donh,
Would it be better if I create a new thread with my posts combined and also referring this thread to have more chances of someone seeing it regarding my couple of questions? By the way, I totally understand you not having much time, it is ok, it is already nice that you took the time to share your procedure with OMV6.
Posts by ZJohnAsZ
-
-
donh
Ok, thank you. I will try to find infos on other threads. Yours came first when I was searching the web. I found it was the most detailed when based on omv. I joined other debian/ubuntu machines to domains, but never with the omv on top of debian. I could probably modify the omv script which generates the command or whatever it does, but after, if I update, it would probably reset those modifications. It really is just about the command taking the username/groupname literally instead of adding another "\".
-
My Testing Setup:
Server: Proxmox VE
VM with Windows Server 2022 as AD DC.
VM with OMV 7.4.7-1, Kernel: Linux 6.8.12-1-pve
I did use the Web-UI to set the Linux Basic Permissions and ACLs. I used the ACL button when you select a Shared Folder like in the image I provided in my second post.
I have a question regarding this parameter:
winbind use default domain = Yes
I wanted to set it to NO because it would've made more sense for me to have users and groups from the domain show as EXAMPLE\username and EXAMPLE\groupname. The Web-UI though bugs when I do that, because the commands that are generated don't take into account that there should be "\\" instead of only "\" to not escape the character. What would be the easiest way to fix this issue without altering too much, to not have problems later on when updating OMV and having to redo the fix?
-
QUESTION 4 Regarding SAMBA behaviors when controlling access to shares with SAMBA.
=I have 2 domain groups: files-admins (rwx), files-users (rx)
=I have a share called apps$.
I did not touch the Permissions section for the shared folder but only the ACL one. Since I want to keep some local control when I am connecting with a sudo user or root with ssh, or also when connecting to the web-ui with admin capable users, I think I should set owner:root (rwx). Then I set the group:files-admins (rwx) which is a domain group. Because I plan on giving guest access (requiring no password), I set others (rx).
Linux Basic Permissions
owner:root (rwx)
group:files-admins (rwx)
others (rx)
ACL
group:files-users(rx)
I thought that by controlling the permissions like this I could achieve what I wanted without having to rely on samba parameters like valid users, write list, read list, but it's like samba only sees the basic permissions I set and not the ACL at all.
What I mean is that if I use valid users: files-users it gives RWX to files-users group and then I have to limit it using read list. If I don't use valid users at all, then files-users group ACL setup is not seen at all. Only the other:rx is considered to give access. Why?
I came up with this to achieve what I wanted, but I think there is probably something I am missing in the way to setup samba parameters to have it rely on Linux Basic Permissions + ACL without having to rely on samba access control. Is there?
[global]
disable spoolss = Yes
dns proxy = No
guest account = guest
kerberos method = secrets and keytab
load printers = No
log file = /var/log/samba/log.%m
logging = syslog
map to guest = Bad User
max log size = 1000
multicast dns register = No
pam password change = Yes
panic action = /usr/share/samba/panic-action %d
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
passwd program = /usr/bin/passwd %u
printcap name = /dev/null
realm = EXAMPLE.INT
security = ADS
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate, dns, winbind
server string = %h server
socket options = TCP_NODELAY IPTOS_LOWDELAY
winbind cache time = 60
winbind enum groups = Yes
winbind enum users = Yes
winbind expand groups = 2
winbind offline logon = Yes
winbind refresh tickets = Yes
winbind use default domain = Yes
workgroup = EXAMPLE
idmap config example : range = 10000-9999999
idmap config example : backend = rid
idmap config * : range = 3000-7999
fruit:nfs_aces = no
fruit:copyfile = yes
fruit:aapl = yes
idmap config * : backend = tdb
create mask = 0777
directory mask = 0777
printing = bsd
use sendfile = Yes
[apps$]
create mask = 0775
directory mask = 0775
force create mode = 0775
force directory mode = 0775
force group = files-admins
force user = root
guest ok = Yes
hide dot files = No
hide special files = Yes
inherit acls = Yes
inherit permissions = Yes
map acl inherit = Yes
path = /srv/mergerfs/60tb/apps/
read list = @files-users guest
read only = No
valid users = @files-admins @files-users guest
vfs objects = acl_xattr
write list = @files-admins
-
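The smb.conf in the post above mixes on-disk permissions with Samba-side settings that decide who the server acts as; this added audit (not from the post, not OMV tooling) parses a constructed sample built from those [global] and [apps$] parameters and flags the ones that make the POSIX mode bits and ACLs on disk irrelevant to clients.

```python
"""Audit an smb.conf for share settings that make on-disk POSIX permissions
and ACLs irrelevant. Added example, not from the post or from OMV; the sample
config is constructed from the [global]/[apps$] parameters posted above."""

SAMPLE_SMB_CONF = """
[global]
map to guest = Bad User
create mask = 0777
directory mask = 0777
[apps$]
force user = root
guest ok = Yes
valid users = @files-admins @files-users guest
"""

def parse_smb_conf(text):
    """Minimal parser -> {section: {key: value}}. Keys are lower-cased and only
    '=' separates key from value ('idmap config * : range' contains a colon)."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            conf[section] = {}
            continue
        key, sep, value = line.partition("=")
        if section is not None and sep:
            conf[section][key.strip().lower()] = value.strip()
    return conf

def audit(conf):
    """Return a sorted list of (section, finding_code) tuples."""
    found, glob = set(), conf.get("global", {})
    if "0777" in (glob.get("create mask"), glob.get("directory mask")):
        found.add(("global", "mask_0777"))          # new files/dirs world-writable
    guest_mapped = glob.get("map to guest", "never").lower() != "never"
    for name, share in conf.items():
        if name == "global":
            continue
        guest = guest_mapped and share.get("guest ok", "no").lower() == "yes"
        if share.get("force user", "").lower() == "root":
            # Samba performs every file operation on the share as root, so the
            # owner/group/other bits and the ACL on disk never deny anything.
            found.add((name, "force_user_root"))
        if guest:
            found.add((name, "guest_access"))       # unauthenticated clients allowed
        if guest and "force user" in share:
            found.add((name, "guest_as_forced_user"))  # guests act as that user
    return sorted(found)
```

Running `audit(parse_smb_conf(open("/etc/samba/smb.conf").read()))` on a real file gives the same finding codes; an unprivileged account in `force user` and `map to guest = Never` clear the share-level findings.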
Hi,
Thank you for the TUTO! Also thanks to everyone who contributed to this Thread, it helped me greatly to understand what I had to do. I can see the users and groups of my example.int domain in omv web-ui and also using getent.
My Testing Setup:
Server: Proxmox VE
VM with Windows Server 2022 as AD DC.
VM with OMV 7.4.7-1, Kernel: Linux 6.8.12-1-pve
This is the order I came up with going through the Thread and reading documentation.
*SSH as root to the OMV machine
-apt update
-apt dist-upgrade
-reboot
*In OMV Web-UI.
- System > Date & Time > Use NTP Server checked
- System > Date & Time > Time Servers: dc1.example.int (domain time server, setup on Windows Server 2022 VM)
- System > Date & Time > Time zone: Canada/Eastern (same as domain time server)
*SSH as root to the OMV machine again
-apt install realmd policykit-1
-realm discover example.int (test if domain can be reached)
-apt install sssd sssd-tools libnss-sss libpam-sss adcli samba-common-bin packagekit-tools
-before joining the realm (domain), micro /etc/krb5.conf
[libdefaults]
# Default realm to use if a realm isn't explicitly specified
# This is the Kerberos realm that will be used by default
default_realm = EXAMPLE.INT
# Specifies whether DNS should be used to find the realm of the KDC
# Setting this to false means that realm names will not be looked up in DNS
dns_lookup_realm = false
# Specifies whether DNS should be used to find the KDC
# Setting this to true means that KDC addresses can be looked up in DNS
dns_lookup_kdc = true
# This setting determines the size threshold, in bytes, at which Kerberos will
# prefer to use TCP instead of UDP for communications.
# When set to 0, it effectively disables the use of UDP entirely.
udp_preference_limit = 0
[realms]
# Configuration for the realm EXAMPLE.INT
EXAMPLE.INT = {
# The address of the Key Distribution Center (KDC) for this realm
# The KDC is responsible for authenticating users and issuing Kerberos tickets
kdc = dc1.example.int
# The address of the administrative server for this realm
# This server handles administrative requests like password changes
admin_server = dc1.example.int
}
[domain_realm]
# Maps domain names to Kerberos realms
# Any principal with a domain ending in .example.int will use the EXAMPLE.INT realm
.example.int = EXAMPLE.INT
# Maps the non-FQDN domain name to the Kerberos realm
# Any principal with a domain of example.int will use the EXAMPLE.INT realm
example.int = EXAMPLE.INT
-realm join example.int -U donadmin (join the domain, sssd.conf auto-generated)
-systemctl status sssd (Should report "Active: active (running)")
-apt install libsss-simpleifp0 libsss-sudo
-sssctl domain-list (Should show your domain)
-id donadmin@example.com (Should show info about user)
-sssctl domain-status example.int *QUESTION 1: why my dc is not showing as AD Global Catalog?*
Online status: Online
Active servers:
AD Global Catalog: dc1.example.int
AD Domain Controller: dc1.example.int
Discovered AD Global Catalog servers:
- dc1.example.int
Discovered AD Domain Controller servers:
- dc1.example.int
Online status: Online
Active servers:
AD Global Catalog: not connected
AD Domain Controller: dc1.example.int
Discovered AD Global Catalog servers:
None so far.
Discovered AD Domain Controller servers:
- dc1.example.int
*In the OMV Web-UI.
-Before integrating Samba with the domain go to Services > SMB/CIFS > Settings > Extra options and add smb.conf [global] parameters.
# Enable the winbind service, which allows the system to query AD for users and groups
server services = +winbind
# Set security mode to use Active Directory (ADS)
security = ads
# Define the Kerberos realm, which should match your AD domain
realm = EXAMPLE.INT
# Use both the secrets database and keytab file for Kerberos authentication
kerberos method = secrets and keytab
# Winbind configuration to allow user and group enumeration
winbind enum users = yes # List domain users on the system
winbind enum groups = yes # List domain groups on the system
# Expand groups two levels deep for nested groups
winbind expand groups = 2
# Automatically refresh Kerberos tickets for domain users
winbind refresh tickets = yes
# Allow users to log in without specifying the domain name (e.g., just "username" instead of "ASTRO\username")
winbind use default domain = yes
# Cache user and group information for 60 seconds before querying AD again
winbind cache time = 60
# Allow users to log in even if the system is offline (credentials are cached)
winbind offline logon = yes
# Define ID mapping for local users/groups
idmap config * : backend = tdb # Use tdb database for local user/group mapping
idmap config * : range = 3000-7999 # Reserve UIDs/GIDs 3000-7999 for local users/groups
# Define ID mapping for AD users/groups
idmap config EXAMPLE : backend = rid # Use RID-based mapping for AD users/groups
idmap config EXAMPLE : range = 10000-9999999 # Map AD users/groups to UIDs/GIDs in the range 10000-9999999
-apt install winbind libsss-sudo libnss-winbind libpam-winbind libwbclient0
-micro /etc/nsswitch.conf (removed sss and added winbind besides systemd on passwd and group lines)
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: files winbind systemd
group: files winbind systemd
shadow: files systemd sss
gshadow: files systemd
hosts: files myhostname mdns4_minimal [NOTFOUND=return] resolve [!UNAVAIL=return] dns
networks: files
protocols: db files
services: db files sss
ethers: db files
rpc: db files
netgroup: nis sss
automount: sss
sudoers: files sss
-net ads join -U administrator (sssd.conf could be modified)
net ads join -U administrator
- Purpose: This command joins a machine to an Active Directory (AD) domain using Kerberos authentication. Since modern Active Directory uses the ADS (Active Directory Security) protocol for authentication, this is the correct choice when integrating with an AD domain.
- Reason: Active Directory (AD) environments in 2024 typically use Kerberos for secure authentication and directory services. The net ads join command works with the security setting security = ads, which is now the standard for joining machines to AD.
net rpc join -U administrator
- Purpose: This command is used to join a machine to an NT4-style domain using the older NTLM (NT LAN Manager) protocol.
- Reason not to use: NT4-style domains are outdated and have been largely replaced by Active Directory in modern environments. The NTLM protocol is less secure than Kerberos, and most organizations no longer use it for domain authentication.
-micro /etc/sssd/sssd.conf *QUESTION 2 and 3*
[sssd]
# Specifies the configuration file version. Ensure it matches the SSSD version in use.
config_file_version = 2
# Lists the domains that SSSD will handle. This should match the domain section defined below.
domains = example.int
[domain/example.int]
default_shell = /bin/bash
# Allows Kerberos passwords to be stored locally when the system is offline.
krb5_store_password_if_offline = True
# Enables caching of credentials, allowing users to log in when the domain controller is unavailable.
cache_credentials = True
# Sets the Kerberos realm, typically the uppercase version of your domain.
krb5_realm = EXAMPLE.INT
# Tags used by realmd to describe the system's management state and how it was joined to the domain.
# 'manages-system' indicates the domain manages the system's identity and authentication settings.
# 'joined-with-adcli' shows that Realmd tools (realm join) were used to join the domain.
# 'joined-with-samba' shows that Samba tools (net ads join) were used to join the domain.
realmd_tags = manages-system joined-with-samba joined-with-adcli
# Sets the identity provider to Active Directory. This ensures user and group information
# is fetched directly from AD, integrating domain accounts with the system.
id_provider = ad
# Defines the default home directory template for users.
fallback_homedir = /home/%u@%d
# Specifies the Active Directory (AD) domain name, used for user and group lookups.
ad_domain = example.int
# When this option is set to True, SSSD will use fully qualified domain names (FQDNs) for user names.
use_fully_qualified_names = True
# Enables LDAP ID mapping to translate AD user and group SIDs to Unix UIDs and GIDs.
# Helps avoid conflicts and ensures consistent ID mappings across systems.
ldap_id_mapping = True
# Controls access permissions based on AD group policies and settings.
# By setting this to AD, you can control access using AD security group memberships.
access_provider = ad
# Optional: Specifies the AD Global Catalog domain if using global catalog for queries.
ad_gcid_domain = example.int
-net join -U administrator (don't ask me why, but after doing the sssd.conf file, I do this command again)
-reboot
Though I have some questions about some behaviors I noticed.
QUESTION 1: Why my dc is not showing as AD Global Catalog?
QUESTION 2: Should I use both tags: joined-with-samba, joined-with-adcli or only one, or use the realmd_tags parameter at all in sssd.conf?
QUESTION 3: ad_gcid_domain = example.int Still, even with this option, my dc1.example.int is not seen as AD Global Catalog when I use the sssctl domain-status example.int command. Why?
-
Well, deactivating the Serial port didn't do the trick.
In the end I did copy one HDD to the other using GParted within Partition Magic. I had to shrink the main partition because one disk was bigger than the other.
I love how any install of linux is not hooked to the system it's installed on.
I still wonder what could cause this black screen, anyone has an idea?
-
I just found something about disabling the COM ports in BIOS that could solve the issue.
I will try it when I get home later and tell you if it does the trick.
Anyway I will have it fixed with your solution.
-
I guess it's a workaround, because other than that problem the PC could still load the old OMV installation on the ssd. This before I erased the partitions used PartedMagic.
Not sure why I didn't think of it before lol.
It might also be laziness. Opening 2 cases to move the BD Rom and SSD.
Though, I'm still curious about what could cause this...
-
Hi,
I'm not sure I understand what's going on. I power up the machine, it boots on the DVD then I select install and afterwards everything goes black.
I already made an installation on the same gears with no problem at all. I tested the DVD on another machine and it's fine.
I erased everything on the ssd thinking it could be the multiple partitions giving trouble to the OMV setup to start with no success.
I reset my BIOS settings to default without success too.
Like I said, I don't understand why I would get a black screen now and didn't have one before when I installed with an older OMV version.
I even tried installing an older OMV version I had on DVD with the same problem occurring.
Did anyone experience this? Thank you!
-
Hi,
I just want to say thank you for this command!
I modified it to keep bcd only since the a wasn't part of my RAID5.
I don't know why but after I moved one of the 2 RAID5s I had in my machine to a new build, OMV wouldn't detect my 3 HDDs as a RAID5 anymore.
I will keep this one in my book in case it happens to me again.
-
So, it should be corrected soon? It means everyone would experience it ?
I guess I will just wait and setup a VPN on my ddwrt router instead.
-
I'm talking about the certificate tab in the plugin.
-
Error when I try to add or delete a certificate:
Code
Error #4000: exception 'OMVException' with message 'Failed to execute command 'omv-mkconf openvpn add a0172869-dd7c-4e2f-b30c-cddd24b20253 2>&1': /usr/share/openmediavault/mkconf/openvpn: line 407: cd: /etc/openvpn/easy-rsa/2.0/: No such file or directory' in /usr/share/openmediavault/engined/rpc/openvpn.inc:343 Stack trace: #0 [internal function]: OMVRpcServiceOpenVpn->set(Array, Array) #1 /usr/share/php/openmediavault/rpcservice.inc(125): call_user_func_array(Array, Array) #2 /usr/share/php/openmediavault/rpc.inc(79): OMVRpcServiceAbstract->callMethod('set', Array, Array) #3 /usr/sbin/omv-engined(500): OMVRpc::exec('OpenVpn', 'set', Array, Array, 1) #4 {main}
-
Hi,
I installed the plugin without experiencing any problem, but once I try to create a certificate I get an error message.
I have 2 boxes available: in the 1st one I select the user and then I can name it.
I then click to accept, get an error message, but still, the certificate appears in the list.
When I try to delete that certificate, I get another error, but it doesn't disappear from the list. It only does when I uninstall OPENVPN. I tried uninstalling and reinstalling OPENVPN, but get the same errors.
Anyone experienced it? My OMV setup is a fresh install...
I am not at home now, but I will post the exact message that I get when I get there later.
Thank You!
-
Haha!
I'm just used to seeing it this way when downloading programs and stuff.
-
Ok, thank you! Since 1.13 is the latest version I bet that the ISO available is 1.09.
-
I kind of have the same question but regarding the download section to set up a server from a fresh install. I don't want to start a new thread for nothing because it might only be a way that things are dealt with that I'm not used to.
The OMV that is available on SourceForge is called "openmediavault_1.9_amd64". Is it the correct version? Should it be "openmediavault_1.13_amd64" or "openmediavault_1.09_amd64" that I install and then update to the 1.13.
Thank you
-
Thanks to everyone! I will be moving it today! Wish me good luck!
-
It's that simple? I only have to clone the HDD and move it to the new machine?
There won't be any driver issues or anything like that?
Well, thank you! My long time use of Microsoft products has alienated me.
-
Hi,
This is my first time doing something like this and I am not sure where to begin.
1. I want to move my omv configuration from my actual server to the new one. (Not the same HDD)
2. I want to move my 2 sets of RAID5 data disks from the old machine to the new one. (same HDDs)
How can I do that so that I don't lose any of my data and configuration?
I searched the forum, but could not really find a thread covering this particular case. The only infos I found were about how to swap the main system HDD in a machine. Thank you!