Posts by scipio_americanus

    Hi Everyone,
    Just got around to upgrading to OMV 4. Wanted to share my steps to get SMB 3 share authentication working against my SAMBA AD server. Since I'm a security guy, this configuration only uses SMB 3 and Kerberos through sssd. Don't have to worry about legacy SMB protocols, weak NTLM hashes, NULL AD sessions, or plain text ldap calls.


    Install Needed Packages

    Bash
    apt-get update && apt-get upgrade -y && apt-get install sssd sssd-tools realmd krb5-user libpam-sss libnss-sss libsasl2-modules-gssapi-mit packagekit libwbclient-sssd -y



    Edit /etc/krb5.conf
    DNS is hard, especially where Kerberos is concerned. You probably have to add the following to your krb5.conf file.


    Bash: /etc/krb5.conf
    rdns = False


    Join the Domain



    Bash
    realm join -U <AD user with Domain Join right> REALM --verbose

    For Example,


    Code
    realm join -U lucifer AD.HAIL.SATAN.COM --verbose


    Edit /etc/sssd/sssd.conf to make sure the following are set under the domain configuration.


    Bash: /etc/sssd/sssd.conf
    use_fully_qualified_names = False
    fallback_homedir = /home/%u
    ad_gpo_access_control = permissive

    Example full sssd.conf file

    Edit /etc/login.defs
    Look up the uid value in your realm.


    Bash
    root@omv:~# id lucifer
    uid=166640342(lucifer) gid=166642256(domain users) groups=166642256(domain users),29(sudo)


    In this example, our generated id has 9 digits, so we set the following for UID_MAX and GID_MAX in /etc/login.defs.


    SMB/CIFS Advanced Options
    Set the following under Extra Options of the Advanced Settings div in the SMB/CIFS configuration.



    You should now be able to see the AD users and groups in the OMV tab, and assign share permissions based on that.
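    The edits above to /etc/krb5.conf and /etc/sssd/sssd.conf are easy to get wrong by hand (a key pasted under the wrong section, or added twice on a re-run). The script below is an added example, not code from this post or from OMV: it applies those exact key/value settings idempotently with a small INI-section helper. It assumes rdns belongs under [libdefaults] and that realmd named the sssd domain section [domain/<realm in lower case>]; check the section names in your own files before running it with APPLY_AD_JOIN=1.

```shell
#!/bin/sh
# Added example, not from the forum post: scripts the config edits described
# above (rdns in /etc/krb5.conf; use_fully_qualified_names, fallback_homedir and
# ad_gpo_access_control in /etc/sssd/sssd.conf) so they can be re-run safely.
# Assumptions: rdns lives under [libdefaults]; the sssd domain section is named
# [domain/<realm in lower case>] (what realmd normally writes).

# ini_set FILE SECTION KEY VALUE
#   replaces KEY inside [SECTION] if present, appends it to the section if the
#   section exists without it, and creates the section at the end otherwise.
ini_set() {
    file=$1; section=$2; key=$3; value=$4
    [ -f "$file" ] || : > "$file"
    tmp=$(mktemp) || return 1
    awk -v section="$section" -v key="$key" -v value="$value" '
        function emit_kv() { print key " = " value; done_kv = 1 }
        /^[[:space:]]*\[/ {                        # a [section] header line
            if (in_section && !done_kv) emit_kv()  # leaving our section: add key
            in_section = ($0 ~ "^[[:space:]]*\\[" section "\\][[:space:]]*$")
            if (in_section) seen_section = 1
            print; next
        }
        in_section && $0 ~ "^[[:space:]]*" key "[[:space:]]*=" {
            if (!done_kv) emit_kv()                # rewrite first copy, drop extras
            next
        }
        { print }
        END {
            if (in_section && !done_kv) emit_kv()  # our section was the last one
            if (!seen_section) { print "[" section "]"; emit_kv() }
        }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# ini_get FILE SECTION KEY: print the value of KEY in [SECTION] (empty if unset)
ini_get() {
    awk -v section="$2" -v key="$3" '
        /^[[:space:]]*\[/ { in_section = ($0 ~ "^[[:space:]]*\\[" section "\\][[:space:]]*$"); next }
        in_section && $0 ~ "^[[:space:]]*" key "[[:space:]]*=" {
            sub("^[[:space:]]*" key "[[:space:]]*=[[:space:]]*", "")
            print; exit
        }
    ' "$1"
}

# apply_ad_settings KRB5_CONF SSSD_CONF DOMAIN: the three edits from the post
apply_ad_settings() {
    ini_set "$1" libdefaults rdns False
    ini_set "$2" "domain/$3" use_fully_qualified_names False
    ini_set "$2" "domain/$3" fallback_homedir /home/%u
    ini_set "$2" "domain/$3" ad_gpo_access_control permissive
}

# Only touch the real system files when explicitly asked for (assumed env vars).
if [ "${APPLY_AD_JOIN:-0}" = "1" ]; then
    apply_ad_settings /etc/krb5.conf /etc/sssd/sssd.conf \
        "${AD_DOMAIN:?set AD_DOMAIN to the realm in lower case, e.g. ad.hail.satan.com}"
    systemctl restart sssd
fi
```

Run it once after `realm join` with `APPLY_AD_JOIN=1 AD_DOMAIN=<realm in lower case> sh ad-settings.sh`; running it again changes nothing, which is the point of the section-aware helper over `echo >> file`. Without the environment variable it only defines the functions, so it can be sourced and tried against copies of the files first.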

    New to openmediavault, old to sssd. Just got this working on my new install.



    Install necessary tools. (Haven't seen libsasl2-modules-gssapi-mit as a dependency on any other online Debian guides, so I want to call it out here. This solved an issue I had with GSSAPI saying there were no SASL methods between my AD and OMV server).

    Bash
    apt-get update && apt-get upgrade -y && apt-get install sssd sssd-tools realmd krb5-user libpam-sss libnss-sss libsasl2-modules-gssapi-mit packagekit -y



    Join the domain using realmd.

    Bash
    realm join -U <sAMAccountName of AD user with Domain Join right> REALM --verbose


    For example, when joining the domain AD.HAILSATAN.COM. (Note to devs: realm can accept a password from stdin; when scripting, something like echo $pcBuilderPass | realm join -U PCBuilder AD.HAILSATAN.COM --verbose totally works.)

    Bash
    realm join -U PCBuilder AD.HAILSATAN.COM --verbose


    Add the following configuration line to /etc/krb5.conf, because most people have their DNS setup like shit. This is a default in RHEL/CentOS. Solves the GSSAPI error (Server not found in kerberos database).



    Bash
    rdns = False


    Most people don't want to use FQDNs, so make this sensible change to /etc/sssd/sssd.conf



    Bash
    use_fully_qualified_names = False
    fallback_homedir = /home/%u


    Restart sssd.



    Bash
    systemctl restart sssd


    And test the configuration by asking for id info on a domain user.



    Bash
    root@nas:~ id dtrump
    uid=126784105(dtrump) gid=116604512(domain users) groups=116604512(domain users),27(sudo),126514609(illuminati),121647812(democrat bankers),176635179(Continuity of Government),16554327(webfilterpornbypassforpres)


    You can then follow the great guide at Guide how to join OpenMediaVault 3.x in an Active Directory domain, for OMV specific tricks (setting up autofs, and /etc/login.defs).



    Hope this helps guys. Thanks for the awesome software.
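    Both posts end on the same check, `id <domain user>`, and the first post then raises UID_MAX and GID_MAX in /etc/login.defs because AD-mapped ids have far more digits than the Debian defaults allow. The script below is an added example, not code from either post or from OMV: it parses the `id` output (correctly, even when group names contain spaces as in the output above), reports any id that falls outside the current login.defs limits, and can raise the limits. The limit it picks, the largest number with the same digit count as the largest id seen, is this example's assumption; the posts do not show the values their authors chose.

```shell
#!/bin/sh
# Added example, not from the forum posts: parse `id` output for a domain user,
# check the ids against UID_MAX/GID_MAX in /etc/login.defs, and optionally
# raise those limits. The chosen limit (10^digits - 1, e.g. 999999999 for a
# 9-digit id) is an assumption of this example, not a value from the posts.

# id_ids ID_OUTPUT: print uid, gid and every supplementary gid, one per line.
# Ids are the digits directly before "(", so group names with spaces are safe.
id_ids() {
    printf '%s\n' "$1" | awk '{
        s = $0
        while (match(s, /[0-9]+\(/)) {
            print substr(s, RSTART, RLENGTH - 1)
            s = substr(s, RSTART + RLENGTH)
        }
    }'
}

# needed_max ID_OUTPUT: 10^digits - 1 for the widest id seen (assumed policy)
needed_max() {
    id_ids "$1" | awk '
        { if (length($0) > digits) digits = length($0) }
        END { v = 1; for (i = 0; i < digits; i++) v *= 10; printf "%d\n", v - 1 }'
}

# login_defs_get FILE KEY: value of KEY in a login.defs-style file (empty if unset)
login_defs_get() {
    awk -v key="$2" '$1 == key { print $2; exit }' "$1"
}

# login_defs_set FILE KEY VALUE: replace KEY's line, or append one if missing
login_defs_set() {
    tmp=$(mktemp) || return 1
    awk -v key="$2" -v value="$3" '
        $1 == key { print key "\t\t" value; done = 1; next }
        { print }
        END { if (!done) print key "\t\t" value }
    ' "$1" > "$tmp" && cat "$tmp" > "$1"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# ids_fit ID_OUTPUT LOGIN_DEFS: succeed only if the uid is <= UID_MAX and every
# gid is <= GID_MAX; print each offending id on stdout.
ids_fit() {
    uid_max=$(login_defs_get "$2" UID_MAX)
    gid_max=$(login_defs_get "$2" GID_MAX)
    if [ -z "$uid_max" ] || [ -z "$gid_max" ]; then
        echo "UID_MAX or GID_MAX not set in $2" >&2
        return 1
    fi
    id_ids "$1" | awk -v umax="$uid_max" -v gmax="$gid_max" '
        BEGIN { bad = 0 }
        NR == 1 && $1 + 0 > umax + 0 { bad = 1; print "uid " $1 " exceeds UID_MAX " umax }
        NR > 1  && $1 + 0 > gmax + 0 { bad = 1; print "gid " $1 " exceeds GID_MAX " gmax }
        END { exit bad }'
}

# Only touch the real /etc/login.defs when explicitly asked for (assumed env vars).
if [ "${APPLY_LOGIN_DEFS:-0}" = "1" ]; then
    out=$(id "${AD_USER:?set AD_USER to a domain account, e.g. lucifer}")
    m=$(needed_max "$out")
    login_defs_set /etc/login.defs UID_MAX "$m"
    login_defs_set /etc/login.defs GID_MAX "$m"
    ids_fit "$out" /etc/login.defs && echo "ids for $AD_USER fit within UID_MAX/GID_MAX=$m"
fi
```

Without the environment variable the script only defines the functions, so `ids_fit "$(id lucifer)" /etc/login.defs` is a harmless way to see which ids the current limits reject before changing anything; with `APPLY_LOGIN_DEFS=1 AD_USER=lucifer` it rewrites the two limits and re-checks.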