VMware Cloud Community
Stuarty1874
Contributor

Active Directory Passwords Expiring on ESX HOST

Folks, we've configured our ESX 3.0.1 hosts to authenticate against Active Directory which has been working successfully for some time. The Active Directory accounts are set not to expire.

The hosts are now showing the message below, but when we change the password on the host it doesn't sync with domain, or sync over to Active Directory.

    You must change your password now and login again!
    Changing password for user testacc1.
    Current Kerberos 5 password:
    Changing password for testacc1
    (current) UNIX password:

We're left trying to log on again with the old password and get the same message. We're going round in circles.

Any ideas?

Accepted solution: sbeaver's reply below (chage -M 99999 username).
7 Replies
lamw
Community Manager

Can you paste your /etc/krb5.conf? We also auth against AD, and if your password expires and requires a change, that should be done on a Windows server in the AD domain. I've never seen this occur through the service console. I assume you used esxcfg-auth to configure your initial authentication with your domain controller?

Texiwill
Leadership

Hello,

Sounds like your AD integration has issues. Check out http://www.astroarch.com/wiki/index.php/Remote_Authentication for assistance. Note that to fully integrate so that passwords work you need to have either winbind or secure LDAP working. I know this works with winbind with no issues. However, the standard passwd command is NOT sufficient to change the password on the AD server, so you are really looking at a PAM change to make this work.

This is not really an ESX issue so much as a Linux issue. A good reference for this is the "Samba-3 By Example" book.

Generally, however, if you do not have the proper Linux tools installed you should change the password using any Windows machine or the domain server.


Best regards,

Edward L. Haletky

VMware Communities User Moderator

====

Author of the book 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education. CIO Virtualization Blog: http://www.cio.com/blog/index/topic/168354, As well as the Virtualization Wiki at http://www.astroarch.com/wiki/index.php/Virtualization

--
Edward L. Haletky
vExpert XIV: 2009-2023,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill
sbeaver
Leadership

I have a different solution for you; I have seen this and addressed it in my environment. When you add a user to ESX using the useradd command, also issue this command:

/usr/bin/chage -M 99999 username

This will keep the password from expiring on the ESX side

Steve Beaver

VMware Communities User Moderator

====

Co-Author of "VMware ESX Essentials in the Virtual Data Center"

Coming soon to a store near you!

*Virtualization is a journey, not a project.*

Steve Beaver
VMware Communities User Moderator
VMware vExpert 2009 - 2020
VMware NSX vExpert - 2019 - 2020
====
Co-Author of "VMware ESX Essentials in the Virtual Data Center"
(ISBN:1420070274) from Auerbach
Come check out my blog: [www.virtualizationpractice.com/blog|http://www.virtualizationpractice.com/blog/]
Come follow me on twitter http://www.twitter.com/sbeaver

**The Cloud is a journey, not a project.**
sbeaver
Leadership

Another note: did you add passwords when you created these accounts? Just in case, you should not need the AD passwords on ESX.

Stuarty1874
Contributor

Below is the contents of my krb5.conf...

# Autogenerated by esxcfg-auth
[appdefaults]
 pam = {
  debug = false
  forwardable = true
  krb4_convert = false
  renew_lifetime = 36000
  ticket_lifetime = 36000
 }

[domain_realm]
 flhosp.net = FLHOSP.NET
 example.com = EXAMPLE.COM
 .example.com = EXAMPLE.COM
 .domain.com = DOMAIN.COM
 flhosp.net = FLHOSP.NET
 domain.com = DOMAIN.COM
 mydomain.myroot.net = MYDOMAIN.MYROOT.NET

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[libdefaults]
 default_realm = MYDOMAIN.MYROOT.NET
 ticket_lifetime = 24000
 dns_lookup_realm = false
 default_realm = DOMAIN.COM
 dns_lookup_kdc = false

[logging]
 default = FILE:/var/log/krb5libs.log
 admin_server = FILE:/var/log/kadmind.log
 kdc = FILE:/var/log/krb5kdc.log

[realms]
 MYDOMAIN.MYROOT.NET = {
  admin_server = mydomain.myroot.net:4749
  default_domain = mydomain.myroot.net
  kdc = dc1.mydomain.myroot.net:88
 }

I also copy krb.conf during install....

# Autogenerated by esxcfg-auth
[kdcdefaults]
 acl_file = /var/kerberos/krb5kdc/kadm5.acl
 dict_file = /usr/share/dict/words
 admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
 v4_mode = nopreauth

I also copy krb5.realms during install...

# Autogenerated by esxcfg-auth
[realms]
 M01DOMAIN.MYROOT.NET = {
  master_key_type = des-cbc-crc
  supported_enctypes = des3-cbc-raw:normal des3-cbc-raw:norealm des3-cbc-raw:onlyrealm des3-cbc-sha1:normal des3-cbc-sha1:norealm des3-cbc-sha1:onlyrealm des-cbc-crc:v4 des-cbc-crc:afs3 des-cbc-crc:normal des-cbc-crc:norealm des-cbc-crc:onlyrealm des-cbc-md4:v4 des-cbc-md4:afs3 des-cbc-md4:normal des-cbc-md4:norealm des-cbc-md4:onlyrealm des-cbc-md5:v4 des-cbc-md5:afs3 des-cbc-md5:normal des-cbc-md5:norealm des-cbc-md5:onlyrealm des-cbc-raw:v4 des-cbc-raw:afs3 des-cbc-raw:normal des-cbc-raw:norealm des-cbc-raw:onlyrealm des-cbc-sha1:v4 des-cbc-sha1:afs3 des-cbc-sha1:normal des-cbc-sha1:norealm des-cbc-sha1:onlyrealm
 }

The accounts are created during install by using the following. I don't set a password.

useradd -m

Any ideas? Do I need to copy the krb5.realms & krb.conf ?

stumpr
Virtuoso

It sounds like you just enabled kerberos auth logins, you haven't done full AD integration with WinBind and pam. In other words, are you creating local accounts for each user? Without winbind you won't be able to honor the Windows password controls. You've probably just passed the local password expiration policy of your local accounts (which are still authenticating with AD Kerberos).

As some posters pointed out, you need to change the local password expiration default for new users. (Disable it for new users).

esxcfg-auth --passmaxdays=-1

However, this will not affect existing users IIRC. You'll have to update existing users as well I believe. (Disable it for existing user).

chage -M -1 username

Your other option is to "upgrade" your AD integration to full winbind integration as a few other posters indicated. The root and vpxuser account have no aging.

I'm guessing esxcfg-auth --passmaxdays may just edit /etc/login.defs (usual place where the password expiration default settings are kept). Have to take a look at it when I get a chance.

Reuben Stump | http://www.virtuin.com | @ReubenStump
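Added example (mine, not posted by stumpr or anyone else in this thread): a small shell audit that reads /etc/shadow-format lines, classifies each local account's password aging the way pam_unix evaluates it (aged once today is past lastchg + max; an empty or -1 max disables aging and 99999 never triggers in practice), and shows what `chage -M -1 user` changes in the record. The shadow lines, fake hashes and day numbers are constructed sample data, not from a real host; the field rules are from shadow(5). On a real ESX host you would run it against /etc/shadow as root and fix flagged accounts with the chage or esxcfg-auth commands above.

```shell
#!/bin/sh
# Added example, not from anyone in this thread. Audits /etc/shadow-style
# lines for the local password aging that makes pam_unix demand a password
# change at login, and shows what "chage -M -1 user" does to the record.
#
# /etc/shadow fields (colon separated), per shadow(5):
#   1 name  2 hash  3 lastchg (days since 1970-01-01)  4 min  5 max
#   6 warn  7 inactive  8 expire  9 reserved
# pam_unix treats the password as aged when today > lastchg + max.
# max of -1 (what chage -M -1 writes) or empty disables aging; 99999 (the
# value sbeaver uses, and the login.defs default) never triggers in practice.
# lastchg of 0 forces a change at next login; empty lastchg disables aging.

# Constructed sample data (hashes are fake, not from a real host). Day
# numbers are arbitrary; 13800 falls in 2007.
SAMPLE_SHADOW='root:$1$fakehash$xxxxxxxxxxxxxxxxxxxxxx:13800::::::
vpxuser:$1$fakehash$yyyyyyyyyyyyyyyyyyyyyy:13800::::::
testacc1:!!:13800:0:90:7:::
esxadmin:!!:13800:0:99999:7:::
svc_backup:!!:13700:0:-1:7:::
mustchange:!!:0:0:99999:7:::'

# Print "name:status" per account.
#   noaging  max empty/-1/99999, or lastchg empty
#   expired  pam_unix will force a change (lastchg 0, or today past lastchg+max)
#   ok       aging on but not yet reached
shadow_aging_report() {   # $1 = shadow text, $2 = today as days since epoch
    printf '%s\n' "$1" | awk -F: -v today="$2" '
        NF < 5 { next }
        {
            name = $1; lastchg = $3; max = $5
            if (lastchg == "0") { print name ":expired"; next }
            if (lastchg == "" || max == "" || max == "-1" || max == "99999") {
                print name ":noaging"; next
            }
            if (today + 0 > lastchg + max) print name ":expired"
            else print name ":ok"
        }'
}

# Status of a single account (wrapper for checks and scripts).
account_status() {   # $1 = shadow text, $2 = today, $3 = account name
    shadow_aging_report "$1" "$2" | awk -F: -v n="$3" '$1 == n { print $2 }'
}

# The fix as a record rewrite: set field 5 to -1, which is what
# "chage -M -1 NAME" stores. On a real host run chage itself rather than
# editing /etc/shadow by hand.
disable_aging() {   # $1 = shadow text, $2 = account name -> rewritten text
    printf '%s\n' "$1" | awk -F: -v OFS=: -v n="$2" '$1 == n { $5 = "-1" } { print }'
}

# Today as days since the epoch, the unit /etc/shadow uses.
today_days() { echo $(( $(date +%s) / 86400 )); }

# Typical use on a host (as root):
#   shadow_aging_report "$(cat /etc/shadow)" "$(today_days)" | grep ':expired$'
```

Accounts created after the fact still inherit PASS_MAX_DAYS from /etc/login.defs at useradd time, which is why stumpr suggests `esxcfg-auth --passmaxdays=-1` for new users and `chage -M -1` for the ones that already exist; the report above tells you which existing accounts will hit the forced-change prompt at their next login.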
korman
Contributor

I know this is an older thread but it seems like a good place for my question.

I run a batch script on my vCenter servers which populates a text file with a list of users from an AD group "ESX-Admins". This script runs nightly and the file is created in a directory under a Windows Services for UNIX NFS share, which is also on my vCenter. The share is then mounted on all my ESX hosts as /vmfs/volumes/depot and is used as a central repository for shared files, scripts etc. I then run a bash script on the ESX hosts which deletes all the accounts on the ESX host excluding a handful of service accounts and then adds the users listed in the text file to the ESX host using useradd <username>. Users then authenticate using their AD username and password.

Is there any security issue with never assigning a local password to a newly created user account, i.e. using useradd <username> without the -p option or later running the passwd command? The account seems to work without issue and does not allow a login without the correct AD password. From what I have read it seems an account created with useradd is not actually enabled locally until a password is set?

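Added example (mine, not korman's or anyone else's in the thread): a shell check that classifies the local password field of each /etc/shadow entry as locked or as a real hash, and inspects the auth section of a system-auth file to see whether an account with a locked local field can still log in through pam_krb5. The shadow lines, the hashes and the system-auth lines are constructed samples laid out like the authconfig/esxcfg-auth stack, not copied from a host, so treat the exact module paths and options as assumptions.

```shell
#!/bin/sh
# Added example, not from anyone in this thread. Two checks for a
# Kerberos-authenticated service console:
#  1. which local accounts carry a real password hash (only the local
#     service accounts should), versus a locked field that pam_unix can
#     never authenticate;
#  2. whether the PAM auth stack lets a locked account in via pam_krb5.
# All data below is constructed sample data, not from a real host.

SAMPLE_SHADOW2='root:$1$fakehash$xxxxxxxxxxxxxxxxxxxxxx:13800::::::
vpxuser:$1$fakehash$yyyyyyyyyyyyyyyyyyyyyy:13800::::::
jdoe:!!:13800:0:99999:7:::
asmith:!:13800:0:99999:7:::
oldadmin:$1$fakehash$zzzzzzzzzzzzzzzzzzzzzz:13800:0:99999:7:::
nobody:*:13800::::::'

# Classify field 2 of a shadow line.
#   locked  "!!" (useradd with no -p on Red Hat style systems), "!" or "*",
#           or "!<hash>" (passwd -l): no usable local secret, pam_unix
#           always fails for it, and there is nothing to crack offline
#   hash    a real local hash pam_unix would accept and an attacker who
#           reads /etc/shadow could attack offline
local_password_kind() {   # $1 = shadow field 2
    case "$1" in
        '!!'|'!'|'*'|'') echo locked ;;
        '!'*)            echo locked ;;
        *)               echo hash ;;
    esac
}

# Print "name:kind" for every account.
shadow_password_report() {   # $1 = shadow text
    printf '%s\n' "$1" | while IFS=: read -r name pw rest; do
        [ -n "$name" ] || continue
        echo "$name:$(local_password_kind "$pw")"
    done
}

# Accounts holding a real local hash, one per line. On a host like korman's
# this list should be just the handful of local service accounts.
accounts_with_local_hash() {   # $1 = shadow text
    shadow_password_report "$1" | awk -F: '$2 == "hash" { print $1 }'
}

# Constructed system-auth auth section in the authconfig layout (assumed,
# check your own /etc/pam.d/system-auth). With both modules "sufficient",
# pam_unix failing on "!!" is ignored and pam_krb5 decides the login.
SAMPLE_SYSTEM_AUTH='auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_krb5.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so'

# Verdict for a locked local account:
#   krb5-ok        pam_krb5 present, pam_unix not a hard requirement
#   unix-required  pam_unix is required/requisite, so a locked local
#                  field fails the stack even if Kerberos succeeds
#   no-krb5        no pam_krb5 auth line at all
pam_auth_verdict() {   # $1 = system-auth text
    printf '%s\n' "$1" | awk '
        $1 == "auth" && /pam_krb5/ { krb5 = 1 }
        $1 == "auth" && /pam_unix/ && ($2 == "required" || $2 == "requisite") { hard_unix = 1 }
        END {
            if (!krb5) print "no-krb5"
            else if (hard_unix) print "unix-required"
            else print "krb5-ok"
        }'
}

# Typical use on a host (as root):
#   accounts_with_local_hash "$(cat /etc/shadow)"
#   pam_auth_verdict "$(cat /etc/pam.d/system-auth)"
```

The relevant points for a setup like korman's: useradd without -p leaves `!!` in the second field, so there is no local secret to crack or to expire on the ESX side and pam_unix can never authenticate that account by itself; whether the AD password is accepted depends only on pam_krb5 being in the auth stack with pam_unix not marked required. If someone later "hardens" system-auth by making pam_unix required, every such account stops logging in, which is what the second check catches.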