AD /LDAP Authentication

I’m new to RockStor and to this community.
I’m trying to setup the LDAP or AD Authentication services.
Possible to help me?

Thank you so much!

I’ve been using AD Authentication (DC on Samba 4, not WIN :slight_smile: ) over nas4free and found it easier on Rockstor

Those are my steps for AD Auth:

  1. Install Rockstor
  2. Setup NTP SERVER (it should be your AD DC or the same NTP server used by DC) - System -> Services -> NTP
  3. Setup Active Directory (System -> Services -> Active Directory Key) (IMPORTANT - Domain/Realm Name seems to have some problem with Domain only, got working for sure with realm - yourdomain.local or whatever it is)
  4. Insert your Administrator uname and pass
  5. Submit and it should be ok
  6. Reboot Rockstor to get Winbind correctly map users and password from domain (for @suman : instead of a reboot you should plan fixing by services reload - winbind smbd etc - remember to add an option to move from samba log level 3 to lower level, found it in smb conf)
  7. Your Rockstor now has joined AD and you can set groups/users for shares under access control)



Hello Flyer,
Thanks for your reply.
Does it need to be Administrator username or just a username from AD?
Usually, when I sync my servers to LDAP /AD I only use my own username and password in AD and it works.

Hi :slight_smile:

When you join an AD you must fill username and pass fields with an AD Admin data
Example: my AD Admin is Administrator so i fill username with Administrator and his password

If you have multiple AD admins or if your user is an AD Admin too you can use it

Easy version: use the same account data you use to join a computer to the AD

Let me know


Hello Mirko,

This is how I did it:

  1. I turned off everything. I only turned on NTP and AD.
  2. I set AD and used the username and password that I use when I joined my PC to the domain.
    (I think, by company policy, my username can join up to 5 PCs in our domain)
  3. ldmap range is set to default: 10000 - 999999
  4. Then I setup ntp.
  5. i rebooted the Rockstor

Looks all okay. Sometimes I get this error. BUt still I cannot see the users nor can log in using my AD credentials :confused:

Can you show me how you add Domain/Realm name??
It shoud be domain.local or similar reflecting your domain

I just typed my domain name: ( where it looks when I go to My Computer > Properties > System > Domain
There is no .local :disappointed_relieved:
Where or how do I find that?

Ok, my “.local” was an example thinking about my office. - the realm seems to be right (do you join to company or!?!?)

Try to join using as username DOMAIN\your user

I configure active directory in Rockstor like:

Domain/Realm Name * : (same what I found in My Computer > Properties > System > Domain)
Then I just key in my username and password.

But it still not working :weary:

Ok, so I assume you’ve got Admin rights on the subdomain my and not on domain, right??

Have you got any kind of veto for adding machines to sub?? (you told about 5 pc limit, maybe this)


yes. i think so. its like that.
but i haven’t reached the 5 PCs yet.

Usually when I try to query our smtp server and sync ldap, I only use my account and it works fine on my open source systems

Wait, you use your account to query ldap and it’s ok, but is your account a domain admin / subdomain admin??? I know this seems a stupid question, but query to ldap doesn’t mean you have admin rights on domain


I think my account has subdomain admin rights.
I mean, when I install and setup other open source systems, then I want users to use LDAP authentication than to individually sign up, I usually sync it to our LDAP. I configure the system using my account and password for LDAP authentication.

Uhmmm ok, from rockstor shell try net ads testjoin

what you get?? reading over net found that sometimes on centos you can get that error, but joined domain.

Try a reboot too and check for users / groups , if you joined you should see your AD groups and users

Hello Mirko,

Here is the result:

I already rebooted the server.
But still I cant see my AD users /groups.

Ok, let’s start with some cat from shell:

here is a part of my smb.con file (samba after join on AD), showing winbind and idmap to enumerate domain users and groups

[root@rockstone /]# cat /etc/samba/smb.conf
    workgroup = SIVAG
    log file = /var/log/samba/log.%m
    security = ads
    realm = sivag.local
    template shell = /bin/sh
    kerberos method = secrets and keytab
    winbind use default domain = false
    winbind offline logon = true
    winbind enum users = yes
    winbind enum groups = yes
    idmap config * : backend = tdb
    idmap config * : range = 1000000 - 1999999
    idmap config SIVAG : backend = rid
    idmap config SIVAG : range = 10000 - 999999
    log level = 3
    load printers = no
    cups options = raw
    printcap name = /dev/null

####BEGIN: Rockstor SAMBA CONFIG####
    comment =
    path = /mnt2/Data
    browseable = yes
    read only = no
    guest ok = yes
####END: Rockstor SAMBA CONFIG####

here getent group | grep domain just to list at least some domain groups and not to show local groups
[root@rockstone /]# getent group | grep domain SIVAG\enterprise read-only domain controllers:x:10498: <-- SIVAG\read-only domain controllers:x:10521: <-- SIVAG\domain controllers:x:10516: <-- SIVAG\domain computers:x:10515: <-- SIVAG\domain admins:x:10512: <-- SIVAG\domain guests:x:10514: <-- SIVAG\domain users:x:10513: <–

Same as group, but now with users from AD
[root@rockstone /]# getent passwd [OMISSIS - system users] SIVAG\marena:*:11143:10513:Mirko Arena:/home/SIVAG/marena:/bin/sh SIVAG\guest:*:10501:10514:Guest:/home/SIVAG/guest:/bin/sh

etc etc with other users from AD

Kerberos test
[root@rockstone /]# net ads user -U Administrator Enter Administrator's password: <- here i enter my password for Administrator (Domain Admin)

and get a list of all domain users (like getent but without DOMAIN\ shell info etc etc, just account names)

1 Like

Hi, excellent!!! i edit file /etc/samba/smb.conf
changed line idmap config SIVAG : backend = ad to idmap config SIVAG : backend = rid
after reboot i see users and group AD
Thank you!

1 Like