<div dir="ltr">Hey Stackers,<div><br></div><div> I'm wondering here... Samba4 is pretty solid (up coming 4.2 rocks), I'm using it on a daily basis as an AD DC controller, for both Windows and Linux Instances! With replication, file system ACLs - cifs, built-in LDAP, dynamic DNS with Bind9 as a backend (no netbios) and etc... Pretty cool!</div>
<div><br></div><div> In OpenStack ecosystem, there are awesome solutions like Trove, Solum, Designate and etc... Amazing times BTW! So, why not try to integrate Samba4, working as an AD DC, within OpenStack itself?!</div>
<div><br></div><div> If yes, then, what is the best way/approach to achieve this?!</div><div><br></div><div> I mean, for SQL, we have Trove, for iSCSI, Cinder, Nova uses Libvirt... Don't you guys think that it is time to have an OpenStack project for LDAP too? And since Samba4 come with it, plus DNS, AD, Kerberos and etc, I think that it will be huge if we manage to integrate it with OpenStack.</div>
<div><br></div><div> I think that it would be nice to have, for example: domains, users and groups management at Horizon, and each tenant with its own "Administrator" (not the Keystone "global" admin) (to mange its Samba4 domains), so, they will be able to fully manage its own account, while allowing Keystone to authenticate against these users...</div>
<div><br></div><div> Also, maybe Designate can have support for it too! I don't know for sure...</div><div><br></div><div> Today, I'm doing this "Samba integration" manually, I have an "external" Samba4, from OpenStack's point of view, then, each tenant/project, have its own DNS domains, when a instance boots up, I just need to do something like this (bootstrap):</div>
<div><br></div><div>--</div><div>echo "127.0.1.1 <a href="http://instance-1.tenant-1.domain-1.com">instance-1.tenant-1.domain-1.com</a> instance-1" >> /etc/hosts</div><div>net ads join -U administrator</div>
<div>--</div><div><br></div><div> To make this work, the instance just needs to use Samba4 AD DC as its Name Servers, configured at its /etc/resolv.conf, "delivered by DHCP Agent". The packages `samba-common-bin` and `krb5-user` are also required. Including a ready to use smb.conf file.</div>
<div><br></div><div> Then, "ping <a href="http://instance-1.tenant-1.domain-1.com">instance-1.tenant-1.domain-1.com</a>" worldwide! It works for both IPv4 and IPv6!!</div><div><br></div><div> Also, Samba4 works okay with <a href="http://technet.microsoft.com/en-us/library/cc731929(v=ws.10).aspx">Disjoint Namespaces</a>, so, each tenant can have one or more domains and subdomains! Like "*.<a href="http://realm.domain.com">realm.domain.com</a>, *.<a href="http://domain.com">domain.com</a>, *.<a href="http://cloud-net-1.domain.com">cloud-net-1.domain.com</a>, *.domain2.com... All dynamic managed by Samba4 and Bind9!</div>
<div><br></div><div> What about that?!</div><div><br></div><div>Cheers!</div><div>Thiago</div></div>