OMV 6.X (RC1) Active Directory

  • I can see all the users (domain and local) with getent passwd


    But the login from the cli of another linux server works only with local users:


    Incidentally, my Windows client is not a domain member. Because devices that cannot be a domain member should also have access (my work computer for example), access must also work via user name and password. I will dig a little deeper and maybe ask in a FreeIPA forum. SMB and FreeIPA seems to be a special thing anyway. If I find out anything, I'll post here again.

  • realm discover shows bash: realm: command not found. realmd is not installed.


    On my domain controller I see this:

    Code
    [root@greenvault-domain mars]# realm discover
    green.local
    type: kerberos
    realm-name: GREEN.LOCAL
    domain-name: green.local
    configured: no
  • I've got it! I can now log on to all services of the OMV machine with my domain users. The bad thing is that I thought I had already tested the method with which it now works without success. So what the heck. In the end it wasn't thaaat complicated. Here is a short guide in case there is anyone else who wants to integrate their OMV into a FreeIPA domain:


    1. Add the OMV host to the IPA domain (q1):
      1. It must be ensured that the domain name of the IPA server can be resolved. If there are problems with this, it is best to add the IPA server itself as the first DNS server in the WebUI under "Network -> Interfaces".
      2. On Debian 11 the IPA client is only available in the backports repository (on Debian 12 [OMV7] backports are not required): Add the line deb http://deb.debian.org/debian/ bullseye-backports main to /etc/apt/sources.list and run apt update
      3. Install IPA Client: apt install -t bullseye-backports freeipa-client
      4. Execute IPA Domain Join: ipa-client-install --hostname=omv-server.your.domain --mkhomedir --server=ipa-server.your.domain --domain your.domain --realm YOUR.DOMAIN
      5. Open /etc/login.defs and set UID_MAX and GID_MAX to the maximum ID of your main ID range. You can display the ID range with ipa idrange-find (First Posix ID + Number of IDs)
      6. Add enumerate = true to /etc/sssd/sssd.conf in section [domain/your.domain]
      7. If a domain user should log in to the web interface, they must be added to the local group openmediavault-admin. This gives the domain user extensive rights on the server.
      8. If everything went well, the domain users should now be displayed via id user. They should also be listed in the WebUI. Log on at the command line should also work if it is allowed on the IPA server.
    2. At least one IPA server must be configured as a trust controller (even without a connected Windows domain). We are now switching to the IPA server, which I have running on CentOS (q2):
      1. Install trust package: yum install ipa-server-trust-ad
      2. Run trust install: ipa-adtrust-install --add-sids
      3. Open required firewall ports: firewall-cmd --add-service=freeipa-trust --permanent -> firewall-cmd --reload
      4. The corresponding users may have to reset their password in order to generate the NT password hash.
      5. The IPA server is now ready to act as a Samba domain controller.
    3. The last step is to set up the Samba server on OMV for the domain (q3):
      1. Again, the installation under Debian 11 must be done from the backports: apt install -t bullseye-backports freeipa-client-samba
      2. By default during installation, the client refers to the nobody system group and runs into an error if this does not exist. Add the group with: groupadd -g 65535 nobody
      3. The following command asks for confirmation once and should then run automatically: ipa-client-samba
      4. ipa-client-samba overwrites the smb.conf. To keep the settings persistent in OMV, the following steps must be carried out:
        1. Copy the complete content of smb.conf (without the homes part and workgroup) and paste it in the WebUI under Services -> SMB/CIFS -> Settings at the bottom under Extra options BEFORE saving any other changes.
        2. Check the "Enable NetBIOS" box.
        3. Set Workgroup to the short domain name (YOUR).


    The SMB/CIFS Extra options should look like this:


    The domain users (user@your.domain) should now be able to log on to the server and access the shares with the appropriate authorization settings.


    That was my way to fully integrate my OMV into my IPA domain. I hope I haven't forgotten anything in the reconstruction of my steps. If the post does not belong here, because this has nothing to do with a Microsoft Active Directory, please let me know or move the post. Many thanks to donh for the help and for creating this thread :)


    q1: https://linux.die.net/man/1/ipa-client-install

    q2: https://linux.die.net/man/1/ipa-adtrust-install

    q3: https://freeipa.readthedocs.io…/samba-domain-member.html
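An added check for step 1.5 of the guide above (not part of the original post): it computes the top of the IPA ID range from the output of ipa idrange-find (First Posix ID + Number of IDs - 1) and compares it with UID_MAX and GID_MAX in /etc/login.defs, which is the usual reason domain users resolve with id but never appear in getent or the WebUI. The ipa idrange-find output and the login.defs content below are constructed samples so the script runs offline; the field labels are assumed to match what ipa idrange-find prints.

```shell
#!/bin/sh
# Added example: verify that /etc/login.defs UID_MAX/GID_MAX cover the IPA ID range.
# Both inputs are constructed samples; in practice feed it
#   "$(ipa idrange-find)"  and  "$(cat /etc/login.defs)".

# Constructed sample of `ipa idrange-find` output (values made up).
SAMPLE_IDRANGE='----------------
1 range matched
----------------
  Range name: GREEN.LOCAL_id_range
  First Posix ID of the range: 1234000000
  Number of IDs in the range: 200000
  Range type: local domain range'

# Constructed sample of a stock Debian /etc/login.defs (relevant lines only).
SAMPLE_LOGINDEFS='UID_MIN   1000
UID_MAX   60000
GID_MIN   1000
GID_MAX   60000'

# Print the highest ID of the range: First Posix ID + Number of IDs - 1.
ipa_range_max() {
    printf '%s\n' "$1" | awk '
        /First Posix ID of the range:/ { first = $NF }
        /Number of IDs in the range:/  { count = $NF }
        END { if (first == "" || count == "") exit 1; print first + count - 1 }'
}

# Print the value of a login.defs key (e.g. UID_MAX); comments never match as $1.
logindefs_value() {
    printf '%s\n' "$2" | awk -v key="$1" '$1 == key { print $2; exit }'
}

# Return 0 if UID_MAX and GID_MAX both reach the range maximum, 1 if either is
# too low or missing, 2 if the range could not be parsed.
check_login_defs() {
    range_max=$(ipa_range_max "$1") || return 2
    ok=0
    for key in UID_MAX GID_MAX; do
        cur=$(logindefs_value "$key" "$2")
        if [ -z "$cur" ] || [ "$cur" -lt "$range_max" ]; then
            echo "$key=${cur:-unset} is below IPA range max $range_max" >&2
            ok=1
        fi
    done
    return $ok
}

check_login_defs "$SAMPLE_IDRANGE" "$SAMPLE_LOGINDEFS" \
    || echo "raise UID_MAX and GID_MAX in /etc/login.defs to at least $(ipa_range_max "$SAMPLE_IDRANGE")"
```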

    • Official post

    ipa-client-samba overwrites the smb.conf. To keep the settings persistent in OMV, the following steps must be carried out:

    Copy the complete content of smb.conf (without the homes part and workgroup) and paste it in the WebUI under Services -> SMB/CIFS -> Settings at the bottom under Extra options BEFORE saving any other changes.
    Check the "Enable NetBIOS" box.
    Set Workgroup to the short domain name (YOUR).

    Another option for saving settings that won't be overwritten.

  • Hi- just making a mention here that I recently started having issues with GUI + getent and not showing my AD groups/users even though wbinfo -g was working, and so I needed to add this to my sssd.conf to get them to appear:


    enumerate = True


    Previously, I had this set to False because I was getting duplicate user/group entries (similar to this post)- I assume due to winbind + sssd both enumerating? But now it looks like I need it enabled and I am not seeing any duplicates. I haven't done any apt updates in a while so I am not sure what changed but yeah donh if you have any thoughts LMK.

  • I, too, would like to be rid of winbindd and instead only use sssd, but also found that I needed it for the realm join.


    Hopefully on OM7/Deb12 this will no longer be necessary. In general, I see a lot of noise in winbindd logs and it's a very chatty protocol, and I see a lot of NT_STATUS_LOGON_FAILURE errors which are maybe related to my above issue.


    Maybe after joining the domain via realm it is safe to disable/remove winbind? Has anybody experimented with this? I'll try to do some more testing when I get some time.

    • Official post

    Hi- just making a mention here that I recently started having issues with GUI + getent and not showing my AD groups/users even though wbinfo -g was working, and so I needed to add this to my sssd.conf to get them to appear:


    enumerate = True


    Previously, I had this set to False because I was getting duplicate user/group entries (similar to this post)- I assume due to winbind + sssd both enumerating? But now it looks like I need it enabled and I am not seeing any duplicates. I haven't done any apt updates in a while so I am not sure what changed but yeah donh if you have any thoughts LMK.

    Could it be not showing due to the userid "uid" not being in the /etc/login.defs range?
