Re: Problem regarding AD integration

RVJE · ‎07-28-2010

Hi,

I have an issue regarding ESX AD integration. I have a cluster with 4 servers in, all upgraded to ESX 4.1. I want to enable AD integration, so I'm able to log into the servers vwith SSH.

Server no. 1

The first esx I joined with no errors, but I could not log in with my AD credentials, I checked DNS /etc/nsswitch.conf, resolv.conf etc, removed it from the domain and joined the domain again. After I did this about ten times, it worked, I can now log into one server with my ad credentials using vSphere client, but if I try to log into the server using ssh the server freezes or reboots.

If I run lw-lsa get-status on the first server it lists all of the domain info as it's supposed to, and I can also look up my user with "lw-lsa find-user-by-name ' due to a network error" keeps appering, so obviously there is an error in the configuration, I just cant seem to find it.

Server no. 2

I tried joining another one of my servers, and it joined without errors again, but this time I cannot log in using my AD credentials, no matter how many times I leave and join the domain again.

If I run lw-lsa on server no.2 it does not list domain info, and I cannot find my own AD user, but again I have no clue why.

Can anybody help me?

Thanks alot,

Rasmus.

ProPenguin · ‎07-28-2010

Have you checked the /etc/hosts file?

f10 · ‎07-28-2010

I would strongly recommend that you take a look at http://kb.vmware.com/kb/1021970 and ensure that all the steps are verified.

If you found this or other information useful, please consider awarding points for "Correct" or "Helpful".

f10

Regards, Arun Pandey VCP 3,4,5 | VCAP-DCA | NCDA | HPUX-CSA | http://highoncloud.blogspot.in/ If you found this or other information useful, please consider awarding points for "Correct" or "Helpful".

RVJE · ‎07-29-2010

@ProPenguin

What would I have to check for in the /etc/hosts file? I have checked the file on many occations, but I would'nt know what to look for.

@f10

I did follow that kb article, many times, but it wont work.

Thanks alot for you help, I hope you can help me further.

/Rasmus

ProPenguin · ‎07-29-2010

When I have added linux computers to the domain, I needed to make sure that the Fully Qualified name was in the hosts file. So the computer knew who it was. Not possitive this will fix your issue but hopefully it is helpful.

Example:

127.0.0.1 localhost

127.0.0.1 Server.domain.com

RVJE · ‎08-03-2010

Sorry I have'nt replied earlier, I've been out of town.

I checked my /etc/hosts file, it was fine.

I'm lost for ideas now, I think I'll start a support case with VMware, unless you have more ideas left.

Thanks alot for your suggestions.

Cheers,

Rasmus

Ravager0 · ‎08-03-2010

Pretty much same issue here out of 3 identically built servers.

1 worked fine, no problems at all.

1 won't let me login with a ad account

1 crashes and reboots when trying to log in with a ad account.

AD intergration is definately flakey.

RVJE · ‎08-03-2010

Well to be honest, I'm happy that I'm not alone out there.

Unfortunatly I wont have time to ask VMware for help before me vacation, so for now I'll see if I can grant root access from ssh. If I find a solution in the meantime I'll be sure to post it.

Cheers,

Rasmus

Cheminots · ‎08-17-2010

We just implemented vSphere 4.1 in our lab environment last week and we're having the same issue as describe above.

All AD authentication works except when authenticating through SSH with our domain account. Our support is done via HP and we have a case opened since last week on this issue and they just replied saying that vmware confirmed this is an issue with their new code and there's no workaround.

Until we get a new fix, we won't used this option

To be followed.

macgreen · ‎09-15-2010

Having similar symptoms.

Added my 4 ESX hosts computer objects to AD.

Then configured Authentication Services and added each host to the Domain.

Joined successfully.

Then used vsphere client and logged on as root initally directly to each host.

Under permissions added two AD users as Administrators.

Now logged into each ESX host using the vsphere client as the AD user - success.

Next used SSH to logon to each ESX host as AD user - success.

..some days later...

Can no longer log onto a couple of my hosts.

Logon to problem hosts via the client using root account, and check permissions tab, and my users have disappeared.

In vCenter I select each problem host and ask to Leave Domain.

Then re-Join then back and they work. Within 24 hours they are not in the Domain.

I concur AD integration is definitely flaky.

My environment:-

vSphere 4.1 :

• ESX 4.1 Servers

• vCenter Server 4.1 (VM) :

- Windows Server 2008 64bit

- MS SQL 2005 (VCDB/VUMDB)

• NetBackup 6.5.5

- VCB 1.5 U1

• FC SAN

My environment:- vSphere 4.1 : • ESX 4.1 Servers • vCenter Server 4.1 (VM) : - Windows Server 2008 64bit - MS SQL 2005 (VCDB/VUMDB) • NetBackup 6.5.5 - VCB 1.5 U1 • FC SAN

Ravager0 · ‎09-15-2010

There was a bug thread posted just the other day on this, apprently its if your ad account is a member of a large AD domain with more then 32 groups.

I nearly fell out of my chair as even in a very small AD domain admin accounts are going to have more then 32 groups.

Keeping in mind that this is a bug that makes your vsphere server crash instantly and brings down all VM the instant any AD account attempts to logon with more then 32 groups I would be rating this as one of the most serious bugs in ESX ever but a month later there is no fix.....

macgreen · ‎09-16-2010

Can you give a link to the bug thread please.