OpenMediaVault 5 and Active Directory
Published 2021-01-15, last modified 2021-01-18
http://www.sfsoft.it/blog/2021/01/15/openmediavault-5-e-active-directory/

Update of the article "OpenMediaVault and Active Directory" (http://www.sfsoft.it/blog/2018/07/27/openmediavault-e-active-directory/).

OpenMediaVault (https://www.openmediavault.org/) is a Linux distribution built for running a NAS server. This post shows how to join it to an Active Directory domain so that share permissions can be granted to domain users and groups.

For further details see the dedicated thread on the OpenMediaVault forum, Active Directory / LDAP Revisited (https://forum.openmediavault.org/index.php/Thread/17833-Active-Directory-LDAP-Revisited/).

- Install the system from the ISO.
- Update the system from a shell with apt-get.
- Reboot.
- Edit /etc/nsswitch.conf and move dns ahead of mdns4_minimal on the hosts line. With "mdns4_minimal [NOTFOUND=return]" listed first, a lookup for a name under .local (the suffix many AD domains use) is answered, or declared not found, by mDNS before the DNS resolver is consulted, so the domain controller is never found:

# change from
hosts: files mdns4_minimal [NOTFOUND=return] dns
# to
hosts: files dns mdns4_minimal [NOTFOUND=return]

- From the GUI enable the SMB/CIFS (Samba) service and add the following to Extra Options, replacing dc.domain.com with one of your domain controllers and DOMAIN.COM with the Kerberos realm (the AD DNS domain in upper case). "security = ads" makes Samba authenticate against the domain, and "kerberos method = secrets and keytab" lets it use the machine-account keytab written by the join:

client signing = yes
client use spnego = yes
kerberos method = secrets and keytab
password server = dc.domain.com
realm = DOMAIN.COM
security = ads

  Note that "client use spnego" is deprecated in newer Samba releases, and "password server" is only needed when the domain controllers cannot be discovered through DNS SRV records; both are still accepted by the Samba version shipped with OMV 5.

- From a shell create and run the script ad-join.sh. The version below fixes the sssd detection test of the forum script (which executed the sssd binary instead of checking for it), writes sssd.conf through a heredoc instead of sed-ing the EXAMPLE.COM placeholder, and drops the duplicated commented-out options:

#!/bin/bash
# ad-join.sh - join this OpenMediaVault host to an Active Directory domain
# with SSSD and Samba. OMV 5 is based on Debian 10 "Buster"; the forum script
# this is adapted from targeted Debian 8 and was itself adapted from
# http://www.alandmoore.com/blog/2015/05/06/joining-debian-8-to-active-directory/
set -eu

[ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }

apt-get update
apt-get dist-upgrade

# Install the Kerberos client, SSSD and the NSS/PAM glue only if sssd is missing
if ! command -v sssd >/dev/null 2>&1; then
    apt-get install krb5-user krb5-config sssd libpam-sss libnss-sss sssd-tools \
        libsss-sudo libsasl2-modules-gssapi-mit
fi

# Domain to join (Kerberos realm, UPPER CASE) and an account allowed to join computers
printf 'Domain to join (UPPER CASE, e.g. EXAMPLE.COM): '
read -r DOMAIN
printf 'Domain admin login to use for the join: '
read -r ADMIN

# Write /etc/sssd/sssd.conf; sssd refuses to start unless it is root-owned and 0600
umask 077
cat > /etc/sssd/sssd.conf <<EOF
[sssd]
services = nss, pam, pac, ssh
config_file_version = 2
domains = $DOMAIN

[domain/$DOMAIN]
id_provider = ad
access_provider = ad
auth_provider = ad
chpass_provider = ad
ldap_idmap_autorid_compat = True
# Enumeration is discouraged for performance reasons, but OMV needs it
# to list domain users in its UI and ACL dialogs.
enumerate = True
# Keep mapped UIDs/GIDs in the range OMV shows in the UI and ACL editor
ldap_idmap_range_min = 20000
# ldap_idmap_range_max = 60000   # reported to keep sssd from starting; left unset
#
# Limit which users are visible (find the OU with "dsquery user -name *" on a DC):
#ldap_user_search_base = CN=Users,DC=example,DC=com
# Home directories under /home/<user>; use together with pam_mkhomedir.so
#override_homedir = /home/%u
# Attribute mappings OMV relies on (the AD defaults, shown for reference):
#ldap_user_name = sAMAccountName
#ldap_user_fullname = displayName        # shows up as the comment field in OMV
#ldap_user_home_directory = unixHomeDirectory
#ldap_user_principal = userPrincipalName
#ldap_group_name = sAMAccountName        # shows up as the group name in OMV
# Uncomment if the client hostname does not match the computer object on the DC
#ad_hostname = mymachine.EXAMPLE.com
# Uncomment if DNS SRV resolution is not working
#ad_server = dc.mydomain.example.com
# Uncomment if the AD domain is named differently than the Samba domain
#ad_domain = EXAMPLE.COM
# For other options see "man sssd.conf" and
# https://jhrozek.wordpress.com/2015/03/11/anatomy-of-sssd-user-lookup/
EOF
chmod 0600 /etc/sssd/sssd.conf

# TODO: check that $DOMAIN resolves (SRV records) and matches /etc/krb5.conf
echo "If the join fails, check /etc/nsswitch.conf and /etc/krb5.conf"

# Get a ticket for the admin account and join with Kerberos (-k), so the
# password is never passed to "net" on the command line
kinit "$ADMIN"
net ads join -k

- If the join succeeds, net prints a message of the form Joined 'OMV' (the NAS hostname). Confirm it with "net ads testjoin" and check that domain users resolve through NSS, for example getent passwd 'DOMAIN\user'.
- Reboot, then from the GUI create a shared folder and set its permissions using domain users and groups.
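The join script leaves two TODOs (check that the domain passes DNS tests and matches krb5.conf), and the nsswitch step is the one most often got wrong. The pre-check script below is an added example, not code from the post or from the OpenMediaVault project: the realm AD.EXAMPLE.COM, the AD_PRECHECK_RUN switch and all function names are assumptions, and the SRV lookup needs the host command from the bind9-host package. The nsswitch, realm and sssd.conf functions take their input as arguments so they can be exercised without a domain; the SRV lookup and the post-join check need the network and are only called from main.

```shell
#!/bin/sh
# ad-precheck.sh: the nsswitch/DNS/krb5 sanity checks the join script's TODO asks for,
# plus a safer way to write sssd.conf. Added example, not code from the original post
# or from the OpenMediaVault project. Realm AD.EXAMPLE.COM, the AD_PRECHECK_RUN switch
# and all function names are assumptions. Pure functions take their input as arguments.

lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }
upper() { printf '%s' "$1" | tr '[:lower:]' '[:upper:]'; }

# 0 when a "hosts:" line from /etc/nsswitch.conf consults dns before mdns4_minimal.
# With "mdns4_minimal [NOTFOUND=return]" first, a *.local AD domain is answered (or
# declared not found) by mDNS and the domain controller is never resolved.
nsswitch_hosts_ok() {
    local i tok dns mdns
    set -f                    # no globbing: "[NOTFOUND=return]" is a bracket expression
    set -- $1                 # split the line into tokens
    set +f
    i=0; dns=-1; mdns=-1
    for tok in "$@"; do
        i=$((i + 1))
        case "$tok" in
            dns)           [ "$dns" -lt 0 ] && dns=$i ;;
            mdns4_minimal) [ "$mdns" -lt 0 ] && mdns=$i ;;
        esac
    done
    [ "$dns" -ge 0 ] || return 1      # no dns source at all: nothing can find the DC
    [ "$mdns" -lt 0 ] && return 0     # mDNS not consulted: order is irrelevant
    [ "$dns" -lt "$mdns" ]
}

# Kerberos realms are case-sensitive; in AD the realm is the DNS domain in upper case.
# Prints the realm for a DNS domain; a bare NetBIOS name (no dot) is rejected.
realm_for() {
    case "$1" in
        *.*) upper "$1"; echo ;;
        *)   return 1 ;;
    esac
}

# Emit sssd.conf with the realm substituted once, instead of sed-ing EXAMPLE.COM in
# a template (which also rewrote the placeholder inside comments).
render_sssd_conf() {
    local realm
    realm=$(realm_for "$1") || return 1
    cat <<EOF
[sssd]
services = nss, pam, ssh
config_file_version = 2
domains = $realm

[domain/$realm]
id_provider = ad
access_provider = ad
auth_provider = ad
chpass_provider = ad
# OMV lists domain users in its UI and ACL dialogs only with enumeration on
enumerate = True
ldap_idmap_range_min = 20000
EOF
}

# Network check, only called from main. AD advertises its DCs through SRV records;
# without them neither kinit nor "net ads join" can locate a DC. Needs bind9-host.
dns_srv_ok() {
    local d
    d=$(lower "$1")
    host -t SRV "_kerberos._tcp.$d" >/dev/null 2>&1 &&
        host -t SRV "_ldap._tcp.dc._msdcs.$d" >/dev/null 2>&1
}

# After the join: the machine keytab must be valid and NSS must see domain users.
join_ok() {
    net ads testjoin >/dev/null 2>&1 && getent passwd "$1" >/dev/null
}

main() {
    local domain hosts_line
    domain="${1:-AD.EXAMPLE.COM}"
    hosts_line=$(grep '^hosts:' /etc/nsswitch.conf)
    nsswitch_hosts_ok "$hosts_line" ||
        { echo "nsswitch.conf: move dns ahead of mdns4_minimal" >&2; return 1; }
    dns_srv_ok "$domain" ||
        { echo "no SRV records for $domain: check resolver and search domain" >&2; return 1; }
    install -m 0600 /dev/null /etc/sssd/sssd.conf   # sssd refuses a world-readable config
    render_sssd_conf "$domain" > /etc/sssd/sssd.conf
    printf '%s\n' "pre-checks passed: run ad-join.sh, then verify with join_ok 'DOMAIN\\user'"
}

# Only act when asked, so the file can also be sourced for its functions.
if [ "${AD_PRECHECK_RUN:-0}" = "1" ]; then main "$@"; fi
```

Run it as root with AD_PRECHECK_RUN=1 ./ad-precheck.sh AD.EXAMPLE.COM before ad-join.sh; it refuses to continue while the hosts line is wrong or the domain's SRV records do not resolve, which are the two failures that otherwise surface only as an opaque "kinit" or "net ads join" error.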