Join a Windows 2008 R2 domain

  • Join a Windows 2008R2 domain

    OpenMediaVault 1.0 or higher

    With this guide you are able to join a Windows domain with your OMV.
    The major benefit of OMV 1.0 is the ability to choose a uid/gid range with higher values for the mapped domain users, so that they never collide with the uids/gids of local OMV accounts.


    • LAB description

    1 ESXi 5 host with some virtual machines:
    1 Windows 2008 R2 AD domain controller
    1 OpenMediaVault 1.0.20
    1 Windows 7 64-bit member of the 2008 R2 domain

    The domain controller has the DNS and DHCP roles.
    OpenMediaVault has 1 Ethernet interface configured with DHCP.

    • Settings

    Domain: domain.local
    Windows 2008 R2 hostname: srv-dc-01
    OMV hostname: omv

    • Customizations or what you need to adapt to YOUR needs

    a way to synchronize time between your DC, your OMV server and your domain member computers
    the domain name (and therefore the workgroup)
    the directory containing the home directories (probably something like /media/30fcb748-ad1e-4228-af2f-951e8e7b56df/YOURWORKGRP)

    OMV Configuration

    • Check IP configuration

    OpenMediaVault has a DHCP-assigned IP address. You should check its hostname and name resolution:

    omv:/# host domain.local
    domain.local has address
    omv:/# hostname -f

    • Check time and NTP

    The LAB environment runs ESXi: time is synced on each VM boot, which is sufficient for testing. In a production environment, use VMware Tools and time sync against the ESXi host, or use NTP. Kerberos rejects requests from a client whose clock differs from the DC's by more than 5 minutes (the default clockskew), so the join and every later login depend on this.

    • Install required packages
    apt-get update
    apt-get install krb5-user krb5-clients libpam-krb5 winbind libnss-winbind

    You will be asked for the default Kerberos realm: enter DOMAIN.LOCAL (realm names are case-sensitive; use upper case).

    • Kerberos configuration

    Kerberos runs out of the box with the default configuration. However, you may also edit /etc/krb5.conf by hand.
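    The author's own /etc/krb5.conf is not reproduced on this page. The following is an added example (not from the original guide) of a minimal krb5.conf for the lab above; it assumes that srv-dc-01.domain.local is the only KDC and that the DC's DNS role serves the Kerberos SRV records, as the lab description implies.

```ini
# /etc/krb5.conf - added example for the lab realm DOMAIN.LOCAL (assumed values)
[libdefaults]
    # Realm names are case-sensitive; an AD realm is the DNS domain in upper case.
    default_realm = DOMAIN.LOCAL
    # Let the DC's DNS role publish the KDC via _kerberos._tcp.domain.local SRV records...
    dns_lookup_kdc = true
    # ...but never derive the realm from DNS TXT records: MIT krb5 disables this by
    # default because a spoofed TXT record could steer clients to a rogue realm.
    dns_lookup_realm = false
    # Do not canonicalise the KDC host name through reverse DNS.
    rdns = false
    ticket_lifetime = 24h
    forwardable = true

[realms]
    # Explicit KDC so kinit still works if the SRV lookup fails (assumption: one DC).
    DOMAIN.LOCAL = {
        kdc = srv-dc-01.domain.local
        admin_server = srv-dc-01.domain.local
    }

[domain_realm]
    .domain.local = DOMAIN.LOCAL
    domain.local = DOMAIN.LOCAL
```

    After editing the file, repeat the kinit/klist test below; if kinit reports a clock skew error, fix time synchronization before going further.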

    • Test kerberos settings

    kinit -V administrator@DOMAIN.LOCAL

    Give the administrator password.

    Test that you got a ticket: klist

    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: administrator@DOMAIN.LOCAL
    Valid starting       Expires              Service principal
    01/28/13 13:28:58    01/28/13 13:38:58    krbtgt/DOMAIN.LOCAL@DOMAIN.LOCAL

    Destroy all tickets (and check with klist): kdestroy

    • SAMBA settings

    In OMV webGUI :

    • enable SAMBA
    • set Workgroup : DOMAIN
    • tick "Enable user home directories". You may also tick "Set browseable".
    • add extra options :
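    The extra options the author entered in the OMV webGUI are not reproduced on this page. The following is an added example (not the author's configuration) of [global] options that match what the rest of this guide relies on: the %D variable in the home directory template, usernames typed without a domain prefix, users and groups enumerable with getent, and a uid/gid range well above the local accounts. The idmap range values and the rid backend are assumptions; adjust them to your site, and if you also apply the /etc/login.defs step further down, raise UID_MAX and GID_MAX so that they cover this range.

```ini
# Extra options for the [global] section of smb.conf (added example, assumed values).
# OMV writes security = user itself; when a parameter is set twice in a section the
# last value wins, so the ADS settings below override it.
security = ads
realm = DOMAIN.LOCAL

# Default idmap range for SIDs that belong to no configured domain (e.g. BUILTIN).
idmap config * : backend = tdb
idmap config * : range = 10000-19999

# Domain users and groups get uids/gids derived from their RID, so the same account
# gets the same uid on every server that uses this configuration (no idmap.tdb to lose).
# The range is deliberately far above local accounts so that an AD user can never share
# a uid with a local OMV user; it must not overlap the * range above.
idmap config DOMAIN : backend = rid
idmap config DOMAIN : range = 100000-999999

# Log in as "administrator", not "DOMAIN.LOCAL/administrator".
winbind use default domain = yes
# Needed for getent passwd / getent group to list AD accounts.
winbind enum users = yes
winbind enum groups = yes
winbind refresh tickets = yes

# %D is the user's domain, so domain accounts land under /home/DOMAIN/<user>
# while OMV's local users keep their own home directories.
template homedir = /home/%D/%U
template shell = /bin/bash
```

    Run testparm afterwards, as the guide does; once the server is joined, wbinfo -u should list the same domain accounts as getent passwd.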

    :!: Read this post if you're on Windows 8 to try a performance enhancement: http://forums.openmediavault.o…f=3&t=1493&p=24413#p24366

    Test samba configuration: testparm

    Disable the winbind cache:
    edit /etc/default/winbind and uncomment the following line so that it reads as below (the file is sourced by the init script, so leave no spaces around the = sign)

    WINBINDD_OPTS="-n"

    restart samba and winbind

    service samba stop
    service winbind restart
    service samba start

    :!: This step is not required
    If you wish to see your AD users and groups in the OMV web interface, include their UIDs and GIDs in the range of non-system users and groups in /etc/login.defs. Find UID_MAX and change UID_MAX and GID_MAX as follows (the values must cover the winbind idmap range):

    UID_MAX 60000
    GID_MAX 60000

    Editing AD users and groups in the OMV web interface will fail because they are not stored in /etc/passwd and /etc/group.

    • Join the domain

    The createcomputer argument places the computer account in the given organisational unit (OU); it is optional.

    omv:/# net ads join -U administrator createcomputer=servers/linux
    Enter administrator's password:
    Using short domain name -- DOMAIN
    Joined 'OMV' to realm 'domain.local'

    • Enable authentication with winbind

    edit /etc/nsswitch.conf

    passwd: compat winbind
    shadow: compat
    group: compat winbind


    • Check users and groups enumeration

    getent passwd (you get local and AD users lists)
    getent group (you get local and AD groups lists)

    • Enable mkhomedir and umask

    create the file /usr/share/pam-configs/my_mkhomedir with the following content (pam-auth-update expects the module line under a Session: key, indented)

    Name: Activate mkhomedir
    Default: yes
    Priority: 900
    Session-Type: Additional
    Session:
    	required pam_mkhomedir.so umask=0077 skel=/etc/skel

    The umask argument of pam_mkhomedir did not work for me; pam_umask seems to be a better option. Create the file /usr/share/pam-configs/umask with the following

    Name: Activate umask
    Default: yes
    Priority: 800
    Session-Type: Additional
    Session:
    	optional pam_umask.so umask=0077

    Run the command pam-auth-update, enable Activate mkhomedir and Activate umask. The items Kerberos authentication, Unix authentication and Winbind NT/Active Directory authentication should be already enabled.

    • Fix domain folder permission

    In the SMB/CIFS extra configuration, the special variable %D (the user's domain) is used to distinguish domain users from OMV's local users. The folder is created upon the first domain user's connection. However, it will not allow domain users to traverse it and reach their home directories, so this needs a fix. Create the folder where the template homedir expects to find it, and adjust its owner and permissions. If your Active Directory group name contains a white space, escape it with a backslash.

    mkdir /home/DOMAIN
    chmod 0755 /home/DOMAIN
    chown root:domain\ users /home/DOMAIN

    • SSH login for AD users

    In the OMV webGUI enable SSH, disable root login (prefer su and sudo) and add this in Extra Options:
    AllowGroups root ssh "domain users"

    Please check that "domain users" is enclosed in double quotes and that this is the group name available in your Windows 2008 R2 (I'm French and I'm using a French Windows 2008 R2: group and user names are localized).

    • Login against SMB or SSH

    Don't prefix the username with the domain (e.g. not DOMAIN.LOCAL/administrator; use administrator only).

    Questions / Problems / Discussions
    Feel free to post in this thread: Join a Windows 2008 R2 domain with OMV.

    Version 1.1 // 26.11.2014


    Edited 2 times, last by WastlJ.
