Open Stack

Hi Thiago,

Like for the Windows case, where we have Heat templates for AD DC and other MSFT related workloads (Exchange, SQL Server, SharePoint, etc) [1], the best place in OpenStack for Samba 4 DC is a dedicated Heat template.

Heat is the de facto workload orchestration standard for OpenStack, so I'd definitely start from there.

Said that, Keystone has AD support via LDAP. It'd be great to see some documentation for using a Samba 4 DC in place of a Windows DC.

Another area of interaction for Samba 4 is Cinder: we have code under review for exporting volumes over SMB, useful for Hyper-V compute nodes and other scenarios. [2]

Talking about Nova, in large deployments using Hyper-V compute nodes it's common to manage credentials with domain membership, quite useful for live migration in particular. I'd like to document the usage of a Samba 4 AD DC in this context, although the last time I tried I had issues with Kerberos delegation, required for live migration. Quite some time passed, so it's definitely worth giving it another try.

Slightly outside of the OpenStack territory (but still correlated to it) I'd consider also Ubuntu Juju for the fact that it's possible to create relationships based on a Samba 4 DC charm and any other charm that needs domain membership. We have charms for Windows AD, it'd be great to add a Samba 4 as an alternative.

Thanks,

Alessandro

[1] https://github.com/cloudbase/windows-heat-templates

[2] https://blueprints.launchpad.net/cinder/+spec/smbfs-volume-driver

On 16.08.2014, at 22:12, "Martinx - ジェームズ" <thiagocmartinsc at gmail.com<mailto:thiagocmartinsc at gmail.com>> wrote:

Hey Stackers,

 I'm wondering here... Samba4 is pretty solid (up coming 4.2 rocks), I'm using it on a daily basis as an AD DC controller, for both Windows and Linux Instances! With replication, file system ACLs - cifs, built-in LDAP, dynamic DNS with Bind9 as a backend (no netbios) and etc... Pretty cool!

 In OpenStack ecosystem, there are awesome solutions like Trove, Solum, Designate and etc... Amazing times BTW! So, why not try to integrate Samba4, working as an AD DC, within OpenStack itself?!

 If yes, then, what is the best way/approach to achieve this?!

 I mean, for SQL, we have Trove, for iSCSI, Cinder, Nova uses Libvirt... Don't you guys think that it is time to have an OpenStack project for LDAP too? And since Samba4 come with it, plus DNS, AD, Kerberos and etc, I think that it will be huge if we manage to integrate it with OpenStack.

 I think that it would be nice to have, for example: domains, users and groups management at Horizon, and each tenant with its own "Administrator" (not the Keystone "global" admin) (to mange its Samba4 domains), so, they will be able to fully manage its own account, while allowing Keystone to authenticate against these users...

 Also, maybe Designate can have support for it too! I don't know for sure...

 Today, I'm doing this "Samba integration" manually, I have an "external" Samba4, from OpenStack's point of view, then, each tenant/project, have its own DNS domains, when a instance boots up, I just need to do something like this (bootstrap):

--
echo "127.0.1.1 instance-1.tenant-1.domain-1.com<http://instance-1.tenant-1.domain-1.com> instance-1" >> /etc/hosts
net ads join -U administrator
--

 To make this work, the instance just needs to use Samba4 AD DC as its Name Servers, configured at its /etc/resolv.conf, "delivered by DHCP Agent". The packages `samba-common-bin` and `krb5-user` are also required. Including a ready to use smb.conf file.

 Then, "ping instance-1.tenant-1.domain-1.com<http://instance-1.tenant-1.domain-1.com>" worldwide! It works for both IPv4 and IPv6!!

 Also, Samba4 works okay with Disjoint Namespaces<http://technet.microsoft.com/en-us/library/cc731929(v=ws.10).aspx>, so, each tenant can have one or more domains and subdomains! Like "*.realm.domain.com<http://realm.domain.com>, *.domain.com<http://domain.com>, *.cloud-net-1.domain.com<http://cloud-net-1.domain.com>, *.domain2.com<http://domain2.com>... All dynamic managed by Samba4 and Bind9!

 What about that?!

Cheers!
Thiago
_______________________________________________
OpenStack-dev mailing list
OpenStack-dev at lists.openstack.org<mailto:OpenStack-dev at lists.openstack.org>
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20140818/45d1264d/attachment.html>