Rockstor Active Directory(AD) integration implementation

This is a wikified post documenting the implementation of Active Directory integration in Rockstor. It was done differently before version 3.8-9 using winbind as described here. This new approach uses sssd and is a much simpler and recommended one as per RHEL/CentOS documentation.

##User story and implementation summary
User should be able to add their Rockstor system to their Active Directory domain controller. We use realmd, which provides and simple way to discover and join Active Directory. Internally, realmd configures the System Security Services Daemon or SSSD to achieve this. Let’s dive into the UI and implementation details.

##Implementation detail
In the Web-UI, AD integration feature is available as one of the services under System → Services screen.

AD_service_table.png896×521 47.3 KB

User clicks on the Wrench icon next to Active Directory and submit a simple form.

ad_config_form.png748×360 28 KB

Following are the input fields with descriptions

1. Domain/Realm Name -- A resolvable AD realm. It's essential to have correct DNS configuration for the resolution to work. If the AD server is the sole DNS server and is configured automatically(via DHCP) or manually during network interface configuration, it should work fine. If needed, DNS servers for a network connection can be set from System -> Network Interfaces screen.
2. Administrator Username -- Administrator username to be used for authentication while joining AD.
3. Password -- Password for the above user.

That’s it. SSSD simplifies many other parameters required by previous method. Going forward, we may have to include some advanced input depending on AD infrastructure of a given scenario. I look forward to community members that are experienced with AD to chip in.

##Configuration save

Upon submitting the form in the UI, the following happens.

1. If NTP service is not running, the config is rejected as it’s essential for AD integration to work properly.
2. config is also rejected If the provided Domain/Realm cannot be resolved. In this case the user is advised to verify DNS configuration and input before trying again.
3. The domain controller is “discovered” with this command realm discover --name-only <domain>. Again, config is rejected if discovery fails.

Once the config is verified as indicated above, it’s saved. Note that username/password are not verified yet.

##Service switch on
When the service is switched on, an attempt is made to join AD using the credentials saved in the config. Just like during configuration save, NTP and domain name resolution are verified. Finally, join is attempted with this command realm join <domain>. Any low level errors are bubbled up and presented on the Web-UI after some elaboration for clarity.

Active Directory service being on means that the Rockstor system has joined Active Directory. But the domain user/group information is not listed anywhere in the Web-UI.

##Service switch off
This is a simple realm leave command.

##How is this tested by Rockstor team?
All AD related code is tested with Samba 4 Domain Controller which is compatible with Active Directory. I am hoping that AD users in the community will come forward and help us improve this feature as needed.

##Where to from here?
RHEL 7 documentation and other sources on the internet provide excellent documentation but also make it clear there is no universal AD integration for all. So instead of over engineering it, it’s best if users try to integrate their Rockstor systems with AD and point out shortcomings and nice to have extensions. For example, how should Samba service configuration be updated for AD integration? or if we should enumerate domain users/groups and show them on the Web-UI and support certain features like ACLs.

We are running Samba 4 Domain servers with a mixture of Mac’s and Linux and some windows machines.
Our fileservers are older samba 3.X and 4.X , using winbind, another system (commercial product ) uses likewise.
We manage our shares (ACL’s ) via the ‘Shared Folders’ mmc snap-in on windows. ( for now )
I had some troubles setting Rockstor up with sssd and using this method.
While the domain joining is a bit easier then winbind , I ran into kerberos issues because of a missing cifs/* spn.
For some reason I could not get samba on rockstor to play nicely with sssd and I reverted back to winbind , solely for the smb serving part.
enumeration and ACL’s are definitely needed for business users, perhaps not so much for home users, but they hardly need AD I assume.
Another issue I had is that ( although I cannot say for sure if it wasn’t caused by something else ) sssd’s users show up as Unix Users/<USERNAME> in the ‘Shared Folders’ instead of <DOMAIN>/<USERNAME>. This also leads to permission issues for me.

Also, sometimes when you restart samba via the GUI, the security setting is reverted back to user instead of ads.

I would definitely allow admins to override the default smb.conf that rockstor uses, and make sure rockstor never overwrite it if a customization has been done.

In short:

• If joining an active directory, smb.conf should contain:
• security = ads
• realm = <KERBEROS_REALM>
• keytab parameters

And:

• ACL’s - Groups and Users: YES, filter out local users by default ( perhaps with checkbox to include local users in the lists )
• VFS extensions: audit, recycle, acl_xattr
• Make sure cifs/hostname exists in keytab

This is my default smb.conf I usually start off with.

