<div dir="ltr"><div>Hello everybody,<br></div><div><br></div><div>I can also confirm that after implementing my Samba4 Active Directory emulation and adding it to my engine it works fine. I can add users to my Samba4 and after that I can grant the permission in my engine webadmin portal and use my VMs. Now, as I said before, I will try to create a process to import my OpenLDAP users into this Samba 4.0.6 so that the students are able to use oVirt.</div>
<div><br></div><div>Many thanks.</div><div><br></div><div>Juanjo.</div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Mon, Jul 1, 2013 at 1:56 PM, Juan Jose <span dir="ltr"><<a href="mailto:jj197005@gmail.com" target="_blank">jj197005@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div>Hello everybody,<br></div><div><br></div><div>Thanks, Gianluca, for sharing your experience. I have now installed and configured Samba 4.0.6 on the Debian 7 Stable distro and I'm at the step of importing all my users from my production OpenLDAP + Samba 3 server to this new server, which is now working. After that I want to join it to my oVirt engine. I will share my experience too when I have the whole system working.</div>
<div><br></div><div>Thanks again,</div><div><br></div><div>Juanjo.</div></div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><br><div class="gmail_quote">On Fri, Jun 28, 2013 at 4:44 PM, Charlie <span dir="ltr"><<a href="mailto:medievalist@gmail.com" target="_blank">medievalist@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div>Excellent, Gianluca, thanks for sharing the information!<span><font color="#888888"><br>
</font></span></div><span><font color="#888888">--Charlie<br></font></span></div><div><div><div class="gmail_extra"><br><br><div class="gmail_quote">On Fri, Jun 28, 2013 at 10:19 AM, Gianluca Cecchi <span dir="ltr"><<a href="mailto:gianluca.cecchi@gmail.com" target="_blank">gianluca.cecchi@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hello,<br>
in the past there were some threads related to this subject.<br>
Today I successfully connected my oVirt 3.2.2 (installed on f18 with<br>
ovirt-repo) to a CentOS 6 samba4 server.<br>
<br>
Basically I followed this nice page for CentOS 6 with the difference<br>
that I downloaded and compiled 4.0.6 version of Samba instead of<br>
4.0.0:<br>
<br>
<a href="http://opentodo.net/2013/01/samba4-as-ad-domain-controller-on-centos-6/" target="_blank">http://opentodo.net/2013/01/samba4-as-ad-domain-controller-on-centos-6/</a><br>
<br>
One important thing is that I had to put the samba4 server IP in<br>
resolv.conf as the first nameserver for my engine.<br>
But in my case this was not a problem because samba4 is then<br>
configured with the original corporate DNS as forwarder, so all is OK<br>
for me.<br>
<br>
Some commands' output<br>
<br>
[root@c6dc samba-4.0.6]# /usr/local/samba/bin/samba-tool domain<br>
provision --realm=ovtest.local --domain=OVTEST --adminpass 'XXXXXXXXX'<br>
--server-role=dc --dns-backend=BIND9_DLZ<br>
Looking up IPv4 addresses<br>
Looking up IPv6 addresses<br>
No IPv6 address will be assigned<br>
Setting up secrets.ldb<br>
Setting up the registry<br>
Setting up the privileges database<br>
Setting up idmap db<br>
Setting up SAM db<br>
Setting up sam.ldb partitions and settings<br>
Setting up sam.ldb rootDSE<br>
Pre-loading the Samba 4 and AD schema<br>
Adding DomainDN: DC=ovtest,DC=local<br>
Adding configuration container<br>
Setting up sam.ldb schema<br>
Setting up sam.ldb configuration data<br>
Setting up display specifiers<br>
Modifying display specifiers<br>
Adding users container<br>
Modifying users container<br>
Adding computers container<br>
Modifying computers container<br>
Setting up sam.ldb data<br>
Setting up well known security principals<br>
Setting up sam.ldb users and groups<br>
Setting up self join<br>
Adding DNS accounts<br>
Creating CN=MicrosoftDNS,CN=System,DC=ovtest,DC=local<br>
Creating DomainDnsZones and ForestDnsZones partitions<br>
Populating DomainDnsZones and ForestDnsZones partitions<br>
See /usr/local/samba/private/named.conf for an example configuration<br>
include file for BIND<br>
and /usr/local/samba/private/named.txt for further documentation<br>
required for secure DNS updates<br>
Setting up sam.ldb rootDSE marking as synchronized<br>
Fixing provision GUIDs<br>
A Kerberos configuration suitable for Samba 4 has been generated at<br>
/usr/local/samba/private/krb5.conf<br>
Once the above files are installed, your Samba4 server will be ready to use<br>
Server Role: active directory domain controller<br>
Hostname: c6dc<br>
NetBIOS Domain: OVTEST<br>
DNS Domain: ovtest.local<br>
DOMAIN SID: S-1-5-21-4186344073-955232896-1764362378<br>
<br>
<br>
[root@c6dc samba-4.0.6]# rndc-confgen -a -r /dev/urandom<br>
wrote key file "/etc/rndc.key"<br>
<br>
<br>
- tests<br>
(see also <a href="http://www.alexwyn.com/computer-tips/centos-samba4-active-directory-domain-controller" target="_blank">http://www.alexwyn.com/computer-tips/centos-samba4-active-directory-domain-controller</a>)<br>
<br>
[root@c6dc ]# /usr/local/samba/bin/smbclient -L localhost -U%<br>
Domain=[OVTEST] OS=[Unix] Server=[Samba 4.0.6]<br>
<br>
Sharename Type Comment<br>
--------- ---- -------<br>
netlogon Disk<br>
sysvol Disk<br>
IPC$ IPC IPC Service (Samba 4.0.6)<br>
Domain=[OVTEST] OS=[Unix] Server=[Samba 4.0.6]<br>
<br>
Server Comment<br>
--------- -------<br>
<br>
Workgroup Master<br>
--------- -------<br>
<br>
[root@c6dc ntp-4.2.6p5]# host -t SRV _ldap._tcp.ovtest.local.<br>
_ldap._tcp.ovtest.local has SRV record 0 100 389 c6dc.ovtest.local.<br>
<br>
[root@c6dc ntp-4.2.6p5]# host -t SRV _kerberos._udp.ovtest.local.<br>
_kerberos._udp.ovtest.local has SRV record 0 100 88 c6dc.ovtest.local.<br>
<br>
<br>
[root@c6dc ntp-4.2.6p5]# kinit administrator@OVTEST.LOCAL<br>
Password for administrator@OVTEST.LOCAL:<br>
Warning: Your password will expire in 41 days on Fri Aug 9 13:30:59 2013<br>
<br>
[root@c6dc ntp-4.2.6p5]# klist<br>
Ticket cache: FILE:/tmp/krb5cc_0<br>
Default principal: administrator@OVTEST.LOCAL<br>
<br>
Valid starting Expires Service principal<br>
06/28/13 14:55:11 06/29/13 00:55:11 krbtgt/OVTEST.LOCAL@OVTEST.LOCAL<br>
renew until 07/05/13 14:55:08<br>
<br>
Users' management can be done from Windows with the Samba AD management tools,<br>
see: <a href="http://wiki.samba.org/index.php/Samba_AD_management_from_windows" target="_blank">http://wiki.samba.org/index.php/Samba_AD_management_from_windows</a><br>
<br>
I managed them from Linux,<br>
see: <a href="http://wiki.samba.org/index.php/Adding_users_with_samba_tool" target="_blank">http://wiki.samba.org/index.php/Adding_users_with_samba_tool</a><br>
<br>
[root@c6dc ntp-4.2.6p5]# /usr/local/samba/bin/samba-tool user add OVIRTADM<br>
New Password:<br>
Retype Password:<br>
User 'OVIRTADM' created successfully<br>
<br>
[root@c6dc ntp-4.2.6p5]# /usr/local/samba/bin/wbinfo --name-to-sid OVIRTADM<br>
S-1-5-21-4186344073-955232896-1764362378-1104 SID_USER (1)<br>
<br>
[root@c6dc ntp-4.2.6p5]# /usr/local/samba/bin/wbinfo --sid-to-uid<br>
S-1-5-21-4186344073-955232896-1764362378-1104<br>
3000016<br>
<br>
I missed givenName and sn in user creation....<br>
Unfortunately there is only a proposed patch for an "edit" subcommand,<br>
but it is not in yet.<br>
<a href="http://samba.2283325.n4.nabble.com/Patch-for-samba-tool-user-modify-subcommand-td4634884.html" target="_blank">http://samba.2283325.n4.nabble.com/Patch-for-samba-tool-user-modify-subcommand-td4634884.html</a><br>
<br>
See also:<br>
<a href="https://wiki.samba.org/index.php/Samba4/LDBIntro" target="_blank">https://wiki.samba.org/index.php/Samba4/LDBIntro</a><br>
<br>
To modify users' attributes I used this:<br>
[root@c6dc ntp-4.2.6p5]# /usr/local/samba/bin/ldbedit -e vi -H<br>
/usr/local/samba/private/idmap.ldb<br>
objectsid=S-1-5-21-4186344073-955232896-1764362378-1104<br>
<br>
here you enter a vi session....<br>
<br>
# editing 1 records<br>
# record 1<br>
dn: CN=S-1-5-21-4186344073-955232896-1764362378-1104<br>
cn: S-1-5-21-4186344073-955232896-1764362378-1104<br>
objectClass: sidMap<br>
objectSid: S-1-5-21-4186344073-955232896-1764362378-1104<br>
type: ID_TYPE_BOTH<br>
xidNumber: 3000016<br>
givenName: oVirt <---- added<br>
sn: Admin <---- added<br>
distinguishedName: CN=S-1-5-21-4186344073-955232896-1764362378-1104<br>
<br>
<br>
[root@c6dc ntp-4.2.6p5]# kinit ovirtadm@OVTEST.LOCAL<br>
Password for ovirtadm@OVTEST.LOCAL:<br>
Warning: Your password will expire in 41 days on Fri Aug 9 15:05:45 2013<br>
<br>
[root@c6dc ntp-4.2.6p5]# klist<br>
Ticket cache: FILE:/tmp/krb5cc_0<br>
Default principal: ovirtadm@OVTEST.LOCAL<br>
<br>
Valid starting Expires Service principal<br>
06/28/13 15:12:30 06/29/13 01:12:30 krbtgt/OVTEST.LOCAL@OVTEST.LOCAL<br>
renew until 07/05/13 15:12:27<br>
<br>
<br>
Without putting the samba4 IP in the engine's resolv.conf I got this error:<br>
<br>
[root@f18engine ~]# engine-manage-domains -action=add<br>
-domain='OVTEST.LOCAL' -provider=ActiveDirectory -user='ovirtadm'<br>
-interactive<br>
No LDAP servers can be obtained for domain ovtest.local<br>
<br>
Now:<br>
[root@f18engine ~]# engine-manage-domains -action=add<br>
-domain='OVTEST.LOCAL' -provider=ActiveDirectory -user='ovirtadm'<br>
-interactive<br>
Enter password:<br>
<br>
The domain ovtest.local has been added to the engine as an<br>
authentication source but no users from that domain have been granted<br>
permissions within the oVirt Manager.<br>
Users from this domain can be granted permissions from the Web<br>
administration interface.<br>
oVirt Engine restart is required in order for the changes to take<br>
place (service ovirt-engine restart).<br>
Manage Domains completed successfully<br>
<br>
Restart the engine with<br>
<br>
systemctl restart ovirt-engine<br>
<br>
Then I added the user to oVirt in the webadmin GUI:<br>
<br>
Configure --> System Permissions --> Add<br>
Selected ovirtadm and its domain ovtest.local and gave him the SuperUser role<br>
<br>
Tested successfully connecting to the Webadmin GUI and creating one VM<br>
<br>
HTH others.<br>
<br>
I'm going to see if this works with VMware too....<br>
<br>
Gianluca<br>
_______________________________________________<br>
Users mailing list<br>
<a href="mailto:Users@ovirt.org" target="_blank">Users@ovirt.org</a><br>
<a href="http://lists.ovirt.org/mailman/listinfo/users" target="_blank">http://lists.ovirt.org/mailman/listinfo/users</a><br>
</blockquote></div><br></div>
</div></div><br>
<br></blockquote></div><br></div>
</div></div></blockquote></div><br></div>
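The failure Gianluca hit ("No LDAP servers can be obtained for domain ovtest.local") comes from the engine looking up the AD SRV records through the resolver, which is why the DC had to be the first nameserver in resolv.conf. The following added example (not part of any message in this thread) parses `host -t SRV` output for `_ldap._tcp` and `_kerberos._udp`, orders the domain controllers per RFC 2782, and reports the same kind of error when the records are missing; the second DC `c6dc2` and the dict of outputs are constructed for illustration.

```python
import random
import re
from collections import namedtuple

SrvRecord = namedtuple("SrvRecord", "name priority weight port target")

# One line of `host -t SRV` output, e.g.
# _ldap._tcp.ovtest.local has SRV record 0 100 389 c6dc.ovtest.local.
SRV_LINE = re.compile(r"^(?P<name>\S+) has SRV record (?P<prio>\d+) "
                      r"(?P<weight>\d+) (?P<port>\d+) (?P<target>\S+?)\.?$")


def parse_srv(host_output):
    """Return the SRV records found in `host -t SRV` output; NXDOMAIN lines are skipped."""
    records = []
    for line in host_output.splitlines():
        m = SRV_LINE.match(line.strip())
        if m:
            records.append(SrvRecord(m["name"].rstrip("."), int(m["prio"]),
                                     int(m["weight"]), int(m["port"]), m["target"]))
    return records


def order_srv(records, rng=None):
    """RFC 2782 order: lowest priority first, weighted random choice within a priority."""
    rng = rng or random.Random(0)          # seeded so the example is reproducible
    ordered = []
    for prio in sorted({r.priority for r in records}):
        group = [r for r in records if r.priority == prio]
        while group:
            total = sum(r.weight for r in group)
            pick, acc = rng.uniform(0, total), 0
            chosen = group[-1]
            for r in group:
                acc += r.weight
                if acc >= pick:
                    chosen = r
                    break
            ordered.append(chosen)
            group.remove(chosen)
    return ordered


def discover_dcs(domain, srv_outputs):
    """Mimic the engine's discovery: the realm is lower-cased and both the LDAP and
    Kerberos SRV records must resolve. `srv_outputs` maps query name -> host output
    (constructed stand-in for running `host` against the resolver in resolv.conf)."""
    domain, found = domain.lower(), {}
    for service in ("_ldap._tcp", "_kerberos._udp"):
        name = f"{service}.{domain}"
        recs = [r for r in parse_srv(srv_outputs.get(name, "")) if r.name == name]
        if not recs:
            raise LookupError(f"No LDAP servers can be obtained for domain {domain}")
        found[service] = [(r.target, r.port) for r in order_srv(recs)]
    return found


# Constructed sample, modelled on the thread's records plus a hypothetical second DC.
SAMPLE = {
    "_ldap._tcp.ovtest.local":
        "_ldap._tcp.ovtest.local has SRV record 0 100 389 c6dc.ovtest.local.\n"
        "_ldap._tcp.ovtest.local has SRV record 10 100 389 c6dc2.ovtest.local.\n",
    "_kerberos._udp.ovtest.local":
        "_kerberos._udp.ovtest.local has SRV record 0 100 88 c6dc.ovtest.local.\n",
}
```

Run it against real output by feeding `subprocess.check_output(["host", "-t", "SRV", name])` into the dict before calling `engine-manage-domains`; an empty result means the engine will fail exactly as shown in the thread.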