Robert901
Contributor

Auth Source Selection

Greetings all. New to the forums, so please bear with me.

I have ESXi 5.1 (each with different levels of updates - something I inherited when I started this job and hope to correct SOON) servers in my infrastructure that are set up to authenticate against AD. Most of my servers can do this just fine. However, I have one that is SUPPOSEDLY joined to the domain, but when I go to add a new user and select the source as AD, the domain does not show up in the drop-down source selection list and I am only able to create local user accounts. Is there something I am missing here? I have done Google and Yahoo searches for hours and the only answers that I seem to be getting are related to vCenter, to which the server in question does not have a connection.

Accepted Solutions
Robert901
Contributor

Well, after some further digging, I finally found the answer to fix my problem:

* Leave the domain.

* Run /usr/sbin/services.sh restart

* Rejoin domain.

If that does not work by itself, then do this step one more time:

* Run /usr/sbin/services.sh restart

Just so that I can give credit where credit is due, I was able to find the answer at http://community.spiceworks.com/topic/588877-vmware-esxi-5-5-won-t-show-ad-users

13 Replies
CoolRam
Expert

You need to go to Groups under the AD (Active Directory), then you need to go to Home -> Roles, add the new roles and give them some permissions.

Once this is done, you need to select the Datacenter and go to Permissions. Right-click on empty space and add the permission.

Click Add on the left side of the pane, add the group which you created in the AD, and click Add. In the right pane, select the roles you want to assign to that group.

VMware vSphere 4 - ESX and vCenter Server

If you find any answer useful. please mark the answer as correct or helpful.

Anjani_Kumar
Commander

You must check if your host is eligible for Active Directory authentication.

For that, go to Host > Configuration > Authentication Services and see that the directory service type is set to Active Directory first.

Once you are done with that, you can go ahead and start adding the users with your associated domain.

Please consider marking this answer "correct" or "helpful" if you found it useful. Anjani Kumar | VMware vExpert 2014-2015-2016 | Infrastructure Specialist Twitter : @anjaniyadav85 Website : http://www.Vmwareminds.com

Robert901
Contributor

I did just that.  And the domain still is not showing up in the drop down listing.  Also, this particular server is not part of a vSphere datacenter.

Robert901
Contributor

This ESXi server is NOT part of a vSphere data center.  It is a standalone server.

CoolRam
Expert

VMware vSphere 5.1 

After this you need to add user to add. Since this AD and SSO you integrate, which is registered with VC, now you can see all the domain users and groups once you go to the Permissions tab.

If you find any answer useful. please mark the answer as correct or helpful.

Robert901
Contributor

This makes no sense since in my previous message I clearly state: "This ESXi server is NOT part of a vSphere/vCenter data center.  It is a standalone server."

npadmani
Virtuoso

If possible, just reboot the host and see if that helps. Or have you tried that already?

Normally you need to reboot the host after joining it to AD in order to be able to see it as an additional identity source.

Narendra Padmani VCIX6-DCV | VCIX7-CMA | VCI | TOGAF 9 Certified

Robert901
Contributor

I have rebooted the server, but that did not change anything.

RyanH84
Expert

Hi,

Are you able to SSH to the ESXi host and run the following:

vicfg-authconfig --authscheme AD --currentdomain     (This should tell you if the host is joined to a domain)


If it thinks you are part of a domain, you can try the following:

vicfg-authconfig --authscheme AD --leavecurrentdomain      (Leaves the domain)


vicfg-authconfig --authscheme AD --joindomain <domainname> --adusername <username>  (Can join the host to a domain)

Give it a whirl, sometimes the CLI is useful in bypassing the GUI. Failing that, it might be worth checking some logs in /var/log (probably the vmkernel and maybe any others relating to auth) to look for errors.

Happy to help further!

Regards, Ryan vExpert, VCP5, VCAP5-DCA, MCITP, VCE-CIAE, NPP4 @vRyanH http://vRyan.co.uk

Robert901
Contributor

This is what I get when I run the first command:

~ # vicfg-authconfig --authscheme AD --currentdomain

-sh: vicfg-authconfig: not found

So it would appear that the vicfg-authconfig command is not available on this particular machine.

RyanH84
Expert

Apologies, you'll need the vCLI to run those commands, you can get it from here!

Regards, Ryan vExpert, VCP5, VCAP5-DCA, MCITP, VCE-CIAE, NPP4 @vRyanH http://vRyan.co.uk

Robert901
Contributor

And this is what I get when I run the first two commands:

C:\Program Files (x86)\VMware\VMware vSphere CLI\bin>vicfg-authconfig.pl --authscheme AD --currentdomain  --server 07820esxi01

Enter username: rwolfe2

Enter password:

Current Domain: MALCOCORP.LOCAL

C:\Program Files (x86)\VMware\VMware vSphere CLI\bin>vicfg-authconfig.pl --authscheme AD --leavecurrentdomain --server 07820esxi01

Enter username: rwolfe2

Enter password:

Could not part with the current domain: Current license or ESXi version prohibits execution of the requested operation.
