Folks, we've configured our ESX 3.0.1 hosts to authenticate against Active Directory, which has been working successfully for some time. The Active Directory accounts are set not to expire.
The hosts are now showing the message below, but when we change the password on the host it doesn't sync with the domain or get pushed over to Active Directory.
You must change your password now and login again!
Changing password for user testacc1.
Current Kerberos 5 password:
Changing password for testacc1
(current) UNIX password:
We're left trying to logon again with the old password and the same message. We're going round in circles.
Any ideas?
I have a different solution for you and have seen this and addressed this in my environment. When you add a user to ESX using the useradd command also issue this command
/usr/bin/chage -M 99999 username
This will keep the password from expiring on the ESX side
Steve Beaver
VMware Communities User Moderator
====
Co-Author of "VMware ESX Essentials in the Virtual Data Center"
Coming soon to a store near you!
*Virtualization is a journey, not a project.*
Can you paste your /etc/krb5.conf? We also auth against AD, and if your password expires and requires a change, that should be done on a Windows server on the AD domain. I've never seen this occur through the service console. I assume you used esxcfg-auth to configure your initial authentication with your domain controller?
Hello,
Sounds like your AD integration has issues.... Check out http://www.astroarch.com/wiki/index.php/Remote_Authentication for assistance. Note that to fully integrate so passwords work you need to have either winbind or secure LDAP working. I know this works with winbind with no issues. However, the standard passwd command is NOT sufficient to change the password on the AD server, so you are really looking at a PAM change to make this work.
This is not really an ESX issue as much as it is a Linux issue as well. A good reference for this is the "Samba-3 By Example" book.
Generally, however, if you do not have the proper Linux tools installed you should change the password using any Windows machine or the domain server.
Best regards,
Edward L. Haletky
VMware Communities User Moderator
====
Author of the book 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education. CIO Virtualization Blog: http://www.cio.com/blog/index/topic/168354, As well as the Virtualization Wiki at http://www.astroarch.com/wiki/index.php/Virtualization
Another note.... Did you add passwords when you created these accounts? Just in case you should not need the AD passwords on ESX
Steve Beaver
Below are the contents of my krb5.conf...
# Autogenerated by esxcfg-auth
[appdefaults]
pam = {
debug = false
forwardable = true
krb4_convert = false
renew_lifetime = 36000
ticket_lifetime = 36000
}
[domain_realm]
flhosp.net = FLHOSP.NET
example.com = EXAMPLE.COM
.example.com = EXAMPLE.COM
.domain.com = DOMAIN.COM
flhosp.net = FLHOSP.NET
domain.com = DOMAIN.COM
mydomain.myroot.net = MYDOMAIN.MYROOT.NET
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
[libdefaults]
default_realm = MYDOMAIN.MYROOT.NET
ticket_lifetime = 24000
dns_lookup_realm = false
default_realm = DOMAIN.COM
dns_lookup_kdc = false
[logging]
default = FILE:/var/log/krb5libs.log
admin_server = FILE:/var/log/kadmind.log
kdc = FILE:/var/log/krb5kdc.log
[realms]
MYDOMAIN.MYROOT.NET = {
admin_server = mydomain.myroot.net:4749
default_domain = mydomain.myroot.net
kdc = dc1.mydomain.myroot.net:88
}
I also copy krb.conf during install....
# Autogenerated by esxcfg-auth
[kdcdefaults]
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
v4_mode = nopreauth
I also copy krb5.realms during install...
# Autogenerated by esxcfg-auth
[realms]
M01DOMAIN.MYROOT.NET = {
master_key_type = des-cbc-crc
supported_enctypes = des3-cbc-raw:normal des3-cbc-raw:norealm des3-cbc-raw:onlyrealm des3-cbc-sha1:normal des3-cbc-sha1:norealm des3-cbc-sha1:onlyrealm des-cbc-crc:v4 des-cbc-crc:afs3 des-cbc-crc:normal des-cbc-crc:norealm des-cbc-crc:onlyrealm des-cbc-md4:v4 des-cbc-md4:afs3 des-cbc-md4:normal des-cbc-md4:norealm des-cbc-md4:onlyrealm des-cbc-md5:v4 des-cbc-md5:afs3 des-cbc-md5:normal des-cbc-md5:norealm des-cbc-md5:onlyrealm des-cbc-raw:v4 des-cbc-raw:afs3 des-cbc-raw:normal des-cbc-raw:norealm des-cbc-raw:onlyrealm des-cbc-sha1:v4 des-cbc-sha1:afs3 des-cbc-sha1:normal des-cbc-sha1:norealm des-cbc-sha1:onlyrealm
}
The accounts are created during install by using the following. I don't set a password.
Any ideas? Do I need to copy the krb5.realms & krb.conf?
It sounds like you just enabled kerberos auth logins, you haven't done full AD integration with WinBind and pam. In other words, are you creating local accounts for each user? Without winbind you won't be able to honor the Windows password controls. You've probably just passed the local password expiration policy of your local accounts (which are still authenticating with AD Kerberos).
As some posters pointed out, you need to change the local password expiration default for new users. (Disable it for new users).
esxcfg-auth --passmaxdays=-1
However, this will not affect existing users IIRC. You'll have to update existing users as well I believe. (Disable it for existing user).
chage -M -1 username
Your other option is to "upgrade" your AD integration to full winbind integration as a few other posters indicated. The root and vpxuser account have no aging.
I'm guessing esxcfg-auth --passmaxdays may just edit /etc/login.defs (usual place where the password expiration default settings are kept). Have to take a look at it when I get a chance.
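A quick way to see which local accounts are about to trip that forced-change prompt, written here as an added illustration and not code from the thread or from VMware: it reads shadow-format lines (a constructed sample, not a real /etc/shadow), flags accounts whose max-days field is still a finite value and accounts whose password field is empty, and prints the chage -M -1 and usermod -L commands that would fix them without executing anything. The sample names and hashes are made up.

```shell
#!/bin/sh
# Constructed sample in /etc/shadow format (not data from the thread).
# Fields: name:password:lastchg:min:max:warn:inactive:expire:reserved
SAMPLE_SHADOW='root:$1$aaaa$constructedhash:14000:0:99999:7:::
vpxuser:$1$bbbb$constructedhash:14000:0:99999:7:::
testacc1:!!:14000:0:90:7:::
testacc2::14000:0:90:7:::
svcbackup:!!:14000:0:99999:7:::'

# Accounts whose local password aging (field 5, max days) is still a finite
# value. These are the ones that hit "You must change your password now"
# even though the password itself is checked by Kerberos, not /etc/shadow.
aging_enabled() {
  printf '%s\n' "$1" | awk -F: '$5 != "" && $5 != "99999" && $5 != "-1" { print $1 }'
}

# Accounts whose password field is empty. "!!" (what useradd leaves behind
# when no -p is given) locks local password login; an empty field does not,
# and with pam_unix's nullok it permits a login with no password at all.
empty_password() {
  printf '%s\n' "$1" | awk -F: '$2 == "" { print $1 }'
}

# Print the remediation commands without executing them (review, then run).
remediation() {
  for u in $(aging_enabled "$1"); do
    echo "/usr/bin/chage -M -1 $u"    # disable local aging, as suggested above
  done
  for u in $(empty_password "$1"); do
    echo "/usr/sbin/usermod -L $u"    # lock the empty local password field
  done
}

remediation "$SAMPLE_SHADOW"
```

Run it against the real file with `remediation "$(cat /etc/shadow)"` as root; root and vpxuser are untouched because their max-days field is already 99999.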
I know this is an older thread but it seems like a good place for my question.
I run a batch script on my vCenter servers which populates a text file with a list of users from an AD group "ESX-Admins". This script runs nightly and the file is created in a directory under a Windows Services for UNIX NFS share, which is also on my vCenter. The share is then mounted to all my ESX hosts as /vmfs/volumes/depot and is used as a central repository for shared files, scripts etc. I then run a bash script on the ESX hosts which deletes all the accounts on the ESX host excluding a handful of service accounts and then adds the users listed in the text file to the ESX host using useradd <username>. Users then authenticate using their AD username and password.
Is there any security issue with never assigning a local password for a newly created user account using useradd <username> without using the option -p or later running the passwd command? The account seems to work without issue and does not allow a log in without the correct AD password. From what I have read it seems an account created with useradd is not actually enabled locally until a password is set?
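For the nightly sync described above, here is an added sketch (my own, not the poster's script or anything from VMware) of a safer shape: compute the difference between the AD group list and the existing local accounts instead of deleting and recreating everything, refuse usernames that are not plain account names (the list file comes off an NFS share and every line of it ends up as an argument to useradd run as root), create missing users with no -p so the shadow field stays "!!", and apply the chage -M -1 from the earlier reply so the local aging never triggers the forced change. Both inputs are constructed samples and the result is a printed plan, not executed commands.

```shell
#!/bin/sh
# Constructed sample of the AD group export (what the nightly batch job
# writes to the NFS share), one username per line. The last two lines
# stand in for a corrupted or tampered file.
WANTED='alice
bob
carol
Bad User;rm
-x'

# Constructed sample of the host's current /etc/passwd.
CURRENT_PASSWD='root:x:0:0:root:/root:/bin/bash
vpxuser:x:500:500::/home/vpxuser:/bin/bash
alice:x:501:501::/home/alice:/bin/bash
dave:x:502:502::/home/dave:/bin/bash'

# Service accounts the sync must never remove (root and vpxuser are not AD
# users and have no aging; add your own service accounts here).
KEEP='root vpxuser'

# Local accounts under the sync's control: UID >= 500 and not in KEEP.
managed_users() {
  printf '%s\n' "$1" | awk -F: '$3 >= 500 { print $1 }' | while read -r u; do
    case " $KEEP " in *" $u "*) ;; *) echo "$u" ;; esac
  done
}

# Lines of $1 that do not appear in $2 (both newline-separated lists).
set_minus() {
  printf '%s\n' "$1" | while read -r u; do
    [ -n "$u" ] || continue
    printf '%s\n' "$2" | grep -qxF -- "$u" || echo "$u"
  done
}

# Accept only plain lowercase account names; anything else is dropped with
# a warning rather than handed to useradd or userdel.
valid_name() {
  case "$1" in
    '') return 1 ;;
    -*) return 1 ;;
    *[!a-z0-9._-]*) return 1 ;;
  esac
  return 0
}

# Print the commands the sync would run. No account is touched here.
plan_sync() {
  managed=$(managed_users "$CURRENT_PASSWD")
  set_minus "$WANTED" "$managed" | while read -r u; do
    if ! valid_name "$u"; then
      echo "# skipped invalid username: $u" >&2
      continue
    fi
    echo "/usr/sbin/useradd $u"       # no -p: shadow field stays '!!', AD supplies the password
    echo "/usr/bin/chage -M -1 $u"    # disable local aging so the account never hits the forced change
  done
  set_minus "$managed" "$WANTED" | while read -r u; do
    echo "/usr/sbin/userdel $u"
  done
}

plan_sync
```

Diffing rather than wiping keeps UIDs stable (so file ownership under /home and on the shared volume survives the nightly run) and makes the plan reviewable: pipe the output to sh only after reading it.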