http://communities.vmware.com/community/vmtn/vi/esx3.5?view=discussions Most recent forum messages en Tue, 12 May 2009 18:00:43 GMT Clearspace 1.10.12 (http://jivesoftware.com/products/clearspace/) 2009-05-12T18:00:43Z en http://communities.vmware.com/message/1249863?tstart=0#1249863 Thanks a lot for your answer <img src="!" alt="!" class="jive-image" /><br /> <br /> This explains a lot. I've inherited the --enablekrb5 command, and could not explain what this could add to the --enablead command.<br /> It only gave us errors and account lockouts.<br /> <br /> Now I can explain why to let it out.<br /> <br /> Thanks and kind regards,<br /> <br /> Harold Tue, 12 May 2009 18:00:43 GMT hharold http://communities.vmware.com/message/1249863?tstart=0#1249863 2009-05-12T18:00:43Z 6 months, 2 weeks ago http://communities.vmware.com/message/1249854?tstart=0#1249854 enablekrb5 is not required. The enablead will setup your kerberos configuration to talk to ad. the krb5 option is to be used when you're using a KDC that is not active directory. Also, when you create an account on the ESX side, it is pretty much an account with no password. At least no password from the UNIX shadow file perspective. The authentication works by checking the local files for the username (since ad is not being used for the user db, only authentication), then checking the password against local files, which have no password, so failure there, and then continuing to ad through kerberos, for a successful check. If you are trying to create an account with a password on the ESX system, then that is the problem. You don't need to set that, in fact, that needs to be no password, so without ad, the user can not effectively log into the system through ssh or console.<br /> <p /> <p /> -KjB<br /> VMware vExpert Tue, 12 May 2009 17:46:28 GMT kjb007 http://communities.vmware.com/message/1249854?tstart=0#1249854 2009-05-12T17:46:28Z 6 months, 2 weeks ago 1 http://communities.vmware.com/message/1249248?tstart=0#1249248 Hi all,<br /> <p /> We are setting up AD integration for SSH accounts on ESX 3.5 U3.<br /> <br /> <b>esxcfg-auth --enablead</b> works just fine: <br /> <i>esxcfg-auth --enablead --addomain=our.domain.com --addc=our.domain.com</i><br /> <br /> For some reason there was already an extra line in the configuration script: <b>esxcfg-auth --enablekrb5</b><br /> <i>esxcfg-auth --enablekrb5 --krb5realm=our.domain.com --krb5kdc=our.domain.com --krb5adminserver=our.domain.com</i><br /> <br /> As soon as this last command is entered things go wrong.<br /> When adding a local account with this powershell command, we get this error:<br /> <br /> <i>New-VMHostAccount : 5/12/2009 10:17:11 AM New-VMHostAccount 52976ebb-2d24</i><br /> <i>-f493-9aa3-bca7894ef581 A general system error occurred: passwd: Authenticat</i><br /> <i>ion token manipulation error</i><br /> <br /> The local account is actually created, but the Active Directory equivalent gets locked out, after several of these events:<br /> <br /> <i>Pre-authentication failed</i><br /> <i>User Name: TEST-USER</i><br /> <i>User ID: DOMAIN\TEST-USER</i><br /> <i>Service Name: kadmin/changepw</i><br /> <i>Pre-Authentication Type: 0x0</i><br /> <i>Failure Code: 0x19</i><br /> <i>Client Address: 10.10.120.16</i><br /> <p /> Now I have two questions for you:<br /> 1. Does any one how to solve the lock-out problem<br /> 2. Is <b>--enablekrb5</b> necessary? What does it gives me extra besides the <b>--enablead</b><br /> <p /> Thanks for your help!<br /> <br /> Regards,<br /> <br /> Harold Tue, 12 May 2009 08:45:57 GMT hharold http://communities.vmware.com/message/1249248?tstart=0#1249248 2009-05-12T08:45:57Z 6 months, 2 weeks ago 2