VMware Cloud Community
Bergold
Enthusiast

Invoke-VMScript to a domain-joined Ubuntu VM

Hi,

I'm able to execute commands with Invoke-VMScript if I use local root credentials as guest credentials. Our Ubuntu system is domain joined with PAM. My account is able to connect / log in via SSH and the vCenter console. I tried a simple "ls" and retrieved some files from SSH or the vCenter console. If I use my domain account as the guest credential with Invoke-VMScript, then I get no ScriptOutput. The auth.log from Ubuntu shows no errors, so my authentication is okay. The syslog from my Ubuntu system shows the message "vmtoolsd[305]: /bin/bash: /tmp/vmware-DOMAINusername/powercliclivmware9: No such file or directory". The message is correct because the folder or file was not created. There is another folder named /tmp/vmware-DOMAIN\username.

Is there anybody here who works with Invoke-VMScript on a domain-joined Ubuntu system?

6 Replies
LucD
Leadership

Did you configure PAM with the option "Create home directory on login"?

You can check in /etc/pam.d/common-session or with the pam-auth-update command.


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

Bergold
Enthusiast

In our file common-session we have a line with

"session optional   pam_winbind.so mkhomedir"

I think this one would create a home directory for every user. If I want to try "pam-auth-update" then I have to --force it, and it will override all customized files.

LucD
Leadership

This looks to be indeed an issue with Invoke-VMScript.

Which PowerCLI version are you using?

Did you already try the same with my Invoke-VMScriptPlus function?


Bergold
Enthusiast

My PowerCLI version is 6.5.4.7155375.

I will test your Invoke-VMScriptPlus function and give feedback as soon as possible.

LucD
Leadership

You might also consider an upgrade of your PowerCLI version.

We are currently at 11.2


LucD
Leadership

I found a solution, I think: it's a missing line in the sssd.conf file (at least it was for me).

In the auth.log you will see entries like the following when running Invoke-VMScript with an AD account.

Mar 26 19:31:02 ubuntu1 VGAuth[333]: pam_sss(vmtoolsd:account): Access denied for user lucd@local.lab: 6 (Permission denied)

Turns out that you need to specify in the sssd.conf file the following

ad_gpo_map_batch = +vmtoolsd

Restart sssd with 'systemctl restart sssd', and now the Invoke-VMScript works with an AD account.

The auth.log now shows

Mar 26 19:53:05 ubuntu1 VGAuth[333]: pam_sss(vmtoolsd:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost= user=lucd@local.lab

Mar 26 19:53:05 ubuntu1 VGAuth[333]: vmtoolsd: Username and password successfully validated for 'lucd@local.lab'


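The check described in the last reply, as an added example that is not part of the thread: it pulls the users that pam_sss denied for the vmtoolsd service out of an auth.log and lists the [domain/...] sections of an sssd.conf that do not add vmtoolsd to ad_gpo_map_batch. The function names are hypothetical and the sample files are constructed (two log lines follow the entries quoted above); on a real guest, pass /var/log/auth.log and /etc/sssd/sssd.conf instead.

```bash
#!/bin/sh
# Added example: triage for the vmtoolsd/SSSD GPO denial discussed in this thread.

# Users that pam_sss rejected at the account phase of the vmtoolsd PAM service.
denied_vmtoolsd_users() {            # $1 = path to auth.log
    awk '/pam_sss\(vmtoolsd:account\): Access denied for user / {
            for (i = 1; i < NF; i++)
                if ($i == "user") { u = $(i + 1); sub(/:$/, "", u); print u; break }
         }' "$1" | sort -u
}

# [domain/...] sections of sssd.conf whose ad_gpo_map_batch lacks +vmtoolsd.
domains_missing_vmtoolsd() {         # $1 = path to sssd.conf
    awk 'function emit() { if (sect != "" && !ok) print sect }
         /^[ \t]*[#;]/ { next }                       # skip commented-out lines
         /^[ \t]*\[/ { emit(); sect = ""; ok = 0      # a new section starts
                       if ($0 ~ /^[ \t]*\[domain\//) {
                           sect = $0; gsub(/^[ \t]*\[|\].*$/, "", sect) }
                       next }
         /^[ \t]*ad_gpo_map_batch[ \t]*=/ {
             val = $0; sub(/^[^=]*=/, "", val); gsub(/[ \t]/, "", val)
             n = split(val, items, ",")
             for (i = 1; i <= n; i++) if (items[i] == "+vmtoolsd") ok = 1 }
         END { emit() }' "$1"
}

# Constructed sample input (the sshd line, bob and other.lab are made up).
demo_dir=$(mktemp -d)
cat > "$demo_dir/auth.log" <<'EOF'
Mar 26 19:31:02 ubuntu1 VGAuth[333]: pam_sss(vmtoolsd:account): Access denied for user lucd@local.lab: 6 (Permission denied)
Mar 26 19:31:40 ubuntu1 sshd[901]: pam_sss(sshd:account): Access denied for user bob@local.lab: 6 (Permission denied)
Mar 26 19:53:05 ubuntu1 VGAuth[333]: pam_sss(vmtoolsd:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost= user=lucd@local.lab
EOF
cat > "$demo_dir/sssd.conf" <<'EOF'
[sssd]
domains = local.lab, other.lab
[domain/local.lab]
id_provider = ad
ad_gpo_map_batch = +cron, +vmtoolsd
[domain/other.lab]
id_provider = ad
# ad_gpo_map_batch = +vmtoolsd
EOF

echo "denied via vmtoolsd: $(denied_vmtoolsd_users "$demo_dir/auth.log")"
echo "domains without +vmtoolsd: $(domains_missing_vmtoolsd "$demo_dir/sssd.conf")"
```

A denial at vmtoolsd:account together with a domain listed by the second function matches the situation in the reply above; the sshd denial in the sample is ignored because it belongs to a different PAM service.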