OMV7 beta +Active Directory

    • Official Post

    This is beta. Use at your risk. I did it in a proxmox 8 vm. I take snapshots after a few steps so if it doesn't work I can rollback.


    This is basically the same as this post.

    More detail there for other AD etc.


    Install debian 12 as minimal as possible. Be sure to put in your domain.

    If network is not working use "omv-firstaid" to fix.

    Allow ssh

    update to current

    Install OMV.

    apt install dnsutils mmdb-bin mlocate


    Make sure dns resolves your AD server forward and reverse. Same for AD to OMV.

    Don't use /etc/hosts because it will cause problems down the road. OMV controls it!

    Optional: Install certificate for web server.


    This is mostly from: OMV 6.X (RC1) Active Directory

    With help from the community


    In web ui apply the changes after most modifications.


    Be sure these are correct


    If you use dhcp it may be ok but check these!


    Set ntp to domain time server and time zone

    realm join example.com -U donadmin

    If more than one, use a comma separator and no spaces


    Set network to static and domain dns servers


    Some apt installs will install some dependencies too.


    apt install realmd policykit-1


    realm discover example.com


    Should give details including "client-software: sssd"


    apt install sssd sssd-tools libnss-sss libpam-sss adcli samba-common-bin packagekit-tools cracklib-runtime appstream ldap-utils sssd-dbus apt-config-icons gstreamer1.0-tools libsss-sudo gstreamer1.0-plugins-base libsss-simpleifp0


    realm join example.com -U donadmin


    sssctl domain-list


    Now go to the web interface, Services -> SMB/CIFS -> Settings




    apt install winbind libsss-sudo libnss-winbind libpam-winbind libwbclient0


    cp /etc/nsswitch.conf /etc/nsswitch.conf.bak


    nano /etc/nsswitch.conf and set these lines like this.

    Code
    passwd: files winbind systemd sss
    group: files winbind systemd sss
    shadow: files systemd sss
    gshadow: files systemd


    reboot


    Setup share and test.


    Feedback welcome.


    Thanks

    If you make it idiot proof, somebody will build a better idiot.

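    A quick check for the nsswitch.conf step in the post above, added here as an example (it is not donh's code): it parses the passwd/group/shadow lines and reports which of the sources the post sets (winbind, sss) are missing, and whether "files" still comes first so local accounts resolve without AD. The sample file is constructed.

```python
# Added example (not from the forum post): sanity-check /etc/nsswitch.conf after the AD join.
# Parses the "database: source source ..." lines and reports, per database, which of the
# expected sources are missing and whether "files" is still the first source.
from typing import Dict, List

# Sources each database should list after the join, mirroring the post's settings.
EXPECTED: Dict[str, List[str]] = {
    "passwd": ["files", "winbind", "sss"],
    "group": ["files", "winbind", "sss"],
    "shadow": ["files", "sss"],
}

def parse_nsswitch(text: str) -> Dict[str, List[str]]:
    """Return {database: [sources...]} for each non-comment line."""
    db: Dict[str, List[str]] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        name, rest = line.split(":", 1)
        # Drop action tokens such as [NOTFOUND=return]; keep only source names.
        db[name.strip()] = [tok for tok in rest.split() if not tok.startswith("[")]
    return db

def check_nsswitch(text: str) -> Dict[str, List[str]]:
    """Return {database: [problems...]}; an empty dict means the file matches the post."""
    db = parse_nsswitch(text)
    problems: Dict[str, List[str]] = {}
    for name, wanted in EXPECTED.items():
        found = db.get(name, [])
        issues = [f"missing source '{s}'" for s in wanted if s not in found]
        if found and found[0] != "files":
            issues.append("'files' should come first so local accounts (root) resolve without AD")
        if issues:
            problems[name] = issues
    return problems

# Constructed sample: group line lacks winbind, shadow kept at the Debian default (no sss).
SAMPLE = """\
passwd:         files winbind systemd sss
group:          files systemd sss
shadow:         files systemd
gshadow:        files systemd
hosts:          files dns
"""

if __name__ == "__main__":
    for db_name, issues in check_nsswitch(SAMPLE).items():
        print(f"{db_name}: " + "; ".join(issues))
```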

    • Official Post

    Thanks for trying this. Be aware that some changes may be overwritten by updates. smb.conf is one example. If you make changes be sure to do it in the extra options section in the web ui.


    The page you linked looks very helpful. It is over a year old but should still be good.


    What AD are you connecting to?

  • My AD is not a Windows Server like yours, since I am broke and can't afford an x64 server or mini PC. So I'm stuck on an arm64 single board computer... So I have Proxmox for Raspberry Pi (PiMox) with a Debian 12.5.0 installation and I followed a guide about setting up Samba as a Domain Controller. If you also want to try to make the same thing I have, I did the following guide, since Samba is a bit wordy for my brain to understand. (This is not an advertisement but to show how my servers work: [embedded YouTube video]). But if you have any other OS you think I can use to emulate an AD Server please tell me. Thanks, donh.


    EDIT: I have also seen the OMV7 change to smb.conf, and sadly /etc/hosts .. chronyd .. /etc/resolv.conf .. and basically everything I need for it to connect

  • !! WARNING !!

    I am not an expert in this field. I have got this working successfully. My AD DC Server is NOT a Windows Server and you WILL/MIGHT have to modify properties to get it working as you may wish. I am using a Samba AD DC (4), replicate this if you fail using Windows Server.

    Thanks for reading this!


    Background Data:

    - Running on PiMox (Raspberry Pi Equivalent of Proxmox)

    - Raspberry Pi 4b, 8 GB Edition

    - The OpenMediaVault is run as a VM

    - The Active Directory is also run as a VM on Debian 12

    - My nr.01 Domain Server is dc01.home.local, manages DNS, you will have to modify /etc/hosts (may not be needed but in case)

    - My Domain "forest" is home.local and for short I use "home". Anything including about the domain or short hand means YOU WILL have to modify this to get it working.

    - In my AD DC server for some reason the Workgroup is HOME so you may also want to change that.


    Setup:

    1. I installed debian 12 (1 core, 2 GB Ram). Default config is fine, just set your hostname as I won't mention that (hostnamectl set-hostname <FQDN e.g. nas02.home.local>)

    2. Ran the Install Script:

    Code
    sudo wget -O - https://github.com/OpenMediaVault-Plugin-Developers/installScript/raw/master/install | sudo bash

    - Github: https://github.com/OpenMediaVa…-Developers/installScript

    3. Go to server at http://[YOUR SERVER IP]/

    4. Login as admin:openmediavault

    5. Network > Interfaces, select your main interface and press the Edit (Crayon like icon)

    6. Set the IPv4 to Static (Netmask is usually 255.255.255.0)

    7. At advanced settings put your DNS Server (That also handles your AD DC Server)

    8. At "Search domains" put your forest domain for me its home.local

    9. Wait for "Pending configuration" and save.

    === EXTRA NOTE ( Forgot to add ) ====

    Go to your DNS Server and add the new IP and the full FQDN of the server. This is to prevent some errors from happening when connecting the server via net ads join!

    ======================================

    10. Go to http://[NEW IP ADDRESS]/

    11. Login, change admin password ( safety reason)

    12. System > Date & Time change "Time servers" to your AD DC Server address (dc01.home.local, home.local)

    13. Wait for "Pending configuration" and apply changes.

    14. System > Plugins and look for "openmediavault-hosts" and download it. ( Thanks to the author, I don't need to use dnsmasq )

    15. Network > Hosts and add the following line(s) for each DC server (change as required):

    192.168.0.112 dc01.home.local home.local home

    16. Save. Wait for "Pending configuration" and apply and save changes.

    17. Go to /etc/krb5.conf and change and paste the following:

    Code
    [libdefaults]
        default_realm = HOME.LOCAL
        dns_lookup_realm = false
        dns_lookup_kdc = true


    19. Go to /etc/security/pam_winbind.conf and just paste the following:

    Code
    [global]
        krb5_auth = yes
        krb5_ccache_type = FILE

    20. Do the following commands as sudo:

    sudo apt install acl attr samba winbind libpam-winbind libnss-winbind krb5-config krb5-user dnsutils python3-setproctitle

    21. Go to OMV then Services > SMB > Settings and change the workgroup as required. Then go down to extra options and paste and modify the following ( LEAVE THE CAPITALS, CAPITALISED :(

    22. Go to /usr/local/samba/etc/user.map ( you might need to make some directories, mkdir ) and paste and MODIFY the following (Change Administrator to admin or someone idk):

    Code
    !root = HOME\Administrator

    23. Do the following command, changing Administrator to your domain admin or someone who can join computers to the domain

    sudo net ads join -U Administrator

    24. Go to /etc/nsswitch.conf and edit passwd and group from:

    files systemd (winbind) to just "files winbind" e.g:

    Code
    passwd:         files winbind
    group:          files winbind
    shadow:         files systemd
    gshadow:        files systemd

    25. You can start Samba. You may have to restart the server for users and groups to work. Also make sure everything was completed as one little mistake can break it.


    Sources:

    - Samba Wiki Page (https://wiki.samba.org/index.p…_Samba_as_a_Domain_Member)

    - "donh" from openmediavault forum (OMV 6.X AD Form helped some of this )

    - Me, I researched this.


    Thank you!

    - yew2362


    Code
    I do not plan on giving support for this as I am not a big person in Long Term Support, so ask gpt or sm idk.
  • Thanks for this, the OP is working great on OMV 7 with Windows 2022 domain.


    Snapshots, previous versions etc - the whole lot exposed and correctly permissioned.


    :)

  • hi.

    I would share my recent troublesome but successful experience with OMV joining AD.

    I have 3 DCs running Windows Server 2019.

    My domain users do not need to log in to OMV setup or access their home folder. Only access shared folders.

    I tried everything that has been posted but most require installing unneeded packages.

    So, after several tests, I found the right config that suits my needs.


    Before starting, check that your DCs do not have this policy configured (or at least it's configured to "Allow all" until the successful join):


    with gpedit.msc:

    Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> Network Security: Restrict NTLM: Incoming NTLM Traffic


    with regedit:

    go to: HKLM\System\CurrentControlSet\Control\Lsa\MSV1_0\

    and remove "RestrictReceivingNTLMTraffic" if present


    These steps work on any OMV 7 install. I tested both classic ISO and Debian based install.

    Note: follow the case of the input text, save and apply any change at every step.


    1. Set time server to one of the DCs

    System -> Date & Time

    Check Use NTP server

    Type in the full server name, in my case: dc0.homelab.priv


    2. Set hostname and domain name

    Network -> General

    Set hostname, in my case: OMV

    Set domain: homelab.priv


    3. Set static ip, dns, etc.

    Network -> Interfaces

    Select your network interface and edit

    Change IPv4 method to static and fill with your addresses.

    Set the DNS server to your DCs IP (use , or ; between each address), for me: 192.168.0.2,192.168.0.3

    Set search domains: homelab.priv


    4. Install needed packages

    # apt install krb5-config krb5-user winbind libnss-winbind libpam-winbind


    5. Edit krb5.conf

    # nano /etc/krb5.conf

    Delete everything and paste this:

    If you have only one DC remove the kdc entries for DC1 and DC2.


    6. Edit samba config

    Services -> SMB/CIFS -> Settings

    Change the workgroup to your domain short name, for me: HOMELAB

    Check "Enable NetBIOS"

    Paste the following parameters in the "Extra options" under "Advanced Settings"


    7. Edit nsswitch.conf

    # nano /etc/nsswitch.conf


    Change only these:

    Code
    passwd:         files winbind
    group:          files winbind
    shadow:         files winbind


    8. Join the domain

    # net ads join -U Administrator


    Enter the password for Administrator and it should join successfully.


    9. Restart and check

    Restart OMV and now you should see the domain users and groups in the OMV settings.

  • @donh,

    thanks for the steps. It worked.

    Just some tiny contributions in your post:

    Code
    ssctl domain-list

    is a typo. The right command is

    Code
    sssctl domain-list

    It took me some minutes to figure it out.

    Another thing that could be more clear is that


    Quote
    "In samba settings extra options set this"

    should not be edited inside the shell, but in the web interface. It also took me to a path where I had to look where smb.conf is (which should be /etc/samba/smb.conf), but when I opened the file, it stated that it was generated by OMV. So a clearer instruction should direct to the admin panel. Suggestion:

    "Now go to the web interface, Services -> SMB/CIFS -> Settings "...


    At last:


    Quote

    nano /etc/nsswith.conf

    should be

    Code
    nano /etc/nsswitch.conf
  • Update:

    In my lab, it worked. But in my production environment, it didn't. I think it has something to do with dynamic DNS in samba,

    OMV 7 installed from iso;
    VM1: Windows 2022 Active Directory (192.168.0.4) and DNS Role
    VM2: PfSense DNS Resolve 2.7 on same network (192.168.0.254)

    Tried sssd only and sssd+winbind approaches, no success. Works only with local users with `getent passwd`.

    Actually the AD users are not listed at all. I assume that if they are listed, they could be seen in the web interface.


    Code
    root@hidro07:/# realm list
    mydomain.net
      type: kerberos
      realm-name: MYDOMAIN.NET
      domain-name: mydomain.net
      configured: kerberos-member
      server-software: active-directory
      client-software: sssd
      required-package: sssd-tools
      required-package: sssd
      required-package: libnss-sss
      required-package: libpam-sss
      required-package: adcli
      required-package: samba-common-bin
      login-formats: %U@mydomain.net
      login-policy: allow-realm-logins

    The strange thing is that `id username@mydomain.net` works

  • donh

    Update:

    Quote

    It is probably that the uids are outside the range in /etc/login.defs. I am not sure why that happens some times and not others.



    yes, but /etc/login.defs was not necessary to be updated. Just increasing the range in smb options did the work.

    By the way, sssd worked for me just to login ssh; But else, nothing was working as expected. SMB login was not possible. And web interface was not accessing users and groups

    Then I tried to use just WINBIND approach. with net ads and smb.conf configuration (without any sssd)

    Below I paste my config smb.conf (as extra options in the OMV interface).

    Code
    realm = YOURDOMAIN.NET.BR
    security = ads
    idmap config * : backend = tdb
    idmap config * : range = 10000-900000000
    winbind use default domain = yes
    winbind offline logon = yes
    winbind enum users = yes
    winbind enum groups = yes
    template shell = /bin/bash
    template homedir = /home/%U@%D

    /etc/nsswitch.conf was necessary also, but with no sss, just winbind.

    in shell


    Code
    sudo apt install samba winbind libnss-winbind libpam-winbind
    sudo pam-auth-update --enable mkhomedir --enable winbind --enable unix
    sudo net ads join -U AdministratorUserOfYourOwn
    sudo systemctl restart smbd nmbd winbind
    systemctl status winbind.service


    this way, worked like a charm. Users can access the folders, and web interface can access the users in order to set permissions in shares;
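    A diagnostic for the uid-range theory discussed in the last two posts, added here as an example (it is not code from either poster): it reads the "idmap config * : range" from the smb.conf extra options and UID_MIN/UID_MAX from /etc/login.defs, then reports which accounts in getent passwd output fall outside each range. The smb.conf, login.defs and getent samples are constructed; the huge uid imitates what sssd hands out, the 10001 uid what the winbind tdb backend hands out with the range above.

```python
# Added example (not code from the forum post): cross-check the UIDs that "getent passwd"
# reports against the "idmap config * : range" from the smb.conf extra options and the
# UID_MIN/UID_MAX pair in /etc/login.defs, the two ranges the quoted post points at when
# AD users stay invisible in the web interface.
import re
from typing import Dict, List, Tuple

def parse_idmap_range(smb_extra: str) -> Tuple[int, int]:
    """Return (low, high) from the default 'idmap config * : range = LOW-HIGH' line."""
    m = re.search(r"idmap config \* : range\s*=\s*(\d+)\s*-\s*(\d+)", smb_extra)
    if not m:
        raise ValueError("no default idmap range in the extra options")
    return int(m.group(1)), int(m.group(2))

def parse_login_defs(text: str) -> Tuple[int, int]:
    """Return (UID_MIN, UID_MAX) from login.defs, ignoring comments."""
    vals: Dict[str, int] = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) == 2 and parts[0] in ("UID_MIN", "UID_MAX"):
            vals[parts[0]] = int(parts[1])
    return vals["UID_MIN"], vals["UID_MAX"]

def users_outside(getent: str, lo: int, hi: int) -> List[str]:
    """Names from getent passwd output whose uid does not fall within [lo, hi]."""
    rows = [l.split(":") for l in getent.splitlines() if l.count(":") == 6]
    return [r[0] for r in rows if not lo <= int(r[2]) <= hi]

def diagnose(smb_extra: str, login_defs: str, getent: str) -> Dict[str, List[str]]:
    """Report which accounts sit outside each range; empty lists mean the ranges agree."""
    idmap_lo, idmap_hi = parse_idmap_range(smb_extra)
    uid_min, uid_max = parse_login_defs(login_defs)
    return {
        "outside_idmap": users_outside(getent, idmap_lo, idmap_hi),
        "outside_login_defs": users_outside(getent, uid_min, uid_max),
    }

# Constructed sample input: the post's idmap range, Debian's default login.defs bounds and
# three passwd rows: a local admin, a winbind-mapped (tdb) user and an sssd-style huge uid.
SMB_EXTRA = "security = ads\nidmap config * : backend = tdb\nidmap config * : range = 10000-900000000\n"
LOGIN_DEFS = "# UID range for ordinary users\nUID_MIN 1000\nUID_MAX 60000\n"
GETENT = (
    "omvadmin:x:1000:1000:Local admin:/home/omvadmin:/bin/bash\n"
    "bob:*:10001:10000:Bob:/home/bob@HOMELAB:/bin/bash\n"
    "carol:*:1234567890:1234567890:Carol:/home/carol@HOMELAB:/bin/bash\n"
)

if __name__ == "__main__":
    print(diagnose(SMB_EXTRA, LOGIN_DEFS, GETENT))
```

    A local account is expected to show up under outside_idmap only; a domain account under outside_login_defs is the case the posts describe.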

  • I'm trying to setup OMV with authentication via OpenLDAP.


    The thing I'm still missing is samba authentication via LDAP...


    Here's what I've accomplished so far:

    • I've set up an lxc container with slapd
    • After a bit of struggle I managed to set up ldap-account-manager and phpldapadmin web interfaces on the container (also tried gosa, but no luck)
    • I can create/edit users and groups with ldap-account-manager web gui
    • I managed to integrate OMV machine (some services at least) with it via PAM/NSS
    • I can login via ssh and via OMV web gui using an ldap account
    • mount samba shares on another linux machine using a user locally created on the OMV machine

    What's not working:

    • mount samba shares using LDAP accounts. Authentication fails...

    I have installed sssd, but I haven't configured it yet. Although I didn't need sssd for ssh or web gui auth on OMV, so I'm wondering if I really need it for samba...


    Shall I look into winbind? Or perhaps this is just a samba config thing? Or maybe just a matter of adding some extra attributes on LDAP?


    I know this thread is about integration in AD, but I'm wondering if anyone here was able to get this working with openldap/slapd...


    I found this thread, but it's 5 years old and unfortunately the OP didn't post back any update...
