Posts by dethegeek

    hi


    I'm the author of the tutorial.


    a) You must set the name of your workgroup. If your domain name is domain.com, your workgroup name must be DOMAIN. If your domain name is mycompany.lan, it is MYCOMPANY.


    b) The UID and GID of the users from your domain are very high numbers, because you left the line ldap_id_mapping commented out in sssd.conf. If you want to see the AD users in the user interface of OMV, you need to set MAX_UID and MAX_GID to a value greater than the IDs of your AD users and groups. This documentation may help you: https://linux.die.net/man/5/sssd-ad


    c) nice to know. I may update the tutorial to warn about this important change. (Did I write a version for OMV 4.x ? I don't even remember).

    Description


    With this guide you are able to join a Windows domain (either a Windows domain controller or a Samba 4 domain controller) with your OpenMediaVault server.


    This is a new method to join a domain with SSSD instead of Winbind. It is much easier to set up, and is more reliable than Winbind.


    However there is a drawback: if SSSD chooses the UIDs and GIDs itself, the numbers seem too high to be visible in OMV's UI. If the directory provides UIDs and GIDs set by the administrator, and low enough (10000 for example), OMV is able to show them.


    This is currently a BETA, I successfully configured a fresh install of OMV 3 with these steps.


    Requirements

    • OpenMediaVault 3.0.83 or higher
    • A Samba 4 domain controller with uid and gid properties set for users and groups



    OMV Configuration


    Network settings


    • Check IP configuration

    Use the web UI to setup a fixed IP address, and a hostname with a domain name matching your domain.


    Open a terminal (locally or with SSH) and check the hostname configuration of your OpenMediaVault.



    The first command allows you to check that the server has the expected name. It may be whatever you want.
    The second command checks the suffix of your hostname. It must match the domain name of your domain controller.
    The third command checks that /etc/hostname matches your hostname. If it does not match hostname -s, update it.


    Packages installation
    Now install the required packages to install and use SSSD.


    Bash
    root@my-server:~# apt-get install sssd realmd policykit-1 packagekit adcli
    root@my-server:~# realm discover -v domain.com
    root@my-server:~# realm -v join domain.com -U administrator --membership-software=adcli


    apt-get install installs sssd and the required packages.
    realm discover checks that you can find your domain controller.
    realm join .. well .. joins your domain. You need to specify the login of an administrator account, and the process will ask you for its password. Some additional packages will be automatically installed.


    SSSD is now running; you need to stop it and reset its cache to tweak it.


    Configure SSSD


    Bash
    service sssd stop
    sss_cache -E
    rm /var/lib/sss/db/*


    Check /etc/sssd/sssd.conf and switch use_fully_qualified_names to False. This allows you to authenticate without specifying your domain.


    Read the Mapping algorithm paragraph of the SSSD documentation to determine whether you want ldap_id_mapping or not, either by reading this page: https://linux.die.net/man/5/sssd-ad or by reading it from the OMV terminal.


    Code
    man sssd-ad


    If you want to disable ID mapping and use POSIX attributes in your AD, also change ldap_id_mapping to False. Doing this requires that you set up a uid and gid for all your users and groups in your directory.


    If you want to show your users in the OpenMediaVault web interface, you need to add the parameter enumerate = True at the bottom of the section [domain/domain.com]. However this is NOT recommended because it will slow down the server and generate network traffic with your domain controller. If you have a lot of users, you should consider keeping its default value (False) and configuring permissions with setfacl. The same issue occurs with Winbind, so it is useless to prefer Winbind to work around this problem.


    Customize override_homedir to set the path containing your users' home directories. You will bind mount a subtree of a filesystem here in the next steps. This means this subtree will be available at 2 paths in OMV's filesystem.


    Here is an example of /etc/sssd/sssd.conf


    Restart SSSD.


    Code
    service sssd start


    The command realm also updates /etc/nsswitch.conf to use sssd as a source. You do not need to update it yourself, but here is an example of what you should read in this file. Notice the word sss is added in some lines.



    Now that sssd is up to date and running, try to find an existing user:


    Code
    getent passwd johndoe
    johndoe:*:10000:10000:johndoe:/home/DOMAIN/johndoe:/bin/bash


    Enable mkhomedir
    Create the file /usr/share/pam-configs/my_mkhomedir with the following content:

    Code
    Name: Activate mkhomedir
    Default: yes
    Priority: 900
    Session-Type: Additional
    Session:
    	required	pam_mkhomedir.so umask=0077 skel=/etc/skel


    The umask argument of mkhomedir didn't work for me. pam_umask.so seems to be a better option. Create the file /usr/share/pam-configs/umask with the following:

    Code
    Name: Activate umask
    Default: yes
    Priority: 800
    Session-Type: Additional
    Session:
    	optional	pam_umask.so umask=0077


    Run the command pam-auth-update, enable Activate mkhomedir and Activate umask.


    Configure Home directories


    In the OMV UI, open the users administration panel. Assuming you have at least one shared folder defined, choose the tab Settings and enable user home directories. Choose a device and set the path /users to store them. This path is important for the next step.


    Find the mounted data volume you want to use for your home directories. In this example, this is the last line. The path after "on" will be re-used to bind mount the volume in /home/domain.com.




    Edit /etc/fstab and bind mount your share to /home/domain.com. The line must be added after # <<< [openmediavault]. This ensures it will not be overwritten when you edit OpenMediaVault's configuration.


    Code
    /srv/dev-disk-by-id-scsi-0QEMU_QEMU_HARDDISK_drive-scsi1-part1 /home/domain.com none bind	0 2


    Go in SMB/CIFS configuration, and enable SMB/CIFS.
    Set the Workgroup field to DOMAIN (uppercase, and match the word before the first dot of your domain name). Enable user home directories, and add the following on your extra options:


    If you're using OMV 4.X change the line
    dedicated keytab file = FILE:/etc/krb5.keytab
    into
    dedicated keytab file = /etc/krb5.keytab


    Save and apply changes.


    :!: Read this post if you're under windows 8 to try a performance enhancement : http://forums.openmediavault.o…f=3&t=1493&p=24413#p24366


    :!: This step is not required
    If you wish to view your AD users and groups in the OMV web interface, include their UIDs and GIDs in the non-system users and groups range of /etc/login.defs: find UID_MAX and change UID_MAX and GID_MAX. You need to choose a value higher than the highest UID and GID you can find in your directory. Here are the default values.

    Code: /etc/login.defs
    UID_MAX                 60000
    GID_MAX                 60000

    Editing AD users and groups using the OMV webinterface will fail because they are not stored in /etc/passwd and /etc/group .


    You should now be able to browse your home dir and shares, if any, with a user managed by your directory server, from a workstation enrolled with SSSD. To set up SSSD on a workstation, do the same as in this guide, and don't set up Samba (because it will probably not share files itself, thanks to OMV).
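The checks below are an added example, not part of the tutorial or of OMV: they put the three points that come up repeatedly on this page (the workgroup name derived from the realm in the first reply, the options to verify in /etc/sssd/sssd.conf, and the UID_MAX/GID_MAX limit that hides ID-mapped accounts from OMV's user list) into small shell functions you can run offline. Every function reads its file from stdin, so the constructed samples embedded here stand in for the real files; the domain name domain.com, the override_homedir value and the passwd lines are assumptions for the demo, not values from a real server.

```bash
#!/bin/sh
# Added example for this tutorial (not the author's code): offline sanity
# checks for the workgroup name, the sssd.conf domain options, and AD users
# that OMV hides because their IDs are above UID_MAX/GID_MAX.
# Functions read files from stdin, so they work on the constructed samples
# below as well as on the real files (see the usage comments at the end).

# Workgroup is the first DNS label of the realm in upper case
# (domain.com -> DOMAIN, mycompany.lan -> MYCOMPANY).
workgroup_from_domain() {
    printf '%s\n' "${1%%.*}" | tr '[:lower:]' '[:upper:]'
}

# Read UID_MAX or GID_MAX from a login.defs on stdin; 60000 is the default
# quoted in the tutorial and is used when the key is absent.
id_max_from_login_defs() {
    awk -v k="$1" '$1 == k { v = $2 } END { print (v == "" ? 60000 : v) }'
}

# Print the value of key $2 inside the [domain/$1] section of an sssd.conf
# read from stdin. Empty output means the key is not set in that section.
sssd_domain_option() {
    awk -v sect="[domain/$1]" -v key="$2" '
        /^\[/ { insect = ($0 == sect); next }
        insect {
            n = index($0, "="); if (n == 0) next
            k = substr($0, 1, n - 1); v = substr($0, n + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) print v
        }'
}

# Given one "getent passwd" line plus UID_MAX and GID_MAX, say whether OMV's
# user list can show the account (both IDs must be <= the limits).
omv_visibility() {
    uid=$(printf '%s' "$1" | cut -d: -f3)
    gid=$(printf '%s' "$1" | cut -d: -f4)
    if [ "$uid" -le "$2" ] && [ "$gid" -le "$3" ]; then
        echo visible
    else
        echo hidden
    fi
}

# Constructed samples (not taken from a real server). The second passwd line
# has the kind of large IDs that ldap_id_mapping = True produces.
LOGIN_DEFS_SAMPLE='UID_MAX                 60000
GID_MAX                 60000'
SSSD_CONF_SAMPLE='[sssd]
domains = domain.com

[domain/domain.com]
use_fully_qualified_names = False
ldap_id_mapping = False
override_homedir = /home/domain.com/%u'
POSIX_USER='johndoe:*:10000:10000:johndoe:/home/DOMAIN/johndoe:/bin/bash'
MAPPED_USER='janedoe:*:1234001105:1234000513:janedoe:/home/DOMAIN/janedoe:/bin/bash'

# Demo run against the samples. On a real server use the real files instead:
#   id_max_from_login_defs UID_MAX < /etc/login.defs
#   sssd_domain_option domain.com ldap_id_mapping < /etc/sssd/sssd.conf
#   getent passwd johndoe | while read -r l; do omv_visibility "$l" 60000 60000; done
echo "workgroup: $(workgroup_from_domain domain.com)"
uid_max=$(printf '%s\n' "$LOGIN_DEFS_SAMPLE" | id_max_from_login_defs UID_MAX)
gid_max=$(printf '%s\n' "$LOGIN_DEFS_SAMPLE" | id_max_from_login_defs GID_MAX)
echo "ldap_id_mapping: $(printf '%s\n' "$SSSD_CONF_SAMPLE" | sssd_domain_option domain.com ldap_id_mapping)"
for entry in "$POSIX_USER" "$MAPPED_USER"; do
    echo "${entry%%:*}: $(omv_visibility "$entry" "$uid_max" "$gid_max")"
done
```

The ID-mapped account is reported as hidden with the default limits, which is exactly the symptom described in the first reply; raising UID_MAX/GID_MAX in /etc/login.defs, or switching to POSIX attributes with ldap_id_mapping = False, makes it visible. The functions deliberately avoid editing anything, so they are safe to run on a production server.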

    Your setup seems fine since you can login with at least one user and they show when you issue getent passwd.


    I guess there is something going wrong when the UI tries to retrieve the users from the system, but I don't have knowledge about how the UI is designed.


    I found the following in the sources :


    https://github.com/openmediava…diavault/system.inc#L5660


    This code may be related to users enumeration for the UI. A debugging session here might help you to find out if it fails, and why.

    Hi


    I tried when I joined this thread, without success: I don't have enough knowledge of LXC, and after I found a few solutions or workarounds to the first compatibility issues I thought about software RAID and LVM: an LXC container is a filesystem only. I guess RAID and LVM won't be manageable.


    The only solution, I think, would be to have an OMV instance without RAID and LVM management enabled. It does not make sense because OMV should manage this itself.


    I finally gave up and continued to run my OMV as a QEMU KVM machine (proxmox or libvirt, depending on my current taste).


    @c.monty : running OMV on a QEMU KVM machine is a waste of resources because it is full virtualization. Moreover, I was targeting using OMV on a CPU without the assisted virtualization features required by KVM. That's why I was interested in LXC.

    Hi


    A few years ago I configured PAM to use an OpenLDAP directory. This is a pain. I don't use the LDAP plugin so I'll let someone else talk about it. I advise you to use a dedicated tool to edit your accounts, because this is probably a good (or the best?) practice.


    If I remember correctly there is a plugin to host some websites on OMV. Again, I'm using a distinct (virtual) machine; that's why I'm not sure about that. This would be enough for you to host LAM, as it fits your need, and it will fulfill your requirement to manage your accounts in a centralized way.

    Hi


    I agree the users should be edited from something other than OMV.


    If using an AD or Samba 4 you may use a Windows computer with RSAT. It is easier when the computer is a member of the domain, otherwise you need an awful command line to work around it.


    For Samba 4 I'm using LDAP Account Manager (free version) aka LAM. It needs a big setup first but it's more open than Windows.


    LAM is also compatible with OpenLDAP.

    Hi again,


    As I recommended you to use the RID backend, you should read the documentation here:
    https://www.samba.org/samba/do…manpages/idmap_rid.8.html


    As I have not tried this backend, I cannot give you a baked and working smb.conf. I think you will be able to build your setup from my AD backend config and the documentation: only a few line changes are needed.


    Please note also that you have to join the domain with:

    Code
    net ads join -UAdministrator

    Hi


    Yes. However there is no plugin for OpenMediaVault to make the task easier (as far as I know).


    The two other main backends are RID and AD.
    RID generates UIDs and GIDs from the SID in a predictable way. This ensures consistent UIDs and GIDs across domain members (if they all use the RID backend and the same ranges).


    AD needs you to store UIDs and GIDs in your directory. This is the current backend for my personal domain and for another one I just set up this week for another entity. I prefer this because I have full control over these UIDs and GIDs.


    You have to set up your default realm in krb5.conf (I never had to edit other things in a single domain environment).


    You have to set up your workgroup in OMV.


    You will have to use (and customize) the following in SAMBA extra settings in OMV.


    All your groups in your AD MUST have a GID or getent group will not work (pre-built groups included). OMV seems to depend on getent group to enumerate groups in its UI.



    Try this snippet on a fresh OMV, and feel free to use it. Maybe this will help you to work around your timeout problem.

    Hi


    LDAP being very verbose, maybe you can work around it by using another backend in Samba. I suggest you try RID (without using the LDAP plugin). However the UIDs and GIDs of your users may change after this setup. I strongly advise you to create a clean instance of OpenMediaVault to test it.


    By the way, I know nothing about the GUI internals of OMV. Can someone tell me how OMV works when it retrieves users and groups from the LDAP plugin?


    I also strongly believe it would make sense to create a plugin for OMV dedicated to other methods of using Samba against a domain controller. But I do not have time to work on it myself. I'm way too busy.

    Hi


    Depending on your domain controller type (AD, Samba 4, OpenLDAP, other) you need to know where your administrator account is in the LDAP tree.


    I just installed a fresh OMV and the LDAP plugin to see how it looks.


    Host: put here the IP of your domain controller. Alternatively you may try the DNS name of your controller, or the domain itself (if your name server is properly set up).
    Port: self explanatory, I guess you know what you have to put here.
    SSL/TLS: probably disabled in your setup.
    Base DN: dc=home,dc=net
    Root bind DN: the Distinguished Name of your administrator account; something like cn=administrator,dc=home,dc=net. I cannot guess it for you, it depends mostly on the type of your domain controller (Samba 4, Microsoft, OpenLDAP, ...).
    Password: the password of your administrator account.
    Users suffix: roughly the "folder" where your users are. Often an Organisational Unit (or OU). It depends on your domain controller.
    Groups suffix: same as users suffix, for groups.
    Enable PAM: Pluggable Authentication Modules. I'm not an expert on this. The plugin should do the magic for you. Enable it to make your LDAP users available as if they were local accounts.
    Extra options: see the documentation of the LDAP plugin. I guess you will not need it for now.
    Extra client options: same as Extra options.


    Do you have something to browse your LDAP directory? If you're not sure about some fields (root bind DN, users and groups suffix) you will need it.

    Hi


    I'm using a new method to join OMV to a domain without using an LDAP server. It seems to work well and it is rather well documented in Samba. Most users seem to use the RID backend. I prefer rfc2307.


    Anyway, this is rather easy.


    @abivarilan : the guide to join a Windows 2012 AD is rather simple. My method is mostly the same.


    Are you able to read French? I wrote my method in my own wiki, and I'm lacking time to rewrite it here (in English) for now.


    https://howto-it.dethegeek.eu.…tager_via_CIFS/SMB_et_NFS
    This should work for Windows AD and Samba AD.


    If there is a good documentation about writing a plugin maybe I will find time to do it. I need help to do this.

    Hi


    I gave up running OMV as an LXC guest for now because NFS will not run. Kernel space NFS does not work in LXC, and the user space implementation lacks the file lock feature. (It seems NFS has the same limitations in LXC as in OpenVZ.)


    I remember collectd cannot run in LXC. I found this may be due to /etc/hosts not being set up properly (maybe if you rename the container's hostname). If collectd cannot start upon its installation some packages will not be configured, leaving the container in an unstable state.


    Choose a name for your container before creating it. Create it: lxc-create (some args) -n container-name


    Start your container and check its setup:

    Code
    hostname -s
    hostname -d
    hostname -f


    They should return respectively the short name of your container, the domain of your container and the FQDN of your container.


    In /etc/hosts there is a line starting with 127.0.0.1.
    The names found on this line should be the name of your container, its FQDN and literally localhost.


    I'm not sure about the order of these 3 names, try to reorder them if you fail to restart collectd.

    Code
    apt-get install collectd
    # fix /etc/hosts if still needed
    service collectd restart
    apt-get install -f

    # install OMV on top of jessie
    # instructions available on the forum, easily found via Google.


    For your information, I prefer to run OMV as the host for my containers to ensure a fully working file server. I think it is a bad idea to make a block device available in a container, because this configuration depends on the order and the number of HDDs in the host. Adding an HDD may break things.


    If you're interested I managed to install LXC, sssd and realmd from wheezy-backports without breaking OMV.


    EDIT: realmd is not available in backports, it is available from jessie onwards.
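An added example, not from the post above, of the hostname and /etc/hosts consistency check it describes, written so it can be run before installing collectd in a container. The two /etc/hosts samples are constructed, as are the container name omv-ct and the domain home.lan; the function reads the hosts file from stdin so the same code works on the real file.

```bash
#!/bin/sh
# Added example (not the author's code): verify that the 127.0.0.1 line of
# /etc/hosts names the container, its FQDN and localhost, and that the
# hostname -s / -d / -f values agree, before installing collectd in LXC.
# Reads the hosts file from stdin; the samples below are constructed.

# hosts_line_ok SHORT FQDN < /etc/hosts
# Succeeds if a 127.0.0.1 line carries all three required names, in any order
# (the post notes the order may matter for collectd; this only checks presence).
hosts_line_ok() {
    awk -v short="$1" -v fqdn="$2" '
        $1 == "127.0.0.1" {
            for (i = 2; i <= NF; i++) seen[$i] = 1
            found = 1
        }
        END { exit !(found && seen[short] && seen[fqdn] && seen["localhost"]) }'
}

# names_consistent SHORT DOMAIN FQDN
# Succeeds when hostname -f equals "<hostname -s>.<hostname -d>" and the
# domain is not empty (an empty hostname -d is the usual sign of a bad /etc/hosts).
names_consistent() {
    [ -n "$2" ] && [ "$3" = "$1.$2" ]
}

# Constructed samples: one container set up as the post describes, one that
# only lists localhost (what a renamed container typically ends up with).
GOOD_HOSTS='127.0.0.1 omv-ct omv-ct.home.lan localhost
::1 localhost ip6-localhost ip6-loopback'
BAD_HOSTS='127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback'

check_sample() {
    # $1 = label, $2 = hosts file content
    if printf '%s\n' "$2" | hosts_line_ok omv-ct omv-ct.home.lan; then
        echo "$1: 127.0.0.1 line ok, safe to run apt-get install collectd"
    else
        echo "$1: 127.0.0.1 line lacks the container name or FQDN; fix /etc/hosts first"
    fi
}

check_sample GOOD "$GOOD_HOSTS"
check_sample BAD "$BAD_HOSTS"

# On a real container, run the same checks against the live system:
#   hosts_line_ok "$(hostname -s)" "$(hostname -f)" < /etc/hosts
#   names_consistent "$(hostname -s)" "$(hostname -d)" "$(hostname -f)"
```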

    Hi


    I'm coming back, sorry for the very long delay; I'm way too busy.


    There is no best way to use Winbind on OMV. I believe there are lots of considerations depending on your knowledge, the file server implementation and the DCs' implementation.


    I'm having some good (first) results with sssd and realmd, which should be useful for you. Here are my notes (consider this is a draft which may contain some small issues) https://howto-it.dethegeek.eu.…ation_d.27un_client_Linux


    The client part you should read is rather short and easy to follow, and realmd does most of the hard work. I will test this method on OMV very soon (with some packages from Jessie).


    Compared to my previous setup with an external LDAP implementation, the new method is way easier and less error prone, it should work well for both Microsoft and Samba domains and it is easier to apply on non-Debian based flavors. I think this should be interesting for you.


    To answer your question about the mappings:
    TDB = a local id mapping for each computer (UIDs and GIDs may vary from one computer to another, and this is what you DON'T want)
    LDAP = centralized mapping, but you already have an LDAP. I think this will add weakness to your infrastructure.
    RID = algorithm based mapping. Each computer will maintain its own mapping, but UIDs and GIDs should be the same by design. I think this is not for me, and probably not for many other administrators. This is a personal opinion without any experience. I may be slightly wrong about its description. Check the documentation.


    I believe one of the best ways is to maintain the IDs in the directory if available. In your case ClearOS does this with its integrated LDAP. You should check that it is RFC2307 compliant. If so, sssd may work. Read the docs about realmd; this is very short and straightforward. If it does not work, you will lose little time compared to a pure Samba / Winbind setup.