Active Directory integration #1 - Configuration



A bit of background: upcoming unRaid version 6, besides 64-bit support, includes Samba 4 which has the ability to be an Active Directory domain controller.  As a result I have been diving into AD/Samba integration, trying to understand what's going on "under the hood", so to speak.  The unRaid AD integration has been neglected and I apologize for that.  I first want to get any issues with unRaid 5 simply being a member in an AD domain before considering adding the DC feature in unRaid 6.

 

Turns out, AD in unRaid 5.0 does work, but there is a quirk in getting it to join the first time (this along with any other issues we might discover in this thread will be fixed in unRaid 5).

 

My test environment:

 

"lt2k3" - "lime tech win2003 server" This is my AD domain controller machine.  The name of my domain is "ad.lime-technology.com".  The IP address of this server is 192.168.1.5.  This machine also syncs time with pool.ntp.org.

 

"test1" - the name of a test server running unRaid 5.0, configured as follows:

 

- Under 'Date & Time', I set it up to use NTP syncing with pool.ntp.org.

 

- Under Network Settings, I have DNS Server 1 set to "192.168.1.5" in order to point to lt2k3.

 

- Under SMB settings, I followed this sequence:

1. Change "Enable SMB" to "Yes (Active Directory)".  Click Apply.  AD join status shows "Not joined".

2. Filled in

AD domain: ad.lime-technology.com

AD account login: Administrator  [which is the admin user on lt2k3]

AD account password: Password1 [password of Administrator user for test purposes]

Click Join

 

At this point "AD join status" shows "Joining" - This is the BUG.  "test1" shows up under Computers on the lt2k3 but you can't access any shares.  To fix this, in the section where it says "Enable SMB" where "Yes (Active Directory)" is shown, click that Apply button again (or Stop/Start array or reboot server - either of these actions will get it to join correctly).  After doing so, now "AD join status" should show "Joined" and you should be able to navigate a share via Network Places on the windows side.

 

If you have problems getting your server to join an AD domain, post in this thread.

 

For discussion of Permissions, see this thread.
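An added example, not code from the original post or from Lime Technology: a small check script for the prerequisites the post lists (DNS Server 1 pointing at the DC, time in sync, a completed join). It reuses the lab values above (realm ad.lime-technology.com, DC 192.168.1.5); the 300 s limit is the Kerberos default clock skew, and the `host`, `ntpdate`, `net`, `wbinfo` and `testparm` tools are assumed to be installed.

```shell
#!/bin/sh
# Added example (not from the original post). Pre- and post-join sanity checks
# for a Samba AD member, using the first post's lab values. The 300 s limit is
# the Kerberos default clock skew; the external tools used in run_checks are
# assumed to be present.
REALM="ad.lime-technology.com"
DC_IP="192.168.1.5"
MAX_SKEW=300

# DC discovery goes through this SRV record; when it does not resolve, the join
# fails with "failed to find DC for domain" (the error quoted later in the thread).
dc_srv_name() {
    printf '_ldap._tcp.dc._msdcs.%s\n' "$1"
}

# Returns 0 when the absolute offset (seconds) between two clocks is within MAX_SKEW.
clock_skew_ok() {
    diff=$(($1 - $2))
    [ "$diff" -lt 0 ] && diff=$((-diff))
    [ "$diff" -le "$MAX_SKEW" ]
}

# Returns 0 when the first nameserver in the given resolv.conf is the DC ("DNS Server 1").
dns_points_at_dc() {
    first=$(awk '/^nameserver/ { print $2; exit }' "$1" 2>/dev/null)
    [ "$first" = "$DC_IP" ]
}

run_checks() {
    dns_points_at_dc /etc/resolv.conf || echo "WARN: DNS Server 1 is not $DC_IP"
    host -t SRV "$(dc_srv_name "$REALM")" >/dev/null 2>&1 \
        || echo "WARN: cannot resolve the DC SRV record for $REALM"
    # ntpdate -q only queries the DC's clock; it never adjusts the local one.
    offset=$(ntpdate -q "$DC_IP" 2>/dev/null \
        | awk '{ for (i = 1; i <= NF; i++) if ($i == "offset") { printf "%d\n", $(i+1); exit } }')
    if [ -n "$offset" ]; then
        clock_skew_ok 0 "$offset" || echo "WARN: clock offset ${offset}s exceeds ${MAX_SKEW}s"
    else
        echo "WARN: could not query time from $DC_IP"
    fi
    # A "Joining" state that never completes shows up here as a failed trust check.
    net ads testjoin && echo "OK: machine account trust is valid"
    wbinfo -t || echo "WARN: winbind cannot validate the machine trust secret"
    testparm -s >/dev/null 2>&1 || echo "WARN: smb.conf (incl. smb-extra.conf) has errors"
}

if [ "${1:-}" = "run" ]; then run_checks; fi
```

Run it as `sh adcheck.sh run` on the unRaid console; the pure helper functions can also be sourced and used on their own.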


Hi,

 

Just installed unRAID yesterday in order to test it with XBMC. it works like a charm !

 

I found this website by searching for AD Integration for unRAID, so as you can see, I am VERY excited about this (yes, doesn't take me much)  LOL.

 

Anyway, here is my setup:

 

unraid (only in testing mode for now)

1 disk sharing folders in SMB and AFP

 

Windows 2008R2 Storage Server Essentials

Has 2 1.5 TB disks in software mirroring

AD integrated

 

AD server:

Windows 2008R2 standard.

 

All PCs are in AD, so I would like to set up unRAID with this AD integration also, but when trying to set up SMB, "Enable SMB" only has the "yes (workgroup)" option, as "yes (Active Directory)" is greyed out.

 

Thanks and let me know when version 6 is out. Any idea when?


At present AD integration feature is Pro only, though I could be talked into including in Plus  ;)

Note that turning on AD changes a few things:

- defined 'Users' are not relevant, at least for AD

- the SMB security modes (Public/Secure/Private) are not relevant

My recommendation, when using AD, don't use other protocols, such as AFP or NFS in the same server.


I am willing to give it a try, I am still looking for a NAS solution for my business. I would just hate to buy a licence and realize that Unraid doesn't comply 100% with AD.

 

Any way to test that AD is fully functional with my servers (Windows 2003 and 2008) before buying licence keys? I need a NAS solution before year end.

 

Thanks.


My recommendation, when using AD, don't use other protocols, such as AFP or NFS in the same server.

 

So no Time Machine backups on an unRAID box with AD enabled?

When AD is enabled file and folder ownership, group ownership, permissions, and extended attributes are all under control of the Domain Controller (this is what AD is all about).  If you have a share exported via both SMB/AD and AFP, the Public/Secure/Private security modes for AFP will not work well with SMB/AD.  Supposedly it's possible to integrate OSX via AFP into an AD domain, but I have not looked into this (or OSX via SMB/AD).

 

If you want to use AFP in same server as SMB/AD, I would suggest partitioning the disks or at least the shares.  That is, have some shares that are SMB/AD, others that are AFP.  Probably should be doing this for Time Machine anyway.  If you follow this recommendation then there should be no problems.


Hi Tom,

 

I could not connect using your guide.

 

I did manage to connect after configuring some kerberos info.

 

I added krb5.conf to /etc/ and used kinit to create a token, and then it worked.

Of course, krb5.conf did not stay after restart, but it still connects...

 

I have also added some custom info to smb-extra.conf...

 

In all of my other linux systems (turnkey lamp, bitnami lamp) I was able to connect using special configuration to [global] and also to the share themselves.

 

TURNKEY info:
    Linux 3.2.0-4-amd64 x86_64
    Debian GNU/Linux 7.3 (wheezy)
    SAMBA Version 3.6.6

BITNAMI info:
    Linux 3.2.0-58-virtual x86_64
    Ubuntu 12.04.4 LTS
    SAMBA Version 3.6.3

 

I usually define a winbind separator (+) in [global] and then set the group in each share, e.g.:

[sampleShare]
    path = /mnt/Movies
    valid users = @"MYDOMAIN+Domain Users"
    read only = no
    force group = "Domain Users"
    directory mode = 0770
    force directory mode = 0770
    create mode = 0660
    force create mode = 0660
    access based share enum = yes
    hide unreadable = yes

 

This works for me all the time.

 

However, this can't be done in unRaid since smb-shares.conf is built at runtime.

 

Can you please advise where it is built and how I can change the schema to see if this works well? If it does, I will repost a guide.

 

Thanks.

 


After buying 2 PRO licences (even though I will never run more than 4 HD), I am able to remote desktop to the server from my PC.

Server software running: WINDOWS SERVER 2012

Unraid can ping the server through the console.

The time matches on both servers within seconds.

 

AD join status: Not joined

AD domain name (FQDN): proper server domain name .ca entered

AD short domain name: short name entered

AD account login: administrator

AD account password: Correct password entered

 

I spent 3 hours trying many different permutations, and I am still not able to connect to the Active Directory.

I did follow the 1st post to the letter but I don't seem to be able to connect.

What am I missing????

 

Another bug is that you need to deselect AD then select it again before you do any changes, or the changes don't seem to be stored.

Log:

Mar 20 13:29:08 Tower avahi-daemon[12571]: Server startup complete. Host name is tower.local. Local service cookie is 302958446.
Mar 20 13:29:09 Tower avahi-daemon[12571]: Service "ATEQNAS" (/services/smb.service) successfully established.
Mar 20 13:29:13 Tower emhttp: shcmd (2525): /usr/bin/net ads join -U "administrator"%"*****" |& logger
Mar 20 13:29:14 Tower logger: Failed to join domain: failed to find DC for domain MyDomainName

I did follow the 1st post to the letter but I don't seem to be able to connect.

What am I missing????

Under Network Settings, "DNS Server 1" should be set to the IP address of your AD DNS server (usually same as the AD DC).  Do you have it set up like this?

 

Another bug is that you need to deselect AD then Select it again before you do any changes or the change don't seem to be stored.

Sorry, this is a known issue, fixed in 5.0.6.

 


Samba has had this functionality for over 10 years.  I've joined it to domains and also some time back it added capability to become a primary domain controller.  There doesn't seem to be any directory integration related functionality within unraid other than being a domain member. This is one of a small number of features I think is sorely lacking within unraid and shouldn't be too hard to add.  Think I'll go request it now on the feature request section.


Hi, I am new to UNRAID and have been testing it out on a test machine. I have run into some challenges with share permissions. I noticed that AD integration was mentioned as a PRO feature; does that mean it should function on a trial licence too?


(I have been able to join the UNRAID server to the AD Domain so have assumed that it should work on a trial licence so far)

 

Thanks,


Hi All,

 

my 1st post !  😁

 

I'm new to UNRAID and have been using it for a couple days now.  I'm running UNRAID Server as a VM on my windows 10 pro desktop VMWare Workstation PRO desktop server.  This is purely test and not sure if I will take the full plunge to dedicated Hardware for UNRAID Server.

 

I am a Sys Admin and a member of a team which supports approximately 700+ VMWARE ESXi hosts and  the 7000+ VMs that run on them and have been  doing so since 2001.  I am looking into UNRAID for personal use, not for work.

 

My question is, when my trial is up I'm definitely interested in purchasing UNRAID ... I just want to know which version supports Windows AD integration ... I have read this thread but no one seems sure.  From reading the UNRAID registration page it infers that the only difference in the 3 options is the number of connected devices.

 

I was thinking the Plus option would be more than enough for my home lab domain and setup but need to know if AD integration is supported by this version.

 

 

thanks ,

 

E

 

BTW you all are amazing .. from reading thru posts on this forum I was able to get my UNRAID server up and running and integrated in AD in just 2 days.  Had a few quirks with Time not syncing in domain and NTP server not syncing with my window AD 1st DC with PDC EM role, but those have been resolved thanks to UNRAID forum members posts.


My UNRAID server is part of a Windows AD ...

 

Does anyone know if moving the UNRAID computer account from the "Computers" OU to another AD OU will affect the UNRAID server?

 

Also, will group policies affect the UNRAID server? ... I doubt it, as it is not Windows.  I just want to make sure.
