AD/LDAP Authentication

I’m new to Rockstor and to this community.
I’m trying to set up the LDAP or AD authentication services.
Is it possible to help me?

Thank you so much!

I’ve been using AD Authentication (DC on Samba 4, not WIN :slight_smile: ) over nas4free and found it easier on Rockstor

Those are my steps for AD Auth:

  1. Install Rockstor
  2. Set up the NTP server (it should be your AD DC or the same NTP server used by the DC) - System -> Services -> NTP
  3. Set up Active Directory (System -> Services -> Active Directory key) (IMPORTANT - Domain/Realm Name seems to have some problem with the domain only; it worked for sure with the realm - yourdomain.local or whatever it is)
  4. Insert your Administrator username and password
  5. Submit and it should be ok
  6. Reboot Rockstor to get Winbind to correctly map users and passwords from the domain (for @suman: instead of a reboot you should plan to fix this with a services reload - winbind, smbd etc. - and remember to add an option to move from samba log level 3 to a lower level; I found it in smb.conf)
  7. Your Rockstor has now joined AD and you can set groups/users for shares under access control

BR
Mirko


Hello Flyer,
Thanks for your reply.
Does it need to be Administrator username or just a username from AD?
Usually, when I sync my servers to LDAP /AD I only use my own username and password in AD and it works.

Hi :slight_smile:

When you join an AD you must fill the username and password fields with an AD Admin’s data.
Example: my AD Admin is Administrator, so I fill the username with Administrator and his password.

If you have multiple AD admins or if your user is an AD Admin too you can use it

Easy version: use the same account data you use to join a computer to the AD

Let me know

Mirko

Hello Mirko,

This is how I did it:

  1. I turned off everything. I only turned on NTP and AD.
  2. I set up AD and used the username and password that I use when I join my PC to the domain.
    (I think, by company policy, my username can join up to 5 PCs in our domain)
  3. idmap range is set to default: 10000 - 999999
  4. Then I set up NTP.
  5. I rebooted the Rockstor.

Looks all okay. Sometimes I get this error. But still I cannot see the users, nor can I log in using my AD credentials :confused:

Can you show me how you add Domain/Realm name??
It should be domain.local or similar, reflecting your domain.

I just typed my domain name: (my.company.com) where it looks when I go to My Computer > Properties > System > Domain
There is no .local :disappointed_relieved:
Where or how do I find that?

Ok, my “.local” was an example thinking about my office. - the realm seems to be right (do you join to company or my.company??!?!?)

Try to join using as username DOMAIN\your user

I configured Active Directory in Rockstor like this:

Domain/Realm Name * : my.company.com (same what I found in My Computer > Properties > System > Domain)
Then I just key in my username and password.

But it is still not working :weary:

Ok, so I assume you’ve got Admin rights on the subdomain my and not on domain company.com, right??

Have you got any kind of veto for adding machines to sub?? (you told about 5 pc limit, maybe this)

M.

Yes, I think so. It’s like that.
But I haven’t reached the 5 PCs yet.

Usually when I try to query our smtp server and sync ldap, I only use my account and it works fine on my open source systems

Wait, you use your account to query ldap and it’s ok, but is your account a domain admin / subdomain admin??? I know this seems a stupid question, but query to ldap doesn’t mean you have admin rights on domain

M.

I think my account has subdomain admin rights.
I mean, when I install and setup other open source systems, then I want users to use LDAP authentication than to individually sign up, I usually sync it to our LDAP. I configure the system using my account and password for LDAP authentication.

Uhmmm ok, from the Rockstor shell try: net ads testjoin

What do you get? Reading over the net I found that sometimes on CentOS you can get that error but have joined the domain anyway.

Try a reboot too and check for users / groups , if you joined you should see your AD groups and users

Hello Mirko,

Here is the result:

I already rebooted the server.
But still I can’t see my AD users/groups.

Ok, let’s start with some cat from shell:

Here is a part of my smb.conf file (samba after the join on AD), showing winbind and idmap set to enumerate domain users and groups:

[root@rockstone /]# cat /etc/samba/smb.conf
[global]
    workgroup = SIVAG
    log file = /var/log/samba/log.%m
    security = ads
    realm = sivag.local
    template shell = /bin/sh
    kerberos method = secrets and keytab
    winbind use default domain = false
    winbind offline logon = true
    winbind enum users = yes
    winbind enum groups = yes
    idmap config * : backend = tdb
    idmap config * : range = 1000000 - 1999999
    idmap config SIVAG : backend = rid
    idmap config SIVAG : range = 10000 - 999999
    log level = 3
    load printers = no
    cups options = raw
    printcap name = /dev/null

####BEGIN: Rockstor SAMBA CONFIG####
[Data]
    comment =
    path = /mnt2/Data
    browseable = yes
    read only = no
    guest ok = yes
####END: Rockstor SAMBA CONFIG####

Here is getent group | grep domain, just to list at least some domain groups and not show the local ones:
[root@rockstone /]# getent group | grep domain
SIVAG\enterprise read-only domain controllers:x:10498:
SIVAG\read-only domain controllers:x:10521:
SIVAG\domain controllers:x:10516:
SIVAG\domain computers:x:10515:
SIVAG\domain admins:x:10512:
SIVAG\domain guests:x:10514:
SIVAG\domain users:x:10513:

Same as for groups, but now with users from AD:
[root@rockstone /]# getent passwd
[OMISSIS - system users]
SIVAG\marena:*:11143:10513:Mirko Arena:/home/SIVAG/marena:/bin/sh
SIVAG\guest:*:10501:10514:Guest:/home/SIVAG/guest:/bin/sh

etc etc with other users from AD

Kerberos test:
[root@rockstone /]# net ads user -U Administrator
Enter Administrator's password:    <- here I enter my password for Administrator (Domain Admin)

and I get a list of all domain users (like getent but without the DOMAIN\ prefix, shell info etc., just account names).


Hi, excellent!!! I edited the file /etc/samba/smb.conf and
changed the line idmap config SIVAG : backend = ad to idmap config SIVAG : backend = rid.
After a reboot I see the AD users and groups.
Thank you!

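As an added example (not Rockstor’s or Samba’s own code), here is a small shell check for the idmap lines discussed in the smb.conf above and in the backend = ad to rid fix: it flags a per-domain backend of "ad" (which only maps users whose AD objects carry RFC2307 uidNumber/gidNumber attributes, so without them nothing enumerates) and a domain range that overlaps the "*" default range. The smb.conf it reads is a constructed sample, modelled on the one posted above.

```shell
#!/bin/bash
# Added example: sanity-check the idmap section of an smb.conf before
# restarting winbind (or rebooting). Not part of Rockstor or Samba.

# Constructed sample smb.conf, with the "backend = ad" line that stopped
# the AD users and groups from showing up in this thread.
SAMPLE_CONF="$(mktemp)"
cat > "$SAMPLE_CONF" <<'EOF'
[global]
    workgroup = SIVAG
    security = ads
    realm = sivag.local
    winbind enum users = yes
    winbind enum groups = yes
    idmap config * : backend = tdb
    idmap config * : range = 1000000 - 1999999
    idmap config SIVAG : backend = ad
    idmap config SIVAG : range = 10000 - 999999
EOF

# check_idmap CONF: prints one finding per line, returns 1 if any finding.
check_idmap() {
    awk -F'[:=]' '
        /^[ \t]*idmap config/ {
            split($1, a, " "); dom = a[3]          # "*" or the domain name
            key = $2; gsub(/[ \t]/, "", key)       # backend / range
            val = $3; gsub(/[ \t]/, "", val)
            doms[dom] = 1
            if (key == "backend") backend[dom] = val
            if (key == "range") { split(val, r, "-"); lo[dom] = r[1] + 0; hi[dom] = r[2] + 0 }
        }
        END {
            rc = 0
            for (d in doms) {
                if (d == "*") continue
                if (!(d in backend))         { print "NO_BACKEND " d; rc = 1 }
                else if (backend[d] == "ad") { print "BACKEND_AD_NEEDS_RFC2307 " d; rc = 1 }
                if (!(d in lo))              { print "NO_RANGE " d; rc = 1 }
                else if (("*" in lo) && lo[d] <= hi["*"] && hi[d] >= lo["*"])
                                             { print "RANGE_OVERLAP " d; rc = 1 }
            }
            exit rc
        }' "$1"
}

check_idmap "$SAMPLE_CONF" || echo "fix the idmap lines above before restarting winbind"
```

Run it against /etc/samba/smb.conf instead of the sample; a clean run prints nothing and returns 0, after which getent passwd and net ads user are the checks worth repeating.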