Hello everybody,

Thanks Gianluca for sharing your experience. I have now installed and configured Samba 4.0.6 over the Debian 7 Stable distro and I'm in the step of importing all my users from my production OpenLDAP + Samba 3 server to this new server, which is now working. After that I want to join it to my oVirt engine. I will share my experience too when I have the system all working.

Thanks again,
Juanjo.

On Fri, Jun 28, 2013 at 4:44 PM, Charlie <[email protected]> wrote:
> Excellent, Gianluca, thanks for sharing the information!
> --Charlie
>
>
> On Fri, Jun 28, 2013 at 10:19 AM, Gianluca Cecchi <[email protected]> wrote:
>
>> Hello,
>> in the past there were some threads related to this subject.
>> Today I successfully connected my oVirt 3.2.2 (installed on f18 with ovirt-repo) to a CentOS 6 samba4 server.
>>
>> Basically I followed this nice page for CentOS 6, with the difference that I downloaded and compiled the 4.0.6 version of Samba instead of 4.0.0:
>>
>> http://opentodo.net/2013/01/samba4-as-ad-domain-controller-on-centos-6/
>>
>> One important thing is that I had to put the samba4 server IP in resolv.conf as the first entry for my engine.
>> But in my case this was not a problem because samba4 is then configured with the original corporate DNS as forwarder, so all is ok for me.
>>
>> Some commands' output:
>>
>> [root@c6dc samba-4.0.6]# /usr/local/samba/bin/samba-tool domain provision --realm=ovtest.local --domain=OVTEST --adminpass 'XXXXXXXXX' --server-role=dc --dns-backend=BIND9_DLZ
>> Looking up IPv4 addresses
>> Looking up IPv6 addresses
>> No IPv6 address will be assigned
>> Setting up secrets.ldb
>> Setting up the registry
>> Setting up the privileges database
>> Setting up idmap db
>> Setting up SAM db
>> Setting up sam.ldb partitions and settings
>> Setting up sam.ldb rootDSE
>> Pre-loading the Samba 4 and AD schema
>> Adding DomainDN: DC=ovtest,DC=local
>> Adding configuration container
>> Setting up sam.ldb schema
>> Setting up sam.ldb configuration data
>> Setting up display specifiers
>> Modifying display specifiers
>> Adding users container
>> Modifying users container
>> Adding computers container
>> Modifying computers container
>> Setting up sam.ldb data
>> Setting up well known security principals
>> Setting up sam.ldb users and groups
>> Setting up self join
>> Adding DNS accounts
>> Creating CN=MicrosoftDNS,CN=System,DC=ovtest,DC=local
>> Creating DomainDnsZones and ForestDnsZones partitions
>> Populating DomainDnsZones and ForestDnsZones partitions
>> See /usr/local/samba/private/named.conf for an example configuration include file for BIND
>> and /usr/local/samba/private/named.txt for further documentation required for secure DNS updates
>> Setting up sam.ldb rootDSE marking as synchronized
>> Fixing provision GUIDs
>> A Kerberos configuration suitable for Samba 4 has been generated at /usr/local/samba/private/krb5.conf
>> Once the above files are installed, your Samba4 server will be ready to use
>> Server Role: active directory domain controller
>> Hostname: c6dc
>> NetBIOS Domain: OVTEST
>> DNS Domain: ovtest.local
>> DOMAIN SID: S-1-5-21-4186344073-955232896-1764362378
>>
>>
>> [root@c6dc samba-4.0.6]# rndc-confgen -a -r /dev/urandom
>> wrote key file "/etc/rndc.key"
>>
>>
>> - tests
>> (see also http://www.alexwyn.com/computer-tips/centos-samba4-active-directory-domain-controller )
>>
>> [root@c6dc ]# /usr/local/samba/bin/smbclient -L localhost -U%
>> Domain=[OVTEST] OS=[Unix] Server=[Samba 4.0.6]
>>
>>         Sharename       Type      Comment
>>         ---------       ----      -------
>>         netlogon        Disk
>>         sysvol          Disk
>>         IPC$            IPC       IPC Service (Samba 4.0.6)
>> Domain=[OVTEST] OS=[Unix] Server=[Samba 4.0.6]
>>
>>         Server               Comment
>>         ---------            -------
>>
>>         Workgroup            Master
>>         ---------            -------
>>
>> [root@c6dc ntp-4.2.6p5]# host -t SRV _ldap._tcp.ovtest.local.
>> _ldap._tcp.ovtest.local has SRV record 0 100 389 c6dc.ovtest.local.
>>
>> [root@c6dc ntp-4.2.6p5]# host -t SRV _kerberos._udp.ovtest.local.
>> _kerberos._udp.ovtest.local has SRV record 0 100 88 c6dc.ovtest.local.
>>
>>
>> [root@c6dc ntp-4.2.6p5]# kinit [email protected]
>> Password for [email protected]:
>> Warning: Your password will expire in 41 days on Fri Aug 9 13:30:59 2013
>>
>> [root@c6dc ntp-4.2.6p5]# klist
>> Ticket cache: FILE:/tmp/krb5cc_0
>> Default principal: [email protected]
>>
>> Valid starting     Expires            Service principal
>> 06/28/13 14:55:11  06/29/13 00:55:11  krbtgt/[email protected]
>>         renew until 07/05/13 14:55:08
>>
>> Users' mgmt can be done from windows with Samba AD management tools
>> see: http://wiki.samba.org/index.php/Samba_AD_management_from_windows
>>
>> I managed from linux
>> see: http://wiki.samba.org/index.php/Adding_users_with_samba_tool
>>
>> [root@c6dc ntp-4.2.6p5]# /usr/local/samba/bin/samba-tool user add OVIRTADM
>> New Password:
>> Retype Password:
>> User 'OVIRTADM' created successfully
>>
>> [root@c6dc ntp-4.2.6p5]# /usr/local/samba/bin/wbinfo --name-to-sid OVIRTADM
>> S-1-5-21-4186344073-955232896-1764362378-1104 SID_USER (1)
>>
>> [root@c6dc ntp-4.2.6p5]# /usr/local/samba/bin/wbinfo --sid-to-uid S-1-5-21-4186344073-955232896-1764362378-1104
>> 3000016
>>
>> I missed givenName and sn in user creation....
>> Unfortunately there is only a proposed patch for an "edit" subcommand, but it is not inside yet.
>>
>> http://samba.2283325.n4.nabble.com/Patch-for-samba-tool-user-modify-subcommand-td4634884.html
>>
>> See also:
>> https://wiki.samba.org/index.php/Samba4/LDBIntro
>>
>> To modify users' attributes I used this:
>> [root@c6dc ntp-4.2.6p5]# /usr/local/samba/bin/ldbedit -e vi -H /usr/local/samba/private/idmap.ldb objectsid=S-1-5-21-4186344073-955232896-1764362378-1104
>>
>> here you enter into a vi session....
>>
>> # editing 1 records
>> # record 1
>> dn: CN=S-1-5-21-4186344073-955232896-1764362378-1104
>> cn: S-1-5-21-4186344073-955232896-1764362378-1104
>> objectClass: sidMap
>> objectSid: S-1-5-21-4186344073-955232896-1764362378-1104
>> type: ID_TYPE_BOTH
>> xidNumber: 3000016
>> givenName: oVirt    <---- added
>> sn: Admin    <---- added
>> distinguishedName: CN=S-1-5-21-4186344073-955232896-1764362378-1104
>>
>>
>> [root@c6dc ntp-4.2.6p5]# kinit [email protected]
>> Password for [email protected]:
>> Warning: Your password will expire in 41 days on Fri Aug 9 15:05:45 2013
>>
>> [root@c6dc ntp-4.2.6p5]# klist
>> Ticket cache: FILE:/tmp/krb5cc_0
>> Default principal: [email protected]
>>
>> Valid starting     Expires            Service principal
>> 06/28/13 15:12:30  06/29/13 01:12:30  krbtgt/[email protected]
>>         renew until 07/05/13 15:12:27
>>
>>
>> Without putting the samba4 IP in resolv.conf of the engine I got this error:
>>
>> [root@f18engine ~]# engine-manage-domains -action=add -domain='OVTEST.LOCAL' -provider=ActiveDirectory -user='ovirtadm' -interactive
>> No LDAP servers can be obtained for domain ovtest.local
>>
>> Now
>> [root@f18engine ~]# engine-manage-domains -action=add -domain='OVTEST.LOCAL' -provider=ActiveDirectory -user='ovirtadm' -interactive
>> Enter password:
>>
>> The domain ovtest.local has been added to the engine as an authentication source but no users from that domain have been granted permissions within the oVirt Manager.
>> Users from this domain can be granted permissions from the Web administration interface.
>> oVirt Engine restart is required in order for the changes to take place (service ovirt-engine restart).
>> Manage Domains completed successfully
>>
>> restart engine with
>>
>> systemctl restart ovirt-engine
>>
>> Then I added the user to ovirt in the webadmin gui:
>>
>> Configure --> System Permissions --> Add
>> Selected ovirtadm and its domain ovtest.local and gave him the SuperUser role
>>
>> Tried to successfully connect to the Webadmin Gui and create one VM as a test
>>
>> HIH others.
>>
>> I'm going to see if this works with VMware too....
>>
>> Gianluca
>> _______________________________________________
>> Users mailing list
>> [email protected]
>> http://lists.ovirt.org/mailman/listinfo/users
>>
>
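The two places where Gianluca's procedure can silently go wrong are both on the engine side: the Samba 4 DC must be the first nameserver in the engine's resolv.conf, and the _ldap._tcp / _kerberos._udp SRV records for the realm must actually resolve, otherwise engine-manage-domains stops with "No LDAP servers can be obtained". The following POSIX shell preflight script is an added example written for this page; it is not part of the thread, of oVirt, or of Samba. The parsing helpers take text as input so they can be exercised offline on constructed samples (the 192.0.2.x addresses are documentation addresses, not from the thread); the `preflight` function runs the same checks live on the engine host using `/etc/resolv.conf` and the `host` utility, which the thread itself uses.

```shell
#!/bin/sh
# Added example (not from the thread): pre-join checks for an oVirt engine
# host against a Samba 4 AD DC. Helpers parse text so they can be tested
# offline; preflight() wires them to the live system.

# first_nameserver RESOLV_CONF_TEXT -> prints the first "nameserver" address
first_nameserver() {
    printf '%s\n' "$1" | awk '$1 == "nameserver" { print $2; exit }'
}

# srv_target HOST_OUTPUT -> prints "target port" from a `host -t SRV` answer
# line such as "_ldap._tcp.ovtest.local has SRV record 0 100 389 c6dc.ovtest.local."
# Prints nothing when the answer carries no SRV record (NXDOMAIN, "has no SRV record").
srv_target() {
    printf '%s\n' "$1" | awk '/has SRV record/ { sub(/\.$/, "", $NF); print $NF, $(NF-1); exit }'
}

# dc_is_first_resolver DC_IP RESOLV_CONF_TEXT -> true when DC_IP is the first nameserver
dc_is_first_resolver() {
    [ "$(first_nameserver "$2")" = "$1" ]
}

# preflight REALM DC_IP: live checks on this host. Returns non-zero if any check fails.
# Example: preflight ovtest.local 192.0.2.10   (constructed DC address)
preflight() {
    realm=$1
    dc_ip=$2
    rc=0
    resolv=$(cat /etc/resolv.conf)
    if dc_is_first_resolver "$dc_ip" "$resolv"; then
        echo "ok: $dc_ip is the first nameserver"
    else
        echo "FAIL: first nameserver is '$(first_nameserver "$resolv")', expected $dc_ip"
        rc=1
    fi
    # The two SRV records the thread verifies with host(1); both must point at the DC.
    for rec in _ldap._tcp _kerberos._udp; do
        answer=$(host -t SRV "$rec.$realm." 2>&1)
        target=$(srv_target "$answer")
        if [ -n "$target" ]; then
            echo "ok: $rec.$realm -> $target"
        else
            echo "FAIL: no SRV record for $rec.$realm ($answer)"
            rc=1
        fi
    done
    return $rc
}
```

Run `preflight ovtest.local <dc-ip>` on the engine host before `engine-manage-domains -action=add`; a FAIL on the nameserver check is exactly the situation that produced "No LDAP servers can be obtained for domain ovtest.local" in the thread, and a FAIL on an SRV record means the DC's BIND9_DLZ zone is not being served to the engine.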

