OMV7 beta +Active Directory

donh · 12. Dezember 2023

This is beta. Use at your risk. I did it in a proxmox 8 vm. I take snapshots after a few steps so if it doesn't work I can rollback.

This is basicly the same as the this post.

Thema

OMV 6.X (RC1) Active Directory

Update:
This seems to be working fine and surviving updates. There is some info about ftp and ssh in the 8th post. Thanks to WiiFriik for that. Please read the whole thread before trying this. There are a few recommendations for other servers.
For freeipa AD see RE: OMV 6.X (RC1) Active Directory . Thanks MacroMars

Feedback welcome.
If anybody can write a plugin that would be welcome.

This is early so try at your own risk. It works with my 2012r2 server. That is all I have to test against. Hopefully…

donh

4. März 2022

More detail there for other AD etc.

Install debian 12 as minimal as possible. Be sure to put in your domain.

If network is not working use "omv-firstaid" to fix.

Allow ssh

update to current

Install OMV.

Beitrag

Install OMV7 on Debian 12 (Bookworm)

To install OMV7 on an already installed Debian 12 (Bookworm), simply execute the following steps as root user:
(Quelltext, 11 Zeilen)

(Quelltext, 14 Zeilen)

votdev

9. November 2023

apt install dnsutils mmdb-bin mlocate

Make sure dns resolves your AD server forward and reverse. Same for AD to OMV.

Don't use /etc/hosts because it will cause problems down the road. OMV controles it!

Optional: Install certificate for web server.

This is mostly from: OMV 6.X (RC1) Active Directory

With help from the community

In web ui apply the changes after most modifications.

Be sure these are correct

If you use dhcp it may be ok but check these!

Set ntp to domain time server and time zone

realm join example.com -U donadmin

If more than one use coma separator and no spaces

Set network to static and domain dns servers

Some apt installs will install some dependencies too.

apt install realmd policykit-1

realm discover example.com

Should give details including "client-software: sssd"

apt install sssd sssd-tools libnss-sss libpam-sss adcli samba-common-bin packagekit-tools cracklib-runtime appstream ldap-utils sssd-dbus apt-config-icons gstreamer1.0-tools libsss-sudo gstreamer1.0-plugins-base libsss-simpleifp0

realm join example.com -U donadmin

ssctl domain-list

In samba settings extra options set this

Code

security = ads

kerberos method = secrets and keytab

realm = EXAMPLE.COM

winbind enum users = yes

winbind enum groups = yes



# Default ID mapping configuration using the rid

# idmap backend. This will work out of the box for simple setups

# as well as complex setups with trusted domains.

idmap config * : backend = tdb

idmap config * : range = 3000-7999

idmap config EXAMPLE : backend = rid

idmap config EXAMPLE : range = 10000-9999999

winbind use default domain = yes

server services = +winbind

winbind refresh tickets = Yes



### Questionable

#disable netbios = yes

domain master = no

local master = no

# client min protocol = SMB2

Alles anzeigen

apt install winbind libsss-sudo libnss-winbind libpam-winbind libwbclient0

cp /etc/nsswitch.conf /etc/nsswitch.conf.bak

nano /etc/nsswith.conf and set these lines like this.

Code

passwd: files winbind systemd sss

group: files winbind systemd sss

shadow: files systemd sss

gshadow: files systemd

reboot

Setup share and test.

Feedback welcome.

Thanks

donh · 12. Dezember 2023

I will test an upgrade on a working OMV6 when I get a chance.

yew2362 · 3. März 2024

Okay, so this might be a coincidence but the day I check, it is also the day OMV7 is released but I feel like method isn't the best, as samba's documentation (https://wiki.samba.org/index.p…_Samba_as_a_Domain_Member)

uses net ads like ur omv6 guide, which I was not able to make it work. But I'll give an update if I have found anything else better, as i'm testing omv7 on my rpi4

donh · 4. März 2024

Thanks for trying this. Be aware that some changes may be overwritten by updates. smb.conf is one example. If you make changes be sure to do it in the extra options section in the web ui.

The page you linked looks very helpful. It is over a year old but should still be good.

What AD are you connecting to.

yew2362 · 4. März 2024

My AD is not a Windows Server like yours, since I am broke and can't afford a x64 server or mini pc. So I'm stuck on a arm64 single board computer... So I have proxmox for Raspberry Pi (PiMox) with a debian 12.5.0 installation and I followed a guide about setting up samba as a Domain Controller if you also want to try make the same thing I have did the following guide since Samba is a big wordy for my brain to understand. (This is not a advertisement but to show how my servers work,

Externer Inhalt www.youtube.com

Inhalte von externen Seiten werden ohne Ihre Zustimmung nicht automatisch geladen und angezeigt.

Durch die Aktivierung der externen Inhalte erklären Sie sich damit einverstanden, dass personenbezogene Daten an Drittplattformen übermittelt werden. Mehr Informationen dazu haben wir in unserer Datenschutzerklärung zur Verfügung gestellt.

). But if you have any other OS you think I can use to emulate AD Server please tell me. Thanks, donh.

