Hello everybody,
I can confirm also that after implement my Samba4 Active Directory
emulation and add it to my engine it works fine. I can add users to my
Samba4 and after that I can grant the permission in my engine webadmin
portal and use my VMs. Now, as I told before I will try to create a process
to import my OpenLDAP users to this Samba 4.0.6 to be able to use the ovirt
by the students.
Many thanks.
Juanjo.
On Mon, Jul 1, 2013 at 1:56 PM, Juan Jose <jj197005(a)gmail.com> wrote:
Hello everybody,
Thanks Gianluca for share your experience. I have now installed and
configured a Samba 4.0.6 over Debian 7 Stable distro and I'm in the step of
importing all my users from my production OpenLDAP + Samba 3 server to this
new server which it's now working. After that I want join it to my oVirt
engine. I will share too my experience when I have the system all working.
Thanks again,
Juanjo.
On Fri, Jun 28, 2013 at 4:44 PM, Charlie <medievalist(a)gmail.com> wrote:
> Excellent, Gianluca, thanks for sharing the information!
> --Charlie
>
>
> On Fri, Jun 28, 2013 at 10:19 AM, Gianluca Cecchi <
> gianluca.cecchi(a)gmail.com> wrote:
>
>> Hello,
>> in the past there were some threads related to this subject.
>> Today I successfully connected my oVirt 3.2.2 (installed on f18 with
>> ovirt-repo) to a CentOS 6 samba4 server.
>>
>> Basically I followed this nice page for CentOS 6 with the difference
>> that I downloaded and compiled 4.0.6 version of Samba instead of
>> 4.0.0:
>>
>>
http://opentodo.net/2013/01/samba4-as-ad-domain-controller-on-centos-6/
>>
>> One important thing is that I had to put samba4 server ip in
>> resolv.conf as the first for my engine.
>> But in my case this was not a problem because samba4 is then
>> configured with the original corporate dns as forwarder, so all is ok
>> for me
>>
>> Some commands' output
>>
>> [root@c6dc samba-4.0.6]# /usr/local/samba/bin/samba-tool domain
>> provision --realm=ovtest.local --domain=OVTEST --adminpass 'XXXXXXXXX'
>> --server-role=dc --dns-backend=BIND9_DLZ
>> Looking up IPv4 addresses
>> Looking up IPv6 addresses
>> No IPv6 address will be assigned
>> Setting up secrets.ldb
>> Setting up the registry
>> Setting up the privileges database
>> Setting up idmap db
>> Setting up SAM db
>> Setting up sam.ldb partitions and settings
>> Setting up sam.ldb rootDSE
>> Pre-loading the Samba 4 and AD schema
>> Adding DomainDN: DC=ovtest,DC=local
>> Adding configuration container
>> Setting up sam.ldb schema
>> Setting up sam.ldb configuration data
>> Setting up display specifiers
>> Modifying display specifiers
>> Adding users container
>> Modifying users container
>> Adding computers container
>> Modifying computers container
>> Setting up sam.ldb data
>> Setting up well known security principals
>> Setting up sam.ldb users and groups
>> Setting up self join
>> Adding DNS accounts
>> Creating CN=MicrosoftDNS,CN=System,DC=ovtest,DC=local
>> Creating DomainDnsZones and ForestDnsZones partitions
>> Populating DomainDnsZones and ForestDnsZones partitions
>> See /usr/local/samba/private/named.conf for an example configuration
>> include file for BIND
>> and /usr/local/samba/private/named.txt for further documentation
>> required for secure DNS updates
>> Setting up sam.ldb rootDSE marking as synchronized
>> Fixing provision GUIDs
>> A Kerberos configuration suitable for Samba 4 has been generated at
>> /usr/local/samba/private/krb5.conf
>> Once the above files are installed, your Samba4 server will be ready to
>> use
>> Server Role: active directory domain controller
>> Hostname: c6dc
>> NetBIOS Domain: OVTEST
>> DNS Domain: ovtest.local
>> DOMAIN SID: S-1-5-21-4186344073-955232896-1764362378
>>
>>
>> [root@c6dc samba-4.0.6]# rndc-confgen -a -r /dev/urandom
>> wrote key file "/etc/rndc.key"
>>
>>
>> - tests
>> (see also
>>
http://www.alexwyn.com/computer-tips/centos-samba4-active-directory-domai...
>> )
>>
>> [root@c6dc ]# /usr/local/samba/bin/smbclient -L localhost -U%
>> Domain=[OVTEST] OS=[Unix] Server=[Samba 4.0.6]
>>
>> Sharename Type Comment
>> --------- ---- -------
>> netlogon Disk
>> sysvol Disk
>> IPC$ IPC IPC Service (Samba 4.0.6)
>> Domain=[OVTEST] OS=[Unix] Server=[Samba 4.0.6]
>>
>> Server Comment
>> --------- -------
>>
>> Workgroup Master
>> --------- -------
>>
>> [root@c6dc ntp-4.2.6p5]# host -t SRV _ldap._tcp.ovtest.local.
>> _ldap._tcp.ovtest.local has SRV record 0 100 389 c6dc.ovtest.local.
>>
>> [root@c6dc ntp-4.2.6p5]# host -t SRV _kerberos._udp.ovtest.local.
>> _kerberos._udp.ovtest.local has SRV record 0 100 88 c6dc.ovtest.local.
