Hi,
I'm able to execute commands with Invoke-VMScript if I use local root credentials as guest credentials. Our Ubuntu system is domain joined with PAM. My account is able to connect / log in via SSH and vCenter console. I tried a simple "ls" and retrieved some files from SSH or vCenter console. If I use my domain account as GuestCredential with Invoke-VMScript then I get no ScriptOutput. The auth.log from Ubuntu shows no errors, so my authentication is okay. The syslog from my Ubuntu system creates a message "vmtoolsd[305]: /bin/bash: /tmp/vmware-DOMAINusername/powercliclivmware9: No such file or directory". The message is correct because the folder or file was not created. There is another folder named /tmp/vmware-DOMAIN\username.
Is there anybody here who works with Invoke-VMScript on a domain-joined Ubuntu system?
Did you configure PAM with the option "Create home directory on login"?
You can check in /etc/pam.d/common-session or with the pam-auth-update command.
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
In our file common-session we have a line with
"session optional pam_winbind.so mkhomedir"
I think this one would create a home directory for every user. If I want to try "pam-auth-update" then I have to --force it and it will override all customized files.
This looks to be indeed an issue with Invoke-VMScript.
Which PowerCLI version are you using?
Did you already try the same with my Invoke-VMScriptPlus function?
My PowerCLI version is 6.5.4.7155375.
I will test your Invoke-VMScriptPlus function and give feedback as soon as possible.
You might also consider an upgrade of your PowerCLI version.
We are currently at 11.2
I found a solution, I think: it's a missing line in the sssd.conf file (at least it was for me).
In the auth.log you will see entries like the following when running Invoke-VMScript with an AD account.
Mar 26 19:31:02 ubuntu1 VGAuth[333]: pam_sss(vmtoolsd:account): Access denied for user lucd@local.lab: 6 (Permission denied)
Turns out that you need to specify in the sssd.conf file the following
ad_gpo_map_batch = +vmtoolsd
Restart sssd with 'systemctl restart sssd', and now the Invoke-VMScript works with an AD account.
The auth.log now shows
Mar 26 19:53:05 ubuntu1 VGAuth[333]: pam_sss(vmtoolsd:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost= user=lucd@local.lab
Mar 26 19:53:05 ubuntu1 VGAuth[333]: vmtoolsd: Username and password successfully validated for 'lucd@local.lab'
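As an added example that is not part of the thread: a shell check that extracts the PAM service name from pam_sss account-phase denials like the one quoted above and reports whether sssd.conf lists that service in an allowing ad_gpo_map_* option. The log and config contents are constructed samples, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). Log and config samples below are constructed.

# Print each PAM service that pam_sss refused in the account phase.
denied_services() {  # $1 = auth.log path
    sed -n 's/.*pam_sss(\([^:)]*\):account): Access denied for user .*/\1/p' "$1" | sort -u
}

# Succeed if service $2 appears as "svc" or "+svc" in an allowing ad_gpo_map_* option of $1.
# ad_gpo_map_deny is ignored on purpose: listing a service there always denies it.
gpo_mapped() {  # $1 = sssd.conf path, $2 = PAM service name
    awk -F= -v svc="$2" '
        /^[ \t]*ad_gpo_map_(interactive|remote_interactive|network|batch|service|permit)[ \t]*=/ {
            n = split($2, items, ",")
            for (i = 1; i <= n; i++) {
                gsub(/[ \t]/, "", items[i])
                if (items[i] == svc || items[i] == "+" svc) found = 1
            }
        }
        END { exit !found }' "$1"
}

# List services that were denied in the log and have no allowing GPO mapping.
unmapped_denials() {  # $1 = auth.log path, $2 = sssd.conf path
    for svc in $(denied_services "$1"); do
        gpo_mapped "$2" "$svc" || echo "$svc"
    done
}

# Constructed sample data, modelled on the log line quoted in the thread.
work=$(mktemp -d)
cat > "$work/auth.log" <<'EOF'
Mar 26 19:31:02 ubuntu1 VGAuth[333]: pam_sss(vmtoolsd:account): Access denied for user lucd@local.lab: 6 (Permission denied)
Mar 26 19:31:40 ubuntu1 sshd[812]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10 user=lucd@local.lab
EOF
printf '[domain/local.lab]\nid_provider = ad\naccess_provider = ad\n' > "$work/before.conf"
printf '[domain/local.lab]\nid_provider = ad\naccess_provider = ad\nad_gpo_map_batch = +vmtoolsd\n' > "$work/after.conf"

echo "unmapped before fix: $(unmapped_denials "$work/auth.log" "$work/before.conf")"
echo "unmapped after fix:  $(unmapped_denials "$work/auth.log" "$work/after.conf")"
```

Listing vmtoolsd under ad_gpo_map_batch makes SSSD evaluate access for that PAM service against the GPO BatchLogonRight and DenyBatchLogonRight settings, so the domain's GPOs still decide which accounts may run guest operations.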