[Users] oVirt 3.2.2 successfully connected to Samba4

28 Jun 2013

      Hello,
in the past there were some threads related to this subject.
Today I successfully connected my oVirt 3.2.2 (installed on f18 with
ovirt-repo) to a CentOS 6 samba4 server.

Basically I followed this nice page for CentOS 6 with the difference
that I downloaded and compiled 4.0.6 version of Samba instead of
4.0.0:

http://opentodo.net/2013/01/samba4-as-ad-domain-controller-on-centos-6/

One important thing is that I had to put samba4 server ip in
resolv.conf as the first for my engine.
But in my case this was not a problem because samba4 is then
configured with the original corporate dns as forwarder, so all is ok
for me

Some commands' output

[root@c6dc samba-4.0.6]# /usr/local/samba/bin/samba-tool domain
provision --realm=ovtest.local --domain=OVTEST --adminpass 'XXXXXXXXX'
--server-role=dc --dns-backend=BIND9_DLZ
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=ovtest,DC=local
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Modifying display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
Setting up self join
Adding DNS accounts
Creating CN=MicrosoftDNS,CN=System,DC=ovtest,DC=local
Creating DomainDnsZones and ForestDnsZones partitions
Populating DomainDnsZones and ForestDnsZones partitions
See /usr/local/samba/private/named.conf for an example configuration
include file for BIND
and /usr/local/samba/private/named.txt for further documentation
required for secure DNS updates
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable for Samba 4 has been generated at
/usr/local/samba/private/krb5.conf
Once the above files are installed, your Samba4 server will be ready to use
Server Role:           active directory domain controller
Hostname:              c6dc
NetBIOS Domain:        OVTEST
DNS Domain:            ovtest.local
DOMAIN SID:            S-1-5-21-4186344073-955232896-1764362378

[root@c6dc samba-4.0.6]# rndc-confgen -a -r /dev/urandom
wrote key file "/etc/rndc.key"

- tests
(see also http://www.alexwyn.com/computer-tips/centos-samba4-active-directory-domain-c...)

[root@c6dc ]# /usr/local/samba/bin/smbclient -L localhost -U%
Domain=[OVTEST] OS=[Unix] Server=[Samba 4.0.6]

Sharename       Type      Comment
---------       ----      -------
netlogon        Disk
sysvol          Disk
IPC$            IPC       IPC Service (Samba 4.0.6)
Domain=[OVTEST] OS=[Unix] Server=[Samba 4.0.6]

Server               Comment
---------            -------

Workgroup            Master
---------            -------

[root@c6dc ntp-4.2.6p5]# host -t SRV _ldap._tcp.ovtest.local.
_ldap._tcp.ovtest.local has SRV record 0 100 389 c6dc.ovtest.local.

[root@c6dc ntp-4.2.6p5]# host -t SRV _kerberos._udp.ovtest.local.
_kerberos._udp.ovtest.local has SRV record 0 100 88 c6dc.ovtest.local.

[root@c6dc ntp-4.2.6p5]# kinit administrator@OVTEST.LOCAL
Password for administrator@OVTEST.LOCAL:
Warning: Your password will expire in 41 days on Fri Aug  9 13:30:59 2013

[root@c6dc ntp-4.2.6p5]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@OVTEST.LOCAL

Valid starting     Expires            Service principal
06/28/13 14:55:11  06/29/13 00:55:11  krbtgt/OVTEST.LOCAL@OVTEST.LOCAL
renew until 07/05/13 14:55:08

Users' mgmt can be done from windows with Samba AD management tools
see: http://wiki.samba.org/index.php/Samba_AD_management_from_windows

I managed from linux
see: http://wiki.samba.org/index.php/Adding_users_with_samba_tool

[root@c6dc ntp-4.2.6p5]# /usr/local/samba/bin/samba-tool user add OVIRTADM
New Password:
Retype Password:
User 'OVIRTADM' created successfully

[root@c6dc ntp-4.2.6p5]# /usr/local/samba/bin/wbinfo --name-to-sid OVIRTADM
S-1-5-21-4186344073-955232896-1764362378-1104 SID_USER (1)

[root@c6dc ntp-4.2.6p5]# /usr/local/samba/bin/wbinfo --sid-to-uid
S-1-5-21-4186344073-955232896-1764362378-1104
3000016

I missed givenName and sn in user creation....
Unfortunately there is a only proposed patch for an "edit" subcommand
but is not inside yet.
http://samba.2283325.n4.nabble.com/Patch-for-samba-tool-user-modify-subcomma...

See also:
https://wiki.samba.org/index.php/Samba4/LDBIntro

To modify users' attributes I used this:
[root@c6dc ntp-4.2.6p5]# /usr/local/samba/bin/ldbedit -e vi -H
/usr/local/samba/private/idmap.ldb
objectsid=S-1-5-21-4186344073-955232896-1764362378-1104

here you enter into a vi session....

# editing 1 records
# record 1
dn: CN=S-1-5-21-4186344073-955232896-1764362378-1104
cn: S-1-5-21-4186344073-955232896-1764362378-1104
objectClass: sidMap
objectSid: S-1-5-21-4186344073-955232896-1764362378-1104
type: ID_TYPE_BOTH
xidNumber: 3000016
givenName: oVirt <---- added
sn: Admin <---- added
distinguishedName: CN=S-1-5-21-4186344073-955232896-1764362378-1104

[root@c6dc ntp-4.2.6p5]# kinit ovirtadm@OVTEST.LOCAL
Password for ovirtadm@OVTEST.LOCAL:
Warning: Your password will expire in 41 days on Fri Aug  9 15:05:45 2013

[root@c6dc ntp-4.2.6p5]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: ovirtadm@OVTEST.LOCAL

Valid starting     Expires            Service principal
06/28/13 15:12:30  06/29/13 01:12:30  krbtgt/OVTEST.LOCAL@OVTEST.LOCAL
renew until 07/05/13 15:12:27

Without putting samba4 ip in resolv.conf of engine I got this error

[root@f18engine ~]# engine-manage-domains -action=add
-domain='OVTEST.LOCAL' -provider=ActiveDirectory -user='ovirtadm'
-interactive
No LDAP servers can be obtained for domain ovtest.local

Now
[root@f18engine ~]# engine-manage-domains -action=add
-domain='OVTEST.LOCAL' -provider=ActiveDirectory -user='ovirtadm'
-interactive
Enter password:

The domain ovtest.local has been added to the engine as an
authentication source but no users from that domain have been granted
permissions within the oVirt Manager.
Users from this domain can be granted permissions from the Web
administration interface.
oVirt Engine restart is required in order for the changes to take
place (service ovirt-engine restart).
Manage Domains completed successfully

restart engine with

systemctl restart ovirt-engine

Then I added the user to ovirt in webadmin gui:

Configure --> System Permissions --> Add
Selected ovirtadm and its domain ovtest.local and give him SuperUser role

Tried to successfully connect to Webadmin Gui and create one VM as a test

HIH others.

I'm going to see if this works with VMware too....

Gianluca

Gianluca Cecchi

Charlie

Juan Jose

Juan Jose

Karli Sjöberg

tags

participants (4)