jonb157
Enthusiast

AD authentication in Vi4 problems


Hi, I used the same old command as in 3.5, "esxcfg-auth ...", and then added users with "useradd joe".

However, whenever I log in with the account, it isn't working with AD passwords. I've made sure NTP is working correctly. Did something change in Vi4 in regards to the pam.d files? Should I be changing any of these? I didn't have to in 3.5 when enabling ESX AD authentication. I've also verified "ActiveDirectorKerberos" is enabled on my ESX firewall. Any ideas?

17 Replies
AndreTheGiant
Immortal

I think that something has changed.

In ESX 3.5, pam_smb was used.

But in ESX 4 it isn't there; instead there is pam_krb5.

Probably the old command doesn't work.

Andre

liqin75
Contributor

Are you working on a freshly installed ESX 4.0 host, or did you upgrade it from ESX 3.5.x?

If you are working on a host upgraded from ESX 3.5.x, then you should execute the esxcfg-auth command again after the upgrade to configure the ESX server for the AD domain.

There are differences in the PAM configuration for AD between ESX 3.5 and ESX 4.0.

jonb157
Enthusiast

It was a fresh install and I ran the command to configure AD auth afterwards. I'm just thinking that there might be another file to edit or something with this version; I can't figure it out though.

chriswaltham
Enthusiast

I'm having the exact same problem as the OP. In VI3.5, I would configure my ESX hosts like so:

esxcfg-auth --enablead --addomain=bowdoincollege.edu --addc=bowdoincollege.edu

And then add users like this:

useradd -g wheel cwaltham

However, that doesn't seem to work in vSphere. When I try to SSH to my ESX4.0 host, I get this error in /var/log/secure:

Jun 12 13:39:43 ephram sshd[8606]: pam_per_user: create_subrequest_handle(): doing map lookup for user "cwaltham"
Jun 12 13:39:43 ephram sshd[8606]: pam_per_user: create_subrequest_handle(): creating new subrequest (user="cwaltham", service="system-auth-generic")
Jun 12 13:39:43 ephram sshd[8606]: pam_unix(system-auth-generic:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=desktop.bowdoin.edu  user=cwaltham
Jun 12 13:39:51 ephram sshd[8606]: pam_krb5[8606]: authentication fails for 'cwaltham' (cwaltham@BOWDOINCOLLEGE.EDU): Authentication service cannot retrieve authentication info (Cannot contact any KDC for requested realm)
Jun 12 13:39:52 ephram sshd[8606]: Failed password for cwaltham from xxx.xxx.xxx.xxx port 60450 ssh2

However, both the id and su commands work fine; i.e. I can su to my Active Directory account -- I just can't log in via SSH with it.

liqin75
Contributor

Jonb157

Can you please attach the following files:

/etc/pam.d/system-auth-generic

/etc/krb5.conf

/etc/nsswitch.conf

/var/log/messages from when the SSH login was attempted (with /etc/ssh/sshd_config configured for more verbose logging to syslog)

uchinchan
Contributor

/etc/pam.d/system-auth-generic is for remote users

/etc/pam.d/system-auth-local is for local user

/etc/pam.d/system-auth is linked to /etc/pam.d/login.map, which contains the rules for local and remote users.

pam_unix must fail, but pam_krb5 should succeed in /var/log/secure.

This is what we get here:

Jun 15 12:49:48 MyHost sshd[17797]: pam_unix(system-auth-generic:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=blr-3rd-2-dhcp235.eng.vmware.com user=<UserName>
Jun 15 12:49:48 MyHost sshd[17797]: pam_krb5[17797]: authentication succeeds for '<UserName>' (<UserName>@ADServer.com
Jun 15 12:49:48 MyHost sshd[17797]: Accepted password for <UserName> from <ClientHost> port 1888 ssh2

Please have a look at /etc/nsswitch.conf and make sure there is no NIS or any such thing after passwd and shadow.

Authentication to AD is succeeding here.

uchinchan
Contributor

Here is the nsswitch.conf with a working configuration:

# Autogenerated by esxcfg-auth
aliases: files nisplus
automount: files nisplus
bootparams: nisplus files
ethers: files
group: files
hosts: files dns
netgroup: nisplus
netmasks: files
networks: files
passwd: files
protocols: files
publickey: nisplus
rpc: files
services: files
shadow: files
#

jonb157
Enthusiast

Here is the content from my files.

/etc/pam.d/system-auth-generic:

#%PAM-1.0
# Autogenerated by esxcfg-auth
account sufficient /lib/security/$ISA/pam_krb5.so
account required pam_unix.so
auth required pam_env.so
auth sufficient pam_unix.so try_first_pass nullok
auth sufficient /lib/security/$ISA/pam_krb5.so use_first_pass
auth required pam_deny.so
password required /lib/security/$ISA/pam_passwdqc.so min=8,8,8,7,6 similar=deny match=0
password sufficient pam_unix.so try_first_pass use_authtok nullok shadow md5
password sufficient /lib/security/$ISA/pam_krb5.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session sufficient /lib/security/$ISA/pam_krb5.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so

/etc/krb5.conf:

# Autogenerated by esxcfg-auth
[domain_realm]
MYLAB.com = MYLAB.COM
.MYLAB.com = MYLAB.COM

[libdefaults]
default_realm = MYLAB.COM

[realms]
MYLAB.COM = {
admin_server = DCLAB1.MYLAB.com:464
default_domain = MYLAB.com
kdc = DCLAB1.MYLAB.com:88
}

/etc/nsswitch.conf:

# Autogenerated by esxcfg-auth
aliases: files nisplus
automount: files nisplus
bootparams: nisplus files
ethers: files
group: files
hosts: files dns
netgroup: nisplus
netmasks: files
networks: files
passwd: files
protocols: files
publickey: nisplus
rpc: files
services: files
shadow: files

uchinchan
Contributor

Hi Jon,

Just a guess, but can you please check by opening the DNS port (53) both ways?

Thanks,

uchinchan
Contributor

Otherwise the configuration looks good. I tried with the exact /etc/pam.d/system-auth-generic on my ESX box and it works fine. I am able to authenticate to a 2003 Native AD server.

chriswaltham
Enthusiast

I had three problems, though because I'd done so much playing with esxcfg-auth I have no idea how many of the problems I was responsible for.

In my /etc/krb5.conf, I had specified the admin_server as listening on the wrong port; for my environment it should be port 464. Also, there was no kdc server specified, so I put our KDC server in. However, once I'd done that, I couldn't telnet to port 88 on our KDC. I needed to run this command, even though I'd enabled activeDirectorKerberos in my security profile (via the VC GUI):

esxcfg-firewall -o 88,tcp,out,kerberos

I just did a clean configure of an ESX4 host, this is what I needed to do:

/usr/sbin/esxcfg-auth --enablead --addomain=domainname.edu --addc=domainname.edu --krb5kdc=domainname.edu --enablekrb5 --krb5realm=DOMAINNAME.EDU --krb5adminserver=domainname.edu
/usr/sbin/esxcfg-firewall -o 88,tcp,out,kerberos

That does everything I need, including using the correct ports.

jonb157
Enthusiast

Ah, opening the firewall port 88 for Kerberos did the trick for me! In the past I always opened up activeDirectorKerberos via the VI Client, but I guess in vSphere you have to open it via the console also. Thanks!

chriswaltham
Enthusiast

Me, too. I'm not sure why they made the change? I suppose it might be a bug...

uchinchan
Contributor

esxcfg-auth opens the ports when executed with the --enablead option.

chriswaltham
Enthusiast

I'm using --enablead and it doesn't open the outgoing port.

uchinchan
Contributor

Hi chriswaltham,

Thanks for your inputs!

The following ports are opened for the activeDirectorKerberos service (as per the /etc/vmware/firewall/services.xml file):

<service id='0026'>
  <id>activeDirectorKerberos</id>
  <rule id='0000'>
    <direction>outbound</direction>
    <protocol>tcp</protocol>
    <port type='dst'>464</port>
    <flags>-m state --state NEW</flags>
  </rule>
  <rule id='0001'>
    <direction>outbound</direction>
    <protocol>udp</protocol>
    <port type='dst'>88</port>
    <flags>-m state --state NEW</flags>
  </rule>
</service>

It opens DST 464 TCP and DST 88 UDP.

However, as per the Kerberos wiki here: http://wiki.wireshark.org/Kerberos

UDP TCP: Originally Kerberos used UDP as its transport protocol but modern implementations also support TCP to overcome PDU size limitations in UDP. All modern clients support TCP but older clients might not

So I believe we could open TCP port 88 also, since it would be used by modern clients.

COOKVMUser
Contributor

You can change the /etc/vmware/firewall/services.xml to include:

<service id='0026'>
  <id>activeDirectorKerberos</id>
  <rule id='0000'>
    <direction>outbound</direction>
    <protocol>tcp</protocol>
    <port type='dst'>464</port>
    <flags>-m state --state NEW</flags>
  </rule>
  <rule id='0001'>
    <direction>outbound</direction>
    <protocol>udp</protocol>
    <port type='dst'>88</port>
    <flags>-m state --state NEW</flags>
  </rule>
  <rule id='0002'>
    <direction>outbound</direction>
    <protocol>tcp</protocol>
    <port type='dst'>88</port>
    <flags>-m state --state NEW</flags>
  </rule>
</service>

This way you will open and close the port properly with "esxcfg-auth --enablead".

brakerm19
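As an added example (not code from this thread or from VMware), the following Python script parses a services.xml service definition like the ones posted above, derives the outbound rules that the kdc and admin_server entries of a krb5.conf require, and produces the esxcfg-firewall commands for whatever the service does not open. The sample XML, its <services> wrapper element and the krb5.conf stanza are constructed from the files posted in this thread; the 749 fallback for an admin_server given without a port is the MIT kadmin default.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of the activeDirectorKerberos service posted in the thread (outbound
# TCP 464 and UDP 88 only); the <services> wrapper stands in for the real root element.
SERVICES_XML = """<services><service id='0026'><id>activeDirectorKerberos</id>
 <rule id='0000'><direction>outbound</direction><protocol>tcp</protocol>
  <port type='dst'>464</port><flags>-m state --state NEW</flags></rule>
 <rule id='0001'><direction>outbound</direction><protocol>udp</protocol>
  <port type='dst'>88</port><flags>-m state --state NEW</flags></rule>
</service></services>"""

# Constructed [realms] stanza modelled on the krb5.conf posted in the thread.
KRB5_CONF = """[realms]
 MYLAB.COM = {
  admin_server = DCLAB1.MYLAB.com:464
  kdc = DCLAB1.MYLAB.com:88
 }"""

DEFAULT_PORT = {"kdc": 88, "admin_server": 749}  # used when no :port is given (749 = MIT kadmin)

def service_rules(xml_text, service_id):
    """(direction, protocol, dst port) tuples opened by one services.xml service."""
    rules = set()
    for svc in ET.fromstring(xml_text).iter("service"):
        if svc.findtext("id") != service_id:
            continue
        for rule in svc.iter("rule"):
            rules.add((rule.findtext("direction"), rule.findtext("protocol"),
                       int(rule.findtext("port"))))
    return rules

def required_rules(krb5_text):
    """Outbound rules pam_krb5 needs: KDC over UDP and TCP (oversized replies retry on TCP), admin over TCP."""
    needed = set()
    for key, host in re.findall(r"^\s*(kdc|admin_server)\s*=\s*(\S+)", krb5_text, re.M):
        port = int(host.rsplit(":", 1)[1]) if ":" in host else DEFAULT_PORT[key]
        for proto in (("tcp", "udp") if key == "kdc" else ("tcp",)):
            needed.add(("outbound", proto, port))
    return needed

def missing_rules(xml_text, krb5_text, service_id="activeDirectorKerberos"):
    # Rules krb5.conf needs that the firewall service definition does not open.
    return required_rules(krb5_text) - service_rules(xml_text, service_id)

def fix_commands(missing, name="kerberos"):
    """esxcfg-firewall -o port,proto,direction,name lines, the form used in the thread."""
    direction = {"outbound": "out", "inbound": "in"}
    return [f"esxcfg-firewall -o {p},{proto},{direction[d]},{name}"
            for d, proto, p in sorted(missing)]
```

Run against the posted service definition it reports only outbound TCP 88, which is the rule the thread converged on adding.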
