Hi,
I recently deployed the vMA 4.1 in our environment with Active Directory (AD) integration. My question is: how do I restrict login access? Any domain user can log in to the vMA as it is now.
Thanks
Yes, you can control this by taking a look at the Likewise configuration file located in /etc/likewise/lsassd.conf
You'll want to search for the following section and update the list that only allows certain groups or users to log in; this is how you restrict login access to the users/groups you want to allow:
# Allow only the following users and groups
# to login to this system
#
# Note: Use a comma-separated list of
# { alias, NT4 style name, SID }
#
# require-membership-of = ABC\support group, ABC\joe, jane, S-1-5-21-3447809367-3151979076-456401374-513
Uncomment require-membership-of and provide your comma-separated list.
=========================================================================
William Lam
VMware vExpert 2009,2010
VMware VCP3,4
VMware VCAP4-DCA
VMware scripts and resources at:
Getting Started with the vMA (tips/tricks)
Getting Started with the vSphere SDK for Perl
VMware Code Central - Scripts/Sample code for Developers and Administrators
If you find this information useful, please award points for "correct" or "helpful".
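Added example (not from the original post or from Likewise): a small model of how the require-membership-of allow-list above is read and matched, so you can check a planned list against a user's SID, NT4 name and group memberships before editing the live file. The configuration excerpt and the user records are constructed; the assumption that an alias entry matches the unqualified part of a name is this example's own.

```python
import re

# Constructed excerpt of /etc/likewise/lsassd.conf, following the section quoted above;
# the shipped directive is commented out and the final line is the assumed edited version.
SAMPLE_CONF = """\
# Allow only the following users and groups
# to login to this system
#
# Note: Use a comma-separated list of
# { alias, NT4 style name, SID }
#
# require-membership-of = ABC\\support group, ABC\\joe, jane, S-1-5-21-3447809367-3151979076-456401374-513
require-membership-of = mydomain\\serviceGroup, mydomain\\ESX Admins, S-1-5-21-313401996-1908442290-172059434-513
"""
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")

def allowed_principals(conf_text):
    """Return the active (uncommented) require-membership-of entries, [] if none is set."""
    for line in conf_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # the file ships with the directive commented out
        key, sep, value = stripped.partition("=")
        if sep and key.strip() == "require-membership-of":
            return [e.strip() for e in value.split(",") if e.strip()]
    return []

def classify(entry):
    """Map an entry onto the three forms the file comment lists: SID, NT4 name, alias."""
    if SID_RE.match(entry):
        return "sid"
    return "nt4" if "\\" in entry else "alias"

def login_permitted(conf_text, user):
    """user: dict with name ('DOM\\sam'), sid, groups (NT4 names) and group_sids.
    Assumption: an alias entry matches the unqualified part of a user or group name."""
    entries = allowed_principals(conf_text)
    if not entries:
        return True  # directive absent or still commented: any domain user may log in
    names = {user["name"].lower(), *(g.lower() for g in user["groups"])}
    aliases = {n.split("\\")[-1] for n in names}
    sids = {user["sid"], *user["group_sids"]}
    for entry in entries:
        kind = classify(entry)
        if (kind == "sid" and entry in sids) or (kind == "nt4" and entry.lower() in names) \
                or (kind == "alias" and entry.lower() in aliases):
            return True
    return False
```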
Thank you! I had a hard time trying to find any information on this...
In my environment, I found only users with Domain Admin or Administrators group privilege can log onto the vMA.
Is this true?
I used a test domain account and it was able to log in to the vMA; it does not have rights, but is still able to log in. I followed the steps in the lsassd.conf file but I am having issues.
domain\user works
vi-admin works
domain\group does not work
Not sure why, anyone?
So far on my vMA, I can only use users with Domain Admin or Administrators privilege to log onto the vMA.
Even if I modify the /etc/likewise/lsassd.conf file and add the following line:
require-membership-of = Administrator, mydomain\serviceGroup, mydomain\ESX^Admins
I restart the service and still can't get any accounts in the "serviceGroup" or the "ESX Admins" group to log on successfully.
Does anyone have similar problems and solutions?
hey mobychein,
Did you mean Administrator as a local user? I didn't see a domain name before it.
Try leaving only mydomain\serviceGroup without the other groups.
By the way, for mydomain\ESX^Admins you shouldn't write the ^; it works fine without it: "mydomain\ESX Admins".
I can confirm this works on individual users, I don't have a group to test with, but you may want to take a look at the logs while performing the logins.
I basically added only 1 user to the access list and tried to login with another user and you should see something like this in the logs:
Oct 20 07:31:39 tancredi lsassd[2048]: 0x4571f940:Error: User [primp] not in restricted login list
Oct 20 07:31:45 tancredi lsassd[2048]: 0x49325940:KRB5 Error at krbtgt.c:130: [Code:-1765328360] [Message: Preauthentication failed]
Oct 20 07:31:45 tancredi lsassd[2048]: 0x49325940:Failed authenticate user [primp] [code 32789]
You should setup another SSH session and run the command:
tail -f /var/log/messages
With regards to restarting the service, that is unnecessary and may not work actually. You just need to reload the configuration by running:
sudo /opt/likewise/bin/lw-refresh-configuration
I also have other tips/tricks on using Likewise here on my blog that may also be of help - http://www.virtuallyghetto.com/2010/06/how-to-configure-likewise-open-ad.html
=========================================================================
William Lam
VMware vExpert 2009,2010
VMware VCP3,4
VMware VCAP4-DCA
VMware scripts and resources at:
Getting Started with the vMA (tips/tricks)
Getting Started with the vSphere SDK for Perl
VMware Code Central - Scripts/Sample code for Developers and Administrators
If you find this information useful, please award points for "correct" or "helpful".
Yes, I have the following line in /etc/likewise/lsassd.conf:
require-membership-of = mydomain\serviceGroup
I ran the "sudo /opt/likewise/bin/lw-refresh-configuration" command,
then added the user to the serviceGroup, tried to log onto the vMA, and it failed.
I checked the error log using
sudo tail -20 /var/log/messages
and got these error messages:
Oct 21 13:29:12 myvma lsassd[2074]: 0x4485d940:User S-1-5-21-313401996-1908442290-172059434-1113 has an invalid value for the userAccountControl attribute. Please check that it is set and that the machine account has permission to read it.
Oct 21 13:29:12 myvma lsassd[2074]: 0x47061940:User S-1-5-21-313401996-1908442290-172059434-1113 has an invalid value for the userAccountControl attribute. Please check that it is set and that the machine account has permission to read it.
However, I could use any of the user accounts in the Domain Admin or Administrators groups, to log onto the vMA.
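Added example (not from the thread's authors): a small triage of the lsassd lines from the two log excerpts in this thread, so that when you tail /var/log/messages during test logins you can tell an expected "not in restricted login list" denial from a Kerberos pre-authentication failure or the userAccountControl read problem above. The sample log is constructed from the lines quoted in the thread plus one unrelated sshd line; the category names and explanations are this example's own.

```python
import re
from collections import Counter

# Constructed sample of /var/log/messages, built from the lsassd lines quoted in this thread
# plus one unrelated line to show that non-lsassd entries are ignored.
SAMPLE_LOG = """\
Oct 20 07:31:39 tancredi lsassd[2048]: 0x4571f940:Error: User [primp] not in restricted login list
Oct 20 07:31:45 tancredi lsassd[2048]: 0x49325940:KRB5 Error at krbtgt.c:130: [Code:-1765328360] [Message: Preauthentication failed]
Oct 20 07:31:45 tancredi lsassd[2048]: 0x49325940:Failed authenticate user [primp] [code 32789]
Oct 21 13:29:12 myvma lsassd[2074]: 0x4485d940:User S-1-5-21-313401996-1908442290-172059434-1113 has an invalid value for the userAccountControl attribute. Please check that it is set and that the machine account has permission to read it.
Oct 21 13:29:13 myvma sshd[2200]: Accepted publickey for vi-admin from 10.0.0.5 port 51022 ssh2
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) lsassd\[\d+\]: 0x[0-9a-f]+:(?P<msg>.*)$")

# (regex over the message text, category, explanation); the categories are this example's own names
PATTERNS = [
    (re.compile(r"User \[(?P<who>[^\]]+)\] not in restricted login list"), "denied_by_allowlist",
     "require-membership-of is active and this principal is not on the list"),
    (re.compile(r"Preauthentication failed"), "krb5_preauth_failed",
     "Kerberos pre-authentication failed before any group check"),
    (re.compile(r"Failed authenticate user \[(?P<who>[^\]]+)\]"), "auth_failed",
     "lsassd reported the login as failed"),
    (re.compile(r"User (?P<who>S-1-5-[\d-]+) has an invalid value for the userAccountControl"), "uac_unreadable",
     "check the attribute is set and the machine account can read it (as the log says)"),
]

def classify_line(line):
    """Return (timestamp, host, category, principal, explanation) or None for non-lsassd lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    for pat, category, why in PATTERNS:
        hit = pat.search(m["msg"])
        if hit:
            who = hit.groupdict().get("who")
            return (m["ts"], m["host"], category, who, why)
    return (m["ts"], m["host"], "other", None, m["msg"].strip())

def triage(log_text):
    """Count lsassd events by category; useful while tailing the log during test logins."""
    events = [e for e in (classify_line(l) for l in log_text.splitlines()) if e]
    return Counter(e[2] for e in events), events
```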
I configured /etc/ssh/sshd_config to only allow certain groups to log in; it works perfectly.
AllowGroups
Thanks for the suggestions.
But we are still trying to figure out why a normal user account can't log onto the vMA in our case.