EDIT: I have also seen the OMV7 change to smb.conf, and sadly /etc/hosts .. chronyd .. /etc/resolv.conf .. and basically everything I need for it to connect

yew2362 · 16. März 2024

So today, I tried doing it today. And it has worked... Although, I'm not sure how I have done it as last time I did it, it failed.

donh · 16. März 2024

Great work! I will be getting rid of 2012 soon because it no longer gets updates. And I have retired and don't have to stay up on windows anymore. I guess I don't really need ad either. But how hard can it be. LOL

yew2362 · 16. März 2024

!! WARNING !!

I am not an expert in this field. I have got this working successfully. My AD DC Server is NOT a Windows Server and you WILL/MIGHT have to modify properties to get it working as you may wish. I am using a Samba AD DC (4), replicate this if you fail using Windows Server.

Thanks for reading this!

Background Data:

- Running on PiMox (Raspberry Pi Equivalent of Proxmox)

- Raspberry Pi 4b, 8 GB Edition

- The OpenMediaVault is ran as a VM

- The Active Directory is also ran as a VM on Debian 12

- My nr.01 Domain Server is dc01.home.local, manages DNS, you will have to modify /etc/hosts (may not be needed but incase)

- My Domain "forst" is home.local and for short I use "home". Anything including about the domain or short hand means YOU WILL have to modify this to get it working.

- In my AD DC server for some reason the Workgroup is HOME so you may also want to change that.

Setup:

1. I installed debian 12 (1 core, 2 GB Ram). Default, config is fine, just set ur hostname as I won't mention that (hostnamectl set-hostname <FQDN e.g nas02.home.local>

2. Ran the Install Script:

Code

sudo wget -O - https://github.com/OpenMediaVault-Plugin-Developers/installScript/raw/master/install | sudo bash

- Github: https://github.com/OpenMediaVa…-Developers/installScript

3. Go to server at http://[YOUR SERVER IP]/

4. Login as admin:openmediavault

5. Network > Interfaces, select your main interface and press the Edit (Crayon like icon)

6. Set the IPv4 to Static (Netmask is usually 255.255.255.0)

7. At advanced settings put your DNS Server (That also handles your AD DC Server)

8. At "Search domains" put your forest domain for me its home.local

9. Wait for "Pending configuration" and save.

=== EXTRA NOTE ( Forgot to add ) ====

Go to your DNS Server and add the new IP and the full FQDN of the server. This is to prevent some errors from happening when connecting the server via net ads join!

======================================

10. Go to http://[NEW IP ADDRESS]/

11. Login, change admin password ( safety reason)

12. System > Date & Time change "Time servers" to your AD DC Server address (dc01.home.local, home.local)

13. Wait for "Pending confiuration" and apply changes.

14. System > Plugins and look for "openmediavault-hosts" and download it. ( Thanks to the author, I don't need to use dnsmasq )

15. Network > Hosts and add the following line(s) for each DC server (change as required):

192.168.0.112 dc01.home.local home.local home

16. Save. Wait for "Pending configuration" and apply and save changes.

17. Go to /etc/krb5.conf and change and paste the following:

Code

[libdefaults]
    default_realm = HOME.LOCAL
    dns_lookup_realm = false
    dns_lookup_kdc = true

19. Go to /etc/security/pam_winbind.conf and just paste the following:

Code

[global]
    krb5_auth = yes
    krb5_ccache_type = FILE

20. Do the following commands as sudo:

sudo apt install acl attr samba winbind libpam-winbind libnss-winbind krb5-config krb5-user dnsutils python3-setproctitle

21. Go to OMV then Services > SMB > Settings and change the workgroup as required. Then go down to extra options and paste and modify the follwoing ( LEAVE THE CAPITALS, CAPITALISED

Code

security = ads
kerberos method = secrets and keytab
realm = HOME.LOCAL
winbind enum users = yes
winbind enum groups = yes
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config HOME : backend = rid
idmap config HOME : range = 10000-9999999
winbind use default domain = yes
username map = /usr/local/samba/etc/user.map

Alles anzeigen

22. Go to /usr/local/samba/etc/user.map ( you might need to make some directories, mkdir ) and paste and MODIFY the following (Change Administrator to admin or someone idk):

Code

!root = HOME\Administrator

23. Do the following command change Administrator to ur domain admin or someone who can join computers to domain

sudo net ads join -U Administrator

24. Go to /etc/nsswitch.conf and edit passwd and group from:

files systemd (winbind) to just "files winbind" e.g:

Code

passwd:         files winbind
group:          files winbind
shadow:         files systemd
gshadow:        files systemd

25. You can start Samba. You may have to restart the server for users and groups to work. Also make sure everything was completed as one little mistake can break it.

Sources:

- Samba Wiki Page (https://wiki.samba.org/index.p…_Samba_as_a_Domain_Member)

- "donh" from openmediavault forum (OMV 6.X AD Form helped some of this )

- Me, i researched this.

Thank you!

- yew2362

Code

I do not plan on giving support for this as I am not a big person in Long Term Support, so ask gpt or sm idk.

Jetzt mitmachen!