VMware Cloud Community
kseniuk1
Contributor

ESX4.1 SSH access for Active Directory User.

I upgraded one of my test servers from 4.0 update 2 to ESX 4.1. I am trying to figure out how to configure SSH access for my Active Directory account. I have joined the host to Active Directory and granted my AD account administrator permissions on the host. If I try and ssh to the host with my AD account I am getting access denied. I can connect via the vSphere Client with my AD account successfully. SSH works with a local account on the ESX4.1 server. I tried both with just my username at the SSH login as well as domain\username. Using domain\username actually hangs the host and I have to do a hard reset to get it back.

Anyone get this to work?

With 4.0 update 2 I used esxcfg-auth --enablead and then created a user with no password on the host. That command no longer exists on 4.1 though.

chadwickking
Expert

Maybe this will help:

http://www.virtualizetips.com/2010/07/configure-vmware-esxi-4-1-for-active-directory-integration/

and this was interesting as well:

http://www.vladan.fr/ad-integration-for-esxi-4-1/

It helped me.

Cheers,

Chad King

VCP-410 | Server+

Twitter: http://twitter.com/cwjking

If you find this or any other answer useful please consider awarding points by marking the answer correct or helpful

kseniuk1
Contributor

Didn't work. The link deals specifically with ESXi and this is ESX, but I thought that username@domain.com might work. As soon as I try and SSH to the service console as that user I get disconnected and then a Host Connection State Alarm is generated.

On the console of the host I see

0:05:43:52.448 cpu2:4098)Heartbeat : 575 PCPU 0 didn't have a heartbeat for 60 seconds. may be locked up.

Does this on both of the ESX 4.1 test hosts I have running.

chadwickking
Expert

You also have to create an esx admins group. Did you do that as well? This one is for ESX.

http://ict-freak.nl/2010/09/12/how-to-configure-vsphere-4-1-active-directory-authentication/

I am curious about the error though I will do more research for you on that.

Found some interesting hits here as well... when doing upgrades in particular.

http://communities.vmware.com/thread/275973?start=15&tstart=0

Cheers,

Chad King

VCP-410 | Server+

Twitter: http://twitter.com/cwjking

If you find this or any other answer useful please consider awarding points by marking the answer correct or helpful

kseniuk1
Contributor

Thanks Chad. I created the ESX Admins account and it automatically appeared on the hosts with administrator rights. I tried to connect again and got the same CPU locked message. I have opened up a ticket with vmware to see what they say.

chadwickking
Expert

Well, at least the AD part is taken care of. The CPU lock problem is very unusual - please keep me posted as I would like to know as well.

--

Cheers,

Chadwick J. King

VCP - 410 | Comptia Server+

Twitter:@cwjking

chadwickking
Expert

Any word back from vmware?

Cheers,

Chad King

VCP-410 | Server+

Twitter:

If you find this or any other answer useful please consider awarding points by marking the answer correct or helpful

timmp
Enthusiast

I do have an update here for people interested. I found it frustrating that moving from vSphere 4.0 to 4.1 disabled ssh AD kerberos access unless you used the "AD Authentication" setup via the VI Client. I ran into the identical issue with PCPU 0 errors and the server actually rebooting itself when trying to ssh using my AD Account. The issue is that if you are part of >30 security groups (in my case it was only 23), the server would lock up and sometimes even reboot. I validated with another AD account that was only a member of just 3 sec groups and it was able to login without locking up ESX or causing a reboot.

Additionally, in my lab where I run vCenter 4.1 and both nodes are now 4.1, I use the "AD Authentication" and it works fine with users only part of a limited number of SEC groups in AD.

VMware said this issue has been escalated to engineering.

FYI, this affects ESX and ESXi.

kseniuk1
Contributor

Interesting. Thanks for the info. I am going to have to check and see how many groups I am a member of. I have not been able to speak with the engineer assigned to my ticket yet.

kseniuk1
Contributor

I have confirmed that this is indeed my issue. I created a test user and was able to replicate the problem after adding that user to too many AD groups.

The engineer from VMware also was able to confirm that this is currently an issue that is on their list of bugs to fix.

Kevin

BenConrad
Expert

I was able to repeat this as well. I'm in 34 groups, when I log in using username@domain the 4.1 host crashes and reboots itself. That is beyond scary.

NOTE: I'm running ESX 4.1 inside of ESX in order to rapidly test my Kickstart scripts.

PSOD attached:

PS: In order to bypass the Likewise AD authentication you can use the following:

esxcfg-auth --enablekrb5 --krb5realm=your.domain --krb5kdc=your.domain --krb5adminserver=your.domain

esxcfg-auth --enablead is deprecated, no longer works.

Xeonel
Enthusiast

I'm seeing the exact issue on my environment. Luckily I've noticed it before upgrading the whole cluster, so now I've got one host in maintenance mode until this is sorted out. I've just opened a support request with VMware.

After reading your post, I've verified in AD and I'm indeed part of 30+ groups. Maybe it also counts the nested groups and that's why it happened to you as well.

I also managed to catch the PSOD, so if someone's interested, I've attached it here.

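Several posts above tie the lockup to how many AD groups the connecting account belongs to, and one asks whether nested groups are counted too. As an added example (not part of any post in this thread and not VMware's code), the Python below counts direct and nested group membership from a constructed `memberOf` export so that accounts can be reviewed before they are used to SSH to a 4.1 host. The sample data, function names and `limit` value are assumptions; the thread does not establish the exact count at which the problem starts.

```python
# Added example: account names, group data and the limit are constructed.
from collections import deque

# Constructed sample: object -> groups it is a *direct* member of
# (what the AD memberOf attribute holds). ops-a and ops-b nest in a cycle.
MEMBER_OF = {
    "alice": ["esx-admins", "ops-a", "vpn-users"],
    "bob": ["esx-admins"],
    "esx-admins": ["infra-all"],
    "ops-a": ["ops-b"],
    "ops-b": ["ops-a", "infra-all"],
    "infra-all": [],
    "vpn-users": [],
}


def effective_groups(principal, member_of):
    """Return every group reachable from principal through nested membership."""
    seen = set()
    queue = deque(member_of.get(principal, []))
    while queue:
        group = queue.popleft()
        if group in seen:  # already expanded; this also breaks nesting cycles
            continue
        seen.add(group)
        queue.extend(member_of.get(group, []))
    return seen


def audit(principals, member_of, limit):
    """Return (name, direct, effective) for accounts with effective count >= limit."""
    flagged = []
    for name in principals:
        direct = len(set(member_of.get(name, [])))
        effective = len(effective_groups(name, member_of))
        if effective >= limit:
            flagged.append((name, direct, effective))
    return flagged


if __name__ == "__main__":
    # limit=4 is an arbitrary value chosen to fit the small sample data.
    for name, direct, effective in audit(["alice", "bob"], MEMBER_OF, limit=4):
        print(f"{name}: direct={direct} effective={effective}")
```
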
jkntgraham
Contributor

I had the exact same issue today and I am only a member of 10 groups. I hope VMware fixes this very soon or I wished I would have read this post before 9:30 this morning when my host rebooted and kicked HA into action. HA takes too long in my estimation to go into effect, mine took 10 minutes or so before the VMs started back up.

Ultramar
Contributor

I'm experiencing the same problem.

Anyone got news regarding a fix for this issue?

jkntgraham
Contributor

I opened a case up with VMware and they are aware and said this:

The approximate ETA is end of October. It's not a hard ETA as QA testing can push it further out, but I would expect to see it in a month's time.

The patch number is ESX410-201010001

Josh

geemail
Contributor

Anyone receive any further word on this from VMware... I am seeing the exact same issue

Thanks

cwany70
Contributor

I opened case in VMware support for similar problem.

Answer is "fix for this is to be released with 4.1 update 1 however I do not have a confirmed date for that release yet."

geemail
Contributor

@cwany70

We are running ESX 4.1.0 Build 260247 and still seeing the issue.

Or are you saying an actual update to 4.1 is expected to fix the issue?

Thanks

cwany70
Contributor

Support Eng said that Update 1 for ESX4.1 is expected to fix the issue

geemail
Contributor

Thanks... that would be great... do you happen to know an anticipated release date for Update 1?
