Excellent, Gianluca, thanks for sharing the information! --Charlie
On Fri, Jun 28, 2013 at 10:19 AM, Gianluca Cecchi <[email protected]> wrote:
> Hello,
> in the past there were some threads related to this subject.
> Today I successfully connected my oVirt 3.2.2 (installed on f18 with
> ovirt-repo) to a CentOS 6 samba4 server.
>
> Basically I followed this nice page for CentOS 6 with the difference
> that I downloaded and compiled the 4.0.6 version of Samba instead of
> 4.0.0:
>
> http://opentodo.net/2013/01/samba4-as-ad-domain-controller-on-centos-6/
>
> One important thing is that I had to put the samba4 server ip in
> resolv.conf as the first one for my engine.
> But in my case this was not a problem because samba4 is then
> configured with the original corporate dns as forwarder, so all is ok
> for me.
>
> Some commands' output
>
> [root@c6dc samba-4.0.6]# /usr/local/samba/bin/samba-tool domain
> provision --realm=ovtest.local --domain=OVTEST --adminpass 'XXXXXXXXX'
> --server-role=dc --dns-backend=BIND9_DLZ
> Looking up IPv4 addresses
> Looking up IPv6 addresses
> No IPv6 address will be assigned
> Setting up secrets.ldb
> Setting up the registry
> Setting up the privileges database
> Setting up idmap db
> Setting up SAM db
> Setting up sam.ldb partitions and settings
> Setting up sam.ldb rootDSE
> Pre-loading the Samba 4 and AD schema
> Adding DomainDN: DC=ovtest,DC=local
> Adding configuration container
> Setting up sam.ldb schema
> Setting up sam.ldb configuration data
> Setting up display specifiers
> Modifying display specifiers
> Adding users container
> Modifying users container
> Adding computers container
> Modifying computers container
> Setting up sam.ldb data
> Setting up well known security principals
> Setting up sam.ldb users and groups
> Setting up self join
> Adding DNS accounts
> Creating CN=MicrosoftDNS,CN=System,DC=ovtest,DC=local
> Creating DomainDnsZones and ForestDnsZones partitions
> Populating DomainDnsZones and ForestDnsZones partitions
> See /usr/local/samba/private/named.conf for an example configuration
> include file for BIND
> and /usr/local/samba/private/named.txt for further documentation
> required for secure DNS updates
> Setting up sam.ldb rootDSE marking as synchronized
> Fixing provision GUIDs
> A Kerberos configuration suitable for Samba 4 has been generated at
> /usr/local/samba/private/krb5.conf
> Once the above files are installed, your Samba4 server will be ready to use
> Server Role: active directory domain controller
> Hostname: c6dc
> NetBIOS Domain: OVTEST
> DNS Domain: ovtest.local
> DOMAIN SID: S-1-5-21-4186344073-955232896-1764362378
>
>
> [root@c6dc samba-4.0.6]# rndc-confgen -a -r /dev/urandom
> wrote key file "/etc/rndc.key"
>
>
> - tests
> (see also
> http://www.alexwyn.com/computer-tips/centos-samba4-active-directory-domain-controller
> )
>
> [root@c6dc ]# /usr/local/samba/bin/smbclient -L localhost -U%
> Domain=[OVTEST] OS=[Unix] Server=[Samba 4.0.6]
>
>         Sharename       Type      Comment
>         ---------       ----      -------
>         netlogon        Disk
>         sysvol          Disk
>         IPC$            IPC       IPC Service (Samba 4.0.6)
> Domain=[OVTEST] OS=[Unix] Server=[Samba 4.0.6]
>
>         Server               Comment
>         ---------            -------
>
>         Workgroup            Master
>         ---------            -------
>
> [root@c6dc ntp-4.2.6p5]# host -t SRV _ldap._tcp.ovtest.local.
> _ldap._tcp.ovtest.local has SRV record 0 100 389 c6dc.ovtest.local.
>
> [root@c6dc ntp-4.2.6p5]# host -t SRV _kerberos._udp.ovtest.local.
> _kerberos._udp.ovtest.local has SRV record 0 100 88 c6dc.ovtest.local.
>
>
> [root@c6dc ntp-4.2.6p5]# kinit [email protected]
> Password for [email protected]:
> Warning: Your password will expire in 41 days on Fri Aug  9 13:30:59 2013
>
> [root@c6dc ntp-4.2.6p5]# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: [email protected]
>
> Valid starting     Expires            Service principal
> 06/28/13 14:55:11  06/29/13 00:55:11  krbtgt/[email protected]
>         renew until 07/05/13 14:55:08
>
> Users' mgmt can be done from windows with Samba AD management tools
> see: http://wiki.samba.org/index.php/Samba_AD_management_from_windows
>
> I managed it from linux
> see: http://wiki.samba.org/index.php/Adding_users_with_samba_tool
>
> [root@c6dc ntp-4.2.6p5]# /usr/local/samba/bin/samba-tool user add OVIRTADM
> New Password:
> Retype Password:
> User 'OVIRTADM' created successfully
>
> [root@c6dc ntp-4.2.6p5]# /usr/local/samba/bin/wbinfo --name-to-sid OVIRTADM
> S-1-5-21-4186344073-955232896-1764362378-1104 SID_USER (1)
>
> [root@c6dc ntp-4.2.6p5]# /usr/local/samba/bin/wbinfo --sid-to-uid S-1-5-21-4186344073-955232896-1764362378-1104
> 3000016
>
> I missed givenName and sn in user creation....
> Unfortunately there is only a proposed patch for an "edit" subcommand
> but it is not in yet.
>
> http://samba.2283325.n4.nabble.com/Patch-for-samba-tool-user-modify-subcommand-td4634884.html
>
> See also:
> https://wiki.samba.org/index.php/Samba4/LDBIntro
>
> To modify users' attributes I used this:
> [root@c6dc ntp-4.2.6p5]# /usr/local/samba/bin/ldbedit -e vi -H /usr/local/samba/private/idmap.ldb objectsid=S-1-5-21-4186344073-955232896-1764362378-1104
>
> here you enter into a vi session....
>
> # editing 1 records
> # record 1
> dn: CN=S-1-5-21-4186344073-955232896-1764362378-1104
> cn: S-1-5-21-4186344073-955232896-1764362378-1104
> objectClass: sidMap
> objectSid: S-1-5-21-4186344073-955232896-1764362378-1104
> type: ID_TYPE_BOTH
> xidNumber: 3000016
> givenName: oVirt   <---- added
> sn: Admin          <---- added
> distinguishedName: CN=S-1-5-21-4186344073-955232896-1764362378-1104
>
>
> [root@c6dc ntp-4.2.6p5]# kinit [email protected]
> Password for [email protected]:
> Warning: Your password will expire in 41 days on Fri Aug  9 15:05:45 2013
>
> [root@c6dc ntp-4.2.6p5]# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: [email protected]
>
> Valid starting     Expires            Service principal
> 06/28/13 15:12:30  06/29/13 01:12:30  krbtgt/[email protected]
>         renew until 07/05/13 15:12:27
>
>
> Without putting the samba4 ip in resolv.conf of the engine I got this error
>
> [root@f18engine ~]# engine-manage-domains -action=add -domain='OVTEST.LOCAL' -provider=ActiveDirectory -user='ovirtadm' -interactive
> No LDAP servers can be obtained for domain ovtest.local
>
> Now
> [root@f18engine ~]# engine-manage-domains -action=add -domain='OVTEST.LOCAL' -provider=ActiveDirectory -user='ovirtadm' -interactive
> Enter password:
>
> The domain ovtest.local has been added to the engine as an
> authentication source but no users from that domain have been granted
> permissions within the oVirt Manager.
> Users from this domain can be granted permissions from the Web
> administration interface.
> oVirt Engine restart is required in order for the changes to take
> place (service ovirt-engine restart).
> Manage Domains completed successfully
>
> restart engine with
>
> systemctl restart ovirt-engine
>
> Then I added the user to ovirt in the webadmin gui:
>
> Configure --> System Permissions --> Add
> Selected ovirtadm and its domain ovtest.local and gave him the SuperUser role
>
> Tried to successfully connect to the Webadmin Gui and created one VM as a test
>
> HIH others.
>
> I'm going to see if this works with VMware too....
>
> Gianluca
> _______________________________________________
> Users mailing list
> [email protected]
> http://lists.ovirt.org/mailman/listinfo/users
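Gianluca's post shows two things the engine host depends on before `engine-manage-domains -action=add` can succeed: the first resolver in its resolv.conf has to be the Samba4 DC (otherwise "No LDAP servers can be obtained for domain ..."), and the `_ldap._tcp` / `_kerberos._udp` SRV records have to resolve. The script below is an added example, not code from the thread or from the oVirt or Samba projects: it turns those checks into a pre-flight script an admin can run on the engine host. The sample resolv.conf text, the 192.0.2.x addresses and the `c6dc2` secondary DC are constructed placeholders; the `host -t SRV` output format is the one quoted in the post.

```shell
#!/bin/sh
# Pre-flight DNS checks for joining an oVirt engine to a Samba4 AD domain.
# Added example (not from the mailing-list post); sample data is constructed.

# Print the first "nameserver" entry of resolv.conf-style text read from stdin.
first_nameserver() {
    awk '$1 == "nameserver" { print $2; exit }'
}

# Parse `host -t SRV` output from stdin and print "target port" per record,
# ordered by priority (ascending) then weight (descending), i.e. the order in
# which a client should try the listed domain controllers.
# Input line shape: <name> has SRV record <prio> <weight> <port> <target>.
srv_targets() {
    awk '/has SRV record/ {
            target = $NF; sub(/\.$/, "", target)      # drop the trailing dot
            printf "%s %s %s %s\n", $(NF-3), $(NF-2), $(NF-1), target
         }' | sort -k1,1n -k2,2nr | awk '{ print $4 " " $3 }'
}

# True when the first resolver (resolv.conf text on stdin) is the DC at $1.
# The post reports the "No LDAP servers can be obtained" failure when it is not.
resolver_is_dc() {
    [ "$(first_nameserver)" = "$1" ]
}

# Live check against a real domain: usage  check_domain ovtest.local 192.0.2.10
# (not exercised by the offline test below; it needs the DC to be reachable).
check_domain() {
    domain=$1; dc_ip=$2
    resolver_is_dc "$dc_ip" < /etc/resolv.conf || {
        echo "first nameserver in /etc/resolv.conf is not the DC ($dc_ip)"; return 1; }
    for svc in _ldap._tcp _kerberos._udp _kerberos._tcp; do
        targets=$(host -t SRV "$svc.$domain." | srv_targets)
        [ -n "$targets" ] || { echo "no SRV record for $svc.$domain"; return 1; }
        echo "$svc.$domain ->"; echo "$targets" | sed 's/^/    /'
    done
    echo "DNS prerequisites for $domain look fine"
}

# Constructed sample input (RFC 5737 documentation addresses).
SAMPLE_RESOLV='search ovtest.local
nameserver 192.0.2.10
nameserver 192.0.2.53'

# Constructed sample output in the format shown in the post, with a second,
# lower-priority DC added to show the ordering.
SAMPLE_SRV='_ldap._tcp.ovtest.local has SRV record 10 100 389 c6dc2.ovtest.local.
_ldap._tcp.ovtest.local has SRV record 0 100 389 c6dc.ovtest.local.'
```

Run it with `sh -c '. ./preflight.sh; check_domain ovtest.local <dc-ip>'` on the engine host before adding the domain; a non-zero exit names the missing prerequisite. The ordering in `srv_targets` matters once there is more than one DC, since the engine will try the lowest-priority record first.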