VMware Cloud Community
billdossett
Hot Shot

esxi 5 and AD integration

Hi,

I am having problems getting my esxi hosts to authenticate via AD.

I have read many blogs, documents and posts and believe I have set things up correctly.

Both of my hosts have their DNS set to the domain and both have joined my domain.

I have created the ESX Admins group and put my users in it.

Something a bit curious: someone in their blog said you have to connect viclient directly to the host and add permissions... but when I do that I can't add users/permissions, it can't seem to find the domain.  Also when I look at the host Authentication configuration when connected directly to it, the host says it is doing local authentication, not domain.  But when I look at my host configuration through the vCenter server, it appears that it is doing AD authentication and the domain is listed and the option Leave Domain is there.  I am unsure about this discrepancy.

Should I be connecting directly to the host to configure host AD authentication?

In any case I can't log in to my host using the VI client and a domain login that is in the ESX Admins.  I have also added other users directly in the permissions and they don't work either.

Also I can not SSH into the host using a domain login.  There at least I can see in the auth.log that it is an unknown user.  I am not sure if additional configuration needs to be done in PAM to allow SSH?  But as the VI Client can't log in, surely something is wrong to start with.

I would appreciate any guidance on this subject - I have never run into this in the past as my old datacenter only used AD authentication to the vCenter server, which was on a domain server, and it just worked.  My new place of work uses AD host authentication and I'm just trying to get my head around how it works.

Bill Dossett
6 Replies
jrmunday
Commander

I have read many blogs, documents and posts and believe I have set things up correctly.

Have you seen and read through this blog (it's really useful);

http://blogs.vmware.com/vsphere/2012/09/joining-vsphere-hosts-to-active-directory.html

vExpert 2014 - 2022 | VCP6-DCV | http://www.jonmunday.net | @JonMunday77
billdossett
Hot Shot

Hi Jon, yes I did...

It seems so simple, but something is wrong.

The first half, joining the domain went fine.  Both hosts are joined when I look at them in the vcenter server.

It's the next bit where you say to connect the viclient directly to the host.  When I connect directly to the host, the hosts say local auth under configuration, and when I try to add permissions the domain isn't there at all...  How does the host find the DC?  They can ping the DC by name, but perhaps they aren't able to determine who the DC is?  But then how could they join the domain when I joined them from the vCenter server???  I seem to be having multiple problems along this line.

One thing to note: these hosts have been autodeployed.  The domain is joined via the host profile; not sure if there could be any issues there, but the hosts are compliant and after reboot they are members of the domain according to the Configuration tab -> Authentication setting.

Both hosts can resolve the domain controller fine by name.  Thanks for your response, it is an excellent blog and easy to follow, but I must have something slightly wrong in my domain I guess.

Bill Dossett
jrmunday
Commander

Are your hosts fully qualified and have you checked your DNS zones - both forward and reverse lookups?

From the DCUI, run these commands:

~ # esxcli system hostname get
   Domain Name: my.domain.com
   Fully Qualified Domain Name: esx01.my.domain.com
   Host Name: esx01

~ # esxcli network ip dns search list
   DNSSearch Domains: my.domain.com

~ # esxcli network ip dns server list
   DNSServers: xx.xx.xx.xx, xx.xx.xx.xx

Do you get the domain list in your dropdown if you try to add permissions to the host through vCenter?

vExpert 2014 - 2022 | VCP6-DCV | http://www.jonmunday.net | @JonMunday77
billdossett
Hot Shot

Hi Jon, thank you for the quick reply.

Yes, the hosts are all fully qualified and have forward and reverse entries in DNS.

All three commands return the correct information.

Yes, I do get the domain dropdown when I add permissions via the vCenter server, and I can add permissions.  I have added several users as administrators, yet none can log in to the hosts themselves via viclient or ssh.  As stated, when I try to ssh to the host using a domain name:

ssh -l BILLD\\administrator esxi1.billd.pvt

I get this in the auth log:

2012-11-22T14:25:03Z sshd[25020]: pam_per_user: create_subrequest_handle(): doing map lookup for user "BILLD\Administrator"
2012-11-22T14:25:03Z sshd[25020]: pam_per_user: create_subrequest_handle(): creating new subrequest (user="BILLD\Administrator", service="system-auth-generic")
2012-11-22T14:25:03Z sshd[25019]: Postponed keyboard-interactive for invalid user BILLD\\Administrator from 172.16.160.1 port 54981 ssh2
2012-11-22T14:25:06Z sshd[25020]: pam_unix(system-auth-generic:auth): check pass; user unknown
2012-11-22T14:25:06Z sshd[25020]: pam_unix(system-auth-generic:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.16.160.1
2012-11-22T14:25:08Z sshd[25019]: error: PAM: User not known to the underlying authentication module for illegal user BILLD\\Administrator from 172.16.160.1
2012-11-22T14:25:08Z sshd[25019]: Failed keyboard-interactive/pam for invalid user BILLD\\Administrator from 172.16.160.1 port 54981 ssh2
2012-11-22T14:25:08Z sshd[25021]: pam_per_user: create_subrequest_handle(): doing map lookup for user "BILLD\Administrator"
2012-11-22T14:25:08Z sshd[25021]: pam_per_user: create_subrequest_handle(): creating new subrequest (user="BILLD\Administrator", service="system-auth-generic")
2012-11-22T14:25:08Z sshd[25019]: Postponed keyboard-interactive for invalid user BILLD\\Administrator from 172.16.160.1 port 54981 ssh2
The viclient login in hostd.log yields more or less the same:
pam_per_user: create_subrequest_handle(): doing map lookup for user "BILLD\Administrator"
pam_per_user: create_subrequest_handle(): creating new subrequest (user="BILLD\Administrator", service="system-auth-generic")
pam_unix(system-auth-generic:auth): check pass; user unknown
pam_unix(system-auth-generic:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
2012-11-22T14:33:06.217Z [3F1C3B90 verbose 'SoapAdapter'] Responded to service state request
2012-11-22T14:33:13.447Z [3F1C3B90 verbose 'Cimsvc'] Ticket issued for CIMOM version 1.0, user root
2012-11-22T14:33:19.479Z [3EA9AB90 verbose 'SoapAdapter'] Responded to service state request
2012-11-22T14:33:24.945Z [FFE81B90 info 'Vmomi'] Activation [N5Vmomi10ActivationE:0xffd847d0] : Invoke done [waitForUpdates] on [vmodl.query.PropertyCollector:ha-p
2012-11-22T14:33:24.945Z [FFE81B90 verbose 'Vmomi'] Arg version:
--> "27"
2012-11-22T14:33:24.945Z [FFE81B90 info 'Vmomi'] Throw vmodl.fault.RequestCanceled
2012-11-22T14:33:24.945Z [FFE81B90 info 'Vmomi'] Result:
--> (vmodl.fault.RequestCanceled) {
-->    dynamicType = <unset>,
-->    faultCause = (vmodl.MethodFault) null,
-->    msg = "",
--> }
I have attached a picture of the permissions page for that host as seen from the vcenter server.
Thanks again for your help looking at this - it's becoming an annoyance now!
Bill Dossett
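Added example, not part of the thread: a small Python triage over the auth.log lines pasted above, which reports, for each login name, the PAM service pam_per_user picked, the modules that actually evaluated it and the sshd verdict. The reading that a correctly joined host would hand a DOMAIN\user name to an AD-aware PAM module rather than to pam_unix alone is my assumption, not something the thread states.

```python
import re

# Constructed sample: the ESXi /var/log/auth.log lines quoted in the post above
# (raw string, so backslashes appear exactly as sshd and PAM wrote them).
SAMPLE_AUTH_LOG = r"""
2012-11-22T14:25:03Z sshd[25020]: pam_per_user: create_subrequest_handle(): doing map lookup for user "BILLD\Administrator"
2012-11-22T14:25:03Z sshd[25020]: pam_per_user: create_subrequest_handle(): creating new subrequest (user="BILLD\Administrator", service="system-auth-generic")
2012-11-22T14:25:03Z sshd[25019]: Postponed keyboard-interactive for invalid user BILLD\\Administrator from 172.16.160.1 port 54981 ssh2
2012-11-22T14:25:06Z sshd[25020]: pam_unix(system-auth-generic:auth): check pass; user unknown
2012-11-22T14:25:06Z sshd[25020]: pam_unix(system-auth-generic:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.16.160.1
2012-11-22T14:25:08Z sshd[25019]: error: PAM: User not known to the underlying authentication module for illegal user BILLD\\Administrator from 172.16.160.1
2012-11-22T14:25:08Z sshd[25019]: Failed keyboard-interactive/pam for invalid user BILLD\\Administrator from 172.16.160.1 port 54981 ssh2
"""

SUBREQ = re.compile(r'creating new subrequest \(user="([^"]+)", service="([^"]+)"\)')
MODULE = re.compile(r'(pam_\w+)\(([\w-]+):auth\): (.*)$')
VERDICT = re.compile(r'(Failed|Accepted) \S+ for (?:invalid user )?(\S+) from (\S+)')

def norm_user(raw):
    # sshd escapes the backslash in DOMAIN\user ("BILLD\\Administrator"); PAM does not.
    return raw.replace("\\\\", "\\")

def triage_auth_log(text):
    """Per login name: the pam_per_user service, the (module, message) pairs that ran, and the sshd verdict."""
    users = {}
    def rec(name):
        return users.setdefault(norm_user(name), {"service": None, "modules": [], "verdict": None, "src": None})
    last = None  # most recent subrequest; following module lines belong to it
    for line in text.splitlines():
        if m := SUBREQ.search(line):
            last = rec(m.group(1))
            last["service"] = m.group(2)
        elif (m := MODULE.search(line)) and last is not None:
            last["modules"].append((m.group(1), m.group(3)))
        elif m := VERDICT.search(line):
            r = rec(m.group(2))
            r["verdict"], r["src"] = m.group(1), m.group(3)
    return users

def diagnose(user, r):
    """Explain a DOMAIN\\user failure. The 'expected AD module' reading is an assumption, not a VMware rule."""
    if r["verdict"] == "Accepted":
        return "ok"
    mods = {mod for mod, _ in r["modules"]}
    if "\\" in user and mods and mods <= {"pam_unix"}:
        return ("domain-style login was routed to service %s and checked only by pam_unix "
                "(local account lookup, 'user unknown'); no AD-aware module ran, so the host "
                "did not actually consult the domain for this login" % r["service"])
    return "failed for another reason: %r" % r["modules"]
```

Run it over the real /var/log/auth.log after a failed attempt; a domain login that never leaves pam_unix points at the host-side join or PAM configuration rather than at the permissions assigned in vCenter.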
jrmunday
Commander

Have a look at this blog;

http://rcmtech.wordpress.com/2012/08/21/active-directory-authentication-for-esxi-host-management/

vExpert 2014 - 2022 | VCP6-DCV | http://www.jonmunday.net | @JonMunday77
tellotim
Contributor

In the domain field I had to use the full path to the computer object in AD.  For example: domain.com/XX/Site/Servers/VMware.  After this everything worked as expected.

Also, here is a PowerCLI command that might help:

Get-VMHostAuthentication -VMHost $item.host | Set-VMHostAuthentication -Domain $item.domain -User $User -Password $Password -JoinDomain
