Hi Thiago,

Like for the Windows case, where we have Heat templates for AD DC and other 
MSFT related workloads (Exchange, SQL Server, SharePoint, etc) [1], the best 
place in OpenStack for Samba 4 DC is a dedicated Heat template.

Heat is the de facto workload orchestration standard for OpenStack, so I'd 
definitely start from there.

That said, Keystone has AD support via LDAP. It'd be great to see some 
documentation for using a Samba 4 DC in place of a Windows DC.

Another area of interaction for Samba 4 is Cinder: we have code under review 
for exporting volumes over SMB, useful for Hyper-V compute nodes and other 
scenarios. [2]

Talking about Nova, in large deployments using Hyper-V compute nodes it's 
common to manage credentials with domain membership, quite useful for live 
migration in particular. I'd like to document the usage of a Samba 4 AD DC in 
this context, although the last time I tried I had issues with Kerberos 
delegation, required for live migration. Quite some time passed, so it's 
definitely worth giving it another try.

Slightly outside of the OpenStack territory (but still correlated to it) I'd 
also consider Ubuntu Juju, for the fact that it's possible to create 
relationships based on a Samba 4 DC charm and any other charm that needs domain 
membership. We have charms for Windows AD; it'd be great to add Samba 4 as an 
alternative.

Thanks,

Alessandro

[1] https://github.com/cloudbase/windows-heat-templates

[2] https://blueprints.launchpad.net/cinder/+spec/smbfs-volume-driver

On 16.08.2014, at 22:12, "Martinx - ジェームズ" 
<thiagocmarti...@gmail.com> wrote:

Hey Stackers,

 I'm wondering here... Samba4 is pretty solid (upcoming 4.2 rocks), I'm using 
it on a daily basis as an AD DC controller, for both Windows and Linux 
Instances! With replication, file system ACLs - cifs, built-in LDAP, dynamic 
DNS with Bind9 as a backend (no netbios) and etc... Pretty cool!

 In OpenStack ecosystem, there are awesome solutions like Trove, Solum, 
Designate and etc... Amazing times BTW! So, why not try to integrate Samba4, 
working as an AD DC, within OpenStack itself?!

 If yes, then, what is the best way/approach to achieve this?!

 I mean, for SQL, we have Trove, for iSCSI, Cinder, Nova uses Libvirt... Don't 
you guys think that it is time to have an OpenStack project for LDAP too? And 
since Samba4 comes with it, plus DNS, AD, Kerberos and etc, I think that it will 
be huge if we manage to integrate it with OpenStack.

 I think that it would be nice to have, for example: domains, users and groups 
management at Horizon, and each tenant with its own "Administrator" (not the 
Keystone "global" admin) (to manage its Samba4 domains), so, they will be able 
to fully manage its own account, while allowing Keystone to authenticate 
against these users...

 Also, maybe Designate can have support for it too! I don't know for sure...

 Today, I'm doing this "Samba integration" manually, I have an "external" 
Samba4, from OpenStack's point of view, then, each tenant/project has its own 
DNS domains, and when an instance boots up, I just need to do something like this 
(bootstrap):

--
# loopback alias so the instance resolves its own FQDN before joining
echo "127.0.1.1 instance-1.tenant-1.domain-1.com instance-1" >> /etc/hosts
# join the AD domain using the domain administrator credentials
net ads join -U administrator
--

 To make this work, the instance just needs to use the Samba4 AD DC as its Name 
Servers, configured at its /etc/resolv.conf, "delivered by DHCP Agent". The 
packages `samba-common-bin` and `krb5-user` are also required, including a 
ready-to-use smb.conf file.

 Then, "ping instance-1.tenant-1.domain-1.com" worldwide! It works for both 
IPv4 and IPv6!!

 Also, Samba4 works okay with Disjoint Namespaces 
(http://technet.microsoft.com/en-us/library/cc731929(v=ws.10).aspx), so, each 
tenant can have one or more domains and subdomains! Like "*.realm.domain.com, 
*.domain.com, *.cloud-net-1.domain.com, *.domain2.com"... All dynamically 
managed by Samba4 and Bind9!

 What about that?!

Cheers!
Thiago
_______________________________________________
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
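The bootstrap Thiago describes (resolver pointing at the DC, the two packages, a ready-to-use smb.conf, the /etc/hosts alias and `net ads join`), written up as an idempotent script. This is an added example, not code from the thread; the realm, workgroup and DC address are placeholders and the "join" argument guard is an assumption of this script.

```shell
#!/bin/sh
# Added example (not from the thread): an idempotent version of the instance
# bootstrap. REALM, WORKGROUP and DC_ADDR (RFC 5737 documentation address) are
# placeholders assumed here, not values taken from the post.
REALM="${REALM:-DOMAIN-1.COM}"
WORKGROUP="${WORKGROUP:-DOMAIN-1}"
DC_ADDR="${DC_ADDR:-192.0.2.10}"

# The /etc/hosts line from the post: loopback alias with the FQDN first and the
# short name second, so Samba derives the right host principal at join time.
hosts_entry() {
  fqdn="$1"
  printf '127.0.1.1 %s %s\n' "$fqdn" "${fqdn%%.*}"
}

# Preflight: the post relies on the DHCP agent handing out the DC as resolver.
# $1 = path to resolv.conf, $2 = DC address; exact field match, not a substring.
resolver_points_at_dc() {
  awk -v dc="$2" '$1 == "nameserver" && $2 == dc { found = 1 } END { exit !found }' "$1"
}

# Minimal ready-to-use smb.conf for an AD member: Kerberos (ads) security, realm
# and workgroup from the placeholders above, machine credentials in secrets.tdb.
render_smb_conf() {
  printf '[global]\n   security = ads\n   realm = %s\n   workgroup = %s\n   kerberos method = secrets and keytab\n' "$1" "$2"
}

# The join itself: install the packages the post names, write smb.conf, append
# the hosts line once, and skip the join when `net ads testjoin` already passes.
join_instance() {
  fqdn="$(hostname -f)"
  resolver_points_at_dc /etc/resolv.conf "$DC_ADDR" || { echo "resolv.conf does not point at $DC_ADDR" >&2; return 1; }
  apt-get install -y samba-common-bin krb5-user
  render_smb_conf "$REALM" "$WORKGROUP" > /etc/samba/smb.conf
  grep -qF "$fqdn" /etc/hosts || hosts_entry "$fqdn" >> /etc/hosts
  net ads testjoin >/dev/null 2>&1 && return 0
  net ads join -U administrator
}

# Run the join only when invoked as "bootstrap.sh join"; otherwise the file just
# defines the functions so they can be checked without touching the host.
if [ "${1:-}" = "join" ]; then
  join_instance
fi
```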