OMV 6.X (RC1) Active Directory

  • I can see all the users (domain and local) with getent passwd


    But the login from the cli of another linux server works only with local users:


    Incidentally, my Windows client is not a domain member. Because devices that cannot be a domain member should also have access (my work computer, for example), access must also work via user name and password. I will dig a little deeper and maybe ask in a FreeIPA forum. SMB and FreeIPA seem to be a special thing anyway. If I find out anything, I'll post here again.

  • realm discover shows bash: realm: command not found. realmd is not installed.


    On my domain controller I see this:

    Code
    [root@greenvault-domain mars]# realm discover
    green.local
    type: kerberos
    realm-name: GREEN.LOCAL
    domain-name: green.local
    configured: no
  • I've got it! I can now log on to all services of the OMV machine with my domain users. The bad thing is that I thought I had already tested the method with which it now works without success. So what the heck. In the end it wasn't thaaat complicated. Here is a short guide in case there is anyone else who wants to integrate their OMV into a FreeIPA domain:


    1. Add the OMV host to the IPA domain (q1):
      1. It must be ensured that the domain name of the IPA server can be resolved. If there are problems with this, it is best to add the IPA server itself as the first DNS server in the WebUI under "Network -> Interfaces".
      2. On Debian 11 the IPA client is only available in the backports repository (on Debian 12 [OMV7] backports are not required): Add the line deb http://deb.debian.org/debian/ bullseye-backports main to /etc/apt/sources.list and run apt update.
      3. Install IPA Client: apt install -t bullseye-backports freeipa-client
      4. Execute IPA Domain Join: ipa-client-install --hostname=omv-server.your.domain --mkhomedir --server=ipa-server.your.domain --domain your.domain --realm YOUR.DOMAIN
      5. Open /etc/login.defs and set UID_MAX and GID_MAX to the maximum ID of your main ID range. You can display the ID range with ipa idrange-find (First Posix ID + Number of IDs).
      6. Add enumerate = true to /etc/sssd/sssd.conf in section [domain/your.domain]
      7. If a domain user should log in to the web interface, they must be added to the local group openmediavault-admin. This gives the domain user extensive rights on the server.
      8. If everything went well, the domain users should now be displayed via id user. They should also be listed in the WebUI. Log on at the command line should also work if it is allowed on the IPA server.
    2. At least one IPA server must be configured as a trust controller (even without a connected Windows domain). We are now switching to the IPA server, which I have running on CentOS (q2):
      1. Install trust package: yum install ipa-server-trust-ad
      2. Run trust install: ipa-adtrust-install --add-sids
      3. Open required firewall ports: firewall-cmd --add-service=freeipa-trust --permanent -> firewall-cmd --reload
      4. The corresponding users may have to reset their password in order to generate the NT password hash.
      5. The IPA server is now ready to act as a Samba domain controller.
    3. The last step is to set up the Samba server on OMV for the domain (q3):
      1. Again, the installation under Debian 11 must be done from the backports: apt install -t bullseye-backports freeipa-client-samba
      2. By default during installation, the client refers to the nobody system group and runs into an error if this does not exist. Add the group with: groupadd -g 65535 nobody
      3. The following command asks for confirmation once and should then run automatically: ipa-client-samba
      4. ipa-client-samba overwrites the smb.conf. To keep the settings persistent in OMV, the following steps must be carried out:
        1. Copy the complete content of smb.conf (without the homes part and workgroup) and paste it in the WebUI under Services -> SMB/CIFS -> Settings at the bottom under Extra options BEFORE saving any other changes.
        2. Check the "Enable NetBIOS" box.
        3. Set Workgroup to the short domain name (YOUR).
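    A small helper for step 1.5 above, added here as an example and not part of the original post: it derives the UID_MAX/GID_MAX value from ipa idrange-find output (First Posix ID + Number of IDs) and checks or rewrites that value in a login.defs file. The ipa idrange-find output embedded below is a constructed sample in the tool's layout; in real use pipe the actual command output into idrange_max.

```sh
#!/bin/sh
# Added example: derive the UID_MAX/GID_MAX value for /etc/login.defs from
# `ipa idrange-find` output (First Posix ID + Number of IDs, as in step 1.5),
# then check or rewrite the file. Not part of the original post.

# Constructed sample in the layout `ipa idrange-find` prints; in real use run:
#   ipa idrange-find | idrange_max
SAMPLE_IDRANGE='----------------
2 ranges matched
----------------
  Range name: GREEN.LOCAL_id_range
  First Posix ID of the range: 1084600000
  Number of IDs in the range: 200000
  Range type: local domain range

  Range name: GREEN.LOCAL_legacy_range
  First Posix ID of the range: 10000
  Number of IDs in the range: 50000
  Range type: local domain range
----------------------------
Number of entries returned 2
----------------------------'

# Print the highest "First Posix ID + Number of IDs" over all ranges on stdin
# (one above the last usable ID, so it is a safe inclusive bound). Fails if
# no range was found, so malformed input does not silently yield 0.
idrange_max() {
  awk -F': *' '
    /First Posix ID of the range/ { first = $2 + 0 }
    /Number of IDs in the range/  { top = first + $2; if (top > max) max = top }
    END { if (max == 0) exit 1; printf "%d\n", max }'
}

# Succeed only if both UID_MAX and GID_MAX in file $1 are present and >= $2.
login_defs_check() {
  awk -v need="$2" '
    $1 == "UID_MAX" || $1 == "GID_MAX" { seen[$1] = 1; if ($2 + 0 < need + 0) low = 1 }
    END { exit (low || !seen["UID_MAX"] || !seen["GID_MAX"]) }' "$1"
}

# Rewrite UID_MAX and GID_MAX in file $1 to $2 (try on a copy first, then on
# /etc/login.defs as root). SUB_UID_MAX and friends are left untouched.
login_defs_set() {
  sed -i -E "s/^(UID_MAX|GID_MAX)[[:space:]]+[0-9]+/\1 $2/" "$1"
}

max=$(printf '%s\n' "$SAMPLE_IDRANGE" | idrange_max)
echo "UID_MAX/GID_MAX should be at least $max"
```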


    The SMB/CIFS Extra options should look like this:


    The domain users (user@your.domain) should now be able to log on to the server and access the shares with the appropriate authorization settings.


    That was my way to fully integrate my OMV into my IPA domain. I hope I haven't forgotten anything in the reconstruction of my steps. If the post does not belong here, because this has nothing to do with a Microsoft Active Directory, please let me know or move the post. Many thanks to donh for the help and for creating this thread :)


    q1: https://linux.die.net/man/1/ipa-client-install

    q2: https://linux.die.net/man/1/ipa-adtrust-install

    q3: https://freeipa.readthedocs.io…/samba-domain-member.html

    • Official Post

    ipa-client-samba overwrites the smb.conf. To keep the settings persistent in OMV, the following steps must be carried out:

    Copy the complete content of smb.conf (without the homes part and workgroup) and paste it in the WebUI under Services -> SMB/CIFS -> Settings at the bottom under Extra options BEFORE saving any other changes.
    Check the "Enable NetBIOS" box.
    Set Workgroup to the short domain name (YOUR).

    Another option for saving settings that won't be overwritten.

  • Hi- just making a mention here that I recently started having issues with GUI + getent and not showing my AD groups/users even though wbinfo -g was working, and so I needed to add this to my sssd.conf to get them to appear:


    enumerate = True


    Previously, I had this set to False because I was getting duplicate user/group entries (similar to this post)- I assume due to winbind + sssd both enumerating? But now it looks like I need it enabled and I am not seeing any duplicates. I haven't done any apt updates in a while so I am not sure what changed but yeah donh if you have any thoughts LMK.

  • I, too, would like to be rid of winbindd and instead only use sssd, but also found that I needed it for the realm join.


    Hopefully on OM7/Deb12 this will no longer be necessary. In general, I see a lot of noise in winbindd logs and it's a very chatty protocol, and I see a lot of NT_STATUS_LOGON_FAILURE errors which are maybe related to my above issue.


    Maybe after joining the domain via realm it is safe to disable/remove winbind? Has anybody experimented with this? I'll try to do some more testing when I get some time.

    • Official Post

    Hi- just making a mention here that I recently started having issues with GUI + getent and not showing my AD groups/users even though wbinfo -g was working, and so I needed to add this to my sssd.conf to get them to appear:


    enumerate = True


    Previously, I had this set to False because I was getting duplicate user/group entries (similar to this post)- I assume due to winbind + sssd both enumerating? But now it looks like I need it enabled and I am not seeing any duplicates. I haven't done any apt updates in a while so I am not sure what changed but yeah donh if you have any thoughts LMK.

    Could it be not showing due to the userid "uid" not be in the /etc/login.defs range?

  • Hi,
    Thank you for the TUTO!

    Also thanks to everyone who contributed to this Thread, it helped me greatly to understand what I had to do. I can see the users and groups of my example.int domain in omv web-ui and also using getent.
    My Testing Setup:
    Server: Proxmox VE
    VM with Windows Server 2022 as AD DC.
    VM with OMV 7.4.7-1, Kernel: Linux 6.8.12-1-pve

    This is the order I came up with going through the Thread and reading documentation.

    *SSH as root to the OMV machine

    -apt update

    -apt dist-upgrade

    -reboot

    *In OMV Web-UI.

    - System > Date & Time > Use NTP Server checked

    - System > Date & Time > Time Servers: dc1.example.int (domain time server, setup on Windows Server 2022 VM)

    - System > Date & Time > Time zone: Canada/Eastern (same as domain time server)


    *SSH as root to the OMV machine again

    -apt install realmd policykit-1

    -realm discover example.int (test if the domain can be reached)

    -apt install sssd sssd-tools libnss-sss libpam-sss adcli samba-common-bin packagekit-tools

    -before joining the realm (domain), micro /etc/krb5.conf 



    -realm join example.int -U donadmin (join the domain, sssd.conf auto-generated)

    -systemctl status sssd (Should report "Active: active (running)")

    -apt install libsss-simpleifp0 libsss-sudo

    -sssctl domain-list (Should show your domain)

    -id donadmin@example.com (Should show info about user)

    -sssctl domain-status example.int *QUESTION 1: Why is my DC not showing as AD Global Catalog?*



    *In the OMV Web-UI.

    -Before integrating Samba with the domain go to Services > SMB/CIFS > Settings > Extra options and add smb.conf [global] parameters.



    -apt install winbind libsss-sudo libnss-winbind libpam-winbind libwbclient0

    -micro /etc/nsswitch.conf (removed sss and added winbind besides systemd on the passwd and group lines)



    -net ads join -U administrator (sssd.conf could be modified)



    -micro /etc/sssd/sssd.conf *QUESTION 2 and 3*



    -net join -U administrator (don't ask me why, but after doing the sssd.conf file, I do this command again)


    -reboot


    Though I have some questions about some behaviors I noticed.
    QUESTION 1: Why is my DC not showing as AD Global Catalog?

    QUESTION 2: Should I use both tags: joined-with-samba, joined-with-adcli or only one, or use the realmd_tags parameter at all in sssd.conf?


    QUESTION 3: ad_gcid_domain = example.int Still, even with this option, my dc1.example.int is not seen as AD Global Catalog when I use the sssctl domain-status example.int command. Why?


  • QUESTION 4 Regarding SAMBA behaviors when controlling access to shares with SAMBA.

    =I have 2 domain groups: files-admins (rwx), files-users (rx)


    =I have a share called apps$.


    I did not touch the Permissions section for the shared folder but only the ACL one.


    Since I want to keep some local control when I am connecting with a sudo user or root with ssh, or also when connecting to the web-ui with admin capable users, I think I should set owner:root (rwx). Then I set the group:files-admins (rwx) which is a domain group. Because I plan on giving guest access (requiring no password), I set others (rx).


    Linux Basic Permissions

    owner:root (rwx)

    group:files-admins (rwx)

    others (rx)


    ACL

    group:files-users(rx)


    I thought that by controlling the permissions like this I could achieve what I wanted without having to rely on samba parameters like valid users, write list, read list, but it's like samba only sees the basic permissions I set and not the ACL at all.


    What I mean is that if I use valid users: files-users it gives RWX to files-users group and then I have to limit it using read list. If I don't use valid users at all, then files-users group ACL setup is not seen at all. Only the other:rx is considered to give access. Why?


    I came up with this to achieve what I wanted, but I think there is probably something I am missing in the way to setup samba parameters to have it rely on Linux Basic Permissions + ACL without having to rely on samba access control. Is there?


  • My Testing Setup:
    Server: Proxmox VE
    VM with Windows Server 2022 as AD DC.
    VM with OMV 7.4.7-1, Kernel: Linux 6.8.12-1-pve

    I did use the Web-UI to set the Linux Basic Permissions and ACLs. I used the ACL button when you select a Shared Folder like in the image I provided in my second post.
    I have a question regarding this parameter:
    winbind use default domain = Yes

    I wanted to set it to NO because it would've made more sense for me to have users and groups from the domain show as EXAMPLE\username and EXAMPLE\groupname. The Web-UI bugs, though, when I do that, because the commands that are generated don't take into account that there should be "\\" instead of only "\" to not escape the character. What would be the easiest way to fix this issue without altering too much, so as not to have problems later on when updating OMV and having to redo the fix?

    • Official Post

    I have a question regarding this parameter:
    winbind use default domain = Yes

    I read a lot of posts elsewhere and this seemed ok to me. There were a lot of trial and error attempts. My goal was to get rid of winbind altogether. At the time I could not find a way.


    There are a couple of other threads using OMV 7. I always wanted to write a plugin for this. Even being retired I never seem to have the time. The wife always finds more important things for me to do.


    If you have found a bug you should report it.


    Good luck.

  • donh

    Ok, thank you. I will try to find info on other threads. Yours came first when I was searching the web. I found it was the most detailed one based on omv. I joined other debian/ubuntu machines to domains, but never with omv on top of debian. I could probably modify the omv script which generates the command or whatever does it, but after an update it would probably reset those modifications. It really is just about the command taking the username/groupname literally instead of adding another "\".

  • donh,
    Would it be better if I create a new thread with my posts combined and also referring this thread to have more chances of someone seeing it regarding my couple of questions? By the way, I totally understand you not having much time, it is ok, it is already nice that you took the time to share your procedure with OMV6.

    • Official Post

    Here is the link to my omv7 thread. There are a few others too.

    I will add it to the first post. If other posts should be included just ask and I will add them.


    I changed winbind use default domain = Yes to no and it still works with the above linked omv7 updated as of today. Only marginal testing tho. I am still using omv6 till I have time to move to 7.


    No need to start a new thread unless you think it will get more views.
