Excellent, Gianluca, thanks for sharing the information!
--Charlie

On Fri, Jun 28, 2013 at 10:19 AM, Gianluca Cecchi <gianluca.cec...@gmail.com
> wrote:

> Hello,
> in the past there were some threads related to this subject.
> Today I successfully connected my oVirt 3.2.2 (installed on f18 with
> ovirt-repo) to a CentOS 6 samba4 server.
>
> Basically I followed this nice page for CentOS 6 with the difference
> that I downloaded and compiled 4.0.6 version of Samba instead of
> 4.0.0:
>
> http://opentodo.net/2013/01/samba4-as-ad-domain-controller-on-centos-6/
>
> One important thing is that I had to put samba4 server ip in
> resolv.conf as the first for my engine.
> But in my case this was not a problem because samba4 is then
> configured with the original corporate dns as forwarder, so all is ok
> for me
>
> Some commands' output
>
> [root@c6dc samba-4.0.6]# /usr/local/samba/bin/samba-tool domain
> provision --realm=ovtest.local --domain=OVTEST --adminpass 'XXXXXXXXX'
> --server-role=dc --dns-backend=BIND9_DLZ
> Looking up IPv4 addresses
> Looking up IPv6 addresses
> No IPv6 address will be assigned
> Setting up secrets.ldb
> Setting up the registry
> Setting up the privileges database
> Setting up idmap db
> Setting up SAM db
> Setting up sam.ldb partitions and settings
> Setting up sam.ldb rootDSE
> Pre-loading the Samba 4 and AD schema
> Adding DomainDN: DC=ovtest,DC=local
> Adding configuration container
> Setting up sam.ldb schema
> Setting up sam.ldb configuration data
> Setting up display specifiers
> Modifying display specifiers
> Adding users container
> Modifying users container
> Adding computers container
> Modifying computers container
> Setting up sam.ldb data
> Setting up well known security principals
> Setting up sam.ldb users and groups
> Setting up self join
> Adding DNS accounts
> Creating CN=MicrosoftDNS,CN=System,DC=ovtest,DC=local
> Creating DomainDnsZones and ForestDnsZones partitions
> Populating DomainDnsZones and ForestDnsZones partitions
> See /usr/local/samba/private/named.conf for an example configuration
> include file for BIND
> and /usr/local/samba/private/named.txt for further documentation
> required for secure DNS updates
> Setting up sam.ldb rootDSE marking as synchronized
> Fixing provision GUIDs
> A Kerberos configuration suitable for Samba 4 has been generated at
> /usr/local/samba/private/krb5.conf
> Once the above files are installed, your Samba4 server will be ready to use
> Server Role:           active directory domain controller
> Hostname:              c6dc
> NetBIOS Domain:        OVTEST
> DNS Domain:            ovtest.local
> DOMAIN SID:            S-1-5-21-4186344073-955232896-1764362378
>
>
> [root@c6dc samba-4.0.6]# rndc-confgen -a -r /dev/urandom
> wrote key file "/etc/rndc.key"
>
>
> - tests
> (see also
> http://www.alexwyn.com/computer-tips/centos-samba4-active-directory-domain-controller
> )
>
> [root@c6dc ]# /usr/local/samba/bin/smbclient -L localhost -U%
> Domain=[OVTEST] OS=[Unix] Server=[Samba 4.0.6]
>
> Sharename       Type      Comment
> ---------       ----      -------
> netlogon        Disk
> sysvol          Disk
> IPC$            IPC       IPC Service (Samba 4.0.6)
> Domain=[OVTEST] OS=[Unix] Server=[Samba 4.0.6]
>
> Server               Comment
> ---------            -------
>
> Workgroup            Master
> ---------            -------
>
> [root@c6dc ntp-4.2.6p5]# host -t SRV _ldap._tcp.ovtest.local.
> _ldap._tcp.ovtest.local has SRV record 0 100 389 c6dc.ovtest.local.
>
> [root@c6dc ntp-4.2.6p5]# host -t SRV _kerberos._udp.ovtest.local.
> _kerberos._udp.ovtest.local has SRV record 0 100 88 c6dc.ovtest.local.
