Join a Windows 2008 R2 domain with OMV

  • Yeah, great stuff. Thank you dethegeek! I'll try that in the next few days on a test machine.

    Homebox: Bitfenix Prodigy Case, ASUS E45M1-I DELUXE ITX, 8GB RAM, 5x 4TB HGST Raid-5 Data, 1x 320GB 2,5" WD Bootdrive via eSATA from the backside
    Companybox 1: Standard Midi-Tower, Intel S3420 MoBo, Xeon 3450 CPU, 16GB RAM, 5x 2TB Seagate Data, 1x 80GB Samsung Bootdrive - testing for iSCSI to ESXi-Hosts
    Companybox 2: 19" Rackservercase 4HE, Intel S975XBX2 MoBo, C2D@2200MHz, 8GB RAM, HP P212 Raidcontroller, 4x 1TB WD Raid-0 Data, 80GB Samsung Bootdrive, Intel 1000Pro DualPort (Bonded in a VLAN) - Temp-NFS-storage for ESXi-Hosts

  • Hi


    @Sunnyg: this guide is not intended to make OMV an LDAP server, because an AD is already an LDAP server :)


    Why do you need an LDAP server in OMV? Is this only to build a directory without closed-source software (I mean: Windows)?

    My wiki : http://howto-it.dethegeek.eu.org


    = latest setup =
    proxmox VE 6 hypervisor on a J1900 CPU + 8GB RAM
    guests : OpenWRT (VM), OMV 5 (VM), Samba 4 domain controller (LXC)
    OMV alive since 2011 I guess : never crashed, always upgraded : stronger than my hard drives.


    Searching for a P2P online storage solution: must be open source, client-side encrypted, quota support. Tahoe-LAFS is the nearest, but is lacking quota. Would be perfect to build an OMV-based, anonymous online storage for backups

  • Yo, dee ;)
    After months I've upgraded OMV from 0.5.6 to 1.21


    And the only option I needed to change was installing the missing package "libnss-winbind" to get my users back into OMV ;)
    I've updated my extra settings and removed the deprecated idmap entries ...
    I'll test the "performance settings" again for Win 8.1 and add feedback here ...


    greetz


    Rico

    running OMV 2.2.1
    with : SnapRAID - AUFS - TVheadend

  • Hi


    Good job, El Muchacho.


    I'm happy to see the tutorial still works after so many changes in OMV ;)


  • Hello everyone!
    First of all, I would like to clarify that English is not my native language.
    That said, thanks for the post; it was very useful for me.


    After a two-week chase, joining the domain as domain administrator succeeded, and I can get the list of users and groups with wbinfo.


    wbinfo -u
    gives me something like 40k+ users.


    Also auth and info work:


    Code
    root@NasGics:~# wbinfo --authenticate=myuser
    Enter myuser's password:
    plaintext password authentication succeeded
    Enter myuser's password:
    challenge/response password authentication succeeded
    root@NasGics:~# wbinfo -i myuser
    myuser:*:9400:9408::/home/myuser:/bin/bash
    root@NasGics:~#


    here is my problem:


    Code
    root@NasGics:~# getent passwd


    shows me only the local users, not the 40k+ AD users, and obviously I can't see the AD users in the web GUI.


    here are my config files:


    Before posting, I spent a long time trying to make it work. Any suggestions are welcome,
    thank you very much

  • Hi


    First, I'd like to warn you that this tutorial has not been tested (at least by me) with a huge number of users. You should consider disabling two settings to improve performance. This is common advice for a setup like yours.


    Code
    winbind enum users = no
    winbind enum groups = no


    Changing these settings will prevent you from enumerating your AD users with getent passwd and getent group, though.


    After reading your configuration files, I believe you're using my second tutorial, with an OpenLDAP server. Good choice if you have several Linux servers or computers using shares available on your OMV server. I warn you: this is a single point of failure. I highly recommend you move OpenLDAP to a dedicated computer or VM, with at least one other OpenLDAP computer or VM, and a replication system between them. This improvement should help you build a failure-tolerant setup.


    Now, about your configuration files :


    I feel you merged something from my tutorial and another source. Can you tell me which other documentation you used? Can you also tell me which version of OpenMediaVault you're using? The settings in smb.conf will vary depending on the version of Samba. I had a big headache making it work after switching to Debian Wheezy due to deprecated config lines.


    I notice you added both winbind and ldap in nsswitch.conf. I believe this is not necessary. winbind should be sufficient.


    About your issue with getent passwd returning only your local users: I had this often when I configured Samba with my method. Try getent group. If it shows your groups from your AD, then try to reboot the OMV server. I noticed this is often sufficient to solve the issue (and it never occurs again).


  • The tutorial is great. I set up 2 OMV machines and it works. But there are two small problems, perhaps someone can help me.


    First: One OMV machine was a new installation with version 1.17, there I can see the AD user and groups in the webGUI and can also select them for samba shares. The other OMV machine was upgraded from 0.9 to 1.17. On this machine I cannot see the AD users and groups in the webGUI. On both machines I followed the tutorial.


    Second: I changed the last name of one user in AD. The login name has the format firstname.lastname. getent passwd shows the new login name. I restarted the server and also cleared the winbind cache but ls -l shows the old login name. The problem now is that the user can log in with the new login name but has no access to the shares (Samba). Login with the old username didn't work. The user ID didn't change. In this case it is 10012. chown with the new username works but ls -l shows the old username. Somewhere the user gets cached but the reboot didn't solve it. Any ideas?

  • Hi BX787


    About your first issue affecting your second OMV server: check that the UID and the GID are in [UID_MIN, UID_MAX] and [GID_MIN, GID_MAX] as set in the file /etc/login.defs. I'll make a new tutorial with a different method for OMV 1.x and 2.x to get rid of winbind and use several domains.


    For your user with UID=10012, which shares can the user not access? Only his home directory?

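The /etc/login.defs check suggested in the post above, as an added example that is not part of this thread: a small Python script that parses the UID_MIN/UID_MAX and GID_MIN/GID_MAX lines and reports which getent passwd / getent group entries fall outside those windows. It assumes, as the post implies, that the OMV web GUI only lists accounts inside those ranges. The login.defs text and the getent lines embedded in it are constructed samples; the over-range user "bigidmap" and group "domain admins" at gid 70000 are hypothetical.

```python
"""Check which accounts fall inside the UID/GID windows from /etc/login.defs.

Added example, not from the thread. It assumes the OMV web GUI only lists
users and groups whose ids lie in [UID_MIN, UID_MAX] / [GID_MIN, GID_MAX],
which is the check the post above asks for. Sample data below is constructed.
"""
import os
import re
import subprocess

# Constructed sample of the four relevant /etc/login.defs lines (Debian defaults).
SAMPLE_LOGIN_DEFS = """\
# comment lines and unrelated keys are ignored
UMASK           022
UID_MIN          1000
UID_MAX         60000
GID_MIN          1000
GID_MAX         60000
"""

# Constructed `getent passwd` output: two local accounts, the domain user from
# this thread, and a hypothetical winbind user whose idmap range is too high.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
localadmin:x:1000:1000::/home/localadmin:/bin/bash
firstname.lastname:*:10012:10000:Firstname Lastname:/home/DOMAIN/firstname.lastname:/bin/false
bigidmap:*:70012:10000:Hypothetical user:/home/DOMAIN/bigidmap:/bin/false
"""

# Constructed `getent group` output in the same spirit.
SAMPLE_GROUP = """\
users:x:100:
domain users:*:10000:
domain admins:*:70000:
"""

_KEYS = ("UID_MIN", "UID_MAX", "GID_MIN", "GID_MAX")
_DEF_RE = re.compile(r"^\s*(UID_MIN|UID_MAX|GID_MIN|GID_MAX)\s+(\d+)\s*$")


def parse_login_defs(text):
    """Return {'UID_MIN': int, ...}; raise if any of the four keys is absent."""
    limits = {}
    for line in text.splitlines():
        m = _DEF_RE.match(line)
        if m:
            limits[m.group(1)] = int(m.group(2))
    missing = [k for k in _KEYS if k not in limits]
    if missing:
        raise ValueError("login.defs lacks %s" % ", ".join(missing))
    return limits


def split_by_range(entries_text, low, high):
    """Split getent-style lines into (inside, outside) name lists by the id field."""
    inside, outside = [], []
    for line in entries_text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        name, ident = fields[0], int(fields[2])
        (inside if low <= ident <= high else outside).append(name)
    return inside, outside


def check_account_ranges(login_defs_text, passwd_text, group_text):
    """Report which users/groups would be hidden by the login.defs windows."""
    d = parse_login_defs(login_defs_text)
    u_in, u_out = split_by_range(passwd_text, d["UID_MIN"], d["UID_MAX"])
    g_in, g_out = split_by_range(group_text, d["GID_MIN"], d["GID_MAX"])
    return {
        "limits": d,
        "users_visible": u_in, "users_hidden": u_out,
        "groups_visible": g_in, "groups_hidden": g_out,
    }


def _getent(database):
    # Real command on any glibc system; winbind entries only show up when
    # nsswitch.conf lists winbind and winbindd is running.
    return subprocess.run(["getent", database], capture_output=True,
                          text=True, check=True).stdout


if __name__ == "__main__":
    if os.path.exists("/etc/login.defs"):
        with open("/etc/login.defs") as fh:
            report = check_account_ranges(fh.read(), _getent("passwd"), _getent("group"))
    else:
        report = check_account_ranges(SAMPLE_LOGIN_DEFS, SAMPLE_PASSWD, SAMPLE_GROUP)
    print("limits:", report["limits"])
    # System accounts below UID_MIN (root, daemons) are expected here; a domain
    # user in this list means the idmap range in smb.conf lies outside login.defs.
    print("hidden users :", report["users_hidden"])
    print("hidden groups:", report["groups_hidden"])
```

Run it on the OMV box itself and it reads the live /etc/login.defs and getent output; anywhere else it falls back to the constructed samples. A domain account listed under "hidden users" with a uid above UID_MAX points at the idmap range in smb.conf, not at winbind itself.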

  • login.defs looks fine doesn't it?


    The user 10012:
    I tried to access every Samba share. If I use the new login name, I immediately get the login prompt, which shows an authentication failure. If I use the old login name, it takes about one minute until I get the login prompt, which shows the authentication failure.


    getent passwd shows the right loginname "firstname.lastname:*:10012:10000:Firstname Lastname:/home/DOMAIN/firstname.lastname:/bin/false"


    but "ls -l /home/DOMAIN" shows the old loginname "drwx--S--- 6 firstname.oldlastname users 4096 Sep 4 2014 firstname.lastname"

  • Hi


    login.defs is OK


    I think you should rename the home directory to match the new username.
    Check also that you changed the UPN and sAMAccountName in your AD to match your new name. Maybe you changed only one of them.


  • Hi


    Enable user enumeration and search for your user:
    File smb.conf:

    Code
    winbind enum users = yes


    Can you also give the result of these commands?


    Code
    getent passwd -s winbind | grep username

    Alternatively, this should also work:

    Code
    getent passwd username


    Code
    # will return a SID; check it is the same as the SID in your AD
    wbinfo -n username

    # will convert your SID into a name; replace SID by the previously found SID
    wbinfo -s SID

    # will return the uid of your SID; replace SID by the one you found with wbinfo -n username
    wbinfo -S SID


    You may also want to check wbinfo --help to find other useful diagnostic commands.


    If all your commands return correct values, test authentication for this user (assuming you know his password):

    Code
    # will ask for a password
    wbinfo -K username


    If this fails, try to test authentication for another user, just to ensure again that your issue affects a single user.

    Code
    wbinfo -K otherusername

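The name -> SID -> name -> uid -> passwd round trip described in the post above, done in code rather than by eye, as an added example that is not part of this thread. The script only parses the output formats of the commands quoted above (wbinfo -n, wbinfo -s, wbinfo -S, getent passwd) and flags any link in the chain that disagrees with the others; the sample outputs are constructed from the values posted in this thread, and live_check() runs the real commands only on a host that is actually joined.

```python
"""Verify the winbind identity chain name -> SID -> name -> uid -> passwd entry.

Added example, not from the thread. It parses the output formats of the
commands quoted above (wbinfo -n / -s / -S and getent passwd); the sample
outputs are constructed from the values posted in this thread.
"""
import re
import subprocess

# Constructed outputs, in the exact shape the thread shows for a healthy user.
SAMPLE_GOOD = {
    "name_out": "S-1-5-21-2801314209-1527081043-3091591741-1137 SID_USER (1)\n",
    "sid_out": "DOMAIN\\firstname.lastname 1\n",
    "uid_out": "10012\n",
    "passwd_line": "firstname.lastname:*:10012:10000:Firstname Lastname:"
                   "/home/DOMAIN/firstname.lastname:/bin/false\n",
}

_SID_RE = re.compile(r"^(S-1-5-21(?:-\d+){3}-\d+)\s+(SID_\w+)\b")


def parse_lookup_name(out):
    """`wbinfo -n NAME` prints 'SID SID_TYPE (n)'; return the SID if it is a user."""
    m = _SID_RE.match(out.strip())
    if not m or m.group(2) != "SID_USER":
        raise ValueError("not a user SID: %r" % out)
    return m.group(1)


def parse_lookup_sid(out):
    """`wbinfo -s SID` prints 'DOMAIN\\name TYPE'; type 1 is a user."""
    name, _, sidtype = out.strip().rpartition(" ")
    if sidtype != "1":
        raise ValueError("SID is not a user (type %s): %r" % (sidtype, out))
    domain, _, user = name.partition("\\")
    return domain, user


def parse_sid_to_uid(out):
    """`wbinfo -S SID` prints the uid winbind mapped the SID to."""
    return int(out.strip())


def parse_passwd(line):
    f = line.strip().split(":")
    return {"name": f[0], "uid": int(f[2]), "gid": int(f[3]), "home": f[5], "shell": f[6]}


def check_chain(username, name_out, sid_out, uid_out, passwd_line):
    """Return a list of inconsistencies; an empty list means the chain is coherent."""
    problems = []
    sid = parse_lookup_name(name_out)
    domain, resolved = parse_lookup_sid(sid_out)
    if resolved.lower() != username.lower():
        problems.append("SID %s resolves to %s\\%s, not %s" % (sid, domain, resolved, username))
    uid = parse_sid_to_uid(uid_out)
    pw = parse_passwd(passwd_line)
    if pw["name"].lower() != username.lower():
        problems.append("getent passwd entry is for %s, not %s" % (pw["name"], username))
    if pw["uid"] != uid:
        problems.append("wbinfo -S maps the SID to uid %d but getent shows uid %d" % (uid, pw["uid"]))
    return problems


def _run(*argv):
    return subprocess.run(list(argv), capture_output=True, text=True, check=True).stdout


def live_check(username):
    """Run the real commands on a joined host (needs winbindd; not used offline)."""
    name_out = _run("wbinfo", "-n", username)
    sid = parse_lookup_name(name_out)
    return check_chain(username, name_out, _run("wbinfo", "-s", sid),
                       _run("wbinfo", "-S", sid), _run("getent", "passwd", username))


if __name__ == "__main__":
    print("healthy chain:", check_chain("firstname.lastname", **SAMPLE_GOOD))
    # A passwd entry that still carries the pre-rename name, the symptom in
    # this thread: SID and uid agree, the name does not.
    stale = dict(SAMPLE_GOOD, passwd_line=SAMPLE_GOOD["passwd_line"].replace(
        "firstname.lastname:*", "firstname.oldlastname:*"))
    print("stale name   :", check_chain("firstname.lastname", **stale))
```

A clean chain with an owner still shown under the old name by ls -l narrows the fault to the nss/winbind cache on the file-server side rather than to AD or the idmap, which is the case the thread goes on to describe.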

  • Thank you very much for your help!


    Quote

    Enable user enumeration and search for your user :
    File smb.conf :

    Code
    winbind enum users = yes


    Already set.



    Quote

    getent passwd -s winbind | grep username (alternatively, this should also work: getent passwd username)


    Code
    getent passwd -s winbind | grep firstname
    firstname.lastname:*:10012:10000:Firstname Lastname:/home/DOMAIN/firstname.lastname:/bin/false


    Quote

    wbinfo -n username


    Code
    wbinfo -n firstname.oldlastname
    failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
    Could not lookup name firstname.oldlastname
    wbinfo -n firstname.lastname
    S-1-5-21-2801314209-1527081043-3091591741-1137 SID_USER (1)


    Quote

    wbinfo -s SID


    Code
    wbinfo -s S-1-5-21-2801314209-1527081043-3091591741-1137
    DOMAIN\firstname.lastname 1


    Quote

    wbinfo -S SID


    Code
    wbinfo -S S-1-5-21-2801314209-1527081043-3091591741-1137
    10012


    Quote

    You may also want to check wbinfo --help to find other useful diagnosis commands, if you feel some of them useful.


    Code
    wbinfo -a firstname.lastname
    Enter firstname.lastname's password:
    plaintext password authentication succeeded
    Enter firstname.lastname's password:
    challenge/response password authentication succeeded


    Quote

    wbinfo -K username


    Code
    wbinfo -K firstname.lastname
    Enter firstname.lastname's password:
    plaintext kerberos password authentication for [firstname.lastname] succeeded (requesting cctype: FILE)
    credentials were put in: FILE:/tmp/krb5cc_0


    Quote

    If this fails, try to test authentication for an other user, just to ensure again your issue affects a signle user.
    wbinfo -K otherusername


    Code
    wbinfo -K firstname.oldlastname
    Enter firstname.oldlastname's password:
    plaintext kerberos password authentication for [firstname.oldlastname] failed (requesting cctype: FILE)
    error code was NT_STATUS_NO_SUCH_USER (0xc0000064)
    error message was: No such user
    Could not authenticate user [firstname.oldlastname] with Kerberos (ccache: FILE)


    I think winbind and Kerberos work fine. But I didn't understand why "ls -l" shows the old username as file owner while "chown newusername" works without problems. After chown with the new username "ls -l" shows the old username.


    I did "ls -l" again and saw that now the username is the new one. Auth via Samba now works. Either the commands above helped or a cache TTL was reached (but I already restarted the server and manually cleared the winbind cache, so I think the commands did the job).


    OKAY. Again thank you for your help!


    Now one problem left. I cannot see the user/groups in the webgui. Any idea?


    Also solved. I can see the user and groups now but i don't know why. Perhaps the commands above or a cache ttl?

  • Hi


    Good news that your issue is solved, but it would be useful to understand what happened. In my experience winbind is sometimes unpredictable, and I have seen it finally work well unexpectedly.


    I will upgrade my OMV 0.5 to 2 in a few months, and I'll use a new method to connect to an AD / Samba 4. Have a look at sssd, available at least on Debian 7. It is easier to set up, and as I read somewhere, it appears to be the preferred method.


    If you want to try it, I may tell you how to set it up.


  • Hi,


    sorry for my late answer.


    Since the failure is gone both systems work very well and stably. Perhaps I will test sssd in a virtual machine if I find some time. But for now everything works and I don't know what exactly happened.

  • My first post after a day trying to get OMV to talk to ClearOS (CentOS/RHEL) as a computer...


    I think it is related to the very first post of this thread: trying to join OMV to a windows directory on a ldap/samba server.


    The tutorial stops working when I try to set up Kerberos, as I don't have domain.local but rather a domain.lan that is outside OMV, meaning on ClearOS (where Kerberos isn't running or configured)


    so the kinit command won't work when I register domain.lan on setup.


    With the LDAP plugin I get different SIDs on ClearOS and OMV, that's why I can never connect to OMV (it's fine for users and groups, but as ClearOS has its own sambaSIDs, they don't match when I register on a user level). I just set the SID of OMV to match ClearOS in LDAP as a workaround. It works, but I don't think this is the way to do it?!


    Is there a tutorial for joining a linux setup like this?


    Do I need the Kerberos stuff at all, or just winbind?


    How do I join OMV as a Computer (there is a winadmin already on Clearos) to my LDAP setting on Clearos?


    Any hints, links, help appreciated!


    Bernd


    OMV 1.9 with backport kernels / ClearOS 6.6

    OMV 2.1.1 with backport-kernel 3.16
    Antworten/ Answers/ Réponse: deutsch - english - français und/and/et Linux :)

  • Hi


    The tutorial has been written for a Microsoft AD server. However it should work with a Samba 4 domain too (I'm working on a setup based on sssd, but the former setup described in the tutorial will work). I assume a Samba 3 DC will not be sufficient.


    Can you provide
    - the Samba version running on ClearOS 6.6
    - the command which is not working
    - the error you get?


  • Hello,


    thank you for your answer.
    - Yes, it's Samba 3.6.23-14 right now; I think ClearOS 7 will have Samba 4.
    - the command and its failure are:

    Code
    root@myomv:/etc# kinit -V administrator@MYCLEAROSDOMAIN.LAN
    Using default cache: /tmp/krb5cc_0
    Using principal: administrator@MYCLEAROSDOMAIN.LAN
    kinit: Cannot resolve servers for KDC in realm "MYCLEAROSDOMAIN.LAN" while getting initial credentials


    The dns server is running on Clearos and OMV is pointing to it.


    Bernd
