Posts by vk2amv

    Hi all,

    New user to Openmediavault here.

    Been doing some testing recently as I have a Windows file server that I am planning to upgrade after about 11 years of solid service (Down to my last 300 GB free on a 14TB RAID5 array built in 2010) and I want to go from hardware RAID to ZFS storage. (I don't like FreeBSD so TrueNAS is out so I want to go with a Linux based NAS that can do ZFS.)

    I am liking my experience with Openmediavault so far, and it has even got me experimenting with Docker, something I have avoided for a long time as up until now I have normally just spun up a full new VM in VMWare ESXi whenever I have a new service I want to run, but I can see a few use cases for Docker for me now.

    I have built a couple of test servers in VMWare ESXi to test different things and been making good progress.

    The thing that held me up was reliable and easy Active Directory integration.

    I have an Active Directory Domain Controller running on a Windows 2019 server and I want to keep centralized authentication from that DC.

    I know that subject has been discussed at length before in multiple threads on these forums, and the main two threads that I based my initial experimentation off being

    Guide to OMV 4 Active Directory Integration

    Active Directory / LDAP Revisited

    The older guides in those threads use SSSD, and the newer guides near the end use winbindd.
    While SSSD does work and it will successfully pull users from AD into Linux PAM, and things like sudo and SSH group settings were pulled successfully from AD and displayed in the OMV web interface, I discovered, when I wanted to create some test shares, that Samba discontinued support for SSSD in version 4.8.
    And the current version of OMV 5 uses Samba 4.9, so that was a dead end.

    Another guide towards the end of one of those threads uses winbindd.

    That also works.

    And Samba was happy to use it as well.
    It pulled my groups and users from AD and I could see them in the web interface, settings groups for sudo and SSH access using AD groups also worked.

    However I discovered that winbindd reliability is a bit hit and miss, especially pulling user updates regularly from AD (eg it took half an hour after I added a user to a group in AD before winbindd finally updated), the available troubleshooting tools for winbindd are a bit lacking, and lastly it is a rather ancient piece of software.

    Then a mate put me onto PBIS Open as he swears by it because he uses it for Linux server AD integration for literally hundreds of Linux machines at a few companies he contracts for.

    This ended up being by far the easiest of all the AD suggestions I read about to get working.

    Took me about 3 minutes to have the server joined to my domain, and then another 5 minutes to have Samba sharing things using AD users, and 5 more minutes to have sudo and SSH groups working from my domain controller.

    I found the previous guides from those earlier threads, while very well meaning, difficult to follow and took a lot of time for me to get the domain join working.

    And in the case of SSSD I ended up with a wasted effort.

    So I decided I would put something back into the community by writing a guide for easy AD integration using PBIS Open.

    I will go through the exact steps I took to get PBIS Open working, and at the bottom I will link the references I used to figure these steps out.

    In my case my domain is - home.local

    The server name for the OMV test server is - omvpbistest

    The domain user I used for the join was - administrator

    However when I setup the final server instead of these test servers I will use a dedicated domain user for this instead of the domain administrator user for the join.

    First, make sure your server is up to date.

    Connect to your server via SSH, sudo to root and then run apt upgrade:

    sudo -i
    apt update && apt upgrade -y

    Next install PBIS Open.

    Download the latest release from here

    At time of writing this post the current version is 9.1.0 so the command would be


    Make the script executable

    chmod +x ./

    Run the script we made executable just above to install PBIS Open, then change to the PBIS Open directory

    cd /opt/pbis/bin/

    Next join to your domain.

    The format of the command is

    domainjoin-cli join DomainName DomainAccount

    You will be prompted for the account's password. Type it at the prompt rather than appending it to the command line, where it would end up in your shell history.

    In my case the exact command I used was

    domainjoin-cli join home.local administrator

    Check your domain join status with the command

    domainjoin-cli query

    After a short time your domain users should show up on your OMV server.
    You can confirm you see your domain users and groups by using the commands

    getent passwd
    getent group

    Take note of the UID and GID that is being populated from the domain.
    In my case one of the lines returned from that command above was



    The UIDs coming from my domain controller are pretty high numbers, much higher than the standard Linux UIDs, so you have to raise the limits in login.defs before they show up in the OMV web admin.

    Easiest way is to take note of how many digits the UID has, and just make a number from that.

    eg in my case the UID above is

    so the number I went with is (I just matched the number of digits)


    Yes I know it is excessive, but it worked.
    There is likely a better way to do this step so I am happy to hear suggestions.

    Edit the file /etc/login.defs with your favourite text file editor. (I use VIM myself)

    Find these 2 lines


    Make copies of those 2 lines (in case you ever want the original values in the future) and comment out the copies by adding a # at the beginning of the copied lines.

    Then put the number you worked out above into the original lines.


    UID_MAX 999999999
    GID_MAX 999999999

    Save the file.

    The AD users and groups should now show up in the OMV web admin.
    In the worst case it may require a reboot of the server, but I did not require a reboot myself for them to show up.
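    As an added example, not from the original post or from PBIS itself: a small shell script that works out UID_MAX/GID_MAX from the IDs PBIS actually returns, instead of guessing the digit count by eye, and rewrites login.defs the way the post does by hand (original lines kept as commented-out copies, plus a .bak of the file). The getent passwd lines and the domain IDs in them are constructed for the example; the HOME\user naming and the /home/local path follow the post, and the sample login.defs starts from Debian's stock limit of 60000.

```shell
#!/bin/sh
# Added example (not from the post or from PBIS): derive UID_MAX/GID_MAX for
# /etc/login.defs from the IDs PBIS hands out. All sample data is constructed.

# Print the highest numeric ID in field 3 of passwd- or group-style lines on
# stdin, so either `getent passwd` or `getent group` can be piped in.
max_id() {
    awk -F: 'BEGIN { m = 0 } $3 + 0 > m { m = $3 + 0 } END { print m }'
}

# The post's rule, automated: the all-9s number with as many digits as $1
# (e.g. 110845023 -> 999999999).
nines_for() {
    printf '%s' "$1" | sed 's/./9/g'
}

# Read the current UID_MAX or GID_MAX ($2) from a login.defs file ($1),
# ignoring commented-out copies (their first field starts with '#').
id_max_in() {
    awk -v k="$2" '$1 == k { v = $2 } END { print v + 0 }' "$1"
}

# Rewrite UID_MAX and GID_MAX in login.defs ($1) to $2, keeping the original
# lines commented out as the post does by hand; leaves a .bak copy behind.
set_id_max() {
    cp -- "$1" "$1.bak"
    awk -v lim="$2" '
        /^(UID|GID)_MAX[ \t]+[0-9]+[ \t]*$/ { print "#" $0; print $1 "\t" lim; next }
        { print }
    ' "$1.bak" > "$1"
}

# Constructed sample of what `getent passwd` might show once PBIS has
# populated domain users (the IDs are made up, not real PBIS output).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
admin:x:1000:1000::/home/admin:/bin/bash
HOME\administrator:x:110845011:110845009::/home/local/HOME/administrator:/bin/sh
HOME\alice:x:110845023:110845009::/home/local/HOME/alice:/bin/sh'

# Demonstration against a throwaway login.defs with Debian's stock limits.
demo() {
    tmp=$(mktemp)
    printf 'UID_MIN\t\t 1000\nUID_MAX\t\t60000\nGID_MIN\t\t 1000\nGID_MAX\t\t60000\n' > "$tmp"
    highest=$(printf '%s\n' "$SAMPLE_PASSWD" | max_id)
    limit=$(nines_for "$highest")
    printf 'highest domain UID %s -> UID_MAX/GID_MAX %s\n' "$highest" "$limit"
    set_id_max "$tmp" "$limit"
    cat "$tmp"
    rm -f "$tmp" "$tmp.bak"
}

demo
```

    On the real server the same functions run against live data: `highest=$(getent passwd | max_id)` followed by `set_id_max /etc/login.defs "$(nines_for "$highest")"` as root. Run `getent group | max_id` as well, since a GID can be larger than the largest UID.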

    Lastly we connect Samba to pbis open so AD auth for Samba shares will work.

    cd /opt/pbis/bin/
    ./samba-interop-install --check-version
    ./samba-interop-install --install

    In the OMV web admin, on the Samba page, you change a couple of settings.

    Change the WORKGROUP setting to the NetBIOS (short) name of your domain, which is normally the first label of the DNS name.

    In my case for my domain home.local I put in HOME

    And in the extra options window down the bottom I put the following - NOTE you will have to change the "realm" and "netbios name" lines for your own setup. Leave "machine password timeout = 0" in place: it stops Samba from rotating the machine account password itself, which PBIS manages and samba-interop-install copies into Samba's secrets store, so letting both rotate it would break the join.

    realm = HOME.LOCAL
    security = ADS
    machine password timeout = 0
    netbios name = omvpbistest
    client signing = yes
    client use spnego = yes
    kerberos method = secrets and keytab

    After those steps I could create Samba shares, and assign permissions using the ACL in the "Shared Folders" section of OMV web admin and everything worked as expected.
    I could set Group permissions as well as individual User permissions all pulling authentication from my Domain Controller.

    Side note: the username format to use when connecting to a Samba share is your domain username prefixed with the domain itself - domain\username, eg home\administrator

    Lastly for the power users, you may want to enable SSH and SUDO permissions for some domain users.

    I created 2 Domain groups on my domain controller, ssh and sudo

    When I run the command

    getent group

    They show up in the list like this




    To enable SSH access for the domain ssh group you edit the file - /etc/ssh/sshd_config

    Find the line - AllowGroups

    and add the group to the end of that line.
    After adding it my line looks like

    AllowGroups root ssh HOME\ssh

    Save the file and restart the SSH service with the command - service ssh restart

    To enable SUDO access for the domain sudo group you edit the sudoers file using - visudo

    In my example for my own domain I added the lines at the bottom of the file

    #Allow AD sudo group to sudo
    %HOME\\sudo ALL=(ALL:ALL) ALL

    After those 2 changes I could then log in to the OMV server using any domain user that was a member of the HOME\ssh group

    And I could also run sudo for any user that was ALSO a member of the HOME\sudo group

    Small note: the username to log in with for SSH will be like Samba, in the format domain\username, eg home\administrator

    Another small note: on first login the domain user will also get a home directory created under /home/local/domain_name/username
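    As an added example, not from the original post: a shell check that the two grants above are spelled the way each file expects (sshd takes the backslash in HOME\ssh literally, while sudoers treats backslash as an escape and so needs %HOME\\sudo), and that a given domain user is actually a member of the groups. The getent group lines, sshd_config and sudoers lines below are constructed to match the post's HOME\ssh and HOME\sudo setup; the group names are assumed from the post.

```shell
#!/bin/sh
# Added example (not from the post): verify the SSH and sudo grants for domain
# groups. Sample config and group lines are constructed, not real output.

# True if the sshd AllowGroups line ($1) lists group $2. Works on both the raw
# config line and the lowercase form that `sshd -T` prints.
allowgroups_has() {
    for g in $(printf '%s\n' "$1" | awk 'tolower($1) == "allowgroups" { $1 = ""; print }'); do
        [ "$g" = "$2" ] && return 0
    done
    return 1
}

# True if a sudoers line ($1) grants group $2. The group must appear with its
# backslash doubled (%HOME\\sudo); a single backslash is rejected because sudo
# would read it as an escape and not match the group you meant.
sudoers_grants() {
    escaped=$(printf '%s\n' "$2" | sed 's/\\/\\\\/g')
    case $1 in
        "%$escaped "*) return 0 ;;
        *) return 1 ;;
    esac
}

# True if user $1 is a member of group $2 in getent-group style lines on stdin.
# Names are passed through the environment rather than `awk -v`, because awk
# would interpret the backslash in HOME\alice as an escape sequence.
in_group() {
    u="$1" g="$2" awk -F: '
        $1 == ENVIRON["g"] {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] == ENVIRON["u"]) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# Combined check for user $1 against an AllowGroups line ($2) and a sudoers
# line ($3), with group lines on stdin. Returns 0 only if both grants hold.
check_user() {
    user=$1; sshd_line=$2; sudoers_line=$3
    db=$(cat)
    rc=0
    if allowgroups_has "$sshd_line" 'HOME\ssh' \
       && printf '%s\n' "$db" | in_group "$user" 'HOME\ssh'; then
        printf '%s: SSH allowed via HOME\\ssh\n' "$user"
    else
        printf '%s: SSH denied\n' "$user"; rc=1
    fi
    if sudoers_grants "$sudoers_line" 'HOME\sudo' \
       && printf '%s\n' "$db" | in_group "$user" 'HOME\sudo'; then
        printf '%s: sudo allowed via HOME\\sudo\n' "$user"
    else
        printf '%s: no sudo\n' "$user"; rc=1
    fi
    return $rc
}

# Constructed sample data (GIDs and membership are made up).
SAMPLE_GROUPS='HOME\ssh:x:110845030:HOME\administrator,HOME\alice
HOME\sudo:x:110845031:HOME\administrator'
SSHD_LINE='AllowGroups root ssh HOME\ssh'
SUDOERS_LINE='%HOME\\sudo ALL=(ALL:ALL) ALL'
BAD_SUDOERS_LINE='%HOME\sudo ALL=(ALL:ALL) ALL'

for u in 'HOME\administrator' 'HOME\alice'; do
    printf '%s\n' "$SAMPLE_GROUPS" | check_user "$u" "$SSHD_LINE" "$SUDOERS_LINE"
done
```

    On the server, feed it live data as root: `getent group | check_user 'HOME\alice' "$(sshd -T | grep -i '^allowgroups')" "$(grep '^%HOME' /etc/sudoers)"`. Note that `sshd -T` shows the effective value, which is the one that matters if more than one AllowGroups line is present.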

    I know the location of the automatically generated home directory can be changed if you want it saved on a bulk storage drive, I just can't remember right off the top of my head now how to do it.

    I think that covers it.

    That should be enough to get you started with easy connection of OMV to a Windows Active Directory domain, and have Samba working for pulling authentication for users from that domain, as well as managing group memberships.

    I hope this helps anyone trying to get OMV to play nice with Active Directory.

    References I used when I figured out these steps:
    …bis-linux-admin-8-8-0.pdf
    …-administration-guide.pdf
    …ration:samba_ad_pbis_open
    …ghts-to-a-ad-domain-group
    …ticular-user-group-linux/