HOWTO: Forwarding a USB device to a Guest VM in Xen on Fedora

This procedure works with fully virtualized VMs. I would assume it works with paravirtualized VMs as well...

Shut down and power off your VM

Unplug and re-plug your USB device to see what it appears as in dmesg, then run:
    dmesg | grep ^usb

Look for lines like these:
    usb 3-2: USB disconnect, address 7
    usb 3-2: new low speed USB device using uhci_hcd and address 8
    usb 3-2: configuration #1 chosen from 1 choice

This indicates that it is connected to Bus 003 (the "3" in "usb 3-2") as Device 008 (the newly assigned address 8). Now run this:
    lsusb

Now look for the device at Bus 003 Device 008:
    Bus 003 Device 008: ID 04b9:0300 Rainbow Technologies, Inc.

Note the ID...
    04b9:0300

Open the config.sxp file for the domain, usually located at:
    "/var/lib/xend/domains//config.sxp"

Look for a section similar to this:

    (platform
        ((usb 1)
            (device_model /usr/lib64/xen/bin/qemu-dm)
            (boot c)
            (rtc_timeoffset -18008)
            (pae 1)
            (apic 1)
            (localtime 1)
            (acpi 1)
        )
    )
   
Add your USB device:

    (platform
        ((usb 1)
            (device_model /usr/lib64/xen/bin/qemu-dm)
            (boot c)
            (rtc_timeoffset -18008)
            (pae 1)
            (apic 1)
            (localtime 1)
            (acpi 1)
            (usbdevice host:04b9:0300)
        )
    )

Restart xend:
    /etc/init.d/xend restart

Start your VM

Why "root" isn't a Domain Admin on Fedora w/smbldap-tools

For about 2 years now at work, our "root" (aka, Administrator) account hasn't been showing up as being part of the "Domain Admins" group within Windows, or when running "id root" or "net rpc user info root". It used to, but for whatever unknown reason, stopped working.

The root account in our LDAP directory was, admittedly, messed up. However, it worked on our local servers, which were talking with our PDC directly. It just didn't work on our remote BDC-connected systems.

Back around this time, I'm pretty sure we made a change to our enterprise-wide /etc/ldap.conf config: we added "root" to the nss_initgroups_ignoreusers list. The effect is that the local auth mechanisms only use the local files (passwd and group) for users in this list, skipping LDAP checks. Therefore root will never get the "Domain Admins" group membership in this configuration.

Now, the question is, is this normal, or am I missing something? I really don't care at this point. The workaround for me is to simply create an admin user that gets treated as THE admin account. The alternative is to remove root from the ignore list. However, I would suggest against this as it could create startup and login delays if the LDAP database doesn't start for any reason.
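
A check for the situation described above, as an added example that is not part of the original post: it lists the accounts named on nss_initgroups_ignoreusers in an nss_ldap config and flags any account that is expected to receive directory groups such as "Domain Admins". The function names and the sample config are constructed for illustration; treating several option lines as a union and matching the key case-insensitively are assumptions made to keep the audit conservative.

```shell
#!/bin/sh
# Added example: find accounts whose LDAP group lookup is skipped.
# ignored_users FILE: print one user per line from every active
# nss_initgroups_ignoreusers line (assumption: multiple lines are unioned).
ignored_users() {
    awk '
        { sub(/#.*/, "") }                    # drop comments
        tolower($1) == "nss_initgroups_ignoreusers" {
            $1 = ""                           # keep only the value part
            n = split($0, u, /[ \t,]+/)       # users are comma separated
            for (i = 1; i <= n; i++) if (u[i] != "") print u[i]
        }
    ' "$1" | sort -u
}

# check_admins FILE USER...: print each USER found on the ignore list.
# Returns 1 if at least one was found, 0 if none were.
check_admins() {
    conf=$1; shift
    list=$(ignored_users "$conf")
    hit=0
    for user in "$@"; do
        if printf '%s\n' "$list" | grep -Fxq -- "$user"; then
            echo "$user: LDAP groups skipped (nss_initgroups_ignoreusers)"
            hit=1
        fi
    done
    return "$hit"
}

# Constructed sample config, not a real site's /etc/ldap.conf.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
# constructed sample
base dc=example,dc=com
#nss_initgroups_ignoreusers olduser
nss_initgroups_ignoreusers root,ldap,named
EOF

# "admin" stands in for the dedicated admin account used as the workaround.
check_admins "$sample" root admin || true
```

On a live host, pass /etc/ldap.conf as the file and compare the result with what "id root" reports.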

Hope this helped somebody. I struggled with it and searched for a solution long enough that I figure it merits a quick post.