LDAP or Active Directory association

samba-ad
openldap

#1

Hi,

We have to validate OpenMediaVault integration on a domain managed by Univention.

The need is to make some SMB shares on OpenMediaVault using Active Directory accounts or groups.

Which is better? Using LDAP or Kerberos?

We are trying LDAP, but we can’t connect using LDAP (seems to be a certificate problem).

How can we connect the OpenMediaVault solution to Univention securely with access to users/groups?

Thanks

Regards,


#2

Hi,

just an idea: UCS doesn’t use the standard LDAP ports.

Could this cause the problem with the LDAP connection?

Regards,
Ben


#3

I’ve just connected successfully with ldapsearch command.

Using port 7389 without encryption.

Why can’t we use encryption?

I’m doing some tests with port 7389, but I prefer using encryption…

Regards,


#4

Not usable…

Found this ticket without a solution: LDAP Connection Issue

Which file sharing server is really compatible with Univention?

Files must be placed on another server than UCS…


#5

Other point: I’m testing the print server on UCS too.

Using manual upload of printer drivers, this didn’t work.

The command rpcclient adddriver returns NT_STATUS_LOGON_FAILURE, whether running this as root or as an admin account.

Do you have some idea?


#6

Is your product really stable? Would you really like to sell it?

I’ve added a secondary UCS to the domain and added a share on it. But the share hasn’t been created and is not visible on the network.

This is a basic functionality. Please send me a complete procedure for that.

FYI, adding the secondary server wasn’t so easy: I needed to install my own certificate because UCS refuses the auto certificate generated by the UCS installer!!

I need everything working well by tomorrow to sell this.

Regards,


#7

Good Evening dedisoft,
you can create shares with FreeNAS and there are some hints in the forum. For secure connections you need to import the UCS CA cert into FreeNAS. I would suppose that it is the same with OMV, although I can’t tell you about the GUI because it’s been some time since I looked into it.
But there sure are more possibilities.
Best, Bernd


#8

What do you mean by ‘secondary UCS’? What server-role did you choose?
To create shares it would be standard if you install a domain-master and a member-server for the shares (if you don’t want the shares to be on the domain master).


#9

Hi,

Yes, it’s a member server (I’d already found the information before testing).

So from the UCS primary AS, creating a share on the member server didn’t work, and from the member server there is no interface to create shares.


#10

FYI, I’ve removed the member server VM that acts as file server.

I’ve recreated it using your VMware image.

During installation, the member server role was selected. Error during join: my login isn’t recognized, so 26univention-nagios-common is still pending.

I’ve created a share on the primary, hosted by the member server: no share visible.

Why does the error occur on a fresh install?

Is there any step missing during share creation?


#11

The workflow is intended to work from the UCS master server, as all the domain services are available there in the menu.
Following your questions and remarks, there was some problem joining the member server to the domain master?!
So the questions are:
Is the member server joined to the domain master?
Did all the join scripts succeed?
Is the Samba fileserver installed on the member server?
(As it is important that the member server has certificates from the domain master, I would probably reinstall everything, starting with the domain master.)


#12

Is the member server joined to the domain master?

As I said, I’ve made a fresh reinstall of the file server: “During installation, the member server role was selected. Error during join: my login isn’t recognized, so 26univention-nagios-common is still pending.”

Did all the join scripts succeed?

No, see above.

Is the Samba fileserver installed on the member server?

What do you mean? Must I install the samba package manually with SSH / package management, or must I install “Windows-compatible Memberserver”?


#13

Newer test with the administrator account rather than my admin account:

Is the member server joined to the domain master?

Yes!

Did all the join scripts succeed?

Yes!

But no share is created when trying to add a new share…

Is the Samba fileserver installed on the member server?

samba-common is installed but not samba; I will try to install it myself using your package manager (why isn’t this package already installed?).


#14

samba installed, but the share is not visible.

Am I missing something?


#15

Hi,

you have to install “Windows-compatible Memberserver” from the App Center on your UCS Member Server. The installation will not do it automatically, because you can use this server role for many other options. It’s not only a Samba Member Server.
Please look into the documentation for further information about UCS LDAP, roles and shares. Most of your questions are already answered by the documentation.
If you need specific help in understanding some points which are not clarified by the documentation, get back and open a new topic for this.

Kind regards,
Tobi


#16

Hi dedisoft,

let me try to sort the various things mentioned in this thread.

  1. OpenMediaVault Integration
    I’d recommend following the documented steps for an Active Directory Integration. Prerequisites on UCS are:
    – install UCS as Domain Controller Master (“first UCS System in the Domain”)
    – install the “Active Directory compatible Domain Controller” App using the App Center in the UCS Web Interface (see also https://www.univention.com/products/univention-app-center/app-catalog/samba4/)
    – configure OpenMediaVault to use the UCS Server for DNS and NTP (name resolution and desynchronized clocks are the main reasons for problems with Kerberos/AD)
    – follow the OpenMediaVault documentation; the first link I found was: https://forum.openmediavault.org/index.php/Thread/18886-Guide-how-to-join-OpenMediaVault-3-x-in-an-Active-Directory-domain/
    I’m no expert for OpenMediaVault; in case there are problems, please come back with meaningful descriptions and logfiles.

  2. Second UCS system
    Needed steps here are:
    – have a working UCS Domaincontroller Master
    – strong recommendation to not touch the SSL certificate chain during your first tests; in case you modified things, I’d recommend a fresh installation (SSL and the certificate chain are used for many services like LDAP, HTTP and Univention Listener/Notifier; in case the certificate chain isn’t modified on all UCS instances in the same way, the management system will stop working)
    – install a secondary server; for file services I’d also recommend a “Member”, using the UCS Domaincontroller Master for DNS
    – use the App Center to install the “Windows-compatible Memberserver”, which brings file services (see also https://www.univention.com/products/univention-app-center/app-catalog/samba-memberserver/)
    – use the Web interface on the UCS Domaincontroller Master to register the File Share (Module “Shares” in the “Domain” section); please ensure you select the correct server in the “host” drop-down

In case you still run into trouble, please check the logs on the memberserver instance; for the management system you should check both syslog and /var/log/univention/listener.log.

Regards
Ingo
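The two recurring problems in this thread are the LDAP connection that only worked unencrypted on port 7389 (posts #3 and #7, where importing the UCS CA certificate is the fix) and the prerequisites Ingo lists above (the file server must resolve the UCS master and keep its clock in sync for Kerberos/AD). The script below is an added example, not code from the thread or from Univention: it runs those pre-flight checks from the file server side, and for the LDAP part it sends a raw StartTLS request and upgrades the socket while verifying the server certificate against the UCS CA, which is exactly what fails when the CA is missing. Assumed, not taken from the thread: the CA path `/etc/univention/ssl/ucsCA/CAcert.pem`, that the slapd on 7389 accepts StartTLS, the 300-second Kerberos clock-skew tolerance, and the placeholder hostname `ucs-master.example.test`.

```python
"""Pre-flight checks for connecting a file server to a UCS domain (added example)."""
import socket
import ssl
import sys

# Assumed values (not from the thread): UCS serves OpenLDAP on TCP 7389 and
# publishes the domain CA at this path on every joined UCS host.
UCS_LDAP_PORT = 7389
UCS_CA_FILE = "/etc/univention/ssl/ucsCA/CAcert.pem"
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"   # RFC 4511 StartTLS extended operation
MAX_KERBEROS_SKEW_S = 300                  # assumed: MIT Kerberos default clockskew


def check_dns(hostname, resolver=socket.gethostbyname):
    """Return the resolved address, or None if the name does not resolve.

    `resolver` is injectable so the check can be exercised offline."""
    try:
        return resolver(hostname)
    except OSError:
        return None


def clock_skew_ok(local_ts, reference_ts, max_skew=MAX_KERBEROS_SKEW_S):
    """True when the two clocks differ by at most `max_skew` seconds;
    a larger offset makes Kerberos (and therefore the AD join) fail."""
    return abs(local_ts - reference_ts) <= max_skew


def build_starttls_request(message_id=1):
    """BER-encode LDAPMessage { messageID, ExtendedRequest { requestName = StartTLS OID } }."""
    request_name = b"\x80" + bytes([len(STARTTLS_OID)]) + STARTTLS_OID  # [0] requestName
    extended_req = b"\x77" + bytes([len(request_name)]) + request_name   # [APPLICATION 23]
    body = b"\x02\x01" + bytes([message_id]) + extended_req              # INTEGER messageID
    return b"\x30" + bytes([len(body)]) + body                           # SEQUENCE


def parse_result_code(response):
    """Extract resultCode from an ExtendedResponse; None if the bytes are not one.

    Only short-form BER lengths are handled, which is enough for a StartTLS reply."""
    if len(response) < 9 or response[0] != 0x30 or response[2:4] != b"\x02\x01":
        return None
    op = response[5:]                       # skip SEQUENCE header and messageID
    if op[0] != 0x78 or op[2:4] != b"\x0a\x01":   # [APPLICATION 24], ENUMERATED
        return None
    return op[4]


def probe_ldap_starttls(host, port=UCS_LDAP_PORT, ca_file=UCS_CA_FILE, timeout=5.0):
    """Connect in the clear, request StartTLS, then upgrade the socket while
    verifying the server certificate chain and hostname against `ca_file`.
    Returns the negotiated TLS version; raises on refusal or a failed verification."""
    ctx = ssl.create_default_context(cafile=ca_file)   # verifies chain + hostname
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_starttls_request())
        rc = parse_result_code(sock.recv(256))
        if rc != 0:
            raise RuntimeError(f"server refused StartTLS, resultCode={rc}")
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version()


if __name__ == "__main__":
    master = sys.argv[1] if len(sys.argv) > 1 else "ucs-master.example.test"  # placeholder
    print("DNS:", check_dns(master))
    print("TLS:", probe_ldap_starttls(master))
```

If the probe raises `ssl.SSLCertVerificationError`, the client does not trust the UCS CA (or is talking to a host whose certificate was not issued by the domain master, the situation Ingo warns about when the certificate chain was modified); copying the CA file from the master and pointing `ca_file` at it is the fix, the same step as importing the UCS CA cert into the NAS product. A `RuntimeError` with a non-zero result code means the server itself declined StartTLS.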


#17

OK, I’ll try this and reply.


#18

Fresh reinstall of all VMs.

No modification made on the primary UCS server.

Joining the domain with an additional UCS member server failed: 26univention-nagios-common (binddn for user administrator not found).


#19

slapd hasn’t been installed by the installer, another bug!

Installed manually, the join seems to be OK, I’m continuing my tests…


#20

Yes!!!

The share has been created.

Now why can’t my logged-in user (on the domain) open the share?

The share is defined with owner administrator and group authenticated users.

Permissions are full for owner and group.

Don’t understand why access is refused…

My logged-in user is a member of the domain admins group!