Join a Windows 2008R2 domain
OpenMediaVault 1.0 or higher
With Guide you are able to join a Windows domain with your OMV.
The major benefit with OMV 1.0 is the ability to choose a uid/gid range with higher values.
- LAB description
1 ESXi 5 host with some virtual machines :
1 windows 2008 R2 ad domain controller
1 OpenMediaVault 1.0.20
1 windows 7 64 bits member of the 2008 R2 domain
the domain controller has DNS and DHCP roles
Openmediavault has 1 ethernet interface configured with DHCP
Domain is : domain.local
windows 2008R2 hostname : srv-dc-01
omv hostname : omv
- Customizations or what you need to adapt to YOUR needs
a way to synchronize time between your DC, your OMV server and your domain member computers
the domain name (and therefore the workgroup)
the directory containing homedirs (probably something line /media/30fcb748-ad1e-4228-af2f-951e8e7b56df/YOURWORKGRP)
- Check IP configuration
Openmediavault has a DHCP assigned IP address. You should check its hostname and name resolution
- Check time and NTP
The LAB environment runs ESXi : time is synced on each VM boot and is sufficient for testing purpose. In production environment use VMware Tools and time sync agains the ESXi host or use NTP.
- Install required packages
You will asked for kerberos default domain : DOMAIN.LOCAL
- Kerberos configuration
Runs out of the box with default configuration. However you may edit /etc/krb5.conf as the following
- Test kerberos settings
kinit -V administrator (at) DOMAIN.LOCAL
Give administrator password
Test you got a ticket: klist
Destroy all tickets (and check with klist): kdestroy
- SAMBA settings
In OMV webGUI :
- enable SAMBA
- set Workgroup : DOMAIN
- tick "Enable user home directories". You may also tick "Set browseable".
- add extra options :
Read this post if you're under windows 8 to try a performance enhancement : http://forums.openmediavault.o…f=3&t=1493&p=24413#p24366
Test samba configuration: testparm
Disable winbind cache
edit /etc/default/winbind and uncomment the following
restart samba and winbind
This step is not required
If you wish to view your AD users and groups in OMV webinterface include UIDs and GIDs into non-system users and groups in /etc/login.defs. Find UID_MAX and change UID_MAX and GID_MAX as the following
Editing AD users and groups using the OMV webinterface will fail because they are not stored in /etc/passwd and /etc/group .
- Join the domain
Argument createcomputer allows you to create the computer's account in an organisational unit (OU) and is not required.
- Enable authentication with winbind
- Check users and groups enumeration
getent passwd (you get local and AD users lists)
getent group (you get local and AD groups lists)
- Enable mkhomedir and umask
create the file /usr/share/pam-configs/my_mkhomedir with the following content
umask argument for mkhomedir didn't worked for me. pam_umask.so seems be a better option. Create the file /usr/share/pam-configs/umask with the following
Run the command pam-auth-update, enable Activate mkhomedir and Activate umask. The items Kerberos authentication, Unix authentication and Winbind NT/Active Directory authentication should be already enabled.
- Fix domain folder permission
In SMB/CIFS, extra confguration the special variable %D is used to distinguish domain users from OMV's local users. A folder will becreated upon first domain user connexion. However the folder will not allow domain users to traverse the folder and access their home directory. This need a fix. Create the folder where template homedir expects to find it, and adjust the owners and permissions. If your active directory contains a white space, ensure to escape it with a backslash.
- SSH login for AD users
In OMV webGUI enable SSH, disable root login (prefer su and sudo) and add this in Extra Options :
AllowGroups root ssh "domain users"
Please check "domain users is enclosed by double quotes and check this is the group name available in windows 2008 R2 (I'm french and I'm using a french windows 2008R2 : groups and users names are localized)
- Login against SMB or SSH
don't prefix username with domain. (eg: not DOMAIN.LOCAL/administrator; use administrator only)
Questions / Problems / Diskussions
Feel free to post in this: Join a Windows 2008 R2 domain with OMV thread.
Version 1.1 // 26.11.2014