Hello, in the past there were some threads related to this subject. Today I successfully connected my oVirt 3.2.2 (installed on f18 with ovirt-repo) to a CentOS 6 samba4 server.

Basically I followed this nice page for CentOS 6, with the difference that I downloaded and compiled the 4.0.6 version of Samba instead of 4.0.0:
http://opentodo.net/2013/01/samba4-as-ad-domain-controller-on-centos-6/

One important thing is that I had to put the samba4 server IP in resolv.conf as the first nameserver for my engine. But in my case this was not a problem, because samba4 is then configured with the original corporate DNS as forwarder, so all is ok for me.

Some commands' output:

[root@c6dc samba-4.0.6]# /usr/local/samba/bin/samba-tool domain provision --realm=ovtest.local --domain=OVTEST --adminpass 'XXXXXXXXX' --server-role=dc --dns-backend=BIND9_DLZ
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=ovtest,DC=local
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Modifying display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
Setting up self join
Adding DNS accounts
Creating CN=MicrosoftDNS,CN=System,DC=ovtest,DC=local
Creating DomainDnsZones and ForestDnsZones partitions
Populating DomainDnsZones and ForestDnsZones partitions
See /usr/local/samba/private/named.conf for an example configuration include file for BIND
and /usr/local/samba/private/named.txt for further documentation required for secure DNS updates
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable for Samba 4 has been generated at /usr/local/samba/private/krb5.conf
Once the above files are installed, your Samba4 server will be ready to use
Server Role:           active directory domain controller
Hostname:              c6dc
NetBIOS Domain:        OVTEST
DNS Domain:            ovtest.local
DOMAIN SID:            S-1-5-21-4186344073-955232896-1764362378

[root@c6dc samba-4.0.6]# rndc-confgen -a -r /dev/urandom
wrote key file "/etc/rndc.key"

- tests (see also http://www.alexwyn.com/computer-tips/centos-samba4-active-directory-domain-controller)

[root@c6dc ]# /usr/local/samba/bin/smbclient -L localhost -U%
Domain=[OVTEST] OS=[Unix] Server=[Samba 4.0.6]

	Sharename       Type      Comment
	---------       ----      -------
	netlogon        Disk
	sysvol          Disk
	IPC$            IPC       IPC Service (Samba 4.0.6)
Domain=[OVTEST] OS=[Unix] Server=[Samba 4.0.6]

	Server               Comment
	---------            -------

	Workgroup            Master
	---------            -------

[root@c6dc ntp-4.2.6p5]# host -t SRV _ldap._tcp.ovtest.local.
_ldap._tcp.ovtest.local has SRV record 0 100 389 c6dc.ovtest.local.

[root@c6dc ntp-4.2.6p5]# host -t SRV _kerberos._udp.ovtest.local.
_kerberos._udp.ovtest.local has SRV record 0 100 88 c6dc.ovtest.local.

[root@c6dc ntp-4.2.6p5]# kinit administrator@OVTEST.LOCAL
Password for administrator@OVTEST.LOCAL:
Warning: Your password will expire in 41 days on Fri Aug  9 13:30:59 2013

[root@c6dc ntp-4.2.6p5]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@OVTEST.LOCAL

Valid starting     Expires            Service principal
06/28/13 14:55:11  06/29/13 00:55:11  krbtgt/OVTEST.LOCAL@OVTEST.LOCAL
	renew until 07/05/13 14:55:08

Users' mgmt can be done from Windows with the Samba AD management tools; see:
http://wiki.samba.org/index.php/Samba_AD_management_from_windows

I managed it from Linux; see:
http://wiki.samba.org/index.php/Adding_users_with_samba_tool

[root@c6dc ntp-4.2.6p5]# /usr/local/samba/bin/samba-tool user add OVIRTADM
New Password:
Retype Password:
User 'OVIRTADM' created successfully

[root@c6dc ntp-4.2.6p5]# /usr/local/samba/bin/wbinfo --name-to-sid OVIRTADM
S-1-5-21-4186344073-955232896-1764362378-1104 SID_USER (1)

[root@c6dc ntp-4.2.6p5]# /usr/local/samba/bin/wbinfo --sid-to-uid S-1-5-21-4186344073-955232896-1764362378-1104
3000016

I missed givenName and sn in user creation.... Unfortunately there is only a proposed patch for an "edit" subcommand, but it is not inside yet.
http://samba.2283325.n4.nabble.com/Patch-for-samba-tool-user-modify-subcommand-td4634884.html

See also: https://wiki.samba.org/index.php/Samba4/LDBIntro

To modify users' attributes I used this:

[root@c6dc ntp-4.2.6p5]# /usr/local/samba/bin/ldbedit -e vi -H /usr/local/samba/private/idmap.ldb objectsid=S-1-5-21-4186344073-955232896-1764362378-1104

here you enter into a vi session....

# editing 1 records
# record 1
dn: CN=S-1-5-21-4186344073-955232896-1764362378-1104
cn: S-1-5-21-4186344073-955232896-1764362378-1104
objectClass: sidMap
objectSid: S-1-5-21-4186344073-955232896-1764362378-1104
type: ID_TYPE_BOTH
xidNumber: 3000016
givenName: oVirt          <---- added
sn: Admin                 <---- added
distinguishedName: CN=S-1-5-21-4186344073-955232896-1764362378-1104

[root@c6dc ntp-4.2.6p5]# kinit ovirtadm@OVTEST.LOCAL
Password for ovirtadm@OVTEST.LOCAL:
Warning: Your password will expire in 41 days on Fri Aug  9 15:05:45 2013

[root@c6dc ntp-4.2.6p5]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: ovirtadm@OVTEST.LOCAL

Valid starting     Expires            Service principal
06/28/13 15:12:30  06/29/13 01:12:30  krbtgt/OVTEST.LOCAL@OVTEST.LOCAL
	renew until 07/05/13 15:12:27

Without putting the samba4 IP in resolv.conf of the engine I got this error:

[root@f18engine ~]# engine-manage-domains -action=add -domain='OVTEST.LOCAL' -provider=ActiveDirectory -user='ovirtadm' -interactive
No LDAP servers can be obtained for domain ovtest.local

Now:

[root@f18engine ~]# engine-manage-domains -action=add -domain='OVTEST.LOCAL' -provider=ActiveDirectory -user='ovirtadm' -interactive
Enter password:
The domain ovtest.local has been added to the engine as an authentication source but no users from that domain have been granted permissions within the oVirt Manager.
Users from this domain can be granted permissions from the Web administration interface.
oVirt Engine restart is required in order for the changes to take place (service ovirt-engine restart).
Manage Domains completed successfully

Restart the engine with:
systemctl restart ovirt-engine

Then I added the user to oVirt in the webadmin GUI:
Configure --> System Permissions --> Add
Selected ovirtadm and its domain ovtest.local and gave him the SuperUser role.

Successfully tried to connect to the Webadmin GUI and create one VM as a test.

HIH others.
I'm going to see if this works with VMware too....

Gianluca
_______________________________________________
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
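A pre-flight check for the two things the post above depends on, as an added example that is not part of Gianluca's mail: the _ldap._tcp and _kerberos._udp SRV records resolving to the DC on ports 389 and 88 (parsed from the same "host -t SRV" output format shown in the thread), and the engine's resolv.conf listing the DC as its first nameserver, which is what produced "No LDAP servers can be obtained for domain" when missing. The function names and the DC address 192.0.2.10 are my own; the post does not give the DC's IP.

```shell
#!/bin/sh
# Added pre-flight check for the oVirt engine -> Samba4 AD setup (not the
# author's script). The parsers read text on stdin so they can be exercised
# on captured output; run_checks drives them against the live system.

# check_srv SERVICE EXPECTED_PORT EXPECTED_TARGET  <  "host -t SRV" output
# Succeeds if some record for SERVICE has the expected port and target host.
# Sample line: "_ldap._tcp.ovtest.local has SRV record 0 100 389 c6dc.ovtest.local."
check_srv() {
    awk -v svc="$1" -v port="$2" -v target="$3" '
        $1 == svc && $3 == "SRV" && $4 == "record" {
            sub(/\.$/, "", $8)            # drop the trailing dot of the FQDN
            if ($7 == port && $8 == target) ok = 1
        }
        END { exit ok ? 0 : 1 }'
}

# check_first_nameserver DC_IP  <  resolv.conf
# Succeeds only if the FIRST "nameserver" entry is the DC; a corporate
# resolver listed first is exactly the case that broke engine-manage-domains.
check_first_nameserver() {
    awk -v ip="$1" '
        $1 == "nameserver" { first = $2; exit }
        END { exit (first == ip) ? 0 : 1 }'
}

# run_checks DOMAIN DC_HOSTNAME DC_IP
# e.g. run_checks ovtest.local c6dc.ovtest.local 192.0.2.10 (placeholder IP)
run_checks() {
    domain=$1; dc_host=$2; dc_ip=$3; rc=0
    host -t SRV "_ldap._tcp.$domain." | check_srv "_ldap._tcp.$domain" 389 "$dc_host" \
        || { echo "FAIL: _ldap._tcp SRV does not point to $dc_host:389"; rc=1; }
    host -t SRV "_kerberos._udp.$domain." | check_srv "_kerberos._udp.$domain" 88 "$dc_host" \
        || { echo "FAIL: _kerberos._udp SRV does not point to $dc_host:88"; rc=1; }
    check_first_nameserver "$dc_ip" < /etc/resolv.conf \
        || { echo "FAIL: $dc_ip is not the first nameserver in /etc/resolv.conf"; rc=1; }
    if [ "$rc" -eq 0 ]; then echo "OK: SRV records and resolver order look right for $domain"; fi
    return "$rc"
}

# Only touch the network when called with arguments, so the functions can be
# sourced or tested on captured output without a live DC.
if [ "$#" -ge 3 ]; then run_checks "$@"; fi
```

Run it on the engine host, not on the DC, since the resolver order that matters is the engine's.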