VMware Cloud Community
RichardBrown
Contributor

Domain users with root permissions

I have integrated our ESXi 5.5 hosts with AD and have group levels that determine which level of permissions is granted over VC.

However, when logging in over the CLI, access is limited and users need to su to root privileges to do pretty much anything. Is it possible to elevate AD access to have root permissions over CLI and shell without su, as we want to keep the root passwords secret? If this is possible, would anyone know of a script to automate this?

Thanks in advance

jonathanp
Expert

Hi,

Have you created the "ESX Admins" group in AD and added the user as a member of that group?

As stated in the VMware KB below:

If the group exists in AD, it is granted the Administrator role on the host and any user accounts in that group get full administrative privileges on the host and can log in to the host through SSH.

This states ESXi 4.1 and 5.0, but is applicable to 5.5.


VMware KB: Using the ESX Admins AD group with ESX/ESXi 4.1 and ESXi 5.0 domain membership and user a...

Jon.

RichardBrown
Contributor

Hi Jon,

Yes, the domain admins group does have admin rights over vCenter and they can log in to the hosts via SSH; the issue is elevating their permissions to root rights over the host. At the moment, when we log in using our domain creds, we can't do any basic troubleshooting; even esxtop doesn't work. So I need to find a way of allowing root rights over a host by using domain accounts without su'ing to the root account, so that we can keep our root password secret for security.

Rich

herwonowr
Enthusiast

Try using sudo configuration so that the user can execute commands as root.

Do it like in this KB: VMware KB: Enabling the use of a non-root user for hot cloning of a Linux source machine

If you found this or any other answer helpful, please consider to award points. (use Correct or Helpful buttons) Regards, HR.
RichardBrown
Contributor

Thanks herwonowr,

I wanted to know if there is a way of granting root rights over an AD account without having to SU or SUDO to root. We want to keep the root password secret.

Rich
