in shared folders, but I'm new with open media vault and it seems to doesn't work like other tools. I'll investigate, thanks!

Zitat von donh

What versions are you using?

I am using OpenMediaVault 6.1.0-0 and as Windows AD a Windows Server 2019.

I think I've figured out the problem as to why it wouldn't let me change permissions from Windows... in the SMB/CIFS shared settings I had "Guests only" selected, and changing to "Guests allowed" seems to let me edit permissions fine from Windows. I put this in case it helps anyone!

Hi there,

I am currently trying to integrate my OpenMediaVault into a Linux domain based on FreeIPA. It looks like I have to use ipasam as passdb backend instead of ldapsam. In CentOS it is probably sufficient to place the file ipasam.so in the same directory as ldapsam.so. However, I can't find ldapsam.so anywhere on my OpenMediaVault server. When I put the file where I think I should put it, I still get the response "No builtin nor plugin backend for ipasam found" when I test with "pdbedit -L -b ipasam". "pdbedit -L -b tdbsam" works as it should. Does anyone here know where I can store a passdb plugin file (*.so) in omv so that samba can find and use it?

If I then manage to integrate my omv into my domain, I will be happy to post the complete procedure here in the thread. Even if it is not directly about Active Directory.

Thanks for the quick reply.

When I try "apt install freeipa --dry-run" this is what I get (translated from German):

root@greenvault-data:~# apt install freeipa --dry-run
Package lists are read... Done
Dependency tree is built... Done
Status information is read in... Done
Package freeipa is not available, but is referenced by another package
referenced by another package. This may mean that the package is missing, that it has been replaced
or is only available from another source.

E: There is no installation candidate for package "freeipa".

"apt-cache search freeipa" shows me similar results to yours:

root@greenvault-data:~# apt-cache search freeipa
libipa-hbac0 - Bibliothek zur FreeIPA-HBAC-Evaluierung
libnss-sss - Nss-Modul für den SSS-Daemon (System Security Services)
libpam-sss - PAM-Modul für den SSS-Daemon (System Security Services)
python3-sss - Python3-Modul für den System Security Services Daemon
sssd - SSS-Daemon (System Security Services) - Metapaket
sssd-common - SSS-Daemon (System Security Services) - gemeinsame Dateien
cockpit-ws - Cockpit Web Service
freeipa-healthcheck - Health check tool for FreeIPA
python3-ipahealthcheck-core - Health check tool for FreeIPA -- core files
puppet-module-joshuabaird-ipaclient - Puppet module for Joshuabaird IPAclient
libipa-hbac-dev - FreeIPA HBAC Evaluator library -- development files
python3-libipa-hbac - Python3 bindings for the FreeIPA HBAC Evaluator library
sssd-tools - System Security Services Daemon -- tools
freeipa-client - FreeIPA centralized identity framework -- client
freeipa-client-epn - FreeIPA centralized identity framework -- tools for configuring Expiring Password Notification
freeipa-client-samba - FreeIPA centralized identity framework -- Samba client
freeipa-common - FreeIPA centralized identity framework -- common files
python3-ipaclient - FreeIPA centralized identity framework -- Python3 modules for ipaclient
python3-ipalib - FreeIPA centralized identity framework -- shared Python3 modules

Am I missing any repositories?

What I found out is that ipasam.so is included in the package freeipa-server-trust-ad (https://manpages.debian.org/ex…adtrust-install.1.en.html), but it seems to be only available in experimental. Actually, I only need this small passdb backend plugin and would like to avoid installing dozens of packages + dependencies for it, which I don't need at all. The package "freeipa-client-samba" (bullseye-backports), which I want to use to set up the Samba server, does not contain the ipasam.so either.

Some more information that I didn't mention in my first post: The freeipa-client is already installed on my omv (via bullseye-backports) and connected and I can already login to SSH with my domain users. I just need to get Samba to get its users from FreeIPA. I have already extracted the ipasam.so file from my domain controller, which needs the above package to provide user sids and NT password hashes, and just need to put it in the right place on my omv samba server. I just need to know where it is. I should then be able to set up my omv Samba roughly according to these instructions: https://superuser.com/question…ents-accessing-cifs-share

Do you mean the values UID_MAX and GID_MAX? They only control up to which value new users with useradd or similar assign numbers. Wouldn't that provoke conflicts if I moved these values into the range of my domain? Or have I misunderstood something?

But that's right. With id, for example, I can already display my domain users on omv:

root@greenvault-data:~# id kristian
uid=1750400007(kristian) gid=1750400007(kristian) Gruppen=1750400007(kristian),1750400006(emby_user),1750400012(users)

Local user:

root@greenvault-data:~# id Kristian_Local
uid=1000(Kristian_Local) gid=100(users) Gruppen=100(users),1000(DieGruenen)

I thought it couldn't be that hard to get Samba to use this user base but I don't see it in the GUI and logging in with domain users on the Samba share doesn't work either in any case. I also can't make domain users the owner of files via chown or assign access rights with chmod.

I have set UID_MAX and GID_MAX in the login.defs to 1750600000 (Posix ID range in FreeIPA: 1750400000 to 1750600000). Unfortunately, I do not yet see my domain users in the Web GUI. I cannot tab (auto complete) the users with chown or chmod either. However, I can assign file permissions to domain users on the command line if I enter the full user name manually.

I have now managed to display my domain users in the interface. To do this, I had to add this line to /etc/sssd/sssd.conf in addition to the change you suggested to UID_MAX and GID_MAX in /etc/login.defs:

[domain/my.domain] ## Should already be there after ipa-client-install command
enumerate = true

Then empty the ssssd cache once and the users were there. The information about this came from an older post here in the forum: OMV / FreeIPA Integration

However, I still haven't managed to get them to log on to SMB. I am still grateful for any tips.

For the WebUI, it is sufficient to add the domain user to the local group openmediavault-admin. It's a pity that I can't add another group to that group that I can then manage from my DC. But I'm sure there are other ways to achive that if I dig a little deeper..

What I actually meant was that if I try to access from my Windows client via unc path (\\server.my.domain\) and try to log in there, the login data of the local users work but not those of the domain users. I immediately get the message incorrect password or user name, when I try it with a domain user.