VMware

This Question is Answered

22 Replies. Last post: May 13, 2009 9:13 AM by Texiwill

Re: root account lockout

15. May 11, 2009 1:42 PM in response to: lldmka
Texiwill (Guru, 10,205 posts since Jan 13, 2004)
Hello,

Moved to the Security forum.

DCs and DNS were down at the time - but I expected to be able to login as root, as per this excerpt from ‘Enabling Active Directory Authentication with ESX Server':

Q. What if my ESX Server computer cannot contact a domain controller?
A. By preserving root access to the local service console, authorized personnel can always log on as root, even if contact with the domain is lost.


You do this by making sure AD or Kerberos is NOT affecting any account with a uid < 500. It sounds like you have it affecting all accounts which will lead to the chicken and the egg lockout you are seeing.

In /etc/pam.d/system-auth you would use a line similar to

# minimum_uid=500: pam_krb5 ignores system accounts (uid < 500), so root falls through to the local password check
auth sufficient /lib/security/$ISA/pam_krb5.so use_first_pass minimum_uid=500


Best regards,
Edward L. Haletky
VMware Communities User Moderator, VMware vExpert 2009, DABCC Analyst
====
Now Available on Rough-Cuts: 'VMware vSphere(TM) and Virtual Infrastructure Security: Securing ESX and the Virtual Environment'
Also available 'VMWare ESX Server in the Enterprise'
SearchVMware Pro|Blue Gears|Top Virtualization Security Links|Virtualization Security Round Table Podcast

Re: root account lockout

18. May 12, 2009 8:01 AM in response to: lldmka
Texiwill (Guru, 10,205 posts since Jan 13, 2004)
Hello,

I documented it in http://www.astroarch.com/wiki/index.php/Full_Integration_of_Active_Directory which is quite a bit different than what VMware puts out. You really need that option. If AD is not running or you have 'lost' the cached credentials due to time, then you will lock out the root account as it will look to go to pam_krb5.so for everything. It is how the pam modules work. Check out http://www.astroarch.com/wiki/index.php/Remote_Authentication for other techniques as well.

It is always best never to make 'root' part of your AD domain, but to add administrative users; then, if they do log in, use sudo instead of su or direct root access. root should be used only for critical issues as you had, so it should be made available outside any remote authentication service.


Best regards,
Edward L. Haletky
VMware Communities User Moderator, VMware vExpert 2009, DABCC Analyst

Re: root account lockout

19. May 12, 2009 11:31 AM in response to: lldmka
mpatnode (Novice, 3 posts since Jan 20, 2005)

This is unfortunate. Most of the commercial AD bridge products have some sort of "root@localhost" mechanism, just like a Windows desktop has a local administrator. You might want to check the Samba mailing lists to see if they have anything equivalent. Maybe you should create a "toor" user who is only defined locally just for these situations.

mp

Re: root account lockout

20. May 13, 2009 7:00 AM in response to: mpatnode
Texiwill (Guru, 10,205 posts since Jan 13, 2004)
Hello,

The problem is that anything with a UID < 500 will be sent first to AD, regardless of whether there is such a username in AD or not. If that fails it will bail the login process. It's the UID in Linux that is really the issue. You could still create a 'toor' or 'root@localhost' account but because of the setup esxcfg-auth does by default, it will still send or try to send to AD and fail. Remember, Linux uses UIDs more than usernames. You need to not send UIDs < 500 to AD (some would even claim UIDs < 1000) so you can have your local users.

Best regards,
Edward L. Haletky
VMware Communities User Moderator, VMware vExpert 2009, DABCC Analyst
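
The two posts above (the pam_krb5 line with minimum_uid, and the explanation that every UID < 500 is otherwise handed to AD) can be turned into a quick audit. The script below is an added example for this thread, not VMware's, esxcfg-auth's or the poster's code. It parses the classic /etc/pam.d line format and flags any pam_krb5.so entry that has no minimum_uid or sets it below 500. The two system-auth fragments embedded in it are constructed samples that only approximate the shape esxcfg-auth produces; run it against your own file.

```python
"""Check a PAM stack for Kerberos/AD modules that also apply to system
accounts (UID < 500), the root-lockout pattern described in this thread.

Added example, not VMware's or the poster's code.  The two system-auth
fragments are constructed samples; audit the real /etc/pam.d/system-auth.
"""
from __future__ import annotations
import re
import sys
from dataclasses import dataclass

# Constructed sample: pam_krb5 applies to every account, root included.
WEAK_STACK = """\
#%PAM-1.0
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_krb5.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so
account     required      /lib/security/$ISA/pam_unix.so
account     required      /lib/security/$ISA/pam_krb5.so
"""

# Constructed sample: the fix from the thread, applied to every pam_krb5 line.
FIXED_STACK = """\
#%PAM-1.0
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_krb5.so use_first_pass minimum_uid=500
auth        required      /lib/security/$ISA/pam_deny.so
account     required      /lib/security/$ISA/pam_unix.so
account     required      /lib/security/$ISA/pam_krb5.so minimum_uid=500
"""

SYSTEM_UID_CEILING = 500   # local system accounts (root included) live below this


@dataclass
class PamEntry:
    lineno: int
    mgmt: str        # auth / account / password / session
    control: str     # required / sufficient / ... or a [bracketed] spec
    module: str      # basename only, e.g. pam_krb5.so
    args: list[str]


def parse_pam(text: str) -> list[PamEntry]:
    """Parse 'type control module args...' lines; handles '#' comments,
    blank lines, '\\' continuations and [bracketed] control values."""
    entries, pending = [], ""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = pending + raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):          # continuation: join with next line
            pending = line[:-1] + " "
            continue
        pending = ""
        if not line.strip():
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"line {lineno}: malformed PAM entry: {raw!r}")
        mgmt, rest = fields[0].lstrip("-").lower(), fields[1:]
        if rest[0].startswith("["):      # control like [success=1 default=ignore]
            end = next((i for i, tok in enumerate(rest) if tok.endswith("]")), None)
            if end is None:
                raise ValueError(f"line {lineno}: unterminated control bracket")
            control, rest = " ".join(rest[: end + 1]), rest[end + 1:]
        else:
            control, rest = rest[0], rest[1:]
        if not rest:
            raise ValueError(f"line {lineno}: missing module path")
        module = rest[0].rsplit("/", 1)[-1]
        entries.append(PamEntry(lineno, mgmt, control, module, rest[1:]))
    return entries


def min_uid(args: list[str]) -> int | None:
    """Return the minimum_uid= value from a module's argument list, if any."""
    for arg in args:
        m = re.fullmatch(r"minimum_uid=(\d+)", arg)
        if m:
            return int(m.group(1))
    return None


def audit(text: str) -> list[str]:
    """List every pam_krb5.so entry that would still intercept system UIDs."""
    findings = []
    for e in parse_pam(text):
        if e.module != "pam_krb5.so":
            continue
        uid = min_uid(e.args)
        if uid is None:
            findings.append(f"line {e.lineno}: {e.mgmt} pam_krb5.so has no minimum_uid; "
                            "root and other system accounts are sent to Kerberos/AD")
        elif uid < SYSTEM_UID_CEILING:
            findings.append(f"line {e.lineno}: {e.mgmt} pam_krb5.so minimum_uid={uid} "
                            f"still covers system accounts below {SYSTEM_UID_CEILING}")
    return findings


if __name__ == "__main__":
    # With a path argument, audit that file; otherwise show both samples.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            print("\n".join(audit(fh.read())) or "no pam_krb5 lockout findings")
    else:
        for name, stack in (("WEAK_STACK", WEAK_STACK), ("FIXED_STACK", FIXED_STACK)):
            print(f"{name}: {audit(stack) or 'no findings'}")
```

Run it as `python pam_audit.py /etc/pam.d/system-auth` on the service console copy of the file. A clean result only means no pam_krb5 line covers UIDs below 500; it says nothing about the account or session stacks of other remote-auth modules, which need the same treatment.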

Re: root account lockout

21. May 13, 2009 8:48 AM in response to: Texiwill
mpatnode (Novice, 3 posts since Jan 20, 2005)
The problem is that anything with a UID < 500 will be sent first to AD, regardless of whether there is such a username in AD or not.

Is it the NSS module which is doing this? I'm fairly certain this situation can't occur with our software installed, but I'd like to make sure.

Mike Patnode - VP of Technology - Centrify Corporation
Integrating your Kerberos Realm with Active Directory
How secure is your OpenSSH deployment?

Re: root account lockout

22. May 13, 2009 9:14 AM in response to: mpatnode
Texiwill (Guru, 10,205 posts since Jan 13, 2004)
Hello,

It is the pam modules. If you are using pam_krb5.so then it is the case. It depends on how the pam modules are setup more than anything. NSS happens in pam_unix mainly.

Also remember that hostd uses pam modules and you must protect the 'vpxuser' from using AD or you may get a worse mess depending on your level of integration. All this depends on your level of integration.....


Best regards,
Edward L. Haletky
VMware Communities User Moderator, VMware vExpert 2009, DABCC Analyst
