VMware Cloud Community
Hernan_Gutmer
Contributor

Restrict login / Give root credentials with AD Implemented

Hi all! 😃

I've recently implemented full AD integration with Samba in my ESX 3.5.

All AD users can log in to my ESX hosts as read-only.

Can I disable login for a group of valid AD users? Similar to "log on locally" on a Windows box.

Can I give root rights to a special AD group of users without using su -? So for example, I log in with my user and I have the same credentials as root.

Thank you very much for your help!!!

Accepted Solutions
Texiwill
Leadership

Hello,

Moved to the Security and Compliance forum.

All AD users can log in to my ESX hosts as read-only

Not good. It is not really read-only, but they can write to various places still.

Can I disable login for a group of valid AD users? Similar to "log on locally" on a Windows box.

Check out the pam_access section of http://www.astroarch.com/wiki/index.php/Full_Integration_of_Active_Directory for assistance with this. You can add pam_access to deny access to the ESX host by anyone who is NOT in a specific group, by user, or even by IP address and time of login. It's pretty powerful stuff. Also check out 'man pam_access'.

Can I give root rights to a special AD group of users without using su -? So for example, I log in with my user and I have the same credentials as root.

Yes, BUT you do not want to do this. You absolutely do not want to do this, as you lose the ability to audit and the ability to use AD in some ways. It is best to instead enable 'sudo' so that you can maintain logging of all commands issued by all administrators. You will then know who did what when. Check out 'man sudo' and 'man sudoers' for assistance with this. You can use sudo to limit which commands an administrator can or cannot run.

Remember you do not want AD to handle any account with UID 0; once you do that you no longer use AD but local accounts. The reason for this is that if you have AD handling accounts with UID 0 you lose the 'local administrator' account you may need if your AD server dies or the network is unreachable.

You also want only one super user, else you increase the risk of a break-in.


Best regards,

Edward L. Haletky

VMware Communities User Moderator

====

Author of the book 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education.

SearchVMware Blog: http://itknowledgeexchange.techtarget.com/virtualization-pro/

Blue Gears Blogs - http://www.itworld.com/ and http://www.networkworld.com/community/haletky

As well as the Virtualization Wiki at http://www.astroarch.com/wiki/index.php/Virtualization

--
Edward L. Haletky
vExpert XIV: 2009-2023,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill
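The pam_access approach above, worked through as an added example (not code from the thread or the linked wiki): a constructed access.conf that admits only members of an assumed AD group "esxadmins" and lets root in only from the console, plus a small evaluator of pam_access's first-match rule semantics so a ruleset can be checked before it is enabled with "account required pam_access.so" in the relevant /etc/pam.d service file. The group name and IP addresses are assumptions; the evaluator is a simplified model, not the PAM module itself.

```python
"""Simplified model of pam_access rule evaluation for checking an access.conf."""

# Constructed ruleset: first matching line wins, so the order matters.
# Bare names match a user or a group in the older pam_access shipped with
# ESX 3.5's console OS; newer Linux-PAM wants groups written as (group).
ACCESS_CONF = """
# permission : users/groups : origins
+ : root : LOCAL          # root only at the physical console
- : root : ALL            # ... and never over the network
+ : esxadmins : ALL       # assumed AD admin group may log in from anywhere
- : ALL : ALL             # everyone else is denied (catch-all is essential)
"""


def parse_access_conf(text):
    """Parse access.conf lines into (permit, who_tokens, origin_tokens) tuples."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        perm, who, origins = (field.strip() for field in line.split(":", 2))
        rules.append((perm == "+", who.split(), origins.split()))
    return rules


def _matches(tokens, candidates):
    """Match one field: ALL, a list of names, or 'list EXCEPT list'."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return _matches(tokens[:i], candidates) and not _matches(tokens[i + 1:], candidates)
    return any(tok == "ALL" or tok in candidates for tok in tokens)


def is_allowed(rules, user, groups, origin):
    """Return True if the login (user, groups, origin) is permitted by the rules."""
    who = {user} | set(groups) | {"(%s)" % g for g in groups}
    where = {origin}
    if "." not in origin:        # pam_access: LOCAL matches any origin without a dot (tty, console)
        where.add("LOCAL")
    for permit, who_toks, origin_toks in rules:
        if _matches(who_toks, who) and _matches(origin_toks, where):
            return permit
    return True                  # pam_access permits when no rule matches


RULES = parse_access_conf(ACCESS_CONF)
```

Note that a ruleset without the final "- : ALL : ALL" (or an equivalent "ALL EXCEPT" deny) silently permits every AD user, which is exactly the state the original question describes.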

2 Replies
billhill
Enthusiast

Well... seeing as you have the integration piece configured between the Host and Samba/AD... I would imagine you should be able to get that setup.

If you are using the VI Client to manage your ESX hosts, you should be able to define a new role (via the Administration button) and the Roles tab. Once the appropriate role exists (either pre-defined or custom made), you can apply the role to single users or a group of users via the permissions tab (via the Inventory button). The default roles are: Administrator, Read-Only, No Access.

The role can be applied at the "Hosts & Clusters" level, the DataCenter level, Resource Group level and the VM level. The level in the hierarchy at which the role is applied affects how it is propagated, if at all.

When applying the role, you will specify users and/or groups from the OS to link to the role. So, at this point, you should be able to add the user name the user authenticates with. The list that VC provides appears to be from the host:/etc/passwd file. So, you may not be able to select them from the list. But, try manually entering the usernames in the Users: or Groups: section.

I will admit that we do not have Samba authentication configured as we are running Virtual Center, which has AD Authentication inherently. However, the principles should be the same.

Good Luck!
