VMware Cloud Community
cowboysteve
Contributor

ESX 4.1 AD integration - lsassd.conf options

I'm trying to configure the Likewise plugin to use /bin/bash for the user shell, and to create home directories for AD users when they log in via SSH to my ESX server; however, the specified options don't appear to have any effect:

# egrep -e 'homedir' -e 'shell' -e 'umask' -e 'skel' lsassd.conf

#login-shell-template = /bin/ash

login-shell-template = /bin/bash

# homedir-template setting

# homedir-prefix = <absolute path>

homedir-template = /home

# create-homedir = no

create-homedir = yes

# homedir-umask = 022

homedir-umask = 022

# Paths to skeleton directories for provisioning

# Default: /etc/skel

# skeleton-dirs = /etc/skel

skeleton-dirs = /etc/skel

How can I configure the likewise agent to use BASH for the shell, and create suitable home-dirs for AD users when they authenticate?

Second issue is more of an annoyance than a problem: I created the AD group "ESX Admins" as per the documentation, however members of that group are not able to authenticate successfully via SSH or vSphere client. In order to successfully authenticate, I had to explicitly add users from AD to the Administrators role. Is this a bug?

Thanks,

Steve.

0 Kudos
3 Replies
cowboysteve
Contributor

I found the answer:

1. set homedir-prefix=/home

2. set homedir-template= %H/%U

stop service:

/etc/init.d/lsassd stop

remove cache file:

rm /etc/likewise/db/lsass-adcache.filedb

start service:

/etc/init.d/lsassd start

Still no idea why I couldn't just add a group, though -- I still have to explicitly list users for the administrator role.

0 Kudos
jbanda
Contributor

Would you be able to post your lsassd.conf file? I'm having trouble getting the "create-homedir = yes" part to work. Below are the uncommented lines from mine:

domain-separator = \

log-level = error

path = /lib/liblsass_auth_provider_ad.so

login-shell-template = /bin/bash

homedir-prefix = /home

homedir-template = %H/%U

ldap-sign-and-seal = false

cache-entry-expiry = 4h

machine-password-lifespan = 30d

space-replacement = ^

assume-default-domain = yes

create-homedir = yes

homedir-umask = 022

skeleton-dirs = /etc/skel

cell-support = unprovisioned

nss-enumeration-enabled = no

The "login-shell-template = /bin/bash", "homedir-prefix = /home", "homedir-template = %H/%U", and "assume-default-domain = yes" configuration options seem to work for me. I'm able to log in via ssh without appending "@domain.name", and the error I get is that it can't find my home directory at /home/username. My shell is also configured to be the bash shell. Having it auto-create the home directory at login is the last piece I'm missing.

0 Kudos
vmgov
Contributor

Jbanda - Not sure that this is still an "issue" for you, but if you take a look at this KB: you will see that those options for automatically creating the home directories are no longer supported/allowed. I ran into the same issue as you. So, I just wrote a simple bash script such as the following and run it on all my hosts after the update (I log in to each one after I configure Active Directory authentication anyway, so I just paste the lines of code once I'm logged in). Takes 2 seconds to do!

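#!/bin/bash

# Replace "username" with the AD user's login name throughout.

# Remove the local account of that name, its home directory and mail spool.
userdel -f -r username

# Create the home directory, owned by the AD user and the AD group, private to the user.
mkdir /home/username

chown username:domain^users /home/username

chmod 700 /home/username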

The DEFAULT "space separator" in the lsassd.conf file is the " ^ " symbol, which explains the "domain^users" in the group permissions in the above lines. If you've chosen a different character in the conf file, you will need to use that in place of the ^ within "domain^users".

I hope this helps!!

0 Kudos
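
The manual home-directory step from the last reply, as an added example that is not part of the original thread: it reads the space-replacement character from lsassd.conf instead of hard-coding ^, and refuses user names or paths that would land outside /home. The lsassd.conf path, the CONF, BASE, CHOWN and AD_GROUP variables, the default group name and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): create AD users' home directories by hand.
# Assumptions: CONF path, BASE and the default group name "domain users".
CONF=${CONF:-/etc/likewise/lsassd.conf}   # assumed location of lsassd.conf
BASE=${BASE:-/home}                       # same value as homedir-prefix
CHOWN=${CHOWN:-chown}                     # set CHOWN=true for a dry run

# Print the uncommented space-replacement value from the file $1 (default: ^).
space_replacement() {
    val=$(sed -n 's/^[[:space:]]*space-replacement[[:space:]]*=[[:space:]]*\([^[:space:]]\).*$/\1/p' \
          "$1" 2>/dev/null | tail -n 1)
    printf '%s\n' "${val:-^}"
}

# Map an AD group name to its local form: "domain users" + "^" -> "domain^users".
ad_group() {
    printf '%s\n' "$1" | tr ' ' "$2"
}

# Create $BASE/<user>, mode 700, owned by <user>:<group>.
# Rejects names that could leave $BASE and refuses an existing symlink at that path.
make_home() {
    dir=$BASE/$1
    case $1 in
        ''|.|..|*/*|-*) echo "refusing unsafe user name: $1" >&2; return 1 ;;
    esac
    if [ -L "$dir" ]; then
        echo "refusing symlink: $dir" >&2; return 1
    fi
    mkdir -p "$dir" && chmod 700 "$dir" && "$CHOWN" "$1:$2" "$dir"
}

# Usage (as root on the host): sh mkhomes.sh user1 user2 ...
if [ "$#" -gt 0 ]; then
    sep=$(space_replacement "$CONF")
    group=$(ad_group "${AD_GROUP:-domain users}" "$sep")
    for u in "$@"; do
        make_home "$u" "$group" || echo "skipped: $u" >&2
    done
fi
```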