Sunday, 18 May 2014

Add ownCloud 6.0 to Active Directory 2012 R2



OwnCloud is cool but configuring it can be a pain in the back office. The administrative web interface is scantily documented and its behaviour is quirky, which makes the documentation even less useful.

I’m sure the good folks at ownCloud will fix this eventually, but in the meantime, if you want to add an ownCloud server to your Active Directory 2012 R2 network, here is how I got it to work.

If you found this article you probably know what ownCloud is. If not:

OwnCloud is privately hosted cloud storage. Dropbox on your own server.

What you will get:
– instantly available cloud storage for selected or all users in your domain
– as secure and private as you want it because you are hosting it on your own servers
– free clients for mobile, desktop and web users

This solution is free, easy to back up and does not require extra hardware.

I divided this article into nine parts:

0. Intended audience and versions used
1. Installing and configuring Oracle VirtualBox
2. Installing and configuring Debian on a virtual machine
3. Preparing the vm for ownCloud
4. Installing ownCloud
5. Connecting ownCloud to Active Directory
6. Troubleshooting
7. What’s next?
8. Further reading and useful resources

0. Intended audience and versions used

This article is intended for administrators of relatively small Windows networks who want to deploy a cloud storage solution for users that’s low-cost, low-maintenance and safe.

There are a couple of good reasons to run your own cloud storage:
1. You are not subject to US inspection.
2. There’s no licensing hassle.
3. Single sign-on because it can use Active Directory for authentication.
4. Many businesses block access to cloud storage services such as Dropbox for security reasons. That’s all good and well but users will find a way around it or an alternative so it’s better to offer them something decent.
5. Extra geek credit \o/

For this article I’ve used Windows Server 2012 R2 Standard with the Active Directory 2012 R2 functional level. Any other AD version will probably also work but that’s what I tested it on.

For the ownCloud OS I used Debian 7.3.0 i386. Don’t worry if you’re not a Linux guru. First of all none of us was born a Linux guru and second, the main interface is ownCloud’s web interface, not the Linux command line. While it is possible to install ownCloud on a Windows server with IIS I recommend you use Linux. This way you’ll keep things isolated, it won’t cost you a Windows license, and configuring PHP and MySql projects on Windows is possible but a rather esoteric thing to do.

The OwnCloud version I used is 6.0.0a. I recommend to always check out the changelog because ownCloud is under very active development.

I’ve used two virtual machines:

VM 1
name: W2012R2ADDC.TESTNET.NETWERK
os: Windows Server 2012 R2 Standard
ip address: 192.168.77.136
netmask: 255.255.255.0
dns: 192.168.77.136
default gw: 192.168.77.1

VM 2
name: OWNCLOUD.TESTNET.NETWERK
os: Debian 7.3.0 i386
ip address: 192.168.77.130
netmask: 255.255.255.0
dns: 192.168.77.136
default gw: 192.168.77.1

I’m assuming since you’re reading this that you know how to set up Active Directory so I haven’t described that. If you aren’t interested in working with Active Directory there’s no point in continuing reading this article…

As for the level of Linux knowledge, I assume you have heard of Debian, have run Ubuntu at least once and know where to find Google. I will describe in detail how to execute the proper commands but explaining them all would take too much time. If you’re interested in that, type man command on the command line, where command is the command you want information on. Then read it.

In Active Directory I created two groups: ocusers and Testgroup. I also created four users: User1, User2, User3 and User4.
ocusers group members: User2, User3, Testgroup
Testgroup group members: User4

As you can see, User2 and User3 are direct members of the ocusers group and User4 is an indirect member, that is, a member due to group nesting. Remember this term as we’ll be using it later.

1. Installing and configuring Oracle VirtualBox

VirtualBox is a so-called type 2 hypervisor. What this means is that it is a program that runs virtual machines and is installed, just like any other software, on top of an operating system. It is very OS agnostic: it can be installed on Windows, Linux, Solaris and OS X. This can come in handy when you migrate to a different platform or need to replace hardware: just pick up your VMs, install VirtualBox on a new machine and you’re done. It is also compatible with VMware and Hyper-V formats and you can import and export standard appliances.

VirtualBox is stable, well documented and very feature rich for a type 2 hypervisor. While I haven’t documented it here it is possible (and not very difficult) to run a VM in headless mode: without a user interface. You can then connect to it remotely via RDP (you connect to the VM, not to the guest OS, so you can connect to a non-graphical UNIX server just as easily as you could connect to a Windows guest), via a remote VirtualBox installation, or through conventional means such as an MMC or SSH.

The idea is you install VirtualBox on an existing server. Since we’ll be using Debian Linux to install ownCloud on the installation won’t be very demanding.

Download the latest version of Oracle VirtualBox from https://www.virtualbox.org/wiki/Downloads. Install it and stick to the default settings. When you’re done, run it as administrator. Download the latest VirtualBox Extension Pack from the same site. Start VirtualBox and from the File menu, choose Settings. Click on Extensions. On the right side of the Extension Packages list click the upper button (Add Package). Select the downloaded package and click Open.



Close VirtualBox and run it again as a regular user. Sometimes VirtualBox doesn’t quite get this and you need to end the process and try again. This is a bug in VirtualBox or in Windows and it only happens after the above procedure of running as administrator and installing the Extension Pack. It is not representative of VirtualBox’s stability.

In VirtualBox, click New. For the machine name I recommend ownCloud but that’s your call. Type: Linux. Version: Debian. Click Next.



The amount of memory necessary depends on your number of users and how often they’ll use ownCloud. Let’s try 1024MB.



Click ‘Create a virtual hard drive now’ and click Create. Now choose the disk file type. If you’re unsure of what to choose here, stick to VDI (VirtualBox Disk Image). VMDK disks are compatible with VMware and VHD disks can be used on Windows with or without Hyper-V. Take your pick and click Next.

In the next step you need to choose between a dynamically allocated and a fixed size drive. If unsure choose ‘Dynamically allocated’. If you have 5,000 users you may need the extra speed. If you don’t have a 1Gb upload speed the disk speed is probably not your speed bottleneck.

Next choose how big the drive should be. If you are creating a dynamically allocated disk the size doesn’t really matter. Choose an appropriate size. The OS and software take up around 2.5GB.

Download the Debian network installation CD iso. I recommend the i386 version.

You have now created a virtual machine in VirtualBox. Select the VM and click Settings. From the list on the left side choose Network.

For an exhaustive discussion on virtual networking, read chapter 6 of the manual. Or skip it and only read it if you can’t get it to work.

Set the adapter to Bridged Adapter and choose the network interface that connects your server to the rest of your network. My screenshot shows an Intel Centrino adapter, which is a wireless card, because I’m writing this on a laptop. In the event you’re using a wireless card you may need to click Advanced and play around with the Promiscuous Mode setting. This is not necessary for wired connections.



Next go to Storage and click the ‘Empty’ CD in the Storage Tree. Click on the CD icon to the right of ‘CD/DVD Drive: IDE Secondary Master’.



Click ‘Choose a virtual CD/DVD disk file…’ and select the debian-n.n.n-xxxx-netinst.iso file you downloaded earlier.



Click Ok to save and return to the main Oracle VM VirtualBox Manager window. (My screenshot shows a couple more VMs.)


2. Installing and configuring Debian

To start installing Debian, fire up the virtual machine! Select it and click Start.

After a briefly shown boot logo you’ll be presented with an installer boot menu. Choose Install.



Select English as the language.



Select your country.



Select the country to base the default locale settings on. Since this isn’t a desktop don’t be too concerned about this. Choose United States if you are unsure.



Choose your keymap. For Dutch keyboards choose American English. If you choose Dutch your @ will not be on the same key as number 2.



As the hostname I suggest OWNCLOUD.



As the domain name enter your Active Directory domain. My lab setup is a one-tree, one-domain forest. My server is called W2012R2ADDC.TESTNET.NETWERK so I’m entering TESTNET.NETWERK here.



Enter a root password and enter it again. Remember it.

Then create a new user. I suggest choosing a functional username like ‘owncloudlocaluser’ because you don’t want ambiguity in the ownCloud-Active Directory naming scheme. You won’t be using this account very much.



Just keep the same name for the username and remember the password.

It is a good idea to choose safe passwords for both the root and normal user account.

Now the installer will do some network stuff, like checking the time. The next interactive step is partitioning. If you’re not sure what to do, just stick with the defaults unless you need encryption.

Partitioning method: Guided – use entire disk.



Disk to partition: select the only available disk if you have followed this article step by step.



Partitioning scheme: All files in one partition. This doesn’t really matter as we’re working in a virtual environment.



Select ‘Finish partitioning and write changes to disk’.



Yes, we’re sure.



The installer will now install Debian on your virtual machine.



Since this is the netinstall CD some parts need to be downloaded. Select a source that you think is fast and up-to-date. I chose Netherlands > ftp.tiscali.nl.

Enter proxy information if you need to. Then wait for the installer to continue.



The installer asks if you want to participate in a package usage survey. I tend to agree but it’s up to you.



At the software selection screen, select:
– Web server
– SQL database
– SSH server
– Standard system utilities



Wait for the software to be installed, then let the installer install GRUB to the master boot record.



All done!



Wait for the system to reboot and when the login screen appears log in with the root user.



You won’t see any asterisks or other characters appear after the Password prompt.

Configuring networking in Debian

I didn’t provide my Debian vm with a static dhcp address but I suppose you would, being the administrator of an Active Directory.

By convention *nix commands entered under a root account are preceded by a #. Commands entered as a regular user are preceded by a $.

Edit the file /etc/network/interfaces by typing
# nano /etc/network/interfaces

After “# The primary network interface” have it look like this:
allow-hotplug eth0
auto eth0
iface eth0 inet static
    address 192.168.77.130
    netmask 255.255.255.0
    gateway 192.168.77.1


Of course enter your own network addressing here.

Save the file (^ means the control button but use the left one on your keyboard because the right one is VirtualBox's host key!) and reset the networking service:

# service networking restart

Now minimize – don’t close – the VirtualBox window and fire up PuTTY from your desktop or laptop. If you don’t have PuTTY installed now would be a good time to download it.

In the ‘Host Name (or IP address)’ field type the IP address of your ownCloud VM, sit down and press Open.



You were sitting down weren’t you? The security warning means you haven’t connected to this machine before. Read the message and click Yes.



The way this works is you log into the virtual machine via SSH with a regular user account, then as that user switch to the root account. This way the root password isn’t transferred insecurely over the network. There are better ways to do this and you should read up on them after you’re done with ownCloud.

The reason we use PuTTY is that it allows us to scroll up, copy from and paste to the command line, and it’s just a lot more versatile than VirtualBox’s pseudo-local console.

At the SSH command prompt log in as owncloudlocaluser (the one we created earlier) with its password. Then do:
$ su root
and type the root password.

Now we’ll set up dns. Edit the file /etc/resolv.conf and make it look like this:

domain testnet.netwerk
search testnet.netwerk
nameserver 192.168.77.136

Remember testnet.netwerk is my lab AD name and 192.168.77.136 is my Active Directory DNS server.

You can edit the file by typing
# nano /etc/resolv.conf

If you do this a lot try and learn Vi as it’s easier to use (but not to learn) than Nano. Nano works fine however.

Since we’re on a virtual machine that may be suspended and LDAP relies on the time being correct let’s set up NTP.

# apt-get install ntp


Update the system although there’s probably not a lot to update.

# apt-get update
# apt-get upgrade

Install all suggested updates and upgrades.

Create a vm snapshot

Now would be a good time to create a snapshot of your virtual machine. If you screw up the rest you can return the VM to this point in time. When you’re done, delete the snapshot, or export it and then delete it, because snapshots take up resources.

Open the VirtualBox Manager window, select your ownCloud vm and click the Snapshot button top right.



Click on the Take Snapshot button above ‘Current State’.



Enter a snapshot name and a description.



Read chapter one of the VirtualBox manual to learn about snapshots. It’s not difficult but a bit outside of the scope of this article.

3. Preparing the vm for ownCloud

Since we selected ‘Web server’ as one of the functions of the machine Apache2 is installed and running on the vm. You can test it by entering the vm’s ip address or hostname in your browser. It should look like this:



If it doesn’t, troubleshoot it until it works. Troubleshooting Linux systems is a very good way to learn about them. A good place to start is the error log at /var/log/apache2/error.log:
# tail /var/log/apache2/error.log

/var/www is the default place to store your websites in. By convention /var is the place where data of a variable size is stored.

Create a file /var/www/test.php and write this in it:

<?php
// prints the PHP configuration page; delete this file when you are done
phpinfo();
?>


Open your browser and navigate to http://192.168.77.130/test.php. Depending on your browser you will either get a blank page or a page showing the contents of the file you just created. We need to tell Apache to parse php files:
# apt-get install libapache2-mod-php5

Now try again.



Delete this file after you’re done installing and configuring; it’s no one’s business but your own what you have installed on your server.

We’ll be installing ownCloud manually. I prefer this method to the packaged version because it takes out the dependence on the package manager (the person managing the packages, not the package manager on your system) and you know exactly what you are doing.

Here is a list of packages that need to be installed for ownCloud to work. Some of them were preinstalled on my fresh Debian 7.3.0 install so I’m not covering them here. If you’re installing on another version or distro the complete list might come in handy.

Database:
# apt-get install mysql-server mysql-client php5-mysql
Remember the MySql root password! You won’t need it a lot but if you do it’s probably for troubleshooting.

Film and pictures preview:
# apt-get install php5-ffmpeg php5-imagick

Optional (but recommended):
# apt-get install libcurl3 curl php5-curl php5-mcrypt php5-intl

Communication with Active Directory:
# apt-get install php5-ldap

Editing documents:
# apt-get install libreoffice

Restart Apache for good measure.
# service apache2 restart

4. Installing ownCloud

After installing ownCloud you will probably want to edit php.ini a bit. By default you can only upload files of up to 2MB in size. The number of files you can upload in one go is limited and there are a couple more limits you may want to tweak.

You will need to edit php.ini for that, which you will find in the /etc/php5/apache2/ directory. After you have edited that file restart Apache.
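The directives in /etc/php5/apache2/php.ini that set those limits, as an added example (not from the article). The directive names are PHP’s own; the values are assumptions for a small site and should be sized to your users and your upload bandwidth:

```ini
; Added example: php.ini limits that govern ownCloud uploads.
; Edit /etc/php5/apache2/php.ini, then run: service apache2 restart
upload_max_filesize = 512M   ; default 2M: largest single file accepted
post_max_size = 512M         ; must be at least upload_max_filesize (size of the whole request)
max_file_uploads = 100       ; default 20: number of files accepted in one request
memory_limit = 512M          ; keep larger than post_max_size or big uploads fail
max_execution_time = 300     ; seconds; long uploads over slow links need more than the default 30
max_input_time = 300         ; seconds spent reading the request body
```

After restarting Apache, the test.php page from part 3 shows the values actually in effect, which is the quickest way to confirm you edited the right php.ini (the CLI and Apache copies are separate files).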

The download url I mention here is current at the time of writing, however ownCloud is under active development and the link will probably have changed, so go over to http://owncloud.org/install/, click ‘Tar or Zip File’ and copy the tarball’s exact url.

Via PuTTY do:

# cd /var/www
# wget http://download.owncloud.org/community/owncloud-6.0.0a.tar.bz2


Extract the tarball:

# tar -xjf owncloud-6.0.0a.tar.bz2


Fix the rights on the ownCloud folder:

# chown -R www-data:www-data /var/www/owncloud


Create a data folder – don’t do it under the ownCloud or www folder in /var because it would be open for anyone to explore. Create it outside of the /var/www folder, for example in /var/.

# mkdir /var/ownclouddata

Keep a note of where you put this folder.

Fix the rights on the data folder:

# chown -R www-data:www-data /var/ownclouddata


Tell Apache about the site by editing or creating /etc/apache2/httpd.conf:

<Directory /var/www/owncloud>
    Options Indexes FollowSymLinks MultiViews
    AllowOverride All
    Order allow,deny
    allow from all
</Directory>
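One caveat on the block above: Options Indexes makes Apache list the contents of any directory under /var/www/owncloud that has no index file, so anyone on the network can browse the application tree. The same block with directory listing switched off, as an added example that is not the article’s own configuration (Apache 2.2 syntax, as on Debian 7; AllowOverride All stays because ownCloud ships its own .htaccess):

```apache
# Added example: same site definition, directory listing disabled.
<Directory /var/www/owncloud>
    Options -Indexes +FollowSymLinks
    AllowOverride All
    Order allow,deny
    allow from all
</Directory>
```

MultiViews is dropped too; ownCloud does not need content negotiation and it makes Apache guess at file names. The data directory still belongs outside /var/www, as the article says, so that this block never applies to user files at all.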


Activate Apache’s rewrite module:

# a2enmod rewrite


Finally restart Apache:

# service apache2 restart


Usually we’d create a dedicated MySql user for ownCloud but at the moment that’s not working very well in the ownCloud administration web interface and besides, this is a dedicated machine, so we’ll just use the MySql root user. For servers hosting more sites that would be a security issue.

Browse to http://192.168.77.130/owncloud. You can safely ignore the security warning about your data directory location. OwnCloud doesn’t yet know where it is.

At the ‘Create an admin account’ section we create your ownCloud administrator account. Let’s call it ocadmin.

Enter the location of the data directory: /var/ownclouddata

As the Database user, enter root. The password is the MySql server password you entered while installing MySql.

The root user is capable of creating a database so pick a functional name, like… owncloud.

The MySql and Apache server are on the same machine so enter 127.0.0.1 as the Database host.



If all went well you will now have a functioning ownCloud server!


5. Connecting ownCloud to Active Directory

In Active Directory Users and Computers create a new user called owncloudaduser. It doesn’t have to be a member of any special groups. Give it a hard password and set it and the account to never expire. I created this user in the Users OU. This doesn’t really matter but keep it in mind when specifying the user’s DN in ownCloud.



LDAP can be tricky. If your AD works you don’t have to deal with it but as soon as things start to disintegrate you will have to get your shovel and dig in the LDAP database. Windows Server 2012 provides a couple of tools; do some Googling.

Also it can be insightful to go into Active Directory Users and Computers, select your domain, click View and check ‘Advanced features’.



Now Active Directory Users and Computers shows you a lot more information. Double-click a user and check out the new tabs. Especially handy is the Attribute Editor, which tells you not only which attributes there are but also their exact values, which can be very helpful when troubleshooting the connection between ownCloud and Active Directory.



Right, back to ownCloud. Point your browser to http://192.168.77.130/owncloud and log in as ocadmin.

From the top right menu choose Users.



Note that there is only the one ocadmin user we created earlier. Normally this is where you would create ownCloud users.

Click on the ‘+ Apps’ icon bottom left.



In the apps list scroll down to ‘LDAP user and group backend’, click it and click Enable.



From the top right menu choose Admin.



Ignore the https security warning for now. Scroll down to the LDAP section. This is the section that has the Server, User Filter, etc. tab bar on top. Start out with the Server tab and fill out your own values. Remember you can find the DN of the client user in Active Directory Users and Computers.



The ‘Could not determine Base DN’ error is caused by a bug in ownCloud; don’t worry about it.

All values are instantly saved. Press F5 to reload the page and behold! You can now enter a Base DN.



Users.testnet.netwerk is the default (with your own AD of course) but you could just enter DC=testnet,DC=netwerk. This would give you all users in the AD, including system accounts that will never need ownCloud accounts.

Click the Expert tab and in the Internal Username Attribute field enter sAMAccountName. This way ownCloud’s internal usernames are identical to your AD usernames instead of the objectSid which is a long range of numbers.



Click the Save button on the bottom of the form after you change this.

Click the Advanced tab. Under Connection Settings check these options: Configuration Active; Case insensitive LDAP server (Windows); Turn off SSL certificate validation [for now]. Set ‘Cache Time-To-Live’ to 5 seconds for now. If you are done configuring change this back to 600 or so. You don’t want to wait ten minutes after every change to test if it is working.



Click the Save button.

Under Directory Settings enter these values:
User Display Name Field: displayName
Base User Tree: CN=Users,DC=testnet,DC=netwerk
Group Display Name Field: cn
Base Group Tree: DC=testnet,DC=netwerk (I’m not sure this makes any difference, I’ve never seen ownCloud pull non-system groups from LDAP)
Group-Member association: member (AD) (idem: this makes no difference but this is supposedly the correct setting)



Click Save, then click the Login Filter tab. You may now see a ‘Configuration incorrect’ message followed by a red square. Don’t worry about it; this is ownCloud being confused I guess.

Click the ‘Edit raw filter instead’ line and enter this text:
(&(memberOf:1.2.840.113556.1.4.1941:=cn=ocusers,dc=testnet,dc=netwerk)(sAMAccountName=%uid))
(I edited the screenshot a bit so it would show all text.)



The memberOf:1.2.840.113556.1.4.1941: key is interesting. It means “members of the following group, including indirect members due to group nesting”. This will include User4 even though User4 is not a member of the ocusers group.

sAMAccountName=%uid means “where the sAMAccountName value equals the string the user entered in the username field on the logon page”.

The Login Filter tells ownCloud which users are allowed to log in and which LDAP attributes they are allowed to use for their usernames.
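A small model of what the Login Filter does, added here as an example and not taken from ownCloud’s LDAP backend: it walks group nesting the way the 1.2.840.113556.1.4.1941 matching rule does (so User4 is admitted through Testgroup) and substitutes the typed username into the filter only after escaping it according to RFC 4515, which is what any software that substitutes user input into an LDAP filter has to do, because an unescaped ‘*’ or ‘)’ would change the filter’s meaning instead of being compared as text. The directory contents are constructed sample data mirroring the lab setup (the group DN is used exactly as typed in the filter above; the user DNs are made up). The same matching rule is what the User Filter in the next step relies on.

```python
"""Added example (not ownCloud's code): a mini model of how the article's
Login Filter admits users, including nested group members, and why the
value substituted for %uid must be escaped first."""

# Matching-rule OID from the article's filter (LDAP_MATCHING_RULE_IN_CHAIN);
# AD evaluates it transitively, so nested group members match too.
IN_CHAIN = "1.2.840.113556.1.4.1941"
OCUSERS_DN = "cn=ocusers,dc=testnet,dc=netwerk"  # group DN exactly as typed in the article

# Constructed sample directory mirroring the lab: ocusers holds User2, User3 and
# Testgroup; Testgroup holds User4. DNs are stored lower-case because AD
# compares them case-insensitively. Not real AD data.
DIRECTORY = {
    OCUSERS_DN: {"objectClass": "group",
                 "member": ["cn=user2,dc=testnet,dc=netwerk",
                            "cn=user3,dc=testnet,dc=netwerk",
                            "cn=testgroup,dc=testnet,dc=netwerk"]},
    "cn=testgroup,dc=testnet,dc=netwerk": {"objectClass": "group",
                                          "member": ["cn=user4,dc=testnet,dc=netwerk"]},
    "cn=user1,dc=testnet,dc=netwerk": {"objectClass": "user", "sAMAccountName": "User1"},
    "cn=user2,dc=testnet,dc=netwerk": {"objectClass": "user", "sAMAccountName": "User2"},
    "cn=user3,dc=testnet,dc=netwerk": {"objectClass": "user", "sAMAccountName": "User3"},
    "cn=user4,dc=testnet,dc=netwerk": {"objectClass": "user", "sAMAccountName": "User4"},
}

# The raw Login Filter from the article, with %uid as the placeholder.
LOGIN_FILTER_TEMPLATE = ("(&(memberOf:" + IN_CHAIN + ":=" + OCUSERS_DN + ")"
                         "(sAMAccountName=%uid))")


def escape_filter_value(value):
    """Escape a value for use inside an LDAP filter (RFC 4515): the characters
    backslash, *, (, ) and NUL become \\xx hex escapes, so typed input is
    compared as literal text and cannot alter the filter's structure."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch
                   for ch in value)


def login_filter(username):
    """The raw Login Filter with the typed username substituted for %uid."""
    return LOGIN_FILTER_TEMPLATE.replace("%uid", escape_filter_value(username))


def transitive_members(group_dn, _seen=None):
    """User DNs that are direct or nested members of group_dn, i.e. what
    memberOf matches once the in-chain rule is applied."""
    seen = set() if _seen is None else _seen
    users = set()
    for dn in DIRECTORY.get(group_dn.lower(), {}).get("member", []):
        entry = DIRECTORY.get(dn, {})
        if entry.get("objectClass") == "group":
            if dn not in seen:  # guard against cyclic nesting
                seen.add(dn)
                users |= transitive_members(dn, seen)
        else:
            users.add(dn)
    return users


def login_allowed(username):
    """True if the Login Filter admits this username. Because login_filter()
    escapes the value, the server compares it as literal text, so this is an
    exact (case-insensitive) sAMAccountName match among the group's direct and
    nested members; a typed '*' is just an account name nobody has."""
    for dn in transitive_members(OCUSERS_DN):
        if DIRECTORY[dn].get("sAMAccountName", "").lower() == username.lower():
            return True
    return False


if __name__ == "__main__":
    for name in ("User1", "User2", "User4", "*"):
        print("%-5s allowed=%-5s filter=%s"
              % (name, login_allowed(name), login_filter(name)))
```

To check the real filter against your domain controller from the Debian box, install ldap-utils and run ldapsearch with the owncloudaduser bind DN (-D), its password (-W), your base DN (-b) and the filter with %uid replaced by a real account name; if that query returns the expected users, the ownCloud side is a matter of getting the same string into the form.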

Clicking Continue will take you to the Group Filter tab and, if all went well, replace the error message by a happy ‘Configuration OK’ message followed by a green dot.



(Yes, I edited the screenshot so it would show all text.)

The Login Filter raw filter string you entered is very sensitive to changes in other places in the ownCloud administration web interface and even to reloads of the page itself. If you change anything, check back here and fix the value if necessary. The fix may take, but if you press F5 the default value is restored. I hope this will be fixed in future updates but for now it helps if you are aware of these… features.

Before continuing, check which users are listed in the User section (top right menu, Users). Note that there are too many.

Under the User Filter tab click ‘Edit raw filter instead’ and enter this text:

memberOf:1.2.840.113556.1.4.1941:=cn=ocusers,dc=testnet,dc=netwerk

Press Continue to save the value.

Check back in the top right menu under Users and verify that all intended users are present.



There’s a fair chance it won’t work the first time but it helps to know which values should work and once it works it keeps working.
