VMware Cloud Community
BenConrad
Expert

How-to: Crash your ESX 4.1 host in 6 easy steps.

I was getting familiar with setting up the 4.1 Likewise Open AD authentication and the intricacies of the 'ESX Admins' group when I noticed that my ESX 4.1 Tst server (running in a VM) had rebooted. After some testing I realized that when I logged in with my AD account via SSH the ESX host would crash with an NMI.

This has been discussed in this thread: http://communities.vmware.com/thread/285872. I didn't see a KB article on this, so I thought I would create a new post to make people aware of this.

I've confirmed this both on the Tst ESX 4.1 VM and a BL460c G6 (4.1). Here are the steps to reproduce:

1) Build ESX 4.1 host

2) Set up the integrated AD Authentication via the VI client, join domain, etc.

3) Create 'ESX Admins' group in AD, secure this group, keep this group empty, and don't use it. It will automatically become a member of the Administrators on the host; change its role to 'no access'.

4) Add your AD user account to the list of 'Administrators' on the ESX host via Permissions tab

5) Make sure your AD user account is a member of 20-30+ AD groups (I'm a member of 34 groups)

6) Log in via SSH as username@my.domain and...

BANG. NMI. Server goes off the network and is unresponsive. I got the attached NMI screenshot from the VM. Server needs to be reset via iLO.

Alternatives to the Likewise AD authentication:

esxcfg-auth --enablead no longer works but if you were using it in the past you can use:

esxcfg-auth --enablekrb5 --krb5realm=your.domain --krb5kdc=your.domain --krb5adminserver=your.domain

I tested this on a fresh build and when logging in with my account it does not crash the server.

Ben

0 Kudos
11 Replies
lamw
Community Manager

Have you filed an SR with VMware Support and had them confirm this issue?

=========================================================================

William Lam

VMware vExpert 2009,2010


0 Kudos
maishsk
Expert

I cannot re-create this on an ESXi host running ESXi build 260247.

I have not tried this with full ESX version though.
Maish

VMware Communities User Moderator

- @maishsk

Maish Saidel-Keesing • @maishsk • http://technodrone.blogspot.com • VMTN Moderator • vExpert • Co-author of VMware vSphere Design
0 Kudos
BenConrad
Expert

I performed this test on a heavily customized (Kickstart) ESX build. I'll be able to re-test this on Thursday morning on a vanilla Kickstart with no customizations. Based on what I find I'll submit an SR on this and will keep this thread updated.

FYI, in the thread I referenced 'timmp' says this affects ESX and ESXi.

Ben

0 Kudos
BenConrad
Expert

Just re-tested, built an ESX 4.1 box with no %post in the Kickstart, so essentially a base config.

Added to the domain, set 'ESX Admins' to 'no access', added my AD administrator account to the Administrators role, when I log in via SSH the host crashes. Has to be power cycled. The server does not crash if I use an account that is in only a few AD groups.

I tested using the VI client (not SSH) and the server does not crash.

I'll try ESXi on Thursday, then I'll open an SR with support.

Ben

0 Kudos
BenConrad
Expert

I'm not able to crash ESXi 4.1 either; at this time it seems this procedure only crashes ESX 4.1 'classic' hosts.

0 Kudos
jjhkim
Contributor

We experienced the same thing on two of our Dell R900 servers running ESX 4.1 (build 260247). We allow AD authentication. I'm a member of 26 groups. We didn't set up an ESX Administrators group (we have no admin rights to the DCs, we allowed local admin rights to individual users). Another person is going to test this later today. He is only a member of 6 distros. I will report results.

0 Kudos
BenConrad
Expert

Patch ESX410-201010001 should fix this problem; I have not tested it yet.

Ben

0 Kudos
jjhkim
Contributor

Ben, is that publicly available? I can't search for it from VMware's site, nor is there a record of it in version history.

Thanks,

John

0 Kudos
maishsk
Expert

Please see here

Maish

0 Kudos
BenConrad
Expert

Yes, it's publicly available as a patch for 4.1 systems. It's on the VMware support website.

Ben

0 Kudos
jjhkim
Contributor

Guys, I can confirm that patch 201010001 does fix this issue. I was able to log into the CLI of the ESX 4.1 host using my AD credentials. Thanks guys for all your input. I look forward to future encounters in these forums.

0 Kudos