I was getting familiar with setting up the 4.1 Likewise Open AD authentication and the intricacies of the 'ESX Admins' group when I noticed that my ESX 4.1 Tst server (running in a VM) had rebooted. After some testing I realized that when I logged in with my AD account via SSH the ESX host would crash with an NMI.
This has been discussed in this thread: http://communities.vmware.com/thread/285872. I didn't see a KB article on this, so I thought I would create a new post to make people aware of it.
I've confirmed this both on the Tst ESX 4.1 VM and a BL460c G6 (4.1). Here are the steps to reproduce:
1) Build ESX 4.1 host
2) Setup the integrated AD Authentication via the VI client, join domain, etc
3) Create 'ESX Admins' group in AD, secure this group, keep this group empty, don't use it, it will automatically become a member of the Administrators on the host, change its role to 'no access'.
4) Add your AD user account to the list of 'Administrators' on the ESX host via Permissions tab
5) Make sure your AD user account is a member of 20-30+ AD groups (I'm a member of 34 groups)
6) Log in via SSH as username@my.domain and...
BANG. NMI. Server goes off the network and is unresponsive. I got the attached NMI screen shot from the VM. Server needs to be reset via iLo.
Alternatives to the Likewise AD authentication:
esxcfg-auth --enablead no longer works but if you were using it in the past you can use:
esxcfg-auth --enablekrb5 --krb5realm=your.domain --krb5kdc=your.domain --krb5adminserver=your.domain
I tested this on a fresh build and when logging in with my account it does not crash the server.
Ben
Have you filed an SR with VMware Support and had them confirm this issue?
=========================================================================
William Lam
VMware vExpert 2009,2010
I cannot re-create this on an ESXi host running ESXi build 260247.
I have not tried this with full ESX version though.
Maish
VMware Communities User Moderator
- @maishsk
I performed this test on a heavily customized (Kickstart) ESX build. I'll be able to re-test this on Thursday morning on a vanilla Kickstart with no customizations. Based on what I find I'll submit an SR on this and will keep this thread updated.
FYI, in the thread I referenced 'timmp' says this affects ESX and ESXi.
Ben
Just re-tested: built an ESX 4.1 box with no %post in the Kickstart, so essentially a base config.
Added to the domain, set 'ESX Admins' to 'no access', added my AD administrator account to the Administrators role, when I log in via SSH the host crashes. Has to be power cycled. The server does not crash if I use an account that is in only a few AD groups.
I tested using the VI client (not SSH) and the server does not crash.
I'll try ESXi on Thursday, then I'll open an SR with support.
Ben
I'm not able to crash ESXi 4.1 either; at this time it seems this procedure only crashes ESX 4.1 'classic' hosts.
We experienced the same thing on two of our Dell R900 servers running ESX 4.1 (build 260247). We allow AD authentication. I'm a member of 26 groups. We didn't set up an ESX Administrators group (we have no admin rights to the DCs, we allowed local admin rights to individual users). Another person is going to test this later today. He is only a member of 6 distros. I will report results.
Patch ESX410-201010001 should fix this problem, I have not tested it yet.
Ben
Ben, is that publicly available? I can't search for it from VMware's site, nor is there a record of it in the version history.
Thanks,
John
Please see here
VMware Communities User Moderator
- @maishsk
Yes, it's publicly available as a patch for 4.1 systems. It's on the vmware support web site.
Ben
Guys, I can confirm that patch 201010001 does fix this issue. I was able to log into the CLI of the ESX 4.1 host using my AD credentials. Thanks guys for all your input. I look forward to future encounters in these forums.
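As an added example (not code from the thread or from VMware), the following pre-flight script ties together Ben's reproduction conditions (an AD account in roughly 20-30+ groups logging in over SSH on an unpatched ESX 4.1 classic host) and the fix reported later (bulletin ESX410-201010001). It decides whether AD SSH logins are safe to allow on a host, given the host's installed-patch list and the group count of the account. It assumes the installed-patch text comes from `esxupdate query` and the group list from `id -G user@domain`; both inputs in the script are constructed sample data, so it runs offline.

```shell
#!/bin/sh
# Added example, not from the thread. Pre-flight check for the ESX 4.1
# classic Likewise/SSH NMI: allow AD SSH logins only if the fix bulletin is
# installed, or if the account is in fewer groups than the reported trigger.
# Assumption: on a real host the patch text would come from `esxupdate query`
# and the gid list from `id -G user@domain`; here both are constructed.

PATCH_ID="ESX410-201010001"   # bulletin the thread reports as the fix
GROUP_WARN=20                 # crashes reported for accounts in 20-30+ groups

# patch_installed <patch-list-text>: 0 if the fix bulletin appears in the text
patch_installed() {
    printf '%s\n' "$1" | grep -q "$PATCH_ID"
}

# count_groups <gid-list>: number of whitespace-separated group ids
count_groups() {
    set -- $1
    echo $#
}

# advise <patch-list-text> <gid-list>: prints a decision.
# Returns 0 = permit AD SSH logins, 1 = hold off (NMI risk on unpatched host).
advise() {
    n=$(count_groups "$2")
    if patch_installed "$1"; then
        echo "$PATCH_ID installed; AD SSH login OK (account in $n groups)"
        return 0
    fi
    if [ "$n" -ge "$GROUP_WARN" ]; then
        echo "$PATCH_ID missing and account in $n groups: expect an NMI on SSH login."
        echo "Apply the patch first, or use esxcfg-auth --enablekrb5 instead of Likewise."
        return 1
    fi
    echo "$PATCH_ID missing but account only in $n groups; reported crashes involve 20-30+"
    return 0
}

# Constructed sample inputs (not real host output)
SAMPLE_PATCHES_OLD="ESX410-201009001
ESX410-201009002"
SAMPLE_PATCHES_NEW="$SAMPLE_PATCHES_OLD
$PATCH_ID"
SAMPLE_GIDS_MANY=$(seq 10001 10034 | tr '\n' ' ')   # 34 groups, as in Ben's account
SAMPLE_GIDS_FEW="10001 10002 10003 10004 10005 10006" # 6 groups, as in the R900 test

advise "$SAMPLE_PATCHES_OLD" "$SAMPLE_GIDS_MANY"
advise "$SAMPLE_PATCHES_NEW" "$SAMPLE_GIDS_MANY"
advise "$SAMPLE_PATCHES_OLD" "$SAMPLE_GIDS_FEW"
```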