VMware Cloud Community
Ritmo2k
Enthusiast

Creating users in vcenter

I need to create a local user on each ESXi server with read privs on all the assets on the local ESXi server. Easy enough to do on each host manually, however is there a way to do this within vCenter and have the user pushed down to each host?

Thanks!

13 Replies
Prakas
Enthusiast

Hi,

Log in to the ESXi host directly with the VI client. There is a tab 'Local Users & Groups'. You can make use of it to add users. It is the easiest way, through the GUI.

[attached screenshot: Capture.PNG]

As far as I know, there is no way to grant access to the host directly through vCenter.

Ritmo2k
Enthusiast

Hi Prakash,
I appreciate your reply, however I stated that I was looking for a centralized solution using vCenter, as what you describe is how I do it. Creating the user and associated passwords individually on each host presents a management issue and a password synchronization issue.

Thanks.

Prakas
Enthusiast

Looks like that can be possible via PowerCLI. I found some relevant information in this article (refer to the Part 2 section).

ScreamingSilenc

Using the Web Client

1. Browse to Administration > Access > SSO Users and Groups in the vSphere Web Client.

2. On the Users tab, click the New User icon (the green + sign).

3. Type a user name and password for the new user. You cannot change the user name after you create a user. The password must meet the password policy requirements for the system.

4. Type the first name and last name of the new user (optional).

5. Type the email address for the new user.

6. Select the type of permissions the user is granted. User roles are incremental. More powerful roles are supersets of weaker roles.

Please consider marking this answer "correct" or "helpful" if you found it useful.
Deano123
Enthusiast

I believe that once the user has been created, following Mustafa's guide, you need to assign the new user permissions on the inventory object itself. I made the mistake of just creating the user and assigning privileges, but once the user had logged on, all inventory items listed 0 and had access to nothing (I may have done it wrong though). After logging back in, right-clicking the inventory object and selecting Add Permission, I was able to add the user to the objects required.


That was my experience anyway. :)


Dean

UmeshAhuja
Commander

Hi,

This is not a complete "ready to use" script; it should only give you a basic idea/overview of which commands you can use to perform the necessary steps.

Connect-VIServer -Protocol https -Server <FQDN_or_IP_of_VMHost> -User root -Password "your_password"

New-VMHostAccount -Id <account_name> -Password "your_new_password" -Description "<description_of_the_user>"

New-VIRole -Name <your_role_name> -Privilege "Settings"

New-VIPermission -Entity <FQDN_or_IP_of_VMHost> -Principal <account_name> -Role "<your_role_name>" -Propagate:$true

1. command: will connect you to your ESXi host

2. command: will add a new local user

3. command: will add a new role with dedicated permissions. In the example above the permission is "Global" > "Settings"

4. command: will assign the new role to the new user

Thanks n Regards
Umesh Ahuja

If your query is resolved, then please consider awarding points by marking this correct or helpful.
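The four commands above are written against a single host. As an added example, not Umesh's script and not code from VMware, the following PowerCLI script generalizes them to every host that a vCenter manages: it reads the host list from vCenter, then connects to each host directly (New-VMHostAccount only works on a direct host connection), creates the local account if it is missing, and binds the built-in ReadOnly role at the host's root folder so it covers the whole host inventory. The vCenter name vcenter.example.com, the account name monitor-ro and the description are placeholders; credentials and the new password are prompted for rather than passed on the command line, so they do not end up in shell history.

```powershell
# Added example: push one local read-only account to every ESXi host managed by a vCenter.
# Assumes the VMware.PowerCLI module is installed. vcenter.example.com and monitor-ro are placeholders.
param(
    [string]$VCenter     = 'vcenter.example.com',              # placeholder vCenter FQDN
    [string]$AccountId   = 'monitor-ro',                       # placeholder local account name
    [string]$Description = 'Read-only local monitoring account'
)

Import-Module VMware.PowerCLI

$vcCred   = Get-Credential -Message 'vCenter account (used only to enumerate hosts)'
$rootCred = Get-Credential -Message 'ESXi root credential (accounts are created on each host directly)'
$newPwd   = Read-Host -AsSecureString -Prompt "Password for local account $AccountId"
# New-VMHostAccount takes a plain string, so unwrap the SecureString only at the point of use
$plainPwd = [System.Net.NetworkCredential]::new('', $newPwd).Password

# Step 1: enumerate connected hosts from vCenter, then drop that session
$vc = Connect-VIServer -Server $VCenter -Credential $vcCred
$hostNames = Get-VMHost -Server $vc |
    Where-Object { $_.ConnectionState -eq 'Connected' } |
    Select-Object -ExpandProperty Name
Disconnect-VIServer -Server $vc -Confirm:$false

$results = foreach ($h in $hostNames) {
    $esx = $null
    try {
        $esx = Connect-VIServer -Server $h -Credential $rootCred -ErrorAction Stop

        # Step 2: create the local account only if it does not exist yet, so re-runs are idempotent
        $acct = Get-VMHostAccount -Server $esx -Id $AccountId -ErrorAction SilentlyContinue
        if (-not $acct) {
            $acct = New-VMHostAccount -Server $esx -Id $AccountId -Password $plainPwd -Description $Description
        }

        # Step 3: bind the built-in ReadOnly role at the host's root folder with propagation,
        # so the account can see every object on the host (the request in the original post)
        $role   = Get-VIRole -Server $esx -Name 'ReadOnly'
        $root   = Get-Folder -Server $esx -NoRecursion
        $perm   = Get-VIPermission -Server $esx -Entity $root -Principal $AccountId -ErrorAction SilentlyContinue
        if (-not $perm) {
            New-VIPermission -Server $esx -Entity $root -Principal $AccountId -Role $role -Propagate:$true | Out-Null
        }
        [pscustomobject]@{ Host = $h; Status = 'ok'; Role = $role.Name }
    }
    catch {
        # Report and keep going: one unreachable host should not stop the rollout
        [pscustomobject]@{ Host = $h; Status = "failed: $($_.Exception.Message)"; Role = $null }
    }
    finally {
        if ($esx) { Disconnect-VIServer -Server $esx -Confirm:$false }
    }
}

$results | Format-Table -AutoSize
```

The script does not solve the password synchronization problem raised earlier in the thread: every host still holds its own copy of the same password, so rotating it means running the script again against all hosts. It only removes the per-host clicking. Running it from a machine with vCenter-level rights and root on every host also concentrates those secrets in one session, which is the trade-off to weigh against joining the hosts to Active Directory, as discussed further down.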
Ritmo2k
Enthusiast

Hey guys,
So I logged in to the web client (I don't have PowerCLI access in this env yet, but I will add it) and followed these steps:

  1. Administration -> Single Sign-On -> User and Groups
  2. Under Users, I set the domain to the SSO-based domain (this vCenter server has SSO set up with Active Directory).
  3. Under Access Control -> Global Permissions, I added the existing user and gave it read-only access.

Now for each host I can see the inherited permission, but regardless of whether I manually add the user explicitly, the login cannot authenticate.
Does any host-specific configuration need to be done to inform the hosts that they must defer authentication to the vCenter server?

Thanks!

Deano123
Enthusiast

If you log into the host and create users locally they will not be visible in vCenter. But it sounds like your AD domain is not authenticating; try creating a new user in the vsphere.local domain through vCenter, assign the necessary roles, permissions and privileges, and see if that user can log in.

Dean

Ritmo2k
Enthusiast

Hi,
I can log into the web client with an Active Directory account that has been given rights assigned by the initial Administrator@sso-domain set up during installation. The users I have created locally on each host are not in use at the moment; however, the new unique user in vCenter has been created within the SSO domain as you describe. I'll either get tcpdump installed on the vCenter server, or set up a mirror port and look at the traffic. I am curious what instructs the individual hosts to know a user is not local and defer authentication back to the managing vCenter server.

Thanks!

Deano123
Enthusiast

OK, I am still in a 5.1/5.5 environment, so changes made in 6.0 may be different to what I am used to, so I can't answer that. But, from my limited knowledge, I wonder if you are using an authentication proxy and something is not right with that. I am still learning, so it would be interesting to know if/when/how it was fixed.

Dean

Ritmo2k
Enthusiast

Hi Dean,
So I joined a couple of hosts to AD without using an authentication proxy (we don't use one) and simply tried to use an Active Directory user that has global top-down admin privs. When using the web client as that user (and choosing Windows auth), I most certainly have full administrative rights within vCenter. When using the C# client to connect to a host, if I use Windows auth I get an "invalid user/pass" error. If I manually type my username and password, I get an error saying that the user does not have rights on the host. I can see on the host that the permission is inherited, though?

Any other ideas?

Thanks!

Deano123
Enthusiast

Your statement "when using the C# client to connect to a host" suggests that you are using the C# client to log into a host that is attached to a vCenter server and then trying to log in with domain credentials. If that's the case, then my understanding would be that you need to connect to vCenter (web or C# client) with those creds and manage the hosts via that route. If you are using the C# client to connect directly to the host then, as far as I am aware, those credentials won't work, as the security mechanism is processed through VC. If you need to connect directly to the host through the C# client then you would need to use local creds stored on the host itself; I am not aware that you can use Windows creds on a single host unless you have configured it, at host level, to work with AD.


Other than that I am at a loss, I'm afraid.


Dean

Ritmo2k
Enthusiast

Hey Dean,
Thanks for all the patience. You are correct, I was logging in to the host directly with the C# client, I should have tried the console.

The end goal is to provide shell access to all hosts using a managed account. In other words, not creating the account locally on each host.

The fact you can join a host to AD suggests this should work. When I start up a network trace, I can see the traffic between the host and the AD domain; however, I just cannot get the authentication set up such that an AD user with privileges on that host can actually log on?

Thanks!

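The last few posts come down to a per-host question: is the host actually joined to the domain, and what does the host itself (not vCenter) think the AD principal is allowed to do? The following PowerCLI script is an added example, not code from the thread or from VMware, that answers that from a single vCenter session for every managed host. For each host it reports the Active Directory membership state, the AD group name the host maps to its local Administrator role (the Config.HostAgent.plugins.hostsvc.esxAdminsGroup advanced setting, whose default is "ESX Admins"), and any roles the principal holds on the host object. The names vcenter.example.com and CORP\esx-shell-ops are placeholders.

```powershell
# Added example: audit per-host AD membership and a principal's effective roles from vCenter.
# Assumes the VMware.PowerCLI module is installed. vcenter.example.com and CORP\esx-shell-ops are placeholders.
param(
    [string]$VCenter   = 'vcenter.example.com',   # placeholder vCenter FQDN
    [string]$Principal = 'CORP\esx-shell-ops'     # placeholder AD user, DOMAIN\name form as ESXi expects it
)

Import-Module VMware.PowerCLI

$vc = Connect-VIServer -Server $VCenter -Credential (Get-Credential -Message 'vCenter account')

$report = foreach ($vmHost in Get-VMHost -Server $vc) {
    # Domain membership as seen by the host's own authentication store
    $auth = Get-VMHostAuthentication -VMHost $vmHost

    # AD group whose members are granted the Administrator role on this host (default "ESX Admins").
    # Shell/SSH logins need Administrator on the host, so this group is what actually gates shell access.
    $adminsGroup = (Get-AdvancedSetting -Entity $vmHost -Name 'Config.HostAgent.plugins.hostsvc.esxAdminsGroup').Value

    # Roles the principal holds on the host object itself (global permissions show up here as inherited)
    $perms = Get-VIPermission -Server $vc -Entity $vmHost -Principal $Principal -ErrorAction SilentlyContinue

    $findings = @()
    if (-not $auth.Domain)                       { $findings += 'not joined to AD' }
    elseif ($auth.DomainMembershipStatus -ne 'Ok') { $findings += "membership status $($auth.DomainMembershipStatus)" }
    if (-not $perms)                             { $findings += "no role for $Principal on host" }
    if ($adminsGroup -eq 'ESX Admins')           { $findings += 'default ESX Admins group still in use' }

    [pscustomobject]@{
        Host           = $vmHost.Name
        Domain         = $auth.Domain
        Membership     = $auth.DomainMembershipStatus
        EsxAdminsGroup = $adminsGroup
        Roles          = ($perms | ForEach-Object { $_.Role }) -join ','
        Findings       = ($findings -join '; ')
    }
}

Disconnect-VIServer -Server $vc -Confirm:$false
$report | Format-Table -AutoSize
```

A host whose Membership column is anything other than Ok will fail AD logins no matter what vCenter shows as inherited permissions, which matches the symptom in the thread (permission visible, login rejected). Joining a host is itself a PowerCLI operation (Set-VMHostAuthentication with -JoinDomain), so the same loop can be used to bring stragglers in. The last finding is a hardening point rather than a functional one: because membership of the esxAdminsGroup group grants full administrator rights on every joined host, that group should be a deliberately named, tightly controlled one, and changes to the advanced setting itself are worth alerting on.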