[Users] oVirt 3.2.2 successfully connected to Samba4
Gianluca Cecchi
gianluca.cecchi at gmail.com
Fri Jun 28 14:19:49 UTC 2013
Hello,
in the past there were some threads related to this subject.
Today I successfully connected my oVirt 3.2.2 (installed on f18 with
ovirt-repo) to a CentOS 6 samba4 server.
Basically I followed this nice page for CentOS 6, with the difference
that I downloaded and compiled the 4.0.6 version of Samba instead of
4.0.0:
http://opentodo.net/2013/01/samba4-as-ad-domain-controller-on-centos-6/
One important thing is that I had to put the samba4 server IP in
resolv.conf as the first nameserver for my engine.
But in my case this was not a problem, because samba4 is then
configured with the original corporate DNS as forwarder, so all is OK
for me.
Some commands' output:
[root@c6dc samba-4.0.6]# /usr/local/samba/bin/samba-tool domain
provision --realm=ovtest.local --domain=OVTEST --adminpass 'XXXXXXXXX'
--server-role=dc --dns-backend=BIND9_DLZ
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=ovtest,DC=local
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Modifying display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
Setting up self join
Adding DNS accounts
Creating CN=MicrosoftDNS,CN=System,DC=ovtest,DC=local
Creating DomainDnsZones and ForestDnsZones partitions
Populating DomainDnsZones and ForestDnsZones partitions
See /usr/local/samba/private/named.conf for an example configuration
include file for BIND
and /usr/local/samba/private/named.txt for further documentation
required for secure DNS updates
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable for Samba 4 has been generated at
/usr/local/samba/private/krb5.conf
Once the above files are installed, your Samba4 server will be ready to use
Server Role: active directory domain controller
Hostname: c6dc
NetBIOS Domain: OVTEST
DNS Domain: ovtest.local
DOMAIN SID: S-1-5-21-4186344073-955232896-1764362378
[root@c6dc samba-4.0.6]# rndc-confgen -a -r /dev/urandom
wrote key file "/etc/rndc.key"
- tests
(see also http://www.alexwyn.com/computer-tips/centos-samba4-active-directory-domain-controller)
[root@c6dc ]# /usr/local/samba/bin/smbclient -L localhost -U%
Domain=[OVTEST] OS=[Unix] Server=[Samba 4.0.6]

        Sharename       Type      Comment
        ---------       ----      -------
        netlogon        Disk
        sysvol          Disk
        IPC$            IPC       IPC Service (Samba 4.0.6)
Domain=[OVTEST] OS=[Unix] Server=[Samba 4.0.6]

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
[root@c6dc ntp-4.2.6p5]# host -t SRV _ldap._tcp.ovtest.local.
_ldap._tcp.ovtest.local has SRV record 0 100 389 c6dc.ovtest.local.
[root@c6dc ntp-4.2.6p5]# host -t SRV _kerberos._udp.ovtest.local.
_kerberos._udp.ovtest.local has SRV record 0 100 88 c6dc.ovtest.local.
[root@c6dc ntp-4.2.6p5]# kinit administrator@OVTEST.LOCAL
Password for administrator@OVTEST.LOCAL:
Warning: Your password will expire in 41 days on Fri Aug 9 13:30:59 2013
[root@c6dc ntp-4.2.6p5]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@OVTEST.LOCAL
Valid starting     Expires            Service principal
06/28/13 14:55:11  06/29/13 00:55:11  krbtgt/OVTEST.LOCAL@OVTEST.LOCAL
        renew until 07/05/13 14:55:08
Users' management can be done from Windows with the Samba AD management tools;
see: http://wiki.samba.org/index.php/Samba_AD_management_from_windows
I managed from Linux;
see: http://wiki.samba.org/index.php/Adding_users_with_samba_tool
[root@c6dc ntp-4.2.6p5]# /usr/local/samba/bin/samba-tool user add OVIRTADM
New Password:
Retype Password:
User 'OVIRTADM' created successfully
[root@c6dc ntp-4.2.6p5]# /usr/local/samba/bin/wbinfo --name-to-sid OVIRTADM
S-1-5-21-4186344073-955232896-1764362378-1104 SID_USER (1)
[root@c6dc ntp-4.2.6p5]# /usr/local/samba/bin/wbinfo --sid-to-uid
S-1-5-21-4186344073-955232896-1764362378-1104
3000016
I missed givenName and sn in user creation....
Unfortunately there is only a proposed patch for an "edit" subcommand,
but it is not merged yet.
http://samba.2283325.n4.nabble.com/Patch-for-samba-tool-user-modify-subcommand-td4634884.html
See also:
https://wiki.samba.org/index.php/Samba4/LDBIntro
To modify users' attributes I used this:
[root@c6dc ntp-4.2.6p5]# /usr/local/samba/bin/ldbedit -e vi -H
/usr/local/samba/private/idmap.ldb
objectsid=S-1-5-21-4186344073-955232896-1764362378-1104
Here you enter a vi session....
# editing 1 records
# record 1
dn: CN=S-1-5-21-4186344073-955232896-1764362378-1104
cn: S-1-5-21-4186344073-955232896-1764362378-1104
objectClass: sidMap
objectSid: S-1-5-21-4186344073-955232896-1764362378-1104
type: ID_TYPE_BOTH
xidNumber: 3000016
givenName: oVirt <---- added
sn: Admin <---- added
distinguishedName: CN=S-1-5-21-4186344073-955232896-1764362378-1104
[root@c6dc ntp-4.2.6p5]# kinit ovirtadm@OVTEST.LOCAL
Password for ovirtadm@OVTEST.LOCAL:
Warning: Your password will expire in 41 days on Fri Aug 9 15:05:45 2013
[root@c6dc ntp-4.2.6p5]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: ovirtadm@OVTEST.LOCAL
Valid starting     Expires            Service principal
06/28/13 15:12:30  06/29/13 01:12:30  krbtgt/OVTEST.LOCAL@OVTEST.LOCAL
        renew until 07/05/13 15:12:27
Without putting the samba4 IP in the engine's resolv.conf I got this error:
[root@f18engine ~]# engine-manage-domains -action=add
-domain='OVTEST.LOCAL' -provider=ActiveDirectory -user='ovirtadm'
-interactive
No LDAP servers can be obtained for domain ovtest.local
Now:
[root@f18engine ~]# engine-manage-domains -action=add
-domain='OVTEST.LOCAL' -provider=ActiveDirectory -user='ovirtadm'
-interactive
Enter password:
The domain ovtest.local has been added to the engine as an
authentication source but no users from that domain have been granted
permissions within the oVirt Manager.
Users from this domain can be granted permissions from the Web
administration interface.
oVirt Engine restart is required in order for the changes to take
place (service ovirt-engine restart).
Manage Domains completed successfully
Restart the engine with
systemctl restart ovirt-engine
Then I added the user to oVirt in the webadmin GUI:
Configure --> System Permissions --> Add
Selected ovirtadm and its domain ovtest.local and gave him the SuperUser role.
Tried and successfully connected to the Webadmin GUI and created one VM as a test.
HIH others.
I'm going to see if this works with VMware too....
Gianluca
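Added example (not part of Gianluca's post, nor of oVirt or Samba): an offline pre-flight check for the two things the post shows the engine depending on, the DC being the first nameserver in the engine's resolv.conf and the realm publishing the _ldap._tcp and _kerberos._udp SRV records. The resolv.conf text, the `host -t SRV` output and the DC address 192.0.2.10 are constructed inputs modelled on the post, not real captures.

```python
"""Pre-flight check before running engine-manage-domains against a Samba4 DC.

Works on text only: feed it the engine's /etc/resolv.conf and the output
of `host -t SRV` for the realm; nothing on the network is touched.
"""
import re

# The two SRV services the post verified with `host -t SRV`.
REQUIRED_SRV = ("_ldap._tcp", "_kerberos._udp")
# One answer line of `host -t SRV`, e.g.
# "_ldap._tcp.ovtest.local has SRV record 0 100 389 c6dc.ovtest.local."
SRV_RE = re.compile(r"^(\S+) has SRV record (\d+) (\d+) (\d+) (\S+?)\.?$")

# Constructed samples (hypothetical addresses), shaped like the post's output.
RESOLV_BAD = "search ovtest.local\nnameserver 10.0.0.1\nnameserver 192.0.2.10\n"
RESOLV_GOOD = "search ovtest.local\nnameserver 192.0.2.10\nnameserver 10.0.0.1\n"
HOST_OUT = (
    "_ldap._tcp.ovtest.local has SRV record 0 100 389 c6dc.ovtest.local.\n"
    "_kerberos._udp.ovtest.local has SRV record 0 100 88 c6dc.ovtest.local.\n"
)

def first_nameserver(resolv_conf):
    """Return the first 'nameserver' entry of a resolv.conf text, or None."""
    for line in resolv_conf.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            return parts[1]
    return None

def parse_srv(host_output):
    """Map service label (e.g. '_ldap._tcp') to [(prio, weight, port, target)]."""
    records = {}
    for line in host_output.splitlines():
        m = SRV_RE.match(line.strip())
        if not m:
            continue  # "not found" / NXDOMAIN lines carry no record
        name, prio, weight, port, target = m.groups()
        service = ".".join(name.split(".")[:2])
        records.setdefault(service, []).append(
            (int(prio), int(weight), int(port), target))
    return records

def preflight(resolv_conf, host_output, dc_ip, realm):
    """Return the list of problems; empty means the engine should find the DC."""
    problems = []
    ns = first_nameserver(resolv_conf)
    if ns != dc_ip:
        problems.append("first nameserver is %s, expected DC %s" % (ns, dc_ip))
    srv = parse_srv(host_output)
    for service in REQUIRED_SRV:
        if not srv.get(service):
            problems.append("no %s.%s SRV record" % (service, realm.lower()))
    return problems
```

With the corporate DNS listed first the check reports the same condition that produced "No LDAP servers can be obtained for domain ovtest.local" in the post; with the DC first and both SRV records present it returns no problems.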