[Users] oVirt 3.2.2 successfully connected to Samba4
Juan Jose
jj197005 at gmail.com
Fri Jul 12 11:56:27 UTC 2013
Hello everybody,
I can also confirm that after implementing my Samba4 Active Directory
emulation and adding it to my engine it works fine. I can add users to my
Samba4 and after that I can grant the permissions in my engine webadmin
portal and use my VMs. Now, as I said before, I will try to create a process
to import my OpenLDAP users into this Samba 4.0.6 so that the students
can use oVirt.
Many thanks.
Juanjo.
On Mon, Jul 1, 2013 at 1:56 PM, Juan Jose <jj197005 at gmail.com> wrote:
> Hello everybody,
>
> Thanks Gianluca for sharing your experience. I have now installed and
> configured a Samba 4.0.6 on the Debian 7 Stable distro and I'm in the step of
> importing all my users from my production OpenLDAP + Samba 3 server to this
> new server, which is now working. After that I want to join it to my oVirt
> engine. I will share my experience too when I have the whole system working.
>
> Thanks again,
>
> Juanjo.
>
>
> On Fri, Jun 28, 2013 at 4:44 PM, Charlie <medievalist at gmail.com> wrote:
>
>> Excellent, Gianluca, thanks for sharing the information!
>> --Charlie
>>
>>
>> On Fri, Jun 28, 2013 at 10:19 AM, Gianluca Cecchi <
>> gianluca.cecchi at gmail.com> wrote:
>>
>>> Hello,
>>> in the past there were some threads related to this subject.
>>> Today I successfully connected my oVirt 3.2.2 (installed on f18 with
>>> ovirt-repo) to a CentOS 6 samba4 server.
>>>
>>> Basically I followed this nice page for CentOS 6 with the difference
>>> that I downloaded and compiled 4.0.6 version of Samba instead of
>>> 4.0.0:
>>>
>>> http://opentodo.net/2013/01/samba4-as-ad-domain-controller-on-centos-6/
>>>
>>> One important thing is that I had to put the samba4 server IP in
>>> resolv.conf as the first entry for my engine.
>>> But in my case this was not a problem because samba4 is then
>>> configured with the original corporate DNS as forwarder, so all is OK
>>> for me.
>>>
>>> Some commands' output
>>>
>>> [root at c6dc samba-4.0.6]# /usr/local/samba/bin/samba-tool domain
>>> provision --realm=ovtest.local --domain=OVTEST --adminpass 'XXXXXXXXX'
>>> --server-role=dc --dns-backend=BIND9_DLZ
>>> Looking up IPv4 addresses
>>> Looking up IPv6 addresses
>>> No IPv6 address will be assigned
>>> Setting up secrets.ldb
>>> Setting up the registry
>>> Setting up the privileges database
>>> Setting up idmap db
>>> Setting up SAM db
>>> Setting up sam.ldb partitions and settings
>>> Setting up sam.ldb rootDSE
>>> Pre-loading the Samba 4 and AD schema
>>> Adding DomainDN: DC=ovtest,DC=local
>>> Adding configuration container
>>> Setting up sam.ldb schema
>>> Setting up sam.ldb configuration data
>>> Setting up display specifiers
>>> Modifying display specifiers
>>> Adding users container
>>> Modifying users container
>>> Adding computers container
>>> Modifying computers container
>>> Setting up sam.ldb data
>>> Setting up well known security principals
>>> Setting up sam.ldb users and groups
>>> Setting up self join
>>> Adding DNS accounts
>>> Creating CN=MicrosoftDNS,CN=System,DC=ovtest,DC=local
>>> Creating DomainDnsZones and ForestDnsZones partitions
>>> Populating DomainDnsZones and ForestDnsZones partitions
>>> See /usr/local/samba/private/named.conf for an example configuration
>>> include file for BIND
>>> and /usr/local/samba/private/named.txt for further documentation
>>> required for secure DNS updates
>>> Setting up sam.ldb rootDSE marking as synchronized
>>> Fixing provision GUIDs
>>> A Kerberos configuration suitable for Samba 4 has been generated at
>>> /usr/local/samba/private/krb5.conf
>>> Once the above files are installed, your Samba4 server will be ready to
>>> use
>>> Server Role: active directory domain controller
>>> Hostname: c6dc
>>> NetBIOS Domain: OVTEST
>>> DNS Domain: ovtest.local
>>> DOMAIN SID: S-1-5-21-4186344073-955232896-1764362378
>>>
>>>
>>> [root at c6dc samba-4.0.6]# rndc-confgen -a -r /dev/urandom
>>> wrote key file "/etc/rndc.key"
>>>
>>>
>>> - tests
>>> (see also
>>> http://www.alexwyn.com/computer-tips/centos-samba4-active-directory-domain-controller
>>> )
>>>
>>> [root at c6dc ]# /usr/local/samba/bin/smbclient -L localhost -U%
>>> Domain=[OVTEST] OS=[Unix] Server=[Samba 4.0.6]
>>>
>>> Sharename Type Comment
>>> --------- ---- -------
>>> netlogon Disk
>>> sysvol Disk
>>> IPC$ IPC IPC Service (Samba 4.0.6)
>>> Domain=[OVTEST] OS=[Unix] Server=[Samba 4.0.6]
>>>
>>> Server Comment
>>> --------- -------
>>>
>>> Workgroup Master
>>> --------- -------
>>>
>>> [root at c6dc ntp-4.2.6p5]# host -t SRV _ldap._tcp.ovtest.local.
>>> _ldap._tcp.ovtest.local has SRV record 0 100 389 c6dc.ovtest.local.
>>>
>>> [root at c6dc ntp-4.2.6p5]# host -t SRV _kerberos._udp.ovtest.local.
>>> _kerberos._udp.ovtest.local has SRV record 0 100 88 c6dc.ovtest.local.
>>>
>>>
>>> [root at c6dc ntp-4.2.6p5]# kinit administrator at OVTEST.LOCAL
>>> Password for administrator at OVTEST.LOCAL:
>>> Warning: Your password will expire in 41 days on Fri Aug 9 13:30:59 2013
>>>
>>> [root at c6dc ntp-4.2.6p5]# klist
>>> Ticket cache: FILE:/tmp/krb5cc_0
>>> Default principal: administrator at OVTEST.LOCAL
>>>
>>> Valid starting Expires Service principal
>>> 06/28/13 14:55:11 06/29/13 00:55:11 krbtgt/OVTEST.LOCAL at OVTEST.LOCAL
>>> renew until 07/05/13 14:55:08
>>>
>>> Users' mgmt can be done from windows with Samba AD management tools
>>> see: http://wiki.samba.org/index.php/Samba_AD_management_from_windows
>>>
>>> I managed from linux
>>> see: http://wiki.samba.org/index.php/Adding_users_with_samba_tool
>>>
>>> [root at c6dc ntp-4.2.6p5]# /usr/local/samba/bin/samba-tool user add
>>> OVIRTADM
>>> New Password:
>>> Retype Password:
>>> User 'OVIRTADM' created successfully
>>>
>>> [root at c6dc ntp-4.2.6p5]# /usr/local/samba/bin/wbinfo --name-to-sid
>>> OVIRTADM
>>> S-1-5-21-4186344073-955232896-1764362378-1104 SID_USER (1)
>>>
>>> [root at c6dc ntp-4.2.6p5]# /usr/local/samba/bin/wbinfo --sid-to-uid
>>> S-1-5-21-4186344073-955232896-1764362378-1104
>>> 3000016
>>>
>>> I missed givenName and sn in user creation....
>>> Unfortunately there is only a proposed patch for an "edit" subcommand,
>>> but it is not in yet.
>>>
>>> http://samba.2283325.n4.nabble.com/Patch-for-samba-tool-user-modify-subcommand-td4634884.html
>>>
>>> See also:
>>> https://wiki.samba.org/index.php/Samba4/LDBIntro
>>>
>>> To modify users' attributes I used this:
>>> [root at c6dc ntp-4.2.6p5]# /usr/local/samba/bin/ldbedit -e vi -H
>>> /usr/local/samba/private/idmap.ldb
>>> objectsid=S-1-5-21-4186344073-955232896-1764362378-1104
>>>
>>> here you enter a vi session....
>>>
>>> # editing 1 records
>>> # record 1
>>> dn: CN=S-1-5-21-4186344073-955232896-1764362378-1104
>>> cn: S-1-5-21-4186344073-955232896-1764362378-1104
>>> objectClass: sidMap
>>> objectSid: S-1-5-21-4186344073-955232896-1764362378-1104
>>> type: ID_TYPE_BOTH
>>> xidNumber: 3000016
>>> givenName: oVirt <---- added
>>> sn: Admin <---- added
>>> distinguishedName: CN=S-1-5-21-4186344073-955232896-1764362378-1104
>>>
>>>
>>> [root at c6dc ntp-4.2.6p5]# kinit ovirtadm at OVTEST.LOCAL
>>> Password for ovirtadm at OVTEST.LOCAL:
>>> Warning: Your password will expire in 41 days on Fri Aug 9 15:05:45 2013
>>>
>>> [root at c6dc ntp-4.2.6p5]# klist
>>> Ticket cache: FILE:/tmp/krb5cc_0
>>> Default principal: ovirtadm at OVTEST.LOCAL
>>>
>>> Valid starting Expires Service principal
>>> 06/28/13 15:12:30 06/29/13 01:12:30 krbtgt/OVTEST.LOCAL at OVTEST.LOCAL
>>> renew until 07/05/13 15:12:27
>>>
>>>
>>> Without putting samba4 ip in resolv.conf of engine I got this error
>>>
>>> [root at f18engine ~]# engine-manage-domains -action=add
>>> -domain='OVTEST.LOCAL' -provider=ActiveDirectory -user='ovirtadm'
>>> -interactive
>>> No LDAP servers can be obtained for domain ovtest.local
>>>
>>> Now
>>> [root at f18engine ~]# engine-manage-domains -action=add
>>> -domain='OVTEST.LOCAL' -provider=ActiveDirectory -user='ovirtadm'
>>> -interactive
>>> Enter password:
>>>
>>> The domain ovtest.local has been added to the engine as an
>>> authentication source but no users from that domain have been granted
>>> permissions within the oVirt Manager.
>>> Users from this domain can be granted permissions from the Web
>>> administration interface.
>>> oVirt Engine restart is required in order for the changes to take
>>> place (service ovirt-engine restart).
>>> Manage Domains completed successfully
>>>
>>> restart engine with
>>>
>>> systemctl restart ovirt-engine
>>>
>>> Then I added the user to ovirt in webadmin gui:
>>>
>>> Configure --> System Permissions --> Add
>>> Selected ovirtadm and its domain ovtest.local and give him SuperUser role
>>>
>>> Tried to successfully connect to Webadmin Gui and create one VM as a test
>>>
>>> HTH others.
>>>
>>> I'm going to see if this works with VMware too....
>>>
>>> Gianluca
>>> _______________________________________________
>>> Users mailing list
>>> Users at ovirt.org
>>> http://lists.ovirt.org/mailman/listinfo/users
>>>
>
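The error Gianluca hit before fixing resolv.conf ("No LDAP servers can be obtained for domain ovtest.local") comes from the engine failing to find the domain's SRV records. The following is an added example, not code from the thread or from oVirt or Samba: it parses `host -t SRV` output lines in the format shown above (the sample lines are constructed, with a second hypothetical DC `c6dc2` added), orders the endpoints the way a client would (lowest priority first, then highest weight), and reports which of the two services oVirt needs, LDAP over TCP and Kerberos over UDP, are not discoverable for a given realm. The `_ldap._tcp` and `_kerberos._udp` names are the ones the thread queries; the function names are mine.

```python
import re
from collections import namedtuple

# Constructed sample in the format `host -t SRV` prints; the first and third
# lines mirror the thread's output, the second adds a hypothetical second DC.
SAMPLE_HOST_OUTPUT = """\
_ldap._tcp.ovtest.local has SRV record 0 100 389 c6dc.ovtest.local.
_ldap._tcp.ovtest.local has SRV record 10 50 389 c6dc2.ovtest.local.
_kerberos._udp.ovtest.local has SRV record 0 100 88 c6dc.ovtest.local.
"""

SrvRecord = namedtuple("SrvRecord", "name priority weight port target")

# "<owner> has SRV record <priority> <weight> <port> <target>"
SRV_LINE = re.compile(
    r"^(?P<name>\S+) has SRV record (?P<prio>\d+) (?P<weight>\d+) "
    r"(?P<port>\d+) (?P<target>\S+)$"
)


def parse_host_srv(text):
    """Parse `host -t SRV` output into SrvRecord tuples; skips non-matching lines."""
    records = []
    for line in text.splitlines():
        m = SRV_LINE.match(line.strip())
        if not m:
            continue
        records.append(SrvRecord(
            name=m["name"].rstrip(".").lower(),
            priority=int(m["prio"]),
            weight=int(m["weight"]),
            port=int(m["port"]),
            target=m["target"].rstrip("."),
        ))
    return records


def expected_services(realm):
    """SRV owner names an AD client needs for a realm (Kerberos realm, lowercased as DNS)."""
    realm = realm.lower().rstrip(".")
    return {
        "ldap": f"_ldap._tcp.{realm}",
        "kerberos": f"_kerberos._udp.{realm}",
    }


def check_domain_discovery(realm, records):
    """Map service -> endpoints [(target, port), ...] in client selection order.

    Lower priority wins; within a priority, higher weight is listed first
    (a real client picks among equal priorities proportionally to weight).
    """
    by_name = {}
    for r in records:
        by_name.setdefault(r.name, []).append(r)
    result = {}
    for svc, name in expected_services(realm).items():
        ordered = sorted(by_name.get(name, []), key=lambda r: (r.priority, -r.weight))
        result[svc] = [(r.target, r.port) for r in ordered]
    return result


def discovery_problems(realm, records):
    """Names of required services with no SRV record at all; empty list means OK."""
    return [svc for svc, eps in check_domain_discovery(realm, records).items() if not eps]


if __name__ == "__main__":
    recs = parse_host_srv(SAMPLE_HOST_OUTPUT)
    print(check_domain_discovery("OVTEST.LOCAL", recs))
    print("missing:", discovery_problems("OVTEST.LOCAL", recs))
```

Run against the resolver the engine actually uses (the first nameserver in its resolv.conf): an empty `ldap` list reproduces the thread's failure, while a non-empty list whose first target is not the DC you expect points at a stale or spoofed record worth investigating.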
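The `wbinfo --name-to-sid` and `--sid-to-uid` steps above show the new account's SID as the domain SID from the provisioning output plus a relative ID (RID) of 1104. When granting a domain account a role such as SuperUser, it is worth checking that the SID really belongs to your own domain and whether its RID is one of the well-known privileged ones. This added example (not code from the thread, Samba or oVirt; the function names are mine) parses string SIDs, converts them to and from the binary form stored in `objectSid`, and classifies an account SID relative to the domain SID from the thread.

```python
import struct

# Values taken from the thread: the provisioned domain SID and the SID that
# wbinfo returned for the OVIRTADM user.
DOMAIN_SID = "S-1-5-21-4186344073-955232896-1764362378"
OVIRTADM_SID = DOMAIN_SID + "-1104"

# RIDs that exist in every AD domain with a fixed meaning (MS-DTYP); flag them
# before handing out roles. RIDs from 1000 upward are allocated to created objects.
WELL_KNOWN_RIDS = {
    500: "Administrator",
    501: "Guest",
    502: "krbtgt",
    512: "Domain Admins",
    513: "Domain Users",
    519: "Enterprise Admins",
}


def parse_sid(sid):
    """Split 'S-R-A-s1-s2-...' into (revision, identifier_authority, [sub_authorities])."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError(f"not a SID: {sid!r}")
    revision = int(parts[1])
    authority = int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if revision != 1 or not 0 <= authority < 2 ** 48 or len(subs) > 15:
        raise ValueError(f"SID out of range: {sid!r}")
    if any(not 0 <= s < 2 ** 32 for s in subs):
        raise ValueError(f"sub-authority out of range: {sid!r}")
    return revision, authority, subs


def sid_to_bytes(sid):
    """Binary SID: revision(1) count(1) authority(6, big-endian) sub-authorities(4 each, little-endian)."""
    revision, authority, subs = parse_sid(sid)
    return (struct.pack("<BB", revision, len(subs))
            + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def bytes_to_sid(data):
    """Inverse of sid_to_bytes; rejects truncated or over-long buffers."""
    if len(data) < 8:
        raise ValueError("SID buffer too short")
    revision, count = struct.unpack_from("<BB", data, 0)
    if len(data) != 8 + 4 * count:
        raise ValueError("SID buffer length does not match sub-authority count")
    authority = int.from_bytes(data[2:8], "big")
    subs = struct.unpack_from(f"<{count}I", data, 8)
    return "S-" + "-".join(str(x) for x in (revision, authority, *subs))


def rid_in_domain(account_sid, domain_sid):
    """Return the RID when account_sid is an account of domain_sid, otherwise None."""
    _, d_auth, d_subs = parse_sid(domain_sid)
    _, a_auth, a_subs = parse_sid(account_sid)
    if a_auth != d_auth or len(a_subs) != len(d_subs) + 1 or a_subs[:-1] != d_subs:
        return None
    return a_subs[-1]


def describe(account_sid, domain_sid):
    """Human-readable classification used before granting a role to a SID."""
    rid = rid_in_domain(account_sid, domain_sid)
    if rid is None:
        return "foreign SID (not in this domain)"
    label = WELL_KNOWN_RIDS.get(rid)
    if label:
        return f"well-known RID {rid} ({label})"
    return f"domain-created account, RID {rid}"


if __name__ == "__main__":
    print(describe(OVIRTADM_SID, DOMAIN_SID))
    print(sid_to_bytes(OVIRTADM_SID).hex())
```

The binary form is what you will see when you pull `objectSid` out of sam.ldb with ldbsearch in base64, so the round-trip lets you compare that value with the string wbinfo prints.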