I ran the esxcfg-auth command to enable and configure which domain, but how do you add a user so an AD user can log on to the server?
mmm, I ran 'useradd -m ', but I use kerberos to AD.
Can't you just use the VI client to connect to the ESX server and use the User & Groups tab? I'm not sure since we haven't done AD integration.
Hi
Yes no problem. You just have to modify the /etc/pam.d/vmware-authd file to enable kerberos authentication. I also prefer to enable active directory authentication via kerberos. To be able to authenticate to the ESX using the VI client just add the following line at the top to /etc/pam.d/vmware-authd
auth sufficient /lib/security/pam_krb5.so use_first_pass
You'll still be able to logon with local root user.
regards
Michael
I still do not follow how you log in with an AD account.
domain = domain
I added the line to the vmware-authd file but still can't log in to the shell with domain\user.
How does it know to look for that user even though that user does not exist locally in any form?
Do you need to add the user first in some special way?
"Do you need to add the user first in some special way?"
Once you have the authentication piece configured correctly I would think you just need to add the user via the command line, as wuderon posted, though I'm not sure exactly if it will work without Kerberos, or use the VI Client and add them that way.
For those that are interested, you will notice that using esxcfg-auth to configure AD auth is just a "special" kind of Kerberos configuration, as per the contents of the script:
def enablead(option, opt, value, parser):
    Managers['PAM'].DelModule('pam_krb5.so', 'auth')
    Managers['PAM'].AddModule('/lib/security/$ISA/pam_krb5.so', 'auth', 'sufficient', 'likeauth', 1)
    Managers['PAM'].DelModule('pam_krb5.so', 'account')
    Managers['PAM'].AddModule('/lib/security/$ISA/pam_krb5.so', 'account', 'sufficient', None, 0)
    Managers['PAM'].DelModule('pam_krb5.so', 'password')
    Managers['PAM'].AddModule('/lib/security/$ISA/pam_krb5.so', 'password', 'sufficient', 'use_authtok use_first_pass', 1)
    Managers['PAM'].DelModule('pam_krb5.so', 'session')
    Managers['PAM'].AddModule('/lib/security/$ISA/pam_krb5.so', 'session', 'sufficient', None, 1)
    Services['Kerberos'] = "True"

def addomain(option, opt, value, parser):
    Managers['Kerberos'].SetKerberosRealm(value)

def addc(option, opt, value, parser):
    Managers['Kerberos'].SetActiveDirectoryDomain(value)
You still need to create the users manually using one of the methods above.
Set the UID to 0 to give the user root privilege...
Ben
How do you enable krb5
From the post above yours it looks like it may already be configured if you used esxcfg-auth. Though someone else would need to say for sure, since I've never set it up.
To clear up things I'll post all the steps needed to authenticate against Active Directory.
Open Firewall ESX Ports
esxcfg-firewall --openPort 88,tcp,out,KerberosClient
esxcfg-firewall --openPort 464,tcp,out,KerberosPasswordChange
Enable AD and Kerberos options
esxcfg-auth --enablead --addomain domain.com --addc dc.domain.com
esxcfg-auth --enablekrb5 --krb5realm=domain.com --krb5kdc=dc.domain.com
Enable Kerberos authentication through VI Client
Add the following line at the top of the file /etc/pam.d/vmware-authd
auth sufficient /lib/security/pam_unix_auth.so shadow nullok
Check and edit the auto-generated Kerberos config file /etc/krb5.conf. Here's mine...
# Autogenerated by esxcfg-auth
[appdefaults]
 pam = {
  debug = false
  forwardable = true
  krb4_convert = false
  renew_lifetime = 36000
  ticket_lifetime = 36000
 }
[domain_realm]
 .flhosp.net = FLHOSP.NET
 example.com = EXAMPLE.COM
 .example.com = EXAMPLE.COM
 .domain.com = DOMAIN.COM
 flhosp.net = FLHOSP.NET
 domain.com = DOMAIN.COM
[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf
[libdefaults]
 ticket_lifetime = 24000
 dns_lookup_realm = false
 default_realm = DOMAIN.COM
 dns_lookup_kdc = false
[logging]
 default = FILE:/var/log/krb5libs.log
 admin_server = FILE:/var/log/kadmind.log
 kdc = FILE:/var/log/krb5kdc.log
[realms]
 EXAMPLE.COM = {
  admin_server = kerberos.example.com:749
  default_domain = example.com
  kdc = kerberos.example.com:88
 }
 FLHOSP.NET = {
  admin_server = admin_server:749
  default_domain = flhosp.net
  kdc = flhosp.net:88
 }
 DOMAIN.COM = {
  admin_server = dc.domain.com:464
  default_domain = domain.com
  kdc = dc.domain.com:88
  kdc = dc2.domain.com:88
 }
Create local user objects
You still have to create local users on your ESX box, but the authentication (password) will be checked against AD. Create your own script to sync AD groups and users, or use the LDAP_Search script of sbeaver.
http://www.vmguru.com/files/10/scripts/entry12.aspx
Hope this helps...
regards
Michael
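Two of the failure modes in this thread (the VI Client rejecting an AD password, and a single hard-coded DC) are easy to miss by eye in the generated files. The script below is an added example, not part of the thread or of VMware's esxcfg-auth: it parses the krb5.conf layout shown above and the PAM auth stack in /etc/pam.d/vmware-authd and reports wiring problems offline. The sample texts are constructed from the listings in this thread; realm names, hosts and the PAM stack contents are placeholders, not a real ESX3 file.

```python
# Added example: offline checks for the ESX3 AD/Kerberos setup described in
# the thread. Not from the thread or from VMware; sample inputs are constructed.
import re

# Constructed sample, modelled on the krb5.conf posted in the thread.
SAMPLE_KRB5_CONF = """\
# Autogenerated by esxcfg-auth
[libdefaults]
 ticket_lifetime = 24000
 dns_lookup_realm = false
 default_realm = DOMAIN.COM
 dns_lookup_kdc = false
[domain_realm]
 .domain.com = DOMAIN.COM
 domain.com = DOMAIN.COM
 .example.com = EXAMPLE.COM
[realms]
 DOMAIN.COM = {
  admin_server = dc.domain.com:464
  default_domain = domain.com
  kdc = dc.domain.com:88
  kdc = dc2.domain.com:88
 }
"""

# Constructed sample PAM stack (a placeholder, not the real ESX3 file).
SAMPLE_VMWARE_AUTHD = """\
#%PAM-1.0
auth       sufficient   /lib/security/pam_krb5.so use_first_pass
auth       required     /lib/security/pam_unix_auth.so shadow nullok
account    required     /lib/security/pam_unix_acct.so
"""


def parse_krb5_conf(text):
    """Return {section: {key: [values]}}. A `key = { ... }` block becomes a
    nested dict inside the list, so repeated keys (several kdc lines) survive."""
    sections, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        header = re.match(r"^\[(\S+)\]$", line)
        if header:
            stack = [sections.setdefault(header.group(1), {})]
            continue
        if not stack:
            raise ValueError("key outside of any section: %r" % raw)
        if line == "}":
            stack.pop()                          # leave the current { } block
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        if value == "{":
            block = {}
            stack[-1].setdefault(key, []).append(block)
            stack.append(block)
        else:
            stack[-1].setdefault(key, []).append(value)
    return sections


def check_krb5_conf(conf):
    """With dns_lookup_kdc = false the client cannot fall back to AD SRV
    records, so every mapped realm needs explicit kdc lines, and one kdc
    is a single point of failure for every logon."""
    findings, seen = [], set()
    libdefaults = conf.get("libdefaults", {})
    realms = conf.get("realms", {})
    default_realm = libdefaults.get("default_realm", [None])[0]
    if not default_realm:
        findings.append("no default_realm in [libdefaults]")
    elif default_realm not in realms:
        findings.append("default_realm %s has no [realms] entry" % default_realm)
    dns_kdc = libdefaults.get("dns_lookup_kdc", ["false"])[0].lower() == "true"
    for host, mapped in conf.get("domain_realm", {}).items():
        realm = mapped[0]
        if realm in seen or dns_kdc:
            continue
        seen.add(realm)
        kdcs = realms.get(realm, [{}])[0].get("kdc", [])
        if not kdcs:
            findings.append("realm %s (for %s) lists no kdc and dns_lookup_kdc is false"
                            % (realm, host))
        elif len(kdcs) == 1:
            findings.append("realm %s relies on a single kdc %s" % (realm, kdcs[0]))
    return findings


PAM_LINE = re.compile(r"^(auth|account|password|session)\s+(\S+)\s+(\S+)(.*)$")


def check_vmware_authd(text):
    """The pam_krb5 'sufficient' line must be the first auth entry (the thread
    says 'at the top'). nullok is flagged on any auth module because it lets
    an account with an empty password field authenticate."""
    findings, auth_entries = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = PAM_LINE.match(line)
        if not m:
            findings.append("unparseable PAM line: %r" % line)
            continue
        kind, control, module, args = m.groups()
        if kind == "auth":
            auth_entries.append((control, module, args.split()))
    if not auth_entries:
        return findings + ["no auth entries found"]
    control, module, _ = auth_entries[0]
    if control != "sufficient" or "pam_krb5" not in module:
        findings.append("first auth entry is '%s %s', not 'sufficient pam_krb5.so'"
                        % (control, module))
    for control, module, args in auth_entries:
        if "nullok" in args:
            findings.append("%s allows empty passwords (nullok)" % module)
    return findings


if __name__ == "__main__":
    print("krb5.conf:", check_krb5_conf(parse_krb5_conf(SAMPLE_KRB5_CONF)) or "no findings")
    print("vmware-authd:", check_vmware_authd(SAMPLE_VMWARE_AUTHD) or "no findings")
```

Run it against the real files by reading /etc/krb5.conf and /etc/pam.d/vmware-authd instead of the constructed samples. On the sample it reports that EXAMPLE.COM is mapped in [domain_realm] but has no [realms] block to get a KDC from, and that the pam_unix_auth line carries nullok; DOMAIN.COM with its two kdc lines passes.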
That worked great! Thanks
Actually all worked well. I can PuTTY in and use my AD account, but I can't VI Client in; it says bad username or password.
How can I finalize the final piece and allow VI Client access with the user I created within putty using useradd -m username
Plus even though I log in correctly I get a permission denied access on .bashrc
from my post above...
Enable Kerberos authentication through VI Client
Add the following line at the top of the file /etc/pam.d/vmware-authd
auth sufficient /lib/security/pam_unix_auth.so shadow nullok
perhaps you might like to restart the vmware-authd service
To solve your .bashrc issue, ensure the user has a home directory under /home with the appropriate rights.
Michael
What a timely thread - I need to get this done asap.
One question:
esxcfg-auth --enablead --addomain domain.com --addc dc.domain.com
esxcfg-auth --enablekrb5 --krb5realm=domain.com --krb5kdc=dc.domain.com
Looks like this only lets you use one specific domain controller. What if you want to add several? Possible? Add a list of them in this one line, like dc1.domain.com; dc2.domain.com; etc. (and if so, separated by semicolons, commas, or what)?
Or just repeat the whole line with a new dc entry on each?
In the past we were able to just specify the domain; as long as ESX is set up for DNS properly, it queries AD for the SRV record to locate a DC in the domain.
don't know if this still applies
Regards
Mike