VMware Cloud Community
schultejanj
Contributor

Multiple subdomain and AD authentication

All,

Earlier I finally got AD authentication working with my ESX servers. Now I find myself against a wall that I find hard to believe enterprise-ready VMware can't answer. I say this as it relates directly to a post by iforeman on 1/25/08, titled "Multiple subdomains and AD authentication". His post received no reply.

The issue I have is the same as iforeman's and it is this:

I have admins in Europe, in eu.home.com, and admins in the USA, in us.home.com.

My krb5.conf works fine for single domain authentication.

If the default-realm is set to eu.home.com then EU admins can log in, but not US admins.

If the default-realm is changed to us.home.com then US admins can log in, but not EU admins.

Is there a way to configure krb5.conf to allow admins from either AD subdomain to authenticate to a server?

If anyone has any information, please reply to this post! I appreciate your effort!

Regards,

Jim

5 Replies
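For reference, here is what a krb5.conf that knows about both AD child domains looks like. This is an added example, not a file from the original thread or from VMware; the KDC hostnames and the choice of EU.HOME.COM as default are assumptions. Realm names are the DNS domain names in upper case, and MIT krb5 only treats a line as a comment when the # is at the start of the line, so comments are kept on their own lines.

```conf
# Added example (not from the thread): /etc/krb5.conf with BOTH AD child
# domains defined as Kerberos realms. KDC names are assumptions; use the
# domain controllers of each child domain.
[libdefaults]
    default_realm = EU.HOME.COM
    dns_lookup_realm = false
    dns_lookup_kdc = false
    ticket_lifetime = 24h
    forwardable = true

[realms]
    EU.HOME.COM = {
        kdc = dc1.eu.home.com:88
        kdc = dc2.eu.home.com:88
        default_domain = eu.home.com
    }
    US.HOME.COM = {
        kdc = dc1.us.home.com:88
        kdc = dc2.us.home.com:88
        default_domain = us.home.com
    }

# Map DNS names to realms so hostnames in either subdomain resolve to the
# right KDC. Leading dot = every host below that domain.
[domain_realm]
    .eu.home.com = EU.HOME.COM
    eu.home.com  = EU.HOME.COM
    .us.home.com = US.HOME.COM
    us.home.com  = US.HOME.COM
```

Two points a practitioner should keep in mind with this file. First, default_realm is only used when a bare user name is given: "jsmith" means jsmith@EU.HOME.COM, and there is no krb5.conf setting that makes the library try every configured realm in turn, so a US admin must present the full principal (jsmith@US.HOME.COM) or the login program must supply it. Second, test each realm from the service console with kinit and klist before touching PAM (kinit jsmith@US.HOME.COM, then klist); if a ticket comes back for both realms, KDC reachability and the realm definitions are fine and whatever remains is in how the login program and pam_krb5 hand the principal through.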
Linjo
Leadership

Some speculations here:

http://www.vreference.com/2010/01/20/esx-4-1-to-include-likewise-ad-authentication/

Best regards,

Linjo

If you find this information useful, please award points for "correct" or "helpful".

schultejanj
Contributor

Thanks for the quick reply. I briefly reviewed Likewise. I should have provided more background:

1. We don't want to bring in 3rd party products

2. We are on ESX 3.5 Update 5

Regards,

Jim

Texiwill
Leadership

Hello,

Remember that ESX/ESXi has no 'GPO' capability. So you need to use something like pam_access (part of ESX) or something like HyTrust for ESXi to limit access by location, time, etc.

pam_access solves most, if not all, of these issues.


Best regards,
Edward L. Haletky, VMware Communities User Moderator, VMware vExpert 2009

Now Available: 'VMware vSphere(TM) and Virtual Infrastructure Security'

Also available: 'VMware ESX Server in the Enterprise'

Blogging: The Virtualization Practice | Blue Gears | TechTarget | Network World

Podcast: Virtualization Security Round Table Podcast | Twitter: Texiwll

--
Edward L. Haletky
vExpert XIV: 2009-2023,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill
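To make the pam_access suggestion concrete, here is an added example (not from the thread, and not something the poster or VMware supplied) of restricting service-console logins by user and origin network. The group names and the 10.10./10.20. management networks are assumptions. It also assumes the ESX 3.5 service console carries the RHEL3-era pam_access, whose origin field accepts a network prefix ending in a dot, and that AD-authenticated admins still have local accounts and local group membership on the host, since pam_krb5 only authenticates.

```conf
# Added example (not from the thread): /etc/security/access.conf
# Format:  permission : users (or groups) : origins
# Lines are evaluated top-down; the first match wins.

# root only from the physical console, never over the network.
+ : root : LOCAL

# EU admins (local group esx-admins-eu, assumed) only from the EU
# management network; trailing dot = IP prefix match.
+ : esx-admins-eu : 10.10.

# US admins only from the US management network.
+ : esx-admins-us : 10.20.

# Everyone else, from anywhere, is denied.
- : ALL : ALL

# /etc/pam.d/sshd needs one extra line in the account phase so that
# sshd consults access.conf after pam_krb5 has done the auth phase:
# account    required     /lib/security/pam_access.so
```

The "- : ALL : ALL" line at the bottom is what makes the file a whitelist; without it pam_access permits anything not explicitly denied. Test a change from a second session before closing the one you are editing in, because a typo in access.conf locks out every network login including your own.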
schultejanj
Contributor

Thanks for the reply. I am using the PAM module and I now have kinit working. Kinit works if I pass the FQDN name as the ID. For example, "kinit useraccount@DEPTA.ORGA.COM". I give the password and it works. I can also, on the same ESX server, type in "kinit useraccount@DEPTA.ORGA.com" and that also gives me a ticket.

However, when I now want to log in and I enter, as my account, Login: useraccount@DEPTA.ORGA.COM, the server requests credentials for:

useraccount@DEPTA.ORGA.COM@ESXHOSTNAME. So I now have two '@' in my login credentials. /var/log/messages of course states that this is an illegal user!

Any way I can get the login prompt to not append the '@ESXHOSTNAME'? I'm getting closer!

Texiwill
Leadership

Hello,

This sounds like your realm or something is set up incorrectly within krb5.conf. However, I have not done this much using subdomains.


Best regards,
Edward L. Haletky