VMware Cloud Community
conradsia
Hot Shot

AD Directory Services .. change default ESX Admins group

I joined my 4.1 server to the domain, but the default group that it wants to authenticate against is "ESX Admins" and I need to change that because our different divisions need to use their own groups for authentication so we don't all have access to each other's servers.

Has anyone figured out how to change this group?

Also, we used to use AD authentication with the esxcfg-auth -enablead etc. commands and I tried to do this with the enablekerberos command, but I am running into issues this way too. Authentication is successful, then I get "permission denied". Has anyone got the "old" way working with AD authentication?

Thanks

6 Replies
cblomart
Enthusiast

Also had the problem and made kerberos work:

esxcfg-auth --enablekrb5 --krb5realm=$addomain --krb5kdc=$adserver --krb5adminserver=$adserver

The trick is to make the users members of an authorized group/username. This is set in /etc/security/access.conf

cat /etc/security/access.conf
+:root:ALL
+:vpxuser:ALL
+:vslauser:ALL
-:ALL:ALL

so I made my user a member of the root group

useradd -G root <user>

It would be best to have more documentation on AD membership and to be able to set it at deployment (kickstart).

The few commands I read about on the forum are from RCLI:

esxcfg-user

vicfg-authconfig

I suppose this is part of VMware's view of remote management... it still doesn't integrate properly with our PXE deployment tool (Altiris).

Cédric
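As an added example (not from the thread, and not VMware's code), the shell functions below evaluate access.conf rules offline the way pam_access does, so you can see why the default file denies everyone outside root/vpxuser/vslauser and how one extra rule for a dedicated group grants access without putting AD users in the root group. The user alice and the group esxadmins-div1 are assumptions; the "ALL EXCEPT" form and non-ALL origins are not handled.

```shell
# Added example: evaluate pam_access rules (the /etc/security/access.conf
# format quoted above) for a login and its groups, without touching a host.
# Assumes the classic "permission:users:origins" syntax, first matching rule
# wins, and the users field holds space-separated user/group names or ALL.

# Constructed copy of the default ESX 4.x file shown in the thread.
DEFAULT_ACCESS_CONF='+:root:ALL
+:vpxuser:ALL
+:vslauser:ALL
-:ALL:ALL'

# Same file plus one rule for a dedicated admin group (hypothetical name).
DELEGATED_ACCESS_CONF='+:root:ALL
+:vpxuser:ALL
+:vslauser:ALL
+:esxadmins-div1:ALL
-:ALL:ALL'

# rule_matches USERS_FIELD LOGIN "GROUP1 GROUP2" -> 0 if ALL, the login, or a group matches
rule_matches() {
    for item in $1; do
        [ "$item" = ALL ] && return 0
        [ "$item" = "$2" ] && return 0
        for g in $3; do
            [ "$item" = "$g" ] && return 0
        done
    done
    return 1
}

# access_allowed LOGIN "GROUPS" CONF -> 0 (allowed) or 1 (denied).
access_allowed() {
    while IFS=: read -r perm users origins; do
        case "$perm" in ''|'#'*) continue ;; esac   # skip blank and comment lines
        if rule_matches "$users" "$1" "$2"; then
            [ "$perm" = '+' ] && return 0            # first match decides
            return 1
        fi
    done <<EOF
$3
EOF
    return 0   # pam_access allows when no rule matches; -:ALL:ALL catches that
}

# Divisional admin "alice" (constructed): denied by the default file unless
# she is put in the root group, allowed by the delegated file via her own group.
access_allowed alice "esxadmins-div1" "$DEFAULT_ACCESS_CONF"   && echo "default: allowed"
access_allowed alice "esxadmins-div1" "$DELEGATED_ACCESS_CONF" && echo "delegated: allowed"
```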

conradsia
Hot Shot

Thanks for that info. Two things came about from making that change.

1. The change is not persistent and reverts after a reboot. How did you make the change persistent?

2. Even though I can authenticate it is asking me to change my password and then fails to login. Did you experience this? I've seen this happen when my password is expiring but in this case it is not.

I am going to open a support call and see if there is a way to change the group that it wants to authenticate against in AD, because this is ideally what I want to do. I will follow up.

cblomart
Enthusiast

As changes are not persistent, I simply made my new users members of a group that is authorized by default.

By default the "root" group is authorized, so I made users members of this group.

Concerning the password reset I cannot help you directly. My first guess would be that the password complexity enforced by ESX is tighter than the one in AD. I would not rely on password changes through ESX itself. The best option would be to align the policies of ESX and AD.

PS:

the access.conf mentioned is the default one, so no changes are needed for this one

again, that's why I made users members of the root group, even if vpxuser can be considered

here is what can be found on passwords through esxcfg-auth -p (I added the comments):

PASS_MAX_DAYS 99999 #(+/- 300 years)
PASS_MIN_DAYS 0 #(reset new passwords ok)
PASS_MIN_LEN 5 #(at least 5 characters)
PASS_WARN_AGE 7 #(warning during 1 week)

Another default setting that might be interesting in /etc/pam.d/system-auth:

password required /lib/security/$ISA/pam_passwdqc.so min=8,8,8,7,6 similar=deny match=0

Meaning:

-no similar passwords

-min is a bit tricky (password class distinction) but basically a normal password should be 8 characters long and a strong password can be 6 characters long...

conradsia
Hot Shot

So it turns out my password was set to expire on the creation date of the account (strangely), so even though the AD authentication was successful the OS was requiring me to change my password.

I used chage -l <username> to see my settings and also passwd -S <username> and compared the password settings to root.

After I changed the Max num of days to '-1' for my account the password was set to never expire and login was successful.

I'm going to go through my install and script again and see what could have caused that to happen. I'll also change the script to set esxcfg-auth --passmaxdays=-1

Thanks for your help. I still would like to change the esx admins group so I can add the server to the domain .... waiting to hear back from vmware.

-->> looking back in my script I noticed I already had the esxcfg-auth --passmaxdays=0 which worked in 4.0 and below but it now needs to be set to '-1' not '0' to turn off password aging globally.

conradsia
Hot Shot

I'm thinking of maybe just using ssh keys instead of AD ...

peetz
Leadership

With ESXi 5.0 this is now possible. Please see my blog post about this undocumented feature here:

http://v-front.blogspot.com/2012/01/undocumented-parameters-for-esxi-50.html

- Andreas

Twitter: @VFrontDe, @ESXiPatches | https://esxi-patches.v-front.de | https://vibsdepot.v-front.de