[global]
	workgroup = MYDOMAIN
	realm = MYDOMAIN.COM
	server string = My Domain Fileserver 05
	security = ads
	dedicated keytab file = /etc/krb5.keytab
	kerberos method = secrets and keytab
	map untrusted to domain = Yes
	log file = /var/log/samba/log.%m
	max log size = 50
	client signing = if_required
	max open files = 65535
        ; Experiment with settings SO_SND and RCV Buffer size for performance
        max xmit = 65535
	socket options = TCP_NODELAY IPTOS_LOWDELAY SO_SNDBUF=65535 SO_RCVBUF=65535
	load printers = No
	domain master = No
	wins support = Yes
        # Script to add/delete or modify shares
	add share command = /usr/local/bin/modify_samba_config.pl
	change share command = /usr/local/bin/modify_samba_config.pl
	delete share command = /usr/local/bin/modify_samba_config.pl
	template homedir = /shares/homedirs/%U
	template shell = /bin/bash
	;winbind enum users = Yes
	;winbind enum groups = Yes
	winbind use default domain = Yes
	winbind nss info = rfc2307
	winbind refresh tickets = Yes
	full_audit:failure = none
	full_audit:success = mkdir rename unlink rmdir pwrite
	full_audit:facility = local5
	full_audit:prefix = %u|%I|%m|%S
	full_audit:priority = NOTICE
	idmap config MYDOMAIN:range = 10000-99999
	idmap config MYDOMAIN:schema_mode = rfc2307
	idmap config MYDOMAIN:backend = ad
	idmap config *:range = 2000-9999
	idmap config * : backend = tdb
	map acl inherit = Yes
	max connections = 65535
	cups options = raw
	delete veto files = Yes
	store dos attributes = Yes
	vfs objects = acl_xattr, full_audit

I’d very much like to get the UIDs from the Active Directory - I was in the process of manually setting-up a CentOS7 Samba server when I found RockStor, and would definitely like to switch before going live.
Here is a part of my smb.conf:

# use AD provided UNIX properties
idmap config AD : backend = ad
idmap config AD : schema_mode = rfc2307
idmap config AD : range = 500-199999
# use AD provided UNIX properties
winbind nss info = rfc2307
winbind trusted domains only = no
winbind enum users  = yes
winbind enum groups = yes

Hey @ScarabMonkey, welcome to Rockstor community!

This wiki post is outdated as we moved to winbind approach after running into various troubles with sssd. Do you mind giving it a try using the latest testing update? The AD config UI should be pretty self explanatory. It’s under System -> Services on the UI.

Ahh, fair enough - well I am using the latest ‘Testing’ RockStor for now - and the AD binding is working just fine.
But, I’d prefer the UIDs were taken from AD rather than made-up by samba - hence the request for the rfc2307 mapping

So I guess this is a feature request

“Enable rfc2307 for idmap”

I have looked at the code and considered whether rfc2307 could just be inserted in the ‘idmap range’ field but that would require some assumptions about idmap range - thus a radio-button would be better (with an info icon reminding the user that they must populate the ‘uidnumber’ field in their AD) - then the idmap-range field can still be honoured.

I’ve fiddled with the python, but no idea how to get the variable into/from the gui:

This is me reading this post (@ScarabMonkey I’m not putting you down, just wondering about a possible 4 hands commits/pull requests!)

Why to implement this, but why not ?!? Following this way, why not adding this too (always as optional, false on default)

winbind nss info = rfc2307 ← collect from AD homes and shells setting

Flyer

I agree - just forgot about that line - now added to my git edit

My main reasoning for this is so that machines are using the same UIDs across the organisation… could especially be useful for anyone using nfsv3 - we use a similar thing on our Macs to ensure the same UIDs.

Already merged your fork into a new one refering the issue + winbind nss info

he!

just for the record.
is

“Service switch off
This is a simple realm leave command.”

still true?
then the ad connection gets disabled and the AD should be removed form the local stores?
then its not working as intended. when i disable the ADS service the users are still locally in PAM and WINBIND/NSS as of 3.8-14-22

someone can confirm?

That’s right, switch off -> leave domain, but users still in PAM etc
M.