Connecting nethserver to a NS AD provider & Nextcloud authentication

NethServer Version: NethServer release 7.3.1611 (Final)

Hi there,

I’m struggling to get a second NS server to join our first NS server configured as “Active Directory local accounts provider”. In my view the documentation is not really clear: should I use the “Join remote AD” method or the “remote LDAP” method?

After failing to get the first method to work I tried to connect using remote LDAP and it worked, at least it looks so: no error messages with that configuration:

AD provider side:

“Client” side:

Now I want my user to be able to log onto the Nextcloud instance hosted on that NS, but it doesn’t work. Basically it can’t connect to the LDAP server ("app":"user_ldap","message":"No LDAP Connection to server").

Could someone help me with this?

Thanks

Matthieu

Take a look at this:

http://docs.nethserver.org/en/v7/accounts.html#join-an-existing-active-directory-domain

Basically you need 2 steps:

  1. Join the NS to the remote AD
  2. Create a user on the remote AD and add it in the field below “Authenticated bind”

Thanks Giacomo. This is indeed what I tried first.

However, I get “Failed to join Active Directory (Can’t contact LDAP server)”.

I’m wondering whether this could be the problem:

#  host -t srv _ldap._tcp.lebrass.be
Host _ldap._tcp.lebrass.be not found: 3(NXDOMAIN)

BTW: I successfully joined the AD domain with a Windows 7 client.

Your AD domain is

ad.lebrass.be

The administrator account is disabled by default in NethServer.

Gosh…

Still no luck:

Failed to join Active Directory (Joining the domain ad.lebrass.be failed)

As far as I know administrator@lebrass.be is enabled, furthermore I used it to join the domain on the W7 machine.

May 31 22:18:54 cloud realmd: * Resolving: _ldap._tcp.ad.lebrass.be
May 31 22:18:54 cloud realmd: * Performing LDAP DSE lookup on: 10.10.1.2
May 31 22:18:54 cloud realmd: * Successfully discovered: ad.lebrass.be
May 31 22:18:54 cloud realmd: * Required files: /usr/sbin/oddjobd, /usr/libexec/oddjob/mkhomedir, /usr/sbin/sssd, /usr/bin/net
May 31 22:18:54 cloud realmd: * LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.WLVL0Y -U administrator@lebrass.be ads join ad.lebrass.be
May 31 22:18:55 cloud realmd: Enter administrator@lebrass.be's password:kerberos_kinit_password administrator@LEBRASS.BE failed: Cannot find KDC for requested realm
May 31 22:18:55 cloud realmd: 
May 31 22:18:55 cloud realmd: Failed to join domain: failed to connect to AD: Cannot find KDC for requested realm
May 31 22:18:55 cloud realmd: ! Joining the domain ad.lebrass.be failed

Use one of the following user names:

 administrator@ad.lebrass.be
 administrator
 LEBRASS\administrator

If you enabled admin also:

 admin
 LEBRASS\admin
 admin@ad.lebrass.be

SUCCESS using the first proposition.

Still have issues with Nextcloud, even after a reinstall. The LDAP config page looks like this:

I also tried with administrator@lebrass.be and administrator@ad.lebrass.be.

To be continued… THANKS for helping :slight_smile:


Create a “nextcloud” account in AD, set a non-expiring password for it.

Then in the joined nethserver go to Accounts provider page and select “authenticated bind”.

Type nextcloud credentials like

  LEBRASS\nextcloud

Then save…

I should probably sleep on it: it’s not working.

Problem is that all this AD stuff looks horribly MS-like… Intentionally opaque.


I’d rather say Active Directory is complex! It “requires advanced configuration options”…

Do you need authenticated access to shared folders? If you like simplicity, why not choose LDAP?


Ehi Davide,

Indeed, I need shared folder authentication (SMB with > 15 employees). In my view AD is kind of an LDAP on steroids. It’s the authentication scheme that annoyed me. I hate those strange login IDs with backslashes, domain names and a terminating $ sign; it makes me nervous, I never really understood that thing coming right from the nineties :slight_smile:

I must admit that I was a bit exhausted last night. After some experimentation with an LDAP browser, I was able to understand how this thing was working and to get the right parameters for Nextcloud authentication. I was expecting NethServer to automagically configure itself after having joined the AD? I guess that the situation where Nextcloud is not installed on the same machine is not supported? Also the documentation should emphasize the fact that the main NethServer instance is NOT the AD server (it is the virtual instance created at setup); it wasn’t so clear at that time, even if it sounds so obvious now.

It also turned out that the autocomplete feature of OSX Safari interferes with Nextcloud’s authentication fields! The fields are randomly and silently autocompleted even when they are hidden behind the various steps of the LDAP configuration wizard. This added some confusion when debugging this issue. I’ll get in touch with the Nextcloud team to make them aware of this.

Thanks for helping!

Matthieu

EDIT: the Nextcloud issue is known and being handled: https://github.com/nextcloud/server/issues/4476
