I followed the procedures for setting up AD to be used when logging on to the console.
Then run:
# esxcfg-auth --enablead --addomain=domain.com --addc=domain.com
I verified that the firewall ports were opened on the console and that the DC could be pinged. There are no firewalls between my host and the DC.
I then created a user that was already in active directory.
useradd username
When I ssh I get access denied. Did I need to add the user to any special groups?
Thanks
Do you have some remote DC servers which are behind firewalls? When using the domain name in the --addc option, some remote DCs will also be contacted.
What does /var/log/messages say? Look out for "Clock skew too great", which means that you need to sync your clock. Kerberos needs proper time synchronisation.
http://www.vmware.com/pdf/esx3_esxcfg_auth_tn.pdf
Message was edited by:
bister
You still need to create a local user account on the ESX host.
ie. /usr/sbin/useradd jsmith
then the command should be:
esxcfg-auth --enablead --addomain domain.com --addc dc1.domain.com --krb5realm domain.com --krb5kdc dc1.domain.com --krb5adminserver dc1.domain.com
I use
esxcfg-auth --enablead --addomain domain.com --addc domain.com
useradd domainuser
that works.
Not to forget configuring NTPD properly.
Not to forget configuring NTPD properly.
I think that gets lost in the shuffle more times than not. Proper timekeeping for both the ESX hosts and guests is important in an Active Directory environment, as Kerberos has a +/- 5 minute leeway in time between the DC and the system trying to authenticate...
Correct.
I did what you did bryanwmann and I couldn't get it to work. I made sure that my time was being synced from the same source as the domain controllers, and it still will not work for me.
You do not need to do that, and it is better to specify the domain and not a specific DC.
As a side note: because ESX is not site-aware as Windows servers are, if you have DCs in different locations which are protected by firewalls, it's possible that you receive the IP address of a DC behind a firewall when trying to use --addc=domain.com. We solved this by manually creating a DNS entry for the site with all DCs of that site: site-dc.domain.com, i.e. --addc=site-dc.domain.com. Now we have ESX sort of site-aware.
In my testing of the stuff that I have done, I had ESX set up to look for the domain, and then DNS would return the closest DC for ESX to authenticate to.
Are you using MS-DNS? How did you configure this?
Yes, I am using MS DNS and really did not do anything at all to make it work. Set up this way, any time I ping the domain name I get a reply from a DC in the same site as the ESX server.
Lucky you
I'll push my DNS-guys to check that...
Regards,
Christian
You would have to have the special SRV resource records in your DNS that domain controllers create for themselves for what Steve is describing to work. These records are in the _msdcs, _sites, _tcp and _udp folders in DNS and include _kerberos, _ldap, _gc & _kpasswd entries. These records are what member workstations use to find out where domain controllers are located. DCs automatically create them when the Netlogon service starts if they do not already exist.
http://www.petri.co.il/active_directory_srv_records.htm
Also if you do not have them in your DNS you can specify multiple domain controllers for ESX to use. Use the --addc switch multiple times to add more domain controllers to the list.
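Added example to illustrate the post above (not code from the thread or from VMware): a small model of how a client walks the Netlogon SRV names to find KDCs. A site-aware client asks for the _kerberos._tcp.<site>._sites.dc._msdcs.<domain> record first and only falls back to the domain-wide _kerberos._tcp.dc._msdcs.<domain> record, which is why a plain domain lookup can hand back a DC from another site. The zone contents, host names, site name and weights are constructed; the record names follow the standard Netlogon registrations, and ordering within an answer follows RFC 2782.

```python
"""SRV-based domain controller discovery, site-aware vs. domain-wide.

Added example for the post above; it is not code from the thread or from VMware.
The zone data is constructed. Record names follow the Netlogon registrations
(_kerberos._tcp.<site>._sites.dc._msdcs.<domain>, _kerberos._tcp.dc._msdcs.<domain>,
_kerberos._tcp.<domain>); the hostnames, site name and weights are made up.
"""
import random

# Constructed stand-in for the DNS zone: SRV name -> [(priority, weight, port, target), ...]
ZONE = {
    "_kerberos._tcp.dc._msdcs.corp.example": [
        (0, 100, 88, "dc1.corp.example"),
        (0, 100, 88, "dc2.corp.example"),
        (0, 100, 88, "dc-branch.corp.example"),   # DC in another site, behind a firewall
    ],
    "_kerberos._tcp.HQ._sites.dc._msdcs.corp.example": [
        (0, 100, 88, "dc1.corp.example"),
        (0, 50, 88, "dc2.corp.example"),
    ],
    "_kpasswd._tcp.corp.example": [
        (0, 0, 464, "dc1.corp.example"),
    ],
}


def kdc_query_names(domain, site=None):
    """Names a client queries to find KDCs, most specific first.

    A site-aware client (a Windows member) tries the _sites name first; a client
    that only knows the domain goes straight to the domain-wide records.
    """
    names = []
    if site:
        names.append(f"_kerberos._tcp.{site}._sites.dc._msdcs.{domain}")
    names.append(f"_kerberos._tcp.dc._msdcs.{domain}")
    names.append(f"_kerberos._tcp.{domain}")
    return names


def order_srv(records, rng=None):
    """Order SRV records as RFC 2782 prescribes: ascending priority, then a
    weighted random draw within each priority (weight 0 gets the smallest share)."""
    rng = rng or random.Random()
    ordered = []
    for prio in sorted({r[0] for r in records}):
        pool = [r for r in records if r[0] == prio]
        pool.sort(key=lambda r: r[1] != 0)   # weight-0 entries first, per RFC 2782
        while pool:
            total = sum(r[1] for r in pool)
            pick = rng.randint(0, total)
            running = 0
            for rec in pool:
                running += rec[1]
                if running >= pick:
                    ordered.append(rec)
                    pool.remove(rec)
                    break
    return ordered


def resolve_kdcs(zone, domain, site=None, rng=None):
    """Return KDC targets in the order a client would try them, using the first
    SRV name that has an answer. Returns [] when no record exists, which is the
    case that surfaces as 'Cannot resolve network address for KDC'."""
    for name in kdc_query_names(domain, site):
        answer = zone.get(name)
        if answer:
            return [rec[3] for rec in order_srv(answer, rng)]
    return []


if __name__ == "__main__":
    print("site-aware (HQ):", resolve_kdcs(ZONE, "corp.example", site="HQ"))
    print("domain-wide:    ", resolve_kdcs(ZONE, "corp.example"))
    print("typo in domain: ", resolve_kdcs(ZONE, "corp.exmaple"))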
Time looks good, it was one of the first things I set up correctly before installing any VMs. What I get is
Cannot resolve network address for KDC in requested realm (-1765328164)
So is it DNS or Kerberos? I can ping all DCs.
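Added example for the "check /var/log/messages" advice earlier in the thread and for the error quoted just above (not code from the thread or from VMware): a triage script that reads syslog-style lines, picks out the Kerberos failure text that pam_krb5 logs, and maps each to a root-cause class. The sample log lines are constructed to resemble ESX service console output and are not a real capture; the error strings themselves come from the MIT Kerberos error table, and the numeric code quoted above (-1765328164) is MIT krb5's KRB5_REALM_CANT_RESOLVE, a name-resolution problem rather than a time or password problem.

```python
"""Triage Kerberos/PAM failures from /var/log/messages.

Added example for the thread; not code from the original posts or from VMware.
The sample lines are constructed to resemble pam_krb5 messages on an ESX 3
service console; real wording can differ, so matching is done on the Kerberos
error text, which comes from MIT Kerberos' error table.
"""
import re

# Constructed sample of /var/log/messages (not a real capture).
SAMPLE_LOG = [
    "Apr 12 10:15:02 esx01 sshd[2345]: pam_krb5[2345]: authentication fails for 'jsmith': Clock skew too great",
    "Apr 12 10:16:40 esx01 sshd[2350]: pam_krb5[2350]: authentication fails for 'jsmith': Cannot resolve network address for KDC in requested realm (-1765328164)",
    "Apr 12 10:17:01 esx01 sshd[2351]: pam_krb5[2351]: authentication fails for 'bob': Client not found in Kerberos database",
    "Apr 12 10:18:00 esx01 sshd[2352]: Accepted password for jsmith from 10.0.0.5 port 51234 ssh2",
]

# (error text, root-cause class, what to check). The first two are the messages
# quoted in the thread; -1765328164 is MIT krb5's KRB5_REALM_CANT_RESOLVE.
SIGNATURES = [
    ("Clock skew too great", "time",
     "host clock is outside the KDC's 5-minute tolerance: point ntpd at the same source as the DCs"),
    ("Cannot resolve network address for KDC", "dns",
     "realm name did not resolve: check the spelling of --addomain/--addc and the _kerberos._tcp SRV records"),
    ("Cannot contact any KDC", "network",
     "name resolved but no KDC answered: check firewalls for UDP/TCP 88 toward the DCs that DNS returned"),
    ("Client not found in Kerberos database", "identity",
     "the local useradd name has no matching AD account in this realm"),
    ("Preauthentication failed", "credentials",
     "password rejected for an existing principal"),
]

SYSLOG_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s+(?P<host>\S+)\s+(?P<proc>[^:]+):\s(?P<msg>.*)$")
USER_RE = re.compile(r"\bfor '?(?P<user>[A-Za-z0-9._@\\-]+)'?")


def classify(msg):
    """Map one message to (class, hint), or None when it is not a known Kerberos failure."""
    for needle, cls, hint in SIGNATURES:
        if needle in msg:
            return cls, hint
    return None


def triage(lines):
    """Parse syslog lines and return one finding per recognised Kerberos failure."""
    findings = []
    for line in lines:
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        hit = classify(m.group("msg"))
        if hit is None:
            continue
        user = USER_RE.search(m.group("msg"))
        findings.append({
            "ts": m.group("ts"), "host": m.group("host"),
            "user": user.group("user") if user else None,
            "class": hit[0], "hint": hit[1],
        })
    return findings


def summarize(findings):
    """Count findings per root-cause class so the dominant problem stands out."""
    counts = {}
    for f in findings:
        counts[f["class"]] = counts.get(f["class"], 0) + 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"{f['ts']} {f['user'] or '-':10} {f['class']:11} {f['hint']}")
    print(summarize(results))
```

On the sample input the second line is classed as "dns": pinging the DCs proves nothing here, because the realm name itself has to resolve to KDC records, which is exactly where a misspelled domain name in esxcfg-auth shows up.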
Oh, I got it working and I am prepared for the thrashing... I had a typo in the domain name. I disabled and re-enabled and TA-DA, it works...
Rule 1-check logs
Rule 2- check typing.....:)
DOH!!!!! I hate it when that happens
Quick question to clarify: you have multiple sites defined and the PAM module gets only responses from the DCs in its site? I ask because our DNS is configured by default and all the SRV records are created and present, and when connecting to ESX by SSH it receives responses from DCs in other sites.
You can use Veeam RootAccess, a free tool by Veeam. Veeam RootAccess Wizard helps you to automatically enable or disable remote root access, or create a regular non-root user account.
You can find more info and free download here: http://www.vmweekly.com/ask_an_expert/i_am_unable_to_login_to_esx_server_with_root_or_a_root_like_id...
Jeff
I am not working for but associated with Veeam Software