VMware Communities > VMTN > VMware Infrastructure™ > VI: ESX 3.5 > Discussions
Up to Discussions in VI: ESX 3.5

This Question is Answered

1 "helpful" answer available (6 pts)
9 Replies Last post: Apr 24, 2009 12:14 PM by wamatha
Reply

Service Console accounts/PAM authentication

Jun 6, 2007 2:32 PM

Click to view esiebert7625's profile Guru esiebert7625 6,790 posts since
Oct 23, 2006 Moderator
I'm setting up PAM authentication on one of our servers, when I go to do the useradd in the Service Console I get the error message "invalid user name". Our AD user accounts are all numbers, ie. 123456, my guess is Linux does not allow this. Is there any other way to map a user account from Linux to AD for PAM to work?
Reply Re: Service Console accounts/PAM authentication Jun 6, 2007 4:54 PM
Click to view Texiwill's profile Guru Texiwill 10,056 posts since
Jan 13, 2004 Moderator
Hello,

You are correct, useradd does not like accounts that start with numbers, however it is possible to use them once they are in the system. What steps are you using to integrate AD and ESX together?

Did you use:

esxcfg-auth --enablead --addomain=DOMAIN --addc=CONTROLLER

If you just do the above then that is only part of the full answer.

Where do the users home directories live? Are ACLs involved? Have you added the host as a Domain client, etc.? In general, for any remote authentication scheme, Linux often have to exist, there are ways around that as well.

Best regards,
Edward
Reply Re: Service Console accounts/PAM authentication Jun 6, 2007 5:06 PM
in response to: Texiwill
Click to view esiebert7625's profile Guru esiebert7625 6,790 posts since
Oct 23, 2006 Moderator
Thanks for the reply, I have PAM authentication configured and working on ESX, I created a test account without all numbers for this. The problem is I simply can't create a Linux user to match my AD user accounts since they are all numbers. I even tried creating a user with useradd then editing the passwd file with the all number username with no success, I documented the procedure below as I did it...

• Login to service console
• If you’re adding a user that does not exist in the Service Console you must first add it. Linux user accounts are stored in the etc/passwd file, you can open this file with Nano to see all the accounts that are created. Alternately you can load the VI client and connect directly to the ESX server and click the Users & Groups tab to see user accounts.
• To add a account type “useradd <username>” The username must match the samaccountname of the AD user. Alternately you can add the user using the VI client by clicking “Add” in the Users view.
• Next you need to enable PAM authentication in ESX, you use the esxcfg-auth command for this like below:
o esxcfg-auth -–enablead -–addomain=addomain.com -–addc=dcname.addomain.com -–krb5realm=addomain.com –-krb5kdc= dcname.addomain.com –-krb5adminserver= dcname.addomain.com
o “–-enablead” enables Active Directory authentication
o “—addomain” sets the Active Directory domain
o “--addc” sets the Active Directory domain controller, use this multiple times to add domain controllers for redundancy
o “—krb5realm” sets the Kerberos realm (AD domain)
o “—krb5kdc” sets the Kerberos Key Distribution Center (Domain Controller)
o “—krb5adminserver” sets the Kerberos Admin Server (Domain Controller)
• This takes effect immediately, log back in to the console and you should be able to use your AD password for that account. If you run into difficulty you can check the /var/log/messages file for errors. Also ensure that your ESX server can resolve the FQDN of the AD server you entered above.
• If you plan on logging in using the VI client directly to the ESX server you will first need to click on the Permissions tab in the VI Client and add a permission for the user.
• If you wish to disable this type “esxcfg-auth –-disablead”. Esxcfg-auth writes the configuration information to various files including /etc/krb5.conf
Reply Re: Service Console accounts/PAM authentication Jun 11, 2007 7:15 AM
in response to: esiebert7625
Click to view esiebert7625's profile Guru esiebert7625 6,790 posts since
Oct 23, 2006 Moderator
Is it possible to modify the kerberos config on the service console to not use the samaacountname field in AD and instead use a alternate field?
Reply Re: Service Console accounts/PAM authentication Jun 11, 2007 8:02 AM
in response to: esiebert7625
Click to view Texiwill's profile Guru Texiwill 10,056 posts since
Jan 13, 2004 Moderator
Hello,

Well, that is not how I integrate AD and Linux together. The esxcfg-auth is just the first step I find. You can actually setup a different way to integrate that does not require 'local' accounts and I think that is what you really want. Yes? In that case you also need samba and a few other configuration settings.

I have a recipe well documented for Fedroa Core, SLES, and RHEL3/4/5, but not yet for ESX. I will play with it some and tweak it for ESX. If you want the recipe please email me privately at elh at astroarch dot com. As I rather not post something that is not ESX specific here. It is on my short list to tweak anyways for a different project.

Best regards,
Edward
Reply Re: Service Console accounts/PAM authentication Jun 11, 2007 8:28 AM
in response to: Texiwill
Click to view doubleH's profile Expert doubleH 531 posts since
Dec 23, 2006
there was a good presentation from vmworld 2006 i believe. i'm having trouble locating it, but will post the link when i find it.
Reply Re: Service Console accounts/PAM authentication Jun 11, 2007 9:41 AM
in response to: doubleH
Click to view esiebert7625's profile Guru esiebert7625 6,790 posts since
Oct 23, 2006 Moderator
Thanks, there's another I found also from TSX...

ESX Console Security - http://www.vmware-tsx.com/download.php?asset_id=37
Reply Re: Service Console accounts/PAM authentication Jun 11, 2007 4:06 PM
in response to: esiebert7625
Click to view Texiwill's profile Guru Texiwill 10,056 posts since
Jan 13, 2004 Moderator
Hello,

Great presentation, that is exactly what I do when I integrate Linux (Service Console) and AD. Do note that the pam_access module is very important otherwise everyone will have access to the ESX Service Console.

If you do not pre-create home directories and do not use pam_mkhomedir then the user will be placed in "/" with no permissions to access anything except /tmp or anything else that is world-writable.

Unfortunatley, esxcfg-auth just does not do all this.

Best regards,
Edward
Reply Re: Service Console accounts/PAM authentication Jun 26, 2007 7:20 AM
in response to: esiebert7625
Click to view sbeaver's profile Guru sbeaver 7,718 posts since
Nov 1, 2004 Moderator
Eric,

If you are connecting to AD then do not specify a specific DC or Server. Just specify the domain

o esxcfg-auth -–enablead -–addomain=addomain.com -–addc=addomain.com -–krb5realm=addomain.com –-krb5kdc= addomain.com –-krb5adminserver=addomain.com

DNS will point the ESX server to the correct place
Reply Re: Service Console accounts/PAM authentication Apr 24, 2009 12:14 PM
in response to: sbeaver
Click to view wamatha's profile Enthusiast wamatha 38 posts since
Jul 29, 2008

I tried this but still the same problem

Apr 24 11:28:51 esx sshd14899: pam_krb5: authenticate error: ASN.1 encoding ended unexpectedly (1859794437)
Apr 24 11:28:51 esx sshd14899: pam_krb5: authentication fails for `xxx'

I have 25 servers that am getting the same error

Actions
Up to Discussions in VI: ESX 3.5