VMware

This Question is Answered

2 "helpful" answers available (6 pts)
2 Replies Last post: May 12, 2009 11:00 AM by hharold  

ESX - Active Directory Integration: Kerberos? posted: May 12, 2009 1:45 AM

Click to view hharold's profile Hot Shot
hharold
149 posts since
Oct 18, 2004
Hi all,

We are setting up AD integration for SSH accounts on ESX 3.5 U3.

esxcfg-auth --enablead works just fine:
esxcfg-auth --enablead --addomain=our.domain.com --addc=our.domain.com

For some reason there was already an extra line in the configuration script: esxcfg-auth --enablekrb5
esxcfg-auth --enablekrb5 --krb5realm=our.domain.com --krb5kdc=our.domain.com --krb5adminserver=our.domain.com

As soon as this last command is entered things go wrong.
When adding a local account with this powershell command, we get this error:

New-VMHostAccount : 5/12/2009 10:17:11 AM New-VMHostAccount 52976ebb-2d24
-f493-9aa3-bca7894ef581 A general system error occurred: passwd: Authenticat
ion token manipulation error

The local account is actually created, but the Active Directory equivalent gets locked out, after several of these events:

Pre-authentication failed
User Name: TEST-USER
User ID: DOMAIN\TEST-USER
Service Name: kadmin/changepw
Pre-Authentication Type: 0x0
Failure Code: 0x19
Client Address: 10.10.120.16

Now I have two questions for you:
1. Does any one how to solve the lock-out problem
2. Is --enablekrb5 necessary? What does it gives me extra besides the --enablead

Thanks for your help!

Regards,

Harold

Re: ESX - Active Directory Integration: Kerberos?

1. May 12, 2009 10:46 AM in response to: hharold
Click to view kjb007's profile Guru
kjb007
5,486 posts since
Sep 18, 2006
enablekrb5 is not required. The enablead will setup your kerberos configuration to talk to ad. the krb5 option is to be used when you're using a KDC that is not active directory. Also, when you create an account on the ESX side, it is pretty much an account with no password. At least no password from the UNIX shadow file perspective. The authentication works by checking the local files for the username (since ad is not being used for the user db, only authentication), then checking the password against local files, which have no password, so failure there, and then continuing to ad through kerberos, for a successful check. If you are trying to create an account with a password on the ESX system, then that is the problem. You don't need to set that, in fact, that needs to be no password, so without ad, the user can not effectively log into the system through ssh or console.

-KjB
VMware vExpert

Re: ESX - Active Directory Integration: Kerberos?

2. May 12, 2009 11:00 AM in response to: kjb007
Click to view hharold's profile Hot Shot
hharold
149 posts since
Oct 18, 2004
Thanks a lot for your answer !

This explains a lot. I've inherited the --enablekrb5 command, and could not explain what this could add to the --enablead command.
It only gave us errors and account lockouts.

Now I can explain why to let it out.

Thanks and kind regards,

Harold

Actions

VMware Developer

SDKs, APIs, Videos, Learn and much more in the Developer community.

Learn More

Developer Sample Code

Increase your developer productivity with VMware API sample code.

Learn More

VMworld Sessions & Labs

Online access to the latest VMworld Sessions & Labs and online services.

Learn more

Purchase PSO Credits Online

Purchase credits to redeem training and consulting services online.

Buy Now

Community Hardware Software

View reported configurations or report your own.

Learn More

VMware vSphere

Come witness the next giant leap in virtualization.

Register Today

Communities