VMware Communities: Message List - VIClient cannot access ESX 3.0.2 box using AD credenitals.

Re: VIClient cannot access ESX 3.0.2 box using AD credenitals.

sbeaver — Tue, 28 Aug 2007 20:47:21 GMT

The file in question is the authorization.xml which has the users that the VIclient will use to connect. This list of users is different then the ones used for ssh

Re: VIClient cannot access ESX 3.0.2 box using AD credenitals.

hicksj — Tue, 28 Aug 2007 20:07:28 GMT

Super!

Good to know. Thanks.

Re: VIClient cannot access ESX 3.0.2 box using AD credenitals.

TheBigQ — Tue, 28 Aug 2007 20:06:48 GMT

As per my previous post - I can add my AD user in VIClient as an admin under the permissions tab and then it works.

Re: VIClient cannot access ESX 3.0.2 box using AD credenitals.

TheBigQ — Tue, 28 Aug 2007 20:05:48 GMT

Ok, got it! Using this link:

http://blog.baeke.info/blog/_archives/2006/10/13/2414173.html

If I go into the "permissions" tab in the VIClient, add my AD account as an administrator then it works.

Thanks for the amazingly quick responses though.

Re: VIClient cannot access ESX 3.0.2 box using AD credenitals.

hicksj — Tue, 28 Aug 2007 20:00:46 GMT

Check out the posting here:

http://www.vmware.com/community/thread.jspa?messageID=635376&#635376

This provides pam changes that appear to work. Note: I've not tested them, so cannot verify whether it works or possibly compromises security.

Message was edited by:
hicksj
Followup note: Those are legacy settings, similar to what I did in ESX 2.5. They may work, but there is probably a better way.

Re: VIClient cannot access ESX 3.0.2 box using AD credenitals.

TheBigQ — Tue, 28 Aug 2007 19:54:54 GMT

Ah, you are right. I had used "useradd" to add the user - whilst the VIClient still doesn't work, SSH access does.

I'll take a look at that file now.

Re: VIClient cannot access ESX 3.0.2 box using AD credenitals.

hicksj — Tue, 28 Aug 2007 19:52:07 GMT

That will setup access for SSH sessions, but doesn't authorize the user to access the host via the VIC.

I used to have this setup so I could access the MUI in ESX2.5 using AD credentials. The pam setup in ESX3 is different, and I've not had reason to provide this capability in ESX3, so haven't investigated further. There's probably a small change that needs to be applied to /etc/pam.d/vmware-authd

Re: VIClient cannot access ESX 3.0.2 box using AD credenitals.

cemetric — Tue, 28 Aug 2007 19:49:53 GMT

You need to create a corresponding user with useradd apparently ...

Quote resource:

For every user that you want to enable access through authentication to
Active Directory, you must also create a corresponding user on the ESX Server system using the useradd command.

/Quote

That to me sounds like you need to create the user locally on ESX and on AD.

Haven't played with it yet though ...

C.

VIClient cannot access ESX 3.0.2 box using AD credenitals.

TheBigQ — Tue, 28 Aug 2007 19:39:38 GMT

Hey all,

Using this guide:

http://www.vmware.com/vmtn/resources/582

I've got my ESX box to auth users against AD. The problem is, when I try to logon with the VI Client I get "Error Connecting - Permission to perform this operation was denied.". If I enter the wrong password, it says "login failed due to a bad username or password." so it seems able to work out who I am.

If I pick a user who I've not run "useradd" for I just got the "login failed" message again.

In the server messages I get:

Aug 28 15:37:48 server vmware-authd(pam_unix)[1842]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=myaccount
Aug 28 15:37:49 server vmware-hostd[1842]: pam_krb5: authentication succeeds for `myaccount
Aug 28 15:37:49 server vmware-hostd[1842]: Accepted password for user myaccount from 1.2.3.4

Any ideas what else I need to do? NTP is running so the time is sync'd.

I tried adding the user account to the root group, but it still didn't work. I've seen other posts talk about adding it to the administrators/manager group but I know how as they don't seem to exist. Am I missing something?

Thanks!