>>
>>
>> [root@c6dc ntp-4.2.6p5]# kinit administrator(a)OVTEST.LOCAL
>> Password for administrator(a)OVTEST.LOCAL:
>> Warning: Your password will expire in 41 days on Fri Aug 9 13:30:59 2013
>>
>> [root@c6dc ntp-4.2.6p5]# klist
>> Ticket cache: FILE:/tmp/krb5cc_0
>> Default principal: administrator(a)OVTEST.LOCAL
>>
>> Valid starting Expires Service principal
>> 06/28/13 14:55:11 06/29/13 00:55:11 krbtgt/OVTEST.LOCAL(a)OVTEST.LOCAL
>> renew until 07/05/13 14:55:08
>>
>> Users' mgmt can be done from windows with Samba AD management tools
>> see:
http://wiki.samba.org/index.php/Samba_AD_management_from_windows
>>
>> I managed from linux
>> see:
http://wiki.samba.org/index.php/Adding_users_with_samba_tool
>>
>> [root@c6dc ntp-4.2.6p5]# /usr/local/samba/bin/samba-tool user add
>> OVIRTADM
>> New Password:
>> Retype Password:
>> User 'OVIRTADM' created successfully
>>
>> [root@c6dc ntp-4.2.6p5]# /usr/local/samba/bin/wbinfo --name-to-sid
>> OVIRTADM
>> S-1-5-21-4186344073-955232896-1764362378-1104 SID_USER (1)
>>
>> [root@c6dc ntp-4.2.6p5]# /usr/local/samba/bin/wbinfo --sid-to-uid
>> S-1-5-21-4186344073-955232896-1764362378-1104
>> 3000016
>>
>> I missed givenName and sn in user creation....
>> Unfortunately there is a only proposed patch for an "edit" subcommand
>> but is not inside yet.
>>
>>
http://samba.2283325.n4.nabble.com/Patch-for-samba-tool-user-modify-subco...
>>
>> See also:
>>
https://wiki.samba.org/index.php/Samba4/LDBIntro
>>
>> To modify users' attributes I used this:
>> [root@c6dc ntp-4.2.6p5]# /usr/local/samba/bin/ldbedit -e vi -H
>> /usr/local/samba/private/idmap.ldb
>> objectsid=S-1-5-21-4186344073-955232896-1764362378-1104
>>
>> here you enter into a vi session....
>>
>> # editing 1 records
>> # record 1
>> dn: CN=S-1-5-21-4186344073-955232896-1764362378-1104
>> cn: S-1-5-21-4186344073-955232896-1764362378-1104
>> objectClass: sidMap
>> objectSid: S-1-5-21-4186344073-955232896-1764362378-1104
>> type: ID_TYPE_BOTH
>> xidNumber: 3000016
>> givenName: oVirt <---- added
>> sn: Admin <---- added
>> distinguishedName: CN=S-1-5-21-4186344073-955232896-1764362378-1104
>>
>>
>> [root@c6dc ntp-4.2.6p5]# kinit ovirtadm(a)OVTEST.LOCAL
>> Password for ovirtadm(a)OVTEST.LOCAL:
>> Warning: Your password will expire in 41 days on Fri Aug 9 15:05:45 2013
>>
>> [root@c6dc ntp-4.2.6p5]# klist
>> Ticket cache: FILE:/tmp/krb5cc_0
>> Default principal: ovirtadm(a)OVTEST.LOCAL
>>
>> Valid starting Expires Service principal
>> 06/28/13 15:12:30 06/29/13 01:12:30 krbtgt/OVTEST.LOCAL(a)OVTEST.LOCAL
>> renew until 07/05/13 15:12:27
>>
>>
>> Without putting samba4 ip in resolv.conf of engine I got this error
>>
>> [root@f18engine ~]# engine-manage-domains -action=add
>> -domain='OVTEST.LOCAL' -provider=ActiveDirectory
-user='ovirtadm'
>> -interactive
>> No LDAP servers can be obtained for domain ovtest.local
>>
>> Now
>> [root@f18engine ~]# engine-manage-domains -action=add
>> -domain='OVTEST.LOCAL' -provider=ActiveDirectory
-user='ovirtadm'
>> -interactive
>> Enter password:
>>
>> The domain ovtest.local has been added to the engine as an
>> authentication source but no users from that domain have been granted
>> permissions within the oVirt Manager.
>> Users from this domain can be granted permissions from the Web
>> administration interface.
>> oVirt Engine restart is required in order for the changes to take
>> place (service ovirt-engine restart).
>> Manage Domains completed successfully
>>
>> restart engine with
>>
>> systemctl restart ovirt-engine
>>
>> Then I added the user to ovirt in webadmin gui:
>>
>> Configure --> System Permissions --> Add
>> Selected ovirtadm and its domain ovtest.local and give him SuperUser role
>>
>> Tried to successfully connect to Webadmin Gui and create one VM as a test
>>
>> HIH others.
>>
>> I'm going to see if this works with VMware too....
>>
>> Gianluca
>> _______________________________________________
>> Users mailing list
>> Users(a)ovirt.org
>>
http://lists.ovirt.org/mailman/listinfo/users
>>
>
>
> _______________________________________________
> Users mailing list
> Users(a)ovirt.org
>
http://lists.ovirt.org/mailman/listinfo/users
>
>