>
>
> [root@c6dc ntp-4.2.6p5]# kinit administrator@OVTEST.LOCAL
> Password for administrator@OVTEST.LOCAL:
> Warning: Your password will expire in 41 days on Fri Aug  9 13:30:59 2013
>
> [root@c6dc ntp-4.2.6p5]# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: administrator@OVTEST.LOCAL
>
> Valid starting     Expires            Service principal
> 06/28/13 14:55:11  06/29/13 00:55:11  krbtgt/OVTEST.LOCAL@OVTEST.LOCAL
> renew until 07/05/13 14:55:08
>
> Users' mgmt can be done from windows with Samba AD management tools
> see: http://wiki.samba.org/index.php/Samba_AD_management_from_windows
>
> I managed from linux
> see: http://wiki.samba.org/index.php/Adding_users_with_samba_tool
>
> [root@c6dc ntp-4.2.6p5]# /usr/local/samba/bin/samba-tool user add OVIRTADM
> New Password:
> Retype Password:
> User 'OVIRTADM' created successfully
>
> [root@c6dc ntp-4.2.6p5]# /usr/local/samba/bin/wbinfo --name-to-sid
> OVIRTADM
> S-1-5-21-4186344073-955232896-1764362378-1104 SID_USER (1)
>
> [root@c6dc ntp-4.2.6p5]# /usr/local/samba/bin/wbinfo --sid-to-uid
> S-1-5-21-4186344073-955232896-1764362378-1104
> 3000016
>
> I missed givenName and sn in user creation....
> Unfortunately there is a only proposed patch for an "edit" subcommand
> but is not inside yet.
>
> http://samba.2283325.n4.nabble.com/Patch-for-samba-tool-user-modify-subcommand-td4634884.html
>
> See also:
> https://wiki.samba.org/index.php/Samba4/LDBIntro
>
> To modify users' attributes I used this:
> [root@c6dc ntp-4.2.6p5]# /usr/local/samba/bin/ldbedit -e vi -H
> /usr/local/samba/private/idmap.ldb
> objectsid=S-1-5-21-4186344073-955232896-1764362378-1104
>
> here you enter into a vi session....
>
> # editing 1 records
> # record 1
> dn: CN=S-1-5-21-4186344073-955232896-1764362378-1104
> cn: S-1-5-21-4186344073-955232896-1764362378-1104
> objectClass: sidMap
> objectSid: S-1-5-21-4186344073-955232896-1764362378-1104
> type: ID_TYPE_BOTH
> xidNumber: 3000016
> givenName: oVirt <---- added
> sn: Admin <---- added
> distinguishedName: CN=S-1-5-21-4186344073-955232896-1764362378-1104
>
>
> [root@c6dc ntp-4.2.6p5]# kinit ovirtadm@OVTEST.LOCAL
> Password for ovirtadm@OVTEST.LOCAL:
> Warning: Your password will expire in 41 days on Fri Aug  9 15:05:45 2013
>
> [root@c6dc ntp-4.2.6p5]# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: ovirtadm@OVTEST.LOCAL
>
> Valid starting     Expires            Service principal
> 06/28/13 15:12:30  06/29/13 01:12:30  krbtgt/OVTEST.LOCAL@OVTEST.LOCAL
> renew until 07/05/13 15:12:27
>
>
> Without putting samba4 ip in resolv.conf of engine I got this error
>
> [root@f18engine ~]# engine-manage-domains -action=add
> -domain='OVTEST.LOCAL' -provider=ActiveDirectory -user='ovirtadm'
> -interactive
> No LDAP servers can be obtained for domain ovtest.local
>
> Now
> [root@f18engine ~]# engine-manage-domains -action=add
> -domain='OVTEST.LOCAL' -provider=ActiveDirectory -user='ovirtadm'
> -interactive
> Enter password:
>
> The domain ovtest.local has been added to the engine as an
> authentication source but no users from that domain have been granted
> permissions within the oVirt Manager.
> Users from this domain can be granted permissions from the Web
> administration interface.
> oVirt Engine restart is required in order for the changes to take
> place (service ovirt-engine restart).
> Manage Domains completed successfully
>
> restart engine with
>
> systemctl restart ovirt-engine
>
> Then I added the user to ovirt in webadmin gui:
>
> Configure --> System Permissions --> Add
> Selected ovirtadm and its domain ovtest.local and give him SuperUser role
>
> Tried to successfully connect to Webadmin Gui and create one VM as a test
>
> HIH others.
>
> I'm going to see if this works with VMware too....
>
> Gianluca
> _______________________________________________
> Users mailing list
> Users@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
>
_______________________________________________
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Reply via email to