OpenMediaVault e Active Directory

Date 27 luglio 2018 Author By SFSoft Category HowTo, Linux

OpenMediaVault è una distribuzione Linux specifica per creare un server NAS, vediamo come associarla ad un dominio Active Directory per sfruttarne i permessi utente.

Per ogni informazione aggiuntiva si rimanda al thread specifico sul forum Active Directory / LDAP Revisited.

• Installare il sistema dalla ISO
• Aggiornare il sistema da shell tramite apt-get
• Riavviare
• Modificare /etc/nsswitch.conf e cambiare:
  • # cambiare da hosts: files mdns4_minimal [NOTFOUND=return] dns # cambiare in hosts: files dns mdns4_minimal [NOTFOUND=return]

    1 2 3 4

    # cambiare da hosts: files mdns4_minimal [NOTFOUND=return] dns # cambiare in hosts: files dns mdns4_minimal [NOTFOUND=return]

• Dalla GUI abilitare il servizio Samba con l’aggiunta in Extra Options:
  • client signing = yes client use spnego = yes kerberos method = secrets and keytab password server = dc.domain.com realm = DOMAIN.COM security = ads

    1 2 3 4 5 6

    client signing = yes client use spnego = yes kerberos method = secrets and keytab password server = dc.domain.com realm = DOMAIN.COM security = ads

• Da shell creare ed eseguire lo script ad-join.sh:
  • #!/bin/bash apt-get update apt-get dist-upgrade # This script should join Debian Jessie (8) to an Active Directory domain. # Adapted from a script here. http://www.alandmoore.com/blog/2015/05/06/joining-debian-8-to-active-directory/ if ! $(sudo which sssd 2>/dev/null); then apt-get install krb5-user krb5-config sssd libpam-sss libnss-sss sssd-tools libsss-sudo libsasl2-modules-gssapi-mit fi # Get domain and user echo "Please enter the domain you wish to join: UPPER CASE?" read DOMAIN echo "Please enter a domain admin login to use: " read ADMIN # create /sssd.conf echo "[sssd] services = nss, pam, pac, ssh config_file_version = 2 domains = EXAMPLE.COM [domain/EXAMPLE.COM] id_provider = ad access_provider = ad auth_provider = ad chpass_provider = ad #ldap_schema = rfc2307bis #ldap_schema = ad ldap_idmap_autorid_compat = True # Enumeration is discouraged for performance reasons. # OMV needs True to show users in ui and acl enumerate = True # timeout (integer) #### The default value for this parameter is 10 seconds. # This get the users in range to show in UI and ACL ldap_idmap_range_min = 20000 # ldap_idmap_range_max = 60000 ### Does not seem to work # ### Causes not able to start # If unneeded users or other objects show. # Use "dsquery user -name * " to see on windows with powershell #ldap_user_search_base = OU=SBSUsers,OU=Users,OU=MyBusiness,DC=example,DC=com # ldap_user_search_base = CN=Users,DC=example,DC=com # Use this if users are being logged in at /. OMV does this. Otherwise not tested # This example specifies /home/DOMAIN-FQDN/user as $HOME. Use with pam_mkhomedir.so #override_homedir = /home/%u #ldap_user_email = email # Could this fill the email field? might not be in this version #ldap_user_search_base = dc=example,dc=com #ldap_group_search_base = dc=example,dc=com #ldap_user_object_class = user #ldap_user_name = sAMAccountName #ldap_user_fullname = displayName ### Seems to be maps to comment in OMV? #ldap_user_home_directory = unixHomeDirectory #ldap_user_principal = userPrincipalName #ldap_group_object_class = group #ldap_group_name = sAMAccountName ### Seems to be maps to Name in OMV? # Unused options #ldap_idmap_default_domain = example.com #ldap_id_mapping = True #default_domain_suffix = example.com #ldap_access_order = expire #ldap_account_expire_policy = ad #ldap_force_upper_case_realm = true #ldap_user_search_base = dc=example,dc=com #ldap_group_search_base = dc=example,dc=com #ldap_user_object_class = user #ldap_user_name = sAMAccountName #ldap_user_fullname = displayName #ldap_user_home_directory = unixHomeDirectory #ldap_user_principal = userPrincipalName #ldap_group_object_class = group #ldap_group_name = sAMAccountName # ldap_id_mapping = True # Uncomment if the client machine hostname doesn't match the computer object on the DC. # ad_hostname = mymachine.EXAMPLE.com # Uncomment if DNS SRV resolution is not working # ad_server = dc.mydomain.example.com # Uncomment if the AD domain is named differently than the Samba domain # ad_domain = EXAMPLE.COM # filter_groups = # For other options see "man sssd.conf" # https://jhrozek.wordpress.com/2015/03/11/anatomy-of-sssd-user-lookup/" > /etc/sssd/sssd.conf # Fix permisions chmod 0600 /etc/sssd/sssd.conf sed -i 's/EXAMPLE.COM/'"$DOMAIN"'/g' /etc/sssd/sssd.conf # TODO # Add test to see if $DOMAIN passes dns tests # Add test to see if $DOMAIN passes krb5.conf tests echo "If join fails please check /etc/nsswitch.conf and /etc/krb5.conf" # Join domain kinit $ADMIN net ads join -k

