limetech

Active Directory integration #1 - Configuration


A bit of background: upcoming unRaid version 6, besides 64-bit support, includes Samba 4 which has the ability to be an Active Directory domain controller.  As a result I have been diving into AD/Samba integration, trying to understand what's going on "under the hood" so-to-speak.  The unRaid AD integration has been neglected and I apologize for that.  I first want to get any issues with unRaid 5 simply being a member in an AD domain before considering adding DC feature in unRaid 6.

 

Turns out, AD in unRaid 5.0 does work, but there is a quirk in getting it to join the first time (this along with any other issues we might discover in this thread will be fixed in unRaid 5).

 

My test environment:

 

"lt2k3" - "lime tech win2003 server" This is my AD domain controller machine.  The name of my domain is "ad.lime-technology.com".  The IP address of this server is 192.168.1.5.  This machine also syncs time with pool.ntp.org.

 

"test1" - the name of a test server running unRaid 5.0, configured as follows:

 

- Under 'Date & Time', I set up to use ntp syncing with pool.ntp.org.

 

- Under Network Settings, I have DNS Server 1 set to "192.168.1.5" in order to point to lt2k3.

 

- Under SMB settings, I followed this sequence:

1. Change "Enable SMB" to "Yes (Active Directory)".  Click Apply.  AD join status shows "Not joined".

2. Fill in:

   AD domain: ad.lime-technology.com
   AD account login: Administrator  [which is the admin user on lt2k3]
   AD account password: Password1 [password of Administrator user for test purposes]

3. Click Join.

 

At this point "AD join status" shows "Joining" - This is the BUG.  "test1" shows up under Computers on the lt2k3 but you can't access any shares.  To fix this, in the section where it says "Enable SMB" where "Yes (Active Directory)" is shown, click that Apply button again (or Stop/Start array or reboot server - either of these actions will get it to join correctly).  After doing so, now "AD join status" should show "Joined" and you should be able to navigate a share via Network Places on the windows side.

 

If you have problems getting your server to join an AD domain, post in this thread.

 

For discussion of Permissions, see this thread.


With a bit of help from Tom at lime tech I can confirm that AD integration is working correctly! I will try to help get a step-by-step guide put together, but I don't want to take my server down, being that it has been a month in the process!

 

Bill


Hi,

 

Just installed unRAID yesterday in order to test it with XBMC. it works like a charm !

 

I found this website by searching for AD Integration for unRAID, so as you can see, I am VERY excited about this (yes, doesn't take me much)  LOL.

 

Anyway, here is my setup:

 

unraid (only in testing mode for now)

1 disk sharing folders in SMB and AFP

 

Windows 2008R2 Storage Server Essentials

Has 2 1.5TB disks in software mirroring

AD integrated

 

AD server:

Windows 2008R2 standard.

 

All PCs are AD, so I would like to set up unRAID in this AD integration also, but when trying to set up SMB, the enable share only has the "yes (workgroup)" option, as "yes (Active Directory)" is greyed out.

 

Thanks and let me know when version 6 is out. Any idea when?


> All PCs are AD, so I would like to set up unRAID in this AD integration also, but when trying to set up SMB, the enable share only has the "yes (workgroup)" option, as "yes (Active Directory)" is greyed out.

At present the AD integration feature is Pro only, though I could be talked into including it in Plus  ;)

Note that turning on AD changes a few things:

- defined 'Users' are not relevant, at least for AD

- the SMB security modes (Public/Secure/Private) are not relevant

My recommendation: when using AD, don't use other protocols, such as AFP or NFS, on the same server.


I am willing to give it a try, I am still looking for a NAS solution for my business. I would just hate to buy a licence and realize that Unraid doesn't comply 100% with AD.

 

Any way to test that AD is fully functional with my servers (Windows 2003 and 2008) before buying licence keys? I need a NAS solution before year end.

 

Thanks.


> My recommendation: when using AD, don't use other protocols, such as AFP or NFS, on the same server.

 

So no Time Machine backups on an unRAID box with AD enabled?


> My recommendation: when using AD, don't use other protocols, such as AFP or NFS, on the same server.

> So no Time Machine backups on an unRAID box with AD enabled?

When AD is enabled file and folder ownership, group ownership, permissions, and extended attributes are all under control of the Domain Controller (this is what AD is all about).  If you have a share exported via both SMB/AD and AFP, the Public/Secure/Private security modes for AFP will not work well with SMB/AD.  Supposedly it's possible to integrate OSX via AFP into an AD domain, but I have not looked into this (or OSX via SMB/AD).

 

If you want to use AFP on the same server as SMB/AD, I would suggest partitioning the disks or at least the shares.  That is, have some shares that are SMB/AD, others that are AFP.  Probably should be doing this for Time Machine anyway.  If you follow this recommendation then there should be no problems.


Hi Tom,

 

I could not connect using your guide.

 

I did manage to connect after configuring some kerberos info.

 

I added krb5.conf to /etc/ and used kinit to create a token, and then it worked.

Of course, krb5.conf did not stay after restart, but it still connects...

 

I have also added some custom info to smb-extra.conf...

 

In all of my other Linux systems (TurnKey LAMP, Bitnami LAMP) I was able to connect using special configuration in [global] and also in the shares themselves.

 

TURNKEY info:

    Linux 3.2.0-4-amd64 x86_64
    Debian GNU/Linux 7.3 (wheezy)
    SAMBA Version 3.6.6

BITNAMI info:

    Linux 3.2.0-58-virtual x86_64
    Ubuntu 12.04.4 LTS
    SAMBA Version 3.6.3

 

I usually define a winbind separator (+) in [global] and then set the group in each share, e.g.:

[sampleShare]
    path = /mnt/Movies
    valid users = @"MYDOMAIN+Domain Users"
    read only = no
    force group = "Domain Users"
    directory mode = 0770
    force directory mode = 0770
    create mode = 0660
    force create mode = 0660
    access based share enum = yes
    hide unreadable = yes

 

This works for me all the time.

 

However, this can't be done in unRaid since smb-shares.conf is built at runtime.

 

Can you please advise where it is built and how I can change the schema to see if this works well; if it does I will repost a guide.

 

Thanks.
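The share stanza posted above restricts access to one domain group and keeps group-only mode bits; the following is an added example (not code from the thread, unRAID or Samba) that reads such a stanza with a minimal smb.conf parser and lints the settings that matter once AD controls access: a domain-qualified `valid users`, no world bits in the create/directory modes, `hide unreadable` on, and no `guest ok`. The embedded configuration is the poster's stanza plus the `[global]` line it relies on; MYDOMAIN is the poster's placeholder, and the `[global]` section and the lint rules are my assumptions.

```python
#!/usr/bin/env python3
"""Read smb.conf share stanzas and lint their AD-related access settings.

Added example, not from the thread, unRAID or Samba. The sample below is
the stanza posted in the thread with the [global] line it relies on
(winbind separator = +) added; the lint rules are an assumption encoding
a least-privilege reading of that stanza.
"""
import re

# Constructed sample configuration (stanza from the post, [global] added).
SAMPLE_SMB_CONF = """
[global]
    winbind separator = +

[sampleShare]
    path = /mnt/Movies
    valid users = @"MYDOMAIN+Domain Users"
    read only = no
    force group = "Domain Users"
    directory mode = 0770
    force directory mode = 0770
    create mode = 0660
    force create mode = 0660
    access based share enum = yes
    hide unreadable = yes
"""

# smb.conf accepts either spelling; normalise to the one used in the post.
SYNONYMS = {"create mask": "create mode", "directory mask": "directory mode"}
MODE_PARAMS = ("create mode", "force create mode",
               "directory mode", "force directory mode")


def parse_smb_conf(text):
    """Minimal smb.conf reader: {section: {param: value}}.

    Whole-line comments start with ';' or '#'; Samba has no inline
    comments, so anything after '=' is kept as the value.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1).strip()
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = key.strip().lower()
        sections[current][SYNONYMS.get(key, key)] = value.strip()
    return sections


def split_domain_group(spec, separator):
    """'@"MYDOMAIN+Domain Users"' -> ('MYDOMAIN', 'Domain Users')."""
    name = spec.strip().lstrip("@+&").strip('"')
    domain, sep, group = name.partition(separator)
    return (domain, group) if sep else ("", name)


def lint_share(params, separator):
    """Return a list of findings; an empty list means the stanza passes."""
    findings = []
    valid = params.get("valid users", "")
    if not valid:
        findings.append("valid users unset: any authenticated domain account can connect")
    else:
        domain, _group = split_domain_group(valid, separator)
        if not domain:
            findings.append("valid users is not domain-qualified with separator %r" % separator)
    for name in MODE_PARAMS:
        value = params.get(name)
        if value is None:
            continue
        try:
            mode = int(value, 8)
        except ValueError:
            findings.append("%s is not octal: %s" % (name, value))
            continue
        if mode & 0o007:  # any 'other' bit means non-group domain users can touch files
            findings.append("%s grants world access: %s" % (name, value))
    if params.get("hide unreadable", "no").lower() != "yes":
        findings.append("hide unreadable is off: names of unreadable entries are listed")
    if params.get("guest ok", "no").lower() == "yes":
        findings.append("guest ok = yes bypasses AD authentication")
    return findings


if __name__ == "__main__":
    conf = parse_smb_conf(SAMPLE_SMB_CONF)
    sep = conf["global"].get("winbind separator", "\\")  # Samba's default is a backslash
    for section, params in conf.items():
        if section != "global":
            print(section, lint_share(params, sep) or "ok")
```

Point it at a real file by replacing `SAMPLE_SMB_CONF` with the file's contents; on unRAID that would be the runtime-built smb-shares.conf together with smb-extra.conf, since the separator lives in `[global]`.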

 

 


After buying 2 PRO licences (even though I will never run more than 4 HD), I am able to remote desktop to the server from my PC.

Server software running: WINDOWS SERVER 2012

Unraid can ping the server through the console.

The time matches on both servers within seconds.

 

AD join status: Not joined
AD domain name (FQDN): proper server domain name .ca entered
AD short domain name: short name entered
AD account login: administrator
AD account password: Correct password entered

 

I spent 3 hours trying many different permutations, I am still not able to connect to the active directory.

I did follow the 1st post to the letter but I don't seem to be able to connect.

What am I missing????

 

Another bug is that you need to deselect AD then select it again before you do any changes, or the changes don't seem to be stored.

Log:

Mar 20 13:29:08 Tower avahi-daemon[12571]: Server startup complete. Host name is tower.local. Local service cookie is 302958446.
Mar 20 13:29:09 Tower avahi-daemon[12571]: Service "ATEQNAS" (/services/smb.service) successfully established.
Mar 20 13:29:13 Tower emhttp: shcmd (2525): /usr/bin/net ads join -U "administrator"%"*****" |& logger
Mar 20 13:29:14 Tower logger: Failed to join domain: failed to find DC for domain MyDomainName


> I did follow the 1st post to the letter but I don't seem to be able to connect.

> What am I missing????

Under Network Settings, "DNS Server 1" should be set to the IP address of your AD DNS server (usually same as the AD DC).  Do you have it set up like this?

 

> Another bug is that you need to deselect AD then select it again before you do any changes, or the changes don't seem to be stored.

Sorry, this is a known issue, fixed in 5.0.6.

 


Is this still restricted to Pro? I am interested in using my FreeIPA setup to have authentication as a single sign on. Is this possible?




Copyright © 2005-2018 Lime Technology, Inc.
unRAID® is a registered trademark of Lime Technology, Inc.