3,946 Views 22 Replies Last post: Nov 16, 2010 6:45 AM by Ultramar
kseniuk1 Novice 5 posts since
Sep 1, 2010

Sep 23, 2010 1:26 PM

ESX4.1 SSH access for Active Directory User.

I upgraded one of my test servers from 4.0 update 2 to ESX 4.1. I am trying to figure out how to configure SSH access for my Active Directory account. I have joined the host to Active Directory and granted my AD account administrator permissions on the host. If I try and ssh to the host with my AD account I am getting access denied. I can connect via the vSphere Client with my AD account successfully. SSH works with a local account on the ESX4.1 server. I tried both with just my username at the SSH login as well as domain\username. Using domain\username actually hangs the host and I have to do a hard reset to get it back.

Anyone get this to work?

With 4.0 update 2 I used esxcfg-auth --enablead and then created a user with no password on the host. That command no longer exists on 4.1 though.

chadwickking Expert 436 posts since
May 3, 2010
1. Sep 23, 2010 6:48 PM in response to: kseniuk1
Re: ESX4.1 SSH access for Active Directory User.

Maybe this will help:

http://www.virtualizetips.com/2010/07/configure-vmware-esxi-4-1-for-active-directory-integration/

and this was interesting as well:

http://www.vladan.fr/ad-integration-for-esxi-4-1/

It helped me.

Cheers,

Chad King

VCP-410 | Server+

Twitter: http://twitter.com/cwjking

If you find this or any other answer useful please consider awarding points by marking the answer correct or helpful

chadwickking Expert 436 posts since
May 3, 2010
3. Sep 23, 2010 7:50 PM in response to: kseniuk1
Re: ESX4.1 SSH access for Active Directory User.

You also have to create an esx admins group; did you do that as well? This one is for ESX.

http://ict-freak.nl/2010/09/12/how-to-configure-vsphere-4-1-active-directory-authentication/

I am curious about the error, though. I will do more research for you on that.

Found some interesting hits here as well... when doing upgrades in particular.

http://communities.vmware.com/thread/275973?start=15&tstart=0

chadwickking Expert 436 posts since
May 3, 2010
5. Sep 24, 2010 9:22 AM in response to: kseniuk1
Re: ESX4.1 SSH access for Active Directory User.

Well, at least the AD part is taken care of. The CPU lock problem is very unusual - please keep me posted as I would like to know as well.

chadwickking Expert 436 posts since
May 3, 2010
6. Sep 24, 2010 10:59 PM in response to: chadwickking
Re: ESX4.1 SSH access for Active Directory User.

Any word back from vmware?

timmp Enthusiast 30 posts since
May 2, 2006
7. Sep 27, 2010 7:49 AM in response to: kseniuk1
Re: ESX4.1 SSH access for Active Directory User.

I do have an update here for people interested. I found it frustrating that moving from vSphere 4.0 to 4.1 disabled ssh AD Kerberos access unless you used the "AD Authentication" setup via the VI Client. I ran into the identical issue with PCPU 0 errors and the server actually rebooting itself when trying to ssh using my AD account. The issue is that if you are part of >30 security groups (in my case it was only 23), the server would lock up and sometimes even reboot. I validated with another AD account that was a member of just 3 sec groups and it was able to log in without locking up ESX or causing a reboot.

Additionally, in my lab where I run vCenter 4.1 and both nodes are now 4.1, I use the "AD Authentication" and it works fine with users only part of a limited number of sec groups in AD.

VMware said this issue has been escalated to engineering.

FYI, this affects ESX and ESXi.

BenConrad Master 710 posts since
Mar 20, 2006
10. Sep 28, 2010 2:43 PM in response to: timmp
Re: ESX4.1 SSH access for Active Directory User.

I was able to repeat this as well. I'm in 34 groups, when I log in using username@domain the 4.1 host crashes and reboots itself. That is beyond scary.

NOTE: I'm running ESX 4.1 inside of ESX in order to rapidly test my Kickstart scripts.

PSOD attached:

PS: In order to bypass the Likewise AD authentication you can use the following:

esxcfg-auth --enablekrb5 --krb5realm=your.domain --krb5kdc=your.domain --krb5adminserver=your.domain

esxcfg-auth --enablead is deprecated, no longer works.

Xeonel Enthusiast 34 posts since
Aug 11, 2009
11. Sep 29, 2010 12:19 AM in response to: timmp
Re: ESX4.1 SSH access for Active Directory User.

I'm seeing the exact issue on my environment. Luckily I've noticed it before upgrading the whole cluster, so now I've got one host in maintenance mode until this is sorted out. I've just opened a support request with VMware.

After reading your post, I've verified in AD and I'm indeed part of 30+ groups. Maybe it also counts the nested groups and that's why it happened to you as well.

I also managed to catch the PSOD, so if someone's interested, I've attached it here.

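Added example, not part of any poster's reply: the suggestion above that nested groups may be counted can be checked by comparing each account's direct and effective (nested) group counts before that account is used to log in to a 4.1 host. The Python below does this over a constructed LDIF-style export; the DNs, the function names and the `limit` parameter are assumptions (the thread reports crashes at differing group counts, so no fixed threshold is implied), and the input is assumed to be unfolded ASCII LDIF.

```python
from collections import deque

# Constructed sample export (not from the thread). "Infra" and "ESX Admins"
# are members of each other to exercise circular nesting.
SAMPLE_LDIF = """\
dn: CN=alice,OU=Users,DC=example,DC=test
memberOf: CN=ESX Admins,OU=Groups,DC=example,DC=test
memberOf: CN=Helpdesk,OU=Groups,DC=example,DC=test

dn: CN=bob,OU=Users,DC=example,DC=test
memberOf: CN=Helpdesk,OU=Groups,DC=example,DC=test

dn: CN=ESX Admins,OU=Groups,DC=example,DC=test
memberOf: CN=Infra,OU=Groups,DC=example,DC=test

dn: CN=Infra,OU=Groups,DC=example,DC=test
memberOf: CN=ESX Admins,OU=Groups,DC=example,DC=test
"""

def parse_member_of(ldif):
    """Map each entry DN (lower-cased) to the group DNs in its memberOf values."""
    member_of, current = {}, None
    for line in ldif.splitlines():
        key, _, value = line.partition(": ")
        if key.lower() == "dn":
            current = value.strip().lower()
            member_of.setdefault(current, [])
        elif key.lower() == "memberof" and current is not None:
            member_of[current].append(value.strip().lower())
    return member_of

def effective_groups(dn, member_of):
    """Direct plus nested groups; the seen set stops circular nesting from looping."""
    seen, queue = set(), deque(member_of.get(dn.lower(), []))
    while queue:
        group = queue.popleft()
        if group not in seen:
            seen.add(group)
            queue.extend(member_of.get(group, []))
    return seen

def audit(ldif, accounts, limit):
    """Return (account, direct, effective) where the effective count exceeds limit."""
    member_of = parse_member_of(ldif)
    rows = [(a, len(set(member_of.get(a.lower(), []))),
             len(effective_groups(a, member_of))) for a in accounts]
    return [row for row in rows if row[2] > limit]
```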
jkntgraham Lurker 2 posts since
Dec 5, 2008
12. Sep 30, 2010 11:58 AM in response to: Xeonel
Re: ESX4.1 SSH access for Active Directory User.

I had the exact same issue today and I am only a member of 10 groups. I hope VMware fixes this very soon or I wished I would have read this post before 9:30 this morning when my host rebooted and kicked HA into action. HA takes too long in my estimation to go into effect, mine took 10 minutes or so before the VMs started back up.

Ultramar Novice 6 posts since
Apr 14, 2008
13. Oct 5, 2010 7:31 AM in response to: jkntgraham
Re: ESX4.1 SSH access for Active Directory User.

I'm experiencing the same problem.

Anyone got news regarding a fix for this issue?

jkntgraham Lurker 2 posts since
Dec 5, 2008
14. Oct 5, 2010 8:38 AM in response to: Ultramar
Re: ESX4.1 SSH access for Active Directory User.

I opened a case up with VMware and they are aware and said this:

The approximate ETA is end of October. It's not a hard ETA as QA testing can push it further out, but I would expect to see it in a month's time.

The patch number is ESX410-201010001

Josh