    1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103

    #!/bin/bash   apt-get update apt-get dist-upgrade   # This script should join Debian Jessie (8) to an Active Directory domain. # Adapted from a script here. http://www.alandmoore.com/blog/2015/05/06/joining-debian-8-to-active-directory/   if ! $(sudo which sssd 2>/dev/null); then     apt-get install krb5-user krb5-config sssd libpam-sss libnss-sss sssd-tools libsss-sudo libsasl2-modules-gssapi-mit fi   # Get domain and user   echo "Please enter the domain you wish to join: UPPER CASE?" read DOMAIN   echo "Please enter a domain admin login to use: " read ADMIN   # create /sssd.conf   echo "[sssd] services = nss, pam, pac, ssh config_file_version = 2 domains = EXAMPLE.COM   [domain/EXAMPLE.COM] id_provider = ad access_provider = ad auth_provider = ad chpass_provider = ad #ldap_schema = rfc2307bis #ldap_schema = ad ldap_idmap_autorid_compat = True # Enumeration is discouraged for performance reasons. # OMV needs True to show users in ui and acl enumerate = True # timeout (integer)     #### The default value for this parameter is 10 seconds. # This get the users in range to show in UI and ACL ldap_idmap_range_min = 20000 # ldap_idmap_range_max = 60000    ### Does not seem to work #                                ### Causes not able to start # If unneeded users or other objects show. # Use "dsquery user -name * "  to see on windows with powershell #ldap_user_search_base = OU=SBSUsers,OU=Users,OU=MyBusiness,DC=example,DC=com # ldap_user_search_base = CN=Users,DC=example,DC=com # Use this if users are being logged in at /.  OMV does this. Otherwise not tested # This example specifies /home/DOMAIN-FQDN/user as $HOME.  Use with pam_mkhomedir.so #override_homedir = /home/%u #ldap_user_email = email  # Could this fill the email field? might not be in this version #ldap_user_search_base = dc=example,dc=com #ldap_group_search_base = dc=example,dc=com #ldap_user_object_class = user #ldap_user_name = sAMAccountName #ldap_user_fullname = displayName                ### Seems to be maps to comment in OMV? #ldap_user_home_directory = unixHomeDirectory #ldap_user_principal = userPrincipalName #ldap_group_object_class = group #ldap_group_name = sAMAccountName                ### Seems to be maps to Name in OMV? # Unused options #ldap_idmap_default_domain = example.com #ldap_id_mapping = True #default_domain_suffix = example.com #ldap_access_order = expire #ldap_account_expire_policy = ad #ldap_force_upper_case_realm = true #ldap_user_search_base = dc=example,dc=com #ldap_group_search_base = dc=example,dc=com #ldap_user_object_class = user #ldap_user_name = sAMAccountName #ldap_user_fullname = displayName #ldap_user_home_directory = unixHomeDirectory #ldap_user_principal = userPrincipalName #ldap_group_object_class = group #ldap_group_name = sAMAccountName # ldap_id_mapping = True # Uncomment if the client machine hostname doesn't match the computer object on the DC. # ad_hostname = mymachine.EXAMPLE.com # Uncomment if DNS SRV resolution is not working # ad_server = dc.mydomain.example.com # Uncomment if the AD domain is named differently than the Samba domain # ad_domain = EXAMPLE.COM # filter_groups = # For other options see "man sssd.conf" # https://jhrozek.wordpress.com/2015/03/11/anatomy-of-sssd-user-lookup/" > /etc/sssd/sssd.conf   # Fix permisions   chmod 0600 /etc/sssd/sssd.conf   sed -i 's/EXAMPLE.COM/'"$DOMAIN"'/g' /etc/sssd/sssd.conf   # TODO # Add test to see if $DOMAIN passes dns tests # Add test to see if $DOMAIN passes krb5.conf tests   echo "If join fails please check /etc/nsswitch.conf and /etc/krb5.conf"   # Join domain   kinit $ADMIN net ads join -k

• Se l’associazione al dominio ha successo si ottiene un messaggio Joined ‘OMV’
• Riavviare e poi dalla GUI creare una condivisione impostando i permessi con gli utenti/gruppi di dominio

Tag:active directory, howto, linux, openmediavault