Owncloud add to domain, with "non Domain Admins" user

Hello!
I am a newbie with the ownCloud program.
We have a fresh ownCloud installation. We want to add this server to an Active Directory domain.
I have an account which is not in the “Domain Admins” group, but has the right to add servers and workstations to the domain.
When I try to do that, I get the error “Error cannot add server to domain, because user is not in Domain Admins group”.
Adding servers with a Domain Admin account is not secure and is more risky, because domain admins have more rights than are needed to add a server to the domain.
Please help to resolve this problem.

Hi,
Thanks for opening a new topic in the server category. When opening a topic in this category there is a template that needs to be filled out, so the users in this forum that are trying to help you can do this effectively.

Please fill out the template.
And also explain in a little more detail where and how exactly you are trying to add the ownCloud server to AD.
Cheers,

Steps to reproduce

1. Install the appliance
2. During installation, add it to the Active Directory domain
3. Error while adding the server with a non Domain Admin user

Expected behaviour

It should be possible to add the server to the Active Directory domain with a user that is not a Domain Admin.

Actual behaviour

The installation shows an error and says that the user isn’t in the Domain Admins group, so it sees the domain normally.

Server configuration

Operating system:

Web server:

Database:

PHP version:

ownCloud version: 10.2.1

Updated from an older ownCloud or fresh install:

**Where did you install ownCloud from:** VMWare virtual appliance

Signing status (ownCloud 9.0 and above):

Login as admin user into your ownCloud and access 
http://example.com/index.php/settings/integrity/failed 
paste the results into https://gist.github.com/ and put the link here.
The product isn't installed yet, because I cannot add it to the domain.


**The content of config/config.php:**

Log in to the web-UI with an administrator account and click on
‘admin’ -> ‘Generate Config Report’ -> ‘Download ownCloud config report’
This report includes the config.php settings, the list of activated apps
and other details in a well sanitized form.

Cannot see because server isn’t installed

or

If you have access to your command line run e.g.:
sudo -u www-data php occ config:list system
from within your ownCloud installation folder

ATTENTION: Do not post your config.php file in public as is. Please use one of the above
methods whenever possible. Both, the generated reports from the web-ui and from occ config:list
consistently remove sensitive data. You still may want to review the report before sending.
If done manually then it is critical for your own privacy to diligently
remove all host names, passwords, usernames, salts and other credentials before posting.
You should assume that attackers find such information and will use them against your systems.


**List of activated apps:**

If you have access to your command line run e.g.:
sudo -u www-data php occ app:list
from within your ownCloud installation folder.


**Are you using external storage, if yes which one:** local/smb/sftp/...

**Are you using encryption:** yes/no

**Are you using an external user-backend, if yes which one:** LDAP/ActiveDirectory/Webdav/...

Hi, thanks for that.
Are you sure it’s possible to add a computer to an AD without domain admin privileges?

It is generally not recommended to join the UCS to the AD, as it has no advantages over simply adding LDAP user authentication against AD from within ownCloud.

Please have a look at the ownCloud LDAP app configuration guide in the ownCloud docs

  1. Yes, I am sure that I can add workstations and servers without a domain admin account.
  2. I also tried to use an LDAP user, but I usually get an error:

The application for working with LDAP is the standard one in the ownCloud installation, called “LDAP Integration”, version 0.13.0.

  • I go to User Authentication
  • press the “+” button to add one more domain to authenticate against,
  • add my domain controller IP address and port 389,
  • add the CN where my “non Domain Admin” user is located: “CN=owncloud,CN=Users,DC=xxx,DC=xxx”
  • add the password in the password field
  • use as Base DN: “OU=Users,OU=xxx,DC=xxx,DC=xxx”

I get the error “Configuration incomplete”, and if I use the Test Base DN button, the error is: “LDAP Operations error
The Base DN appears to be wrong”.

So here I cannot work with the domain either.
Maybe there is some limitation that the user must be in the Domain Admins group, but this is wrong. I don’t know.

The user_ldap app can have some problems that are very hard to reproduce. I once had some problems with the connection that were solved by writing the user account in a different format, like so:
owncloud@domain.tld

It can be helpful to construct ldapsearch commands to figure out the correct values for the user_ldap app.
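As an added example (not code from the original thread, ownCloud or the user_ldap app), the script below does offline what the reply above recommends: it parses the bind DN and base DN from the thread, flags the mismatches that commonly surface as “The Base DN appears to be wrong”, derives the `user@domain.tld` (userPrincipalName) form of the bind account that fixed the connection, and renders the `ldapsearch` commands that verify each value against the domain controller. The host `10.0.0.5`, the domain `example.com`, the OU `Corp` and the password file path are constructed stand-ins for the thread's `xxx` placeholders; the UPN derivation assumes the UPN suffix equals the DNS domain name, which is the AD default but can be changed.

```python
"""Offline sanity checks for a user_ldap bind DN / base DN pair against AD.

Added example, not ownCloud or user_ldap code. Domain, host, OU names and
file paths below are constructed stand-ins for the thread's placeholders.
"""
import shlex
from typing import Dict, List, Tuple

RDN = Tuple[str, str]  # (ATTRIBUTE, value), attribute upper-cased


def parse_dn(dn: str) -> List[RDN]:
    """Split a DN into RDNs, leftmost first; keeps backslash-escaped commas.

    Quoted and multi-valued RDNs (rare in AD) are not handled.
    """
    parts, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # escaped char, copy both bytes
            buf.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    rdns = []
    for part in parts:
        if "=" not in part:
            raise ValueError(f"malformed RDN {part!r} in {dn!r}")
        attr, value = part.split("=", 1)
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns


def domain_suffix(dn: str) -> str:
    """The DC= components only, e.g. 'DC=example,DC=com'."""
    return ",".join(f"DC={v}" for a, v in parse_dn(dn) if a == "DC")


def dns_name(dn: str) -> str:
    """DC components joined as a DNS name, e.g. 'example.com'."""
    return ".".join(v for a, v in parse_dn(dn) if a == "DC")


def upn_for(bind_dn: str) -> str:
    """userPrincipalName form of the bind account (the format from the reply).

    Assumption: the UPN suffix is the DNS domain name (AD default)."""
    return f"{parse_dn(bind_dn)[0][1]}@{dns_name(bind_dn)}"


def check_config(bind_dn: str, base_dn: str) -> List[str]:
    """Return findings about the two DNs; an empty list means nothing obvious."""
    findings = []
    bind, base = parse_dn(bind_dn), parse_dn(base_dn)
    if domain_suffix(bind_dn).lower() != domain_suffix(base_dn).lower():
        findings.append("bind DN and base DN end in different DC= suffixes; "
                        "both must be in the same domain naming context")
    if bind[0][0] != "CN":
        findings.append("bind DN does not start with CN=; AD user objects are named by CN")
    if base[0] == ("OU", "Users"):
        findings.append("base DN starts with OU=Users; AD's built-in Users container "
                        "is CN=Users, so confirm this OU really exists")
    # Case-insensitive suffix comparison, RDN by RDN (not a plain string endswith).
    bind_l = [(a, v.lower()) for a, v in bind]
    base_l = [(a, v.lower()) for a, v in base]
    if bind_l[-len(base_l):] != base_l:
        findings.append("bind account is outside the base DN; the bind still works, "
                        "but the account will not be visible as an ownCloud user")
    return findings


def ldapsearch_commands(host: str, port: int, bind_identity: str,
                        password_file: str, base_dn: str) -> Dict[str, str]:
    """Render ldapsearch invocations that verify bind, base DN and user lookup.

    -y reads the password from a file so it never lands in shell history; the
    rootDSE query needs no correct base DN and reports the domain's real one."""
    common = ["ldapsearch", "-x", "-LLL", "-H", f"ldap://{host}:{port}",
              "-D", bind_identity, "-y", password_file]
    argvs = {
        "bind": common + ["-s", "base", "-b", "", "(objectClass=*)", "defaultNamingContext"],
        "base_dn": common + ["-s", "base", "-b", base_dn, "(objectClass=*)", "distinguishedName"],
        "users": common + ["-b", base_dn, "(&(objectClass=user)(objectCategory=person))",
                           "sAMAccountName", "userPrincipalName"],
    }
    return {name: shlex.join(argv) for name, argv in argvs.items()}


if __name__ == "__main__":
    # Constructed values standing in for the thread's xxx placeholders.
    BIND_DN = "CN=owncloud,CN=Users,DC=example,DC=com"
    BASE_DN = "OU=Users,OU=Corp,DC=example,DC=com"
    for finding in check_config(BIND_DN, BASE_DN):
        print("check:", finding)
    print("UPN to try in the user DN field:", upn_for(BIND_DN))
    for name, cmd in ldapsearch_commands("10.0.0.5", 389, upn_for(BIND_DN),
                                         "/root/ldap-agent.pw", BASE_DN).items():
        print(f"{name}: {cmd}")
```

Run the printed `bind` command first: AD answers a search on a connection whose bind did not succeed with result code 1 (“Operations error”), which is why a wrong account format shows up in the user_ldap UI as a base DN complaint rather than a credential error. If `bind` succeeds, the `defaultNamingContext` it returns is the DC= suffix the base DN has to end with; only then does the `base_dn` result say anything about the OU path itself.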

Thank you! It helped us. I will write this to technical support, so it can be added to the documentation.

Have a nice day.
