Re: [openstack-dev] Time to Samba! :-)
On Mon, 2014-08-18 at 07:27 +, Alessandro Pilotti wrote: Hi Thiago, Like for the Windows case, where we have Heat templates for AD DC and other MSFT related workloads (Exchange, SQL Server, SharePoint, etc) [1], the best place in OpenStack for Samba 4 DC is a dedicated Heat template. Heat is the de facto workload orchestration standard for OpenStack, so I'd definitely start from there. Interesting. How do you see this compared to doing it in Murano? (In any case, I'm happy to help anyone working on this, no matter the layer). Said that, Keystone has AD support via LDAP. It'd be great to see some documentation for using a Samba 4 DC in place of a Windows DC. Another area of interaction for Samba 4 is Cinder: we have code under review for exporting volumes over SMB, useful for Hyper-V compute nodes and other scenarios. [2] Samba currently can't support HyperV as a SMB server due to a limitation in our SMB3 support: https://bugzilla.samba.org/show_bug.cgi?id=9938 However, we are making progress on 'Leases', which I understand is part of required solution here. Talking about Nova, in large deployments using Hyper-V compute nodes it's common to manage credentials with domain membership, quite useful for live migration in particular. I'd like to document the usage of a Samba 4 AD DC in this context, although the last time I tried I had issues with Kerberos delegation, required for live migration. Quite some time passed, so it's definitely worth giving it another try. If you have specific, reproducible issues with our KDC blocking Samba's use in OpenStack and are able to work with me to test the solution, please bring them to my personal attention. I am very happy to address specific use cases, and this one in particular means a lot to me. Thanks, Andrew Bartlett -- Andrew Bartlett http://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba ___ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] Time to Samba! :-)
On Sun, 2014-08-17 at 13:05 +0400, Ruslan Kamaldinov wrote: On Sun, Aug 17, 2014 at 4:16 AM, Adam Lawson alaw...@aqorn.com wrote: Doesn't Murano address this already? Please note that Murano is no longer a windows-as-a-service or smth-as-a-serivce. Murano is an application catalog [1]. But you're absolutely right, this is a perfect use case for Murano - application developer can describe those applications and publish them in catalog, which will enable cloud users to combine those apps together. LDAP, Kerberos, Samba, ActiveDirectory - are applications in terms of Murano. [1] https://wiki.openstack.org/wiki/Murano G'Day, Indeed, I think Murano may well be the natural home of Samba deployed as an AD DC, inside a tenant. I reached out to the Murano team a few months ago, but haven't have any time to put into development of a Samba AD DC application yet. I work for Catalyst in NZ, and lurk here and quite close to our internal OpenStack team. I think OpenStack is a great opportunity for Samba and Samba is a great fit for OpenStack, particularly when we look at the emerging market of Desktop as Service, things like hosted Exchange (or more particularly OpenChange), and single-sign-on from the Windows-dominated enterprise. What I would like to do is to work closely with someone already more familiar with the OpenStack world, and provide my expertise and assistance to that existing effort. I also think that Samba does justify being beyond just being an application in Murano, because for the best results, Samba should be used, but not administered directly. Instead, what would bring the best out of Samba is deployment like in Trove, where the Tenant does not get rights to directly touch the instance - operation of the AD DC should be by OpenStack, not the end-user. Finally, yes Samba certainly plays a role in Manila, and while currently very well hidden, I think that some really great functionality can be exposed via the 'generic' driver that would be far from generic. Imagine if that driver 'just worked' with exposed snapshots via the windows 'previous versions' tab, for example. Or, imagine if we used the OpenStack machine credentials to securely get a Kerberos ticket for access to a big multi-tenant file share? As I mention, I do lurk here, but also feel free to contact me directly or the Samba lists if you are implementing Samba as an OpenStack service, and you think I can help, or think I've missed some discussion. Thanks, Andrew Bartlett -- Andrew Bartlett http://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba ___ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] Time to Samba! :-)
On Sun, 2014-08-17 at 13:00 +0400, Stan Lagun wrote: This can be addressed by Murano only if its deployed to the cloud (on VM belonging to some tenant). Having it on OpenStack service layer integrated with major OpenStack services sounds very promising. The problem I see is significant overlap with Keystone, especially in Kerberos and LDAP parts I do agree that Samba belongs, for many use cases, in the OpenStack service layer. I'm very interested to understand how you see it overlapping with Keystone - both for my understanding and for possible integration or assistance. Samba's user database I think mostly pertains to the users in a tenant (even if not managed by that tenant), wheras I understand Keystone is typically the VMs and their administrators. For those there is some overlap, but not one I think should cause us a major issue, but I'm very interested to learn more. Thanks, Andrew Bartlett -- Andrew Bartlett http://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba ___ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
