Posts by scipio_americanus

    Hi Everyone,
    Just got around to upgrading to OMV 4. Wanted to share my steps to get SMB 3 share authentication working against my SAMBA AD server. Since I'm a security guy, this configuration only uses SMB 3 and Kerberos through sssd. Don't have to worry about legacy SMB protocols, weak NTLM hashes, NULL AD sessions, or plain text ldap calls.

    Install Needed Packages

    apt-get update && apt-get upgrade -y && apt-get install sssd sssd-tools realmd krb5-user libpam-sss libnss-sss libsasl2-modules-gssapi-mit packagekit libwbclient-sssd -y

    Edit /etc/krb5.conf
    DNS is hard; especially regarding Kerberos. You probably have to add the following to your krb5.conf file.

    Bash: /etc/krb5.conf
    rdns = False

    Join the Domain

    realm join -U <AD user with Domain Join right> REALM --verbose

    For Example,

    realm join -U lucifer AD.HAIL.SATAN.COM --verbose

    Edit /etc/sssd/sssd.conf to make sure the following are set under the domain configuration.

    Bash: /etc/sssd/sssd.conf
    use_fully_qualified_names = False
    fallback_homedir = /home/%u
    ad_gpo_access_control = permissive

    Example full sssd.conf file

    Edit /etc/login.defs
    Look up the uid value in your realm.

    root@omv:~# id lucifer
    uid=166640342(lucifer) gid=166642256(domain users) groups=166642256(domain users),29(sudo)

    In this example, our generated id has 9 digits, so we set the following for UID_MAX and GID_MAX in /etc/login.defs.

    SMB/CIFS Advanced Options
    Set the following under Extra Options of the Advanced Settings Div in the SMB/CIFS configuration.

    You should now be able to see the AD users and groups in the OMV tab, and assign share permissions based on that.
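    As an added check that is not part of the post above: the post relies on two config edits (rdns = False in krb5.conf and three keys in the domain section of sssd.conf) being present before the join and the share permissions work. The script below reads ini-style files with a small awk helper and verifies those settings, either against the constructed sample files it writes to a temp directory or, if you point the functions at them, against /etc/krb5.conf and /etc/sssd/sssd.conf on the OMV box. The sample realm name is taken from the post; the file names and the conf_value/check_krb5/check_sssd helpers are this example's own.

```shell
#!/bin/sh
# Added example, not from the forum post: offline checks that the krb5.conf and
# sssd.conf settings the post calls for are actually in place.

# conf_value FILE SECTION KEY -> prints the value of "KEY = value" inside the first
# section whose name starts with SECTION ("" matches any section). Full-line
# comments are skipped. Returns 1 when the key is absent.
conf_value() {
    awk -v sect="$2" -v key="$3" '
        /^[[:space:]]*[#;]/ { next }
        /^[[:space:]]*\[/   { cur = $0; sub(/^[[:space:]]*\[/, "", cur); sub(/].*$/, "", cur); next }
        {
            if (sect != "" && index(cur, sect) != 1) next
            n = index($0, "=")
            if (n == 0) next
            k = substr($0, 1, n - 1); gsub(/[[:space:]]/, "", k)
            if (tolower(k) != tolower(key)) next
            v = substr($0, n + 1); gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            print v; found = 1; exit
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# check_krb5 FILE -> 0 when [libdefaults] turns reverse-DNS canonicalisation off
check_krb5() {
    v=$(conf_value "$1" libdefaults rdns) || return 1
    case "$v" in [Ff]alse|[Nn]o|0) return 0 ;; esac
    return 1
}

# check_sssd FILE -> 0 when the [domain/...] section carries the three settings from the post
check_sssd() {
    v=$(conf_value "$1" domain/ use_fully_qualified_names) || return 1
    case "$v" in [Ff]alse) ;; *) return 1 ;; esac
    v=$(conf_value "$1" domain/ fallback_homedir) || return 1
    [ "$v" = "/home/%u" ] || return 1
    v=$(conf_value "$1" domain/ ad_gpo_access_control) || return 1
    [ "$v" = "permissive" ]
}

# Constructed sample files (realm name from the post; contents are this example's)
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

cat > "$SAMPLE_DIR/krb5.conf" <<'EOF'
[libdefaults]
    default_realm = AD.HAIL.SATAN.COM
    rdns = False
EOF

cat > "$SAMPLE_DIR/krb5-nordns.conf" <<'EOF'
[libdefaults]
    default_realm = AD.HAIL.SATAN.COM
EOF

cat > "$SAMPLE_DIR/sssd.conf" <<'EOF'
[sssd]
domains = ad.hail.satan.com
config_file_version = 2
services = nss, pam

[domain/ad.hail.satan.com]
ad_domain = ad.hail.satan.com
krb5_realm = AD.HAIL.SATAN.COM
# settings from the post
use_fully_qualified_names = False
fallback_homedir = /home/%u
ad_gpo_access_control = permissive
EOF

# Same file with sssd's default (fully qualified names on), which the post changes
sed 's/^use_fully_qualified_names = False/use_fully_qualified_names = True/' \
    "$SAMPLE_DIR/sssd.conf" > "$SAMPLE_DIR/sssd-default.conf"

for f in krb5.conf krb5-nordns.conf; do
    if check_krb5 "$SAMPLE_DIR/$f"; then echo "$f: rdns disabled (ok)"; else echo "$f: rdns not disabled"; fi
done
for f in sssd.conf sssd-default.conf; do
    if check_sssd "$SAMPLE_DIR/$f"; then echo "$f: domain settings match the post (ok)"; else echo "$f: domain settings differ"; fi
done
```

    On a real box, call check_krb5 /etc/krb5.conf and check_sssd /etc/sssd/sssd.conf after sourcing the functions; a non-zero exit tells you which of the post's edits is still missing before you troubleshoot GSSAPI errors.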

    New to openmediavault, old to sssd. Just got this working on my new install.

    Install necessary tools. (Haven't seen libsasl2-modules-gssapi-mit as a dependency on any other online Debian guides, so I want to call it out here. This solved an issue I had with GSSAPI saying there were no SASL methods between my AD and OMV server).

    apt-get update && apt-get upgrade -y && apt-get install sssd sssd-tools realmd krb5-user libpam-sss libnss-sss libsasl2-modules-gssapi-mit packagekit -y

    Join the domain using realmd.

    realm join -U <sAMAccountName of AD user with Domain Join right> REALM --verbose

    For example, when joining the domain AD.HAILSATAN.COM. (Note to DEVS: realm can accept a password from stdin. When scripting, something like echo $pcBuilderPass | realm join -U PCBuilder AD.HAILSATAN.COM --verbose totally works.)

    realm join -U PCBuilder AD.HAILSATAN.COM --verbose

    Add the following configuration line to /etc/krb5.conf, because most people have their DNS setup like shit. This is a default in RHEL/CentOS. Solves the GSSAPI error (Server not found in kerberos database).

    rdns = False

    Most people don't want to use FQDNs, so make this sensible change to /etc/sssd.conf

    use_fully_qualified_names = False
    fallback_homedir = /home/%u

    Restart sssd.

    systemctl restart sssd

    And test the configuration by asking for id info on a domain user.

    root@nas:~# id dtrump
    uid=126784105(dtrump) gid=116604512(domain users) groups=116604512(domain users),27(sudo),126514609(illuminati),121647812(democrat bankers),176635179(Continuity of Government),16554327(webfilterpornbypassforpres)

    You can then follow the great guide at "Guide how to join OpenMediaVault 3.x in an Active Directory domain" for OMV-specific tricks (setting up autofs and /etc/login.defs).

    Hope this helps guys. Thanks for the awesome software.
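    As an added example that is not part of either post: both posts use the output of id on a domain user as the proof that sssd resolves AD accounts, and the first post derives the /etc/login.defs UID_MAX and GID_MAX values from the digit count of the generated ids (the post does not state the value it set; this example uses the smallest all-9s number with that many digits, which is its own choice). The script parses an id line, coping with group names that contain spaces like "domain users" and "Continuity of Government", and checks a login.defs file against the ids. The id line is the one from the second post; the login.defs samples are constructed (60000 is Debian's stock limit) and the helper names are this example's.

```shell
#!/bin/sh
# Added example, not from the forum posts: parse `id` output for a domain user and
# check that login.defs UID_MAX / GID_MAX cover the sssd-generated ids.

# The id output quoted in the second post, used here as sample input
ID_LINE='uid=126784105(dtrump) gid=116604512(domain users) groups=116604512(domain users),27(sudo),126514609(illuminati),121647812(democrat bankers),176635179(Continuity of Government),16554327(webfilterpornbypassforpres)'

# id_field LINE FIELD -> numeric part of "FIELD=NUMBER(name)", FIELD is uid or gid
id_field() {
    printf '%s\n' "$1" | sed -n "s/.*$2=\([0-9]*\)(.*/\1/p"
}

# id_groups LINE -> one "GID<TAB>NAME" per line; names may contain spaces
id_groups() {
    printf '%s\n' "$1" | awk '{
        sub(/.*groups=/, "")
        n = split($0, items, ",")
        for (i = 1; i <= n; i++) {
            p = index(items[i], "(")
            printf "%s\t%s\n", substr(items[i], 1, p - 1), substr(items[i], p + 1, length(items[i]) - p - 1)
        }
    }'
}

# max_gid LINE -> largest gid among the primary group and supplementary groups
max_gid() {
    { id_field "$1" gid; id_groups "$1" | cut -f1; } |
        awk '$0 + 0 > m { m = $0 + 0 } END { print m + 0 }'
}

# max_id_digits LINE -> largest digit count among uid, gid and group ids (9 in the posts)
max_id_digits() {
    { id_field "$1" uid; id_field "$1" gid; id_groups "$1" | cut -f1; } |
        awk 'length($0) > m { m = length($0) } END { print m + 0 }'
}

# required_id_max LINE -> all-9s value with that many digits; this example's choice
# of a limit that is large enough, the post does not say which value it used
required_id_max() {
    awk -v d="$(max_id_digits "$1")" 'BEGIN { v = ""; for (i = 0; i < d; i++) v = v "9"; print v }'
}

# login_defs_value FILE KEY -> value of a "KEY value" line (login.defs is whitespace separated)
login_defs_value() {
    awk -v key="$2" '$1 == key { print $2; found = 1; exit } END { exit found ? 0 : 1 }' "$1"
}

# login_defs_ok FILE LINE -> 0 when UID_MAX covers the uid and GID_MAX covers every gid
login_defs_ok() {
    umax=$(login_defs_value "$1" UID_MAX) || return 1
    gmax=$(login_defs_value "$1" GID_MAX) || return 1
    [ "$umax" -ge "$(id_field "$2" uid)" ] && [ "$gmax" -ge "$(max_gid "$2")" ]
}

# Constructed login.defs samples: Debian's stock limits, and limits raised for 9-digit ids
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/login.defs.debian" <<'EOF'
UID_MIN         1000
UID_MAX         60000
GID_MIN         1000
GID_MAX         60000
EOF
cat > "$SAMPLE_DIR/login.defs.raised" <<'EOF'
UID_MIN         1000
UID_MAX         999999999
GID_MIN         1000
GID_MAX         999999999
EOF

echo "uid: $(id_field "$ID_LINE" uid)  max gid: $(max_gid "$ID_LINE")  digits: $(max_id_digits "$ID_LINE")"
id_groups "$ID_LINE"
for f in login.defs.debian login.defs.raised; do
    if login_defs_ok "$SAMPLE_DIR/$f" "$ID_LINE"; then
        echo "$f: limits cover the domain ids"
    else
        echo "$f: raise UID_MAX/GID_MAX to at least $(required_id_max "$ID_LINE")"
    fi
done
```

    Run it against the real box with login_defs_ok /etc/login.defs "$(id someuser)"; a failure means the limits in login.defs are below the ids sssd hands out, which is the situation the first post's login.defs step fixes.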