Hi, I used the same old command as in 3.5 with "esxcfg-auth ..." and then added users with "useradd joe".
However, whenever I log in with the account, it isn't working with AD passwords. I've made sure NTP is working correctly. Did something change in VI4 in regards to the pam.d files? Should I be changing any of these? I didn't have to in 3.5 when enabling ESX AD authentication. I've also verified "ActiveDirectorKerberos" is enabled on my ESX firewall. Any ideas?
I had three problems, though because I'd done so much playing with esxcfg-auth I have no idea how many of the problems I was responsible for.
In my /etc/krb5.conf, I had specified the admin_server as listening on the wrong port; for my environment it should be port 464. Also, there was no kdc server specified, so I put our KDC server in. However, once I'd done that, I couldn't telnet to port 88 on our KDC. I needed to run this command, even though I'd enabled ActiveDirectorKerberos in my security profile (via the VC GUI):
esxcfg-firewall -o 88,tcp,out,kerberos
I just did a clean configure of an ESX4 host, this is what I needed to do:
/usr/sbin/esxcfg-auth --enablead --addomain=domainname.edu --addc=domainname.edu --krb5kdc=domainname.edu --enablekrb5 --krb5realm=DOMAINNAME.EDU --krb5adminserver=domainname.edu
/usr/sbin/esxcfg-firewall -o 88,tcp,out,kerberos
That does everything I need, including using the correct ports.
I think that something has changed.
In ESX 3.5, pam_smb was used.
But in ESX 4 it isn't there; instead there is pam_krb5.
Probably the old command doesn't work.
Andre
Did you work on ESX 4.0 freshly installed host or did you upgrade it from ESX 3.5.x?
If you work on a host upgraded from ESX 3.5.x, then you should execute esxcfg-auth command again after upgrade to configure ESX server to AD Domain.
There are differences in PAM configuration for AD between ESX 3.5 and ESX 4.0
It was a fresh install and I ran the command to configure AD auth afterwards. I'm just thinking that there might be another file to edit or something with this version; I can't figure it out though.
I'm having the exact same problem as the OP. In VI3.5, I would configure my ESX hosts like so:
esxcfg-auth --enablead --addomain=bowdoincollege.edu --addc=bowdoincollege.edu
And then add users like this:
useradd -g wheel cwaltham
However, that doesn't seem to work in vSphere. When I try and SSH to my ESX4.0 host, I get this error in /var/log/secure:
Jun 12 13:39:43 ephram sshd[8606]: pam_per_user: create_subrequest_handle(): doing map lookup for user "cwaltham"
Jun 12 13:39:43 ephram sshd[8606]: pam_per_user: create_subrequest_handle(): creating new subrequest (user="cwaltham", service="system-auth-generic")
Jun 12 13:39:43 ephram sshd[8606]: pam_unix(system-auth-generic:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=desktop.bowdoin.edu user=cwaltham
Jun 12 13:39:51 ephram sshd[8606]: pam_krb5[8606]: authentication fails for 'cwaltham' (cwaltham@BOWDOINCOLLEGE.EDU): Authentication service cannot retrieve authentication info (Cannot contact any KDC for requested realm)
Jun 12 13:39:52 ephram sshd[8606]: Failed password for cwaltham from xxx.xxx.xxx.xxx port 60450 ssh2
However, both the id and su commands work fine; i.e. I can su to my Active Directory account -- I just can't log in via SSH with it.
Jonb157
Can you please attach the following files:
/etc/pam.d/system-auth-generic
/etc/krb5.conf
/etc/nsswitch.conf
/var/log/messages when SSH was being done (with /etc/ssh/sshd_config configured for more logging into system log)
/etc/pam.d/system-auth-generic is for remote users
/etc/pam.d/system-auth-local is for local user
/etc/pam.d/system-auth is linked to /etc/pam.d/login.map which contains the rules for local and remote users
pam-unix must fail but pam-krb5 should succeed in /var/log/secure
This is what we get here:
Jun 15 12:49:48 MyHost sshd[17797]: pam_unix(system-auth-generic:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=blr-3rd-2-dhcp235.eng.vmware.com user=<UserName>
Jun 15 12:49:48 MyHost sshd[17797]: pam_krb5[17797]: authentication succeeds for '<UserName>' (<UserName>@ADServer.com
Jun 15 12:49:48 MyHost sshd[17797]: Accepted password for <UserName> from <ClientHost> port 1888 ssh2
Please have a look at /etc/nsswitch.conf and make sure there is no NIS or any such thing after passwd and shadow
Authentication to AD is succeeding here
Here is the nsswitch.conf with working configuration
# Autogenerated by esxcfg-auth
aliases: files nisplus
automount: files nisplus
ethers: files
group: files
hosts: files dns
netgroup: nisplus
netmasks: files
networks: files
passwd: files
protocols: files
publickey: nisplus
rpc: files
services: files
shadow: files
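The replies above boil down to two file checks: krb5.conf must name a kdc (port 88) and an admin_server (port 464), and nsswitch.conf must not have NIS or similar after passwd and shadow. The following script is an added example, not from the thread or from VMware; it assumes the file layout esxcfg-auth writes and uses constructed sample files.

```shell
#!/bin/sh
# Added example (not from the thread): check the two files the replies above ask
# about. Assumes the layout esxcfg-auth writes; the sample files are constructed
# to show one working and one broken configuration of each.

# Port part of "host:port", or the supplied default when no port is given.
port_of() { case "$1" in *:*) echo "${1##*:}" ;; *) echo "$2" ;; esac; }

# Succeed when krb5.conf names a kdc on 88 and an admin_server on 464, the two
# settings that had to be fixed by hand in the posts above.
check_krb5() {
    kdc=$(sed -n 's/^[[:space:]]*kdc[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1)
    adm=$(sed -n 's/^[[:space:]]*admin_server[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1)
    [ -n "$kdc" ] || { echo "krb5.conf: no kdc (pam_krb5: Cannot contact any KDC)"; return 1; }
    [ -n "$adm" ] || { echo "krb5.conf: no admin_server"; return 1; }
    [ "$(port_of "$kdc" 88)" = 88 ] || { echo "krb5.conf: kdc $kdc is not on port 88"; return 1; }
    [ "$(port_of "$adm" 464)" = 464 ] || { echo "krb5.conf: admin_server $adm is not on port 464"; return 1; }
}

# Succeed when passwd and shadow resolve through 'files' only (no NIS or similar).
check_nsswitch() {
    for db in passwd shadow; do
        srcs=$(sed -n "s/^${db}:[[:space:]]*//p" "$1" | head -n 1)
        [ "$srcs" = "files" ] || { echo "nsswitch.conf: '$db: $srcs' should be '$db: files'"; return 1; }
    done
}

# Constructed samples; DCLAB1.MYLAB.com is the example host name used in the thread.
TMP=${TMPDIR:-/tmp}/adcheck.$$; mkdir -p "$TMP"
cat > "$TMP/krb5_good.conf" <<'EOF'
[realms]
MYLAB.COM = {
admin_server = DCLAB1.MYLAB.com:464
kdc = DCLAB1.MYLAB.com:88
}
EOF
cat > "$TMP/krb5_nokdc.conf" <<'EOF'
[realms]
MYLAB.COM = {
admin_server = DCLAB1.MYLAB.com:749
}
EOF
printf 'passwd: files\nshadow: files\n' > "$TMP/nss_good.conf"
printf 'passwd: files nis\nshadow: files nis\n' > "$TMP/nss_nis.conf"

for f in krb5_good krb5_nokdc; do check_krb5 "$TMP/$f.conf" && echo "$f: ok"; done
for f in nss_good nss_nis; do check_nsswitch "$TMP/$f.conf" && echo "$f: ok"; done
```

On a real host, point check_krb5 at /etc/krb5.conf and check_nsswitch at /etc/nsswitch.conf instead of the samples.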
Here is the content from my files....
#%PAM-1.0
# Autogenerated by esxcfg-auth
account sufficient /lib/security/$ISA/pam_krb5.so
account required pam_unix.so
auth required pam_env.so
auth sufficient pam_unix.so try_first_pass nullok
auth sufficient /lib/security/$ISA/pam_krb5.so use_first_pass
auth required pam_deny.so
password required /lib/security/$ISA/pam_passwdqc.so min=8,8,8,7,6 similar=deny match=0
password sufficient pam_unix.so try_first_pass use_authtok nullok shadow md5
password sufficient /lib/security/$ISA/pam_krb5.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session sufficient /lib/security/$ISA/pam_krb5.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
# Autogenerated by esxcfg-auth
[domain_realm]
MYLAB.com = MYLAB.COM
.MYLAB.com = MYLAB.COM
[libdefaults]
default_realm = MYLAB.COM
[realms]
MYLAB.COM = {
admin_server = DCLAB1.MYLAB.com:464
default_domain = MYLAB.com
kdc = DCLAB1.MYLAB.com:88
}
# Autogenerated by esxcfg-auth
aliases: files nisplus
automount: files nisplus
ethers: files
group: files
hosts: files dns
netgroup: nisplus
netmasks: files
networks: files
passwd: files
protocols: files
publickey: nisplus
rpc: files
services: files
shadow: files
Hi Jon,
Just a guess, but can you please check by opening the DNS port (53) both ways?
Thanks,
Otherwise the configuration looks good. Tried with the exact /etc/pam.d/system-auth-generic on my ESX box and it works fine. I am able to authenticate to a 2003 Native AD server.
Ah, opening the firewall port 88 for Kerberos did the trick for me! In the past I always opened up activeDirectorKerberos via the VI Client, but I guess in vSphere you have to open via the console also. thanks!
Me, too. I'm not sure why they made the change? I suppose it might be a bug...
esxcfg-auth opens the ports when executed with --enablead option
I'm using --enablead and it doesn't open the outgoing port.
Hi chriswaltham,
Thanks for your inputs!
The following ports are opened for the activeDirectoryKerberos service (as per the /etc/vmware/firewall/services.xml file):
<service id='0026'>
<id>activeDirectorKerberos</id>
<rule id='0000'>
<direction>outbound</direction>
<protocol>tcp</protocol>
<port type='dst'>464</port>
<flags>-m state --state NEW</flags>
</rule>
<rule id='0001'>
<direction>outbound</direction>
<protocol>udp</protocol>
<port type='dst'>88</port>
<flags>-m state --state NEW</flags>
</rule>
</service>
It opens DST 464 TCP and DST 88 UDP.
However, as per the Kerberos wiki here: http://wiki.wireshark.org/Kerberos
UDP TCP: Originally Kerberos used UDP as its transport protocol but modern implementations also support TCP to overcome PDU size limitations in UDP. All modern clients support TCP but older clients might not
So I believe we could open TCP port 88 also, since it would be used by modern clients.
You can change the /etc/vmware/firewall/services.xml to include:
<service id='0026'>
<id>activeDirectorKerberos</id>
<rule id='0000'>
<direction>outbound</direction>
<protocol>tcp</protocol>
<port type='dst'>464</port>
<flags>-m state --state NEW</flags>
</rule>
<rule id='0001'>
<direction>outbound</direction>
<protocol>udp</protocol>
<port type='dst'>88</port>
<flags>-m state --state NEW</flags>
</rule>
<rule id='0002'>
<direction>outbound</direction>
<protocol>tcp</protocol>
<port type='dst'>88</port>
<flags>-m state --state NEW</flags>
</rule>
</service>
This way you will open and close the port properly with "esxcfg-auth --enablead"
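To see at a glance which rules a services.xml entry actually opens, and to confirm whether outbound tcp/88 is among them before and after the edit above, here is an added example script (not VMware's code). It assumes at most one rule element per line; the sample file is a constructed copy of the stock activeDirectorKerberos entry quoted above.

```shell
#!/bin/sh
# Added example (not VMware's code): list the rules a service in
# /etc/vmware/firewall/services.xml opens and test for a specific one, which is how
# the missing outbound tcp/88 rule above can be spotted. Assumes at most one <rule>
# per line; the sample is a constructed copy of the stock activeDirectorKerberos entry.

# Print "direction protocol port" for each <rule> of the service named $1 in file $2.
service_rules() {
    awk -v want="$1" '
        function text(name,  s) {        # inner text of <name ...>...</name> on this line
            if (!match($0, "<" name "[^>]*>[^<]*</" name ">")) return ""
            s = substr($0, RSTART, RLENGTH); sub(/^[^>]*>/, "", s); sub(/<.*/, "", s)
            return s
        }
        /<id>/        { cur = text("id") }
        /<direction>/ { dir = text("direction") }
        /<protocol>/  { proto = text("protocol") }
        /<port/       { port = text("port") }
        /<\/rule>/    { if (cur == want) print dir, proto, port }
    ' "$2"
}

# Succeed when service $1 in file $2 has a rule "$3 $4 $5", e.g. outbound tcp 88.
has_rule() { service_rules "$1" "$2" | grep -qx "$3 $4 $5"; }

TMP=${TMPDIR:-/tmp}/fwcheck.$$; mkdir -p "$TMP"
cat > "$TMP/services.xml" <<'EOF'
<service id='0026'>
<id>activeDirectorKerberos</id>
<rule id='0000'>
<direction>outbound</direction>
<protocol>tcp</protocol>
<port type='dst'>464</port>
</rule>
<rule id='0001'>
<direction>outbound</direction>
<protocol>udp</protocol>
<port type='dst'>88</port>
</rule>
</service>
EOF
# Patched copy with the extra outbound tcp/88 rule proposed above appended.
{ sed '$d' "$TMP/services.xml"; printf "<rule id='0002'><direction>outbound</direction><protocol>tcp</protocol><port type='dst'>88</port></rule>\n</service>\n"; } > "$TMP/services_patched.xml"

service_rules activeDirectorKerberos "$TMP/services.xml"
has_rule activeDirectorKerberos "$TMP/services.xml" outbound tcp 88 || echo "stock: no outbound tcp/88 (hence esxcfg-firewall -o 88,tcp,out,kerberos)"
has_rule activeDirectorKerberos "$TMP/services_patched.xml" outbound tcp 88 && echo "patched: outbound tcp/88 present"
```

On a host, run service_rules against /etc/vmware/firewall/services.xml itself to confirm the edit took before relying on "esxcfg-auth --enablead" to open the port.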
brakerm19