VMware
1 reply. Last post: May 1, 2007 8:10 PM by DFATAnt

Add Active Directory user authentication in ESX3 and it gives me an error (posted: May 1, 2007 3:17 PM)

mreeds (Enthusiast, 40 posts since Nov 14, 2006)
I have tried our Platinum support channel with no resolution so I am forced to rely on you gurus for an answer.

(Background) After following the RapidApps Quick Start Guide to ESX 3.0 on how to have ESX authenticate AD users, I get the following:


When connecting to sshd via PuTTY, here is my result:

login as: sshd
sshd@xxxx's password: xxxxx
Access denied

When I use console access from ESX:

user: root
Login incorrect

Here is the /var/log/messages entry for this error:

pam_krb5: authenticate error: Cannot read password (-1765328254)
pam_krb5: authentication fails for 'sshd'
failed password for sshd from x.x.x.x port 4785 ssh2

It appears that local authentication is being ignored, as I have already tried to create a new user with shell access granted, with the same result. However, it fails to authenticate our AD user as well. We have confirmed that the AD user is active.

DFATAnt (Hot Shot, 141 posts since Feb 18, 2007)
I don't know how to resolve your current problem, but this is what I did to get AD authentication working on my ESX servers (all of this is done in my post-install script when I build the ESX server):

esxcfg-auth --enablead --addomain your.domain --addc dc.your.domain --krb5realm your.domain --krb5kdc dc.your.domain --krb5adminserver dc.your.domain
esxcfg-auth --passmaxdays=0

I also did the following:

echo "#%PAM-1.0" > /etc/pam.d/vmware-authd
echo "auth sufficient /lib/security/pam_unix_auth.so shadow nullok" >> /etc/pam.d/vmware-authd
echo "auth required /lib/security/pam_krb5.so use_first_pass" >> /etc/pam.d/vmware-authd
echo "auth sufficient /lib/security/pam_ldap.so" >> /etc/pam.d/vmware-authd
echo "account sufficient /lib/security/pam_unix_acct.so" >> /etc/pam.d/vmware-authd
echo "account sufficient /lib/security/pam_ldap.so" >> /etc/pam.d/vmware-authd

I'm not sure what all this does (I found it in another post in the forums), but it seems to get everything working for me.

To get the user accounts mapped, all you need to do is the following:

/usr/sbin/useradd userid

Make sure that "userid" is the same spelling as the AD userid.

I hope this helps.

Ant
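An added example, not code from either poster or from VMware: a small Python linter for the kind of PAM service file built by the echo commands above. It parses the simple "type control module args" form the ESX 3 service console uses and flags three things a practitioner checks before trusting such a stack: a module name that is not a `.so` (the `pam_ldap.sok` typo would simply fail to load), `nullok` (accounts whose password field is empty can log in), and a `sufficient` entry placed after a `required` one, which under Linux-PAM semantics can never make the stack succeed once the required module has failed (so in the posted stack pam_ldap is unreachable as a fallback whenever pam_krb5 fails). It also flags `use_first_pass` on the first auth module, since that option only works when an earlier module has already collected the password; for reference, the number in the posted log, -1765328254, is krb5's KRB5_LIBOS_CANTREADPWD ("Cannot read password"), i.e. pam_krb5 had no password to work with, though whether that is what happened on the poster's host is not something the thread shows. `POSTED_STACK` is the stack from the reply above copied as a constructed string; `FIXED_STACK` is an assumed alternative layout, not a VMware recommendation, and assumes `pam_deny.so` is present under /lib/security.

```python
"""Lint a PAM service file (ESX 3 service-console style) for ordering and
typo problems that make local/AD fallback authentication fail silently.
Added example; PAM control-flag semantics assumed are those of Linux-PAM."""

from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample: the vmware-authd stack from the reply above, verbatim.
POSTED_STACK = """\
#%PAM-1.0
auth sufficient /lib/security/pam_unix_auth.so shadow nullok
auth required /lib/security/pam_krb5.so use_first_pass
auth sufficient /lib/security/pam_ldap.so
account sufficient /lib/security/pam_unix_acct.so
account sufficient /lib/security/pam_ldap.sok
"""

# Assumed alternative (not from the thread): every backend is a fallback,
# nullok is dropped, and a closing pam_deny.so makes the deny explicit.
FIXED_STACK = """\
#%PAM-1.0
auth sufficient /lib/security/pam_unix_auth.so shadow
auth sufficient /lib/security/pam_krb5.so use_first_pass
auth sufficient /lib/security/pam_ldap.so use_first_pass
auth required /lib/security/pam_deny.so
account sufficient /lib/security/pam_unix_acct.so
account sufficient /lib/security/pam_ldap.so
account required /lib/security/pam_deny.so
"""


@dataclass
class Entry:
    lineno: int
    kind: str                  # auth, account, password, session
    control: str               # required, requisite, sufficient, optional
    module: str
    args: List[str] = field(default_factory=list)


def parse_pam(text: str) -> List[Entry]:
    """Parse 'type control module [args...]' lines; comments and the
    '#%PAM-1.0' header are dropped."""
    entries: List[Entry] = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 3:
            raise ValueError(f"line {n}: malformed PAM entry: {raw!r}")
        entries.append(Entry(n, parts[0], parts[1], parts[2], parts[3:]))
    return entries


def lint_pam(text: str) -> List[Tuple[int, str]]:
    """Return (line number, message) findings sorted by line."""
    findings: List[Tuple[int, str]] = []
    stacks: Dict[str, List[Entry]] = {}
    for e in parse_pam(text):
        stacks.setdefault(e.kind, []).append(e)
        if not e.module.endswith(".so"):
            findings.append((e.lineno, f"{e.module}: not a .so name, PAM cannot load it (typo?)"))
        if "nullok" in e.args:
            findings.append((e.lineno, f"{e.module}: nullok lets accounts with an empty password field log in"))
    for kind, stack in stacks.items():
        required_seen = False          # reset per stack type
        for i, e in enumerate(stack):
            if e.control in ("required", "requisite"):
                required_seen = True
            elif e.control == "sufficient" and required_seen:
                findings.append((e.lineno,
                                 f"{e.module}: sufficient after a required module; once that module "
                                 f"fails this entry cannot make the {kind} stack succeed"))
            if kind == "auth" and i == 0 and "use_first_pass" in e.args:
                findings.append((e.lineno,
                                 f"{e.module}: use_first_pass on the first auth module; "
                                 "no earlier module has collected a password"))
    return sorted(findings)


if __name__ == "__main__":
    for label, stack in (("posted", POSTED_STACK), ("fixed", FIXED_STACK)):
        print(f"== {label} ==")
        for lineno, msg in lint_pam(stack):
            print(f"line {lineno}: {msg}")
```

On the posted stack the linter reports three lines: the `nullok` on pam_unix_auth, the unreachable pam_ldap entry behind the required pam_krb5, and the `.sok` name; on the assumed alternative it reports nothing. The reordering matters for the fallback behaviour the reply is after: with every backend `sufficient`, a local account still short-circuits before Kerberos is tried, but an AD user whose Kerberos step fails can still fall through to pam_ldap instead of being denied outright.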
