VMware Cloud Community
FredericPerrin
Enthusiast

ESX permissions: change own password

Hello,

In order to give limited access to some users, we have on our ESX 4.0 (without VC) a role which is mostly read-only. We want to allow this user to change his own password. I had to give this user the permission Host \ Local operations \ Manage user group. But this also allows the user to change his UID and whether he has SSH access to the host, and this is a bit too much freedom. What is the minimum permission a user needs to be able to change his password?


Accepted Solutions
AndreTheGiant
Immortal

ESX authentication is (by default) done by libpam on local users in the COS.

Either you use AD authentication (in this way the user can change his password from AD) or you have to give a minimal shell access to change the password.

For example you can try to change the user shell from /bin/bash to /usr/bin/passwd; in this way the user can connect with SSH, but will be prompted to change the password.

Andre

Andrew | http://about.me/amauro | http://vinfrastructure.it/ | @Andrea_Mauro

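Andre's suggestion of making /usr/bin/passwd the login shell, shown as an added example that is not code from the thread: it rewrites a copy of a passwd file (a constructed sample, not data from any real host) and checks the result. On a real ESX COS you would run usermod -s /usr/bin/passwd USER rather than edit the file by hand.

```shell
#!/bin/sh
# Added example, not from the thread: give a local account a login shell of
# /usr/bin/passwd so that an SSH login can only change the password and then
# exits. Works on a copy of a passwd file so it can be run offline.

# Write a constructed passwd-format file to the path given as $1.
make_sample_passwd() {
    cat > "$1" <<'EOF'
root:x:0:0:root:/root:/bin/bash
frperrin:x:500:500:Frederic Perrin:/home/frperrin:/bin/bash
readonly:x:501:501:Read-only user:/home/readonly:/bin/bash
EOF
}

# Print the login shell (7th field) of user $2 from passwd-format file $1.
shell_of() {
    awk -F: -v u="$2" '$1 == u { print $7 }' "$1"
}

# Set the login shell of user $2 in file $1 to /usr/bin/passwd, in place.
# Only the shell field is touched; UID, GID and home directory stay as they are.
set_passwd_only_shell() {
    file="$1"; user="$2"
    awk -F: -v OFS=: -v u="$user" '$1 == u { $7 = "/usr/bin/passwd" } { print }' \
        "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Return 0 if user $2 in file $1 can do nothing at login but change the password.
is_passwd_only() {
    [ "$(shell_of "$1" "$2")" = "/usr/bin/passwd" ]
}

# Stand-alone demo on a temporary copy.
demo="$(mktemp)"
make_sample_passwd "$demo"
echo "before: frperrin shell = $(shell_of "$demo" frperrin)"
set_passwd_only_shell "$demo" frperrin
echo "after:  frperrin shell = $(shell_of "$demo" frperrin)"
is_passwd_only "$demo" frperrin && echo "frperrin is now password-change only"
rm -f "$demo"
```

The account still needs a password set (or a forced change flag) for this to be useful, and because passwd exits when it finishes, the SSH session ends right after the change, which is the point: no shell is ever reachable.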
5 Replies
FredericPerrin
Enthusiast

"Either you use AD authentication (in this way the user can change his password from AD) or you have to give a minimal shell access to change the password."

I wasn't aware you could use AD to authenticate a user to an ESX host. All documentation I could find on this subject was about previous versions of ESX. However, I tried to do the following:

  • delete then recreate without a password the user frperrin (my username on the company AD);

  • run "esxcfg-auth --enablead --addomain=AD2 --addc=SERVER" (where AD2 and SERVER were taken from the values of %USERDOMAIN% and %LOGONSERVER% on my Windows laptop).

But it doesn't work: whether I try to connect via SSH or via the vSphere Client to the ESX, my password is denied.

I can see in /var/log/secure the following message:

Oct 19 11:15:14 lahcspv02 sshd[4409]: pam_per_user: create_subrequest_handle(): doing map lookup for user "frperrin"
Oct 19 11:15:14 lahcspv02 sshd[4409]: pam_per_user: create_subrequest_handle(): creating new subrequest (user="frperrin", service="system-auth-generic")
Oct 19 11:15:14 lahcspv02 sshd[4409]: pam_unix(system-auth-generic:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=frlann0l017643.fr.XXXX  user=frperrin
Oct 19 11:15:14 lahcspv02 sshd[4409]: pam_krb5[4409]: authentication fails for 'frperrin' (frperrin@AD2): Authentication failure (KDC reply did not match expectations)
Oct 19 11:15:16 lahcspv02 sshd[4409]: Failed password for frperrin from 135.XXXX port 2093 ssh2

The "KDC reply did not match expectations" makes me think that the communication between the controller and the ESX host is not working. If I run tcpdump, I can see a couple of UDP packets between the two. If I change AD2 to something else, the error I get in /var/log/secure is an authentication failure too, but for a different reason (KRB5 error code 68). So the communication is somewhat working, but not really.

Anything else I can look at?

FredericPerrin
Enthusiast

Some more research pointed me to try the tool /usr/lib/vmware/webAccess/java/jre1.5.0_15/bin/kinit. It exhibits different errors:

  • with the wrong domain:

Exception: krb_error 68 null (68) null
KrbException: null (68)
Caused by: KrbException: Identifier doesn't match expected value (906)

  • with the correct domain, and the wrong password:

Exception: krb_error 24 Pre-authentication information was invalid (24) Pre-authentication information was invalid
KrbException: Pre-authentication information was invalid (24)
Caused by: KrbException: Identifier doesn't match expected value (906)

  • with the correct password:

Exception: krb_error 41 Message stream modified (41) Message stream modified
KrbException: Message stream modified (41)

Now I'm lost, and I don't know how to dig deeper. Any idea?

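A small triage helper, added here and not part of the thread, that parses the pam_krb5 lines from the /var/log/secure excerpt in the earlier post and the Java kinit output above, pulls out the Kerberos error code and maps it to its RFC 4120 name. The sample log and kinit lines are constructed to match the thread (the client host name and IP are replaced by documentation values), and the "what to check" hints are my own notes on each code, not anything the thread confirms.

```python
"""Added example (not code from the thread): map the Kerberos error codes seen in
/var/log/secure and in Java kinit output to their RFC 4120 names, with a hint on
what to check for each one."""
import re
from typing import Dict, List, Tuple

# Constructed sample of the /var/log/secure lines quoted in the thread
# (client host and address replaced with documentation values).
SECURE_LOG = """\
Oct 19 11:15:14 lahcspv02 sshd[4409]: pam_per_user: create_subrequest_handle(): doing map lookup for user "frperrin"
Oct 19 11:15:14 lahcspv02 sshd[4409]: pam_unix(system-auth-generic:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=client.example.test  user=frperrin
Oct 19 11:15:14 lahcspv02 sshd[4409]: pam_krb5[4409]: authentication fails for 'frperrin' (frperrin@AD2): Authentication failure (KDC reply did not match expectations)
Oct 19 11:15:16 lahcspv02 sshd[4409]: Failed password for frperrin from 192.0.2.10 port 2093 ssh2
"""

# Constructed sample of the three kinit runs described in the thread.
KINIT_OUTPUT = """\
Exception: krb_error 68 null (68) null
KrbException: null (68)
Caused by: KrbException: Identifier doesn't match expected value (906)
Exception: krb_error 24 Pre-authentication information was invalid (24) Pre-authentication information was invalid
KrbException: Pre-authentication information was invalid (24)
Exception: krb_error 41 Message stream modified (41) Message stream modified
KrbException: Message stream modified (41)
"""

# Error codes from the table in RFC 4120 section 7.5.9; only the ones seen in
# the thread plus the clock-skew code that Andre's question points at.
KRB_ERRORS: Dict[int, str] = {
    24: "KDC_ERR_PREAUTH_FAILED",
    37: "KRB_AP_ERR_SKEW",
    41: "KRB_AP_ERR_MODIFIED",
    68: "KDC_ERR_WRONG_REALM",
}

# Hints on what to check (my notes, not statements from the thread).
CHECKS: Dict[int, str] = {
    68: "the KDC does not serve this realm: the Kerberos realm is the AD DNS "
        "domain name in upper case, which need not equal the NetBIOS name that "
        "%USERDOMAIN% returns",
    24: "the KDC rejected the pre-authentication data, which is what a wrong "
        "password produces (a useful negative control)",
    37: "client clock differs from the KDC by more than the allowed skew: "
        "sync the host clock with the DC",
    41: "the KDC reply failed the client's consistency checks (realm or "
        "principal in the reply differs from what was requested): confirm the "
        "realm spelling and, as Andre asks, clock sync with the DC",
}

PAM_KRB5_RE = re.compile(
    r"pam_krb5\[\d+\]: authentication fails for '(?P<user>[^']+)' "
    r"\((?P<principal>[^)]+)\): (?P<reason>.+)$"
)
KRB_ERROR_RE = re.compile(r"krb_error (?P<code>\d+) ")


def parse_pam_krb5(log: str) -> List[Dict[str, str]]:
    """One record per pam_krb5 failure line: user, principal and reason text."""
    records = []
    for line in log.splitlines():
        m = PAM_KRB5_RE.search(line)
        if m:
            records.append(m.groupdict())
    return records


def realm_of(principal: str) -> str:
    """Realm part of user@REALM (empty string if no realm is present)."""
    return principal.partition("@")[2]


def parse_kinit_errors(output: str) -> List[Tuple[int, str]]:
    """(code, RFC 4120 name) for every 'krb_error N' line in Java kinit output."""
    return [(int(m.group("code")), KRB_ERRORS.get(int(m.group("code")), "UNKNOWN"))
            for m in KRB_ERROR_RE.finditer(output)]


def triage(code: int) -> str:
    """Human-readable line for one error code: number, name and check hint."""
    return f"{code} {KRB_ERRORS.get(code, 'UNKNOWN')}: {CHECKS.get(code, 'no hint')}"


if __name__ == "__main__":
    for rec in parse_pam_krb5(SECURE_LOG):
        print(f"pam_krb5: {rec['user']} realm={realm_of(rec['principal'])}: {rec['reason']}")
    for code, _ in parse_kinit_errors(KINIT_OUTPUT):
        print(triage(code))
```

Run over the real /var/log/secure, the pam_krb5 line tells you which realm pam_krb5 actually used, which is worth comparing against the AD domain's DNS name before looking anywhere else.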
AndreTheGiant
Immortal

Is the clock in sync with the AD DC?

In AD, do you have a computer entry for the ESX?

Andre

Andrew | http://about.me/amauro | http://vinfrastructure.it/ | @Andrea_Mauro
FredericPerrin
Enthusiast

I didn't know there was a need for the AD to know in advance each and every computer that was going to use the AD (can you tell I'm not at ease with MS technologies? :) ). Actually I don't even see the point for the AD to know its clients...

Anyway, thanks a lot André.
