VMware Cloud Community
bryanwmann
Enthusiast

AD authentication and SSH access

I followed the procedures for setting up AD to be used when logging on to the console.

Then run:

# esxcfg-auth --enablead --addomain=domain.com --addc=domain.com

I verified that the firewall ports were opened on the console and that the DC could be pinged. There are no firewalls between my host and the DC.

I then created a user that was already in active directory.

useradd username

When I ssh I get access denied. Did I need to add the user to any special groups?

Thanks

26 Replies
sbeaver
Leadership

That might indicate a Sites and Services issue. From ESX, if you ping domain.com, a DC in that site should respond.

Steve Beaver
VMware Communities User Moderator
VMware vExpert 2009 - 2020
VMware NSX vExpert - 2019 - 2020
====
Co-Author of "VMware ESX Essentials in the Virtual Data Center"
(ISBN:1420070274) from Auerbach
Come check out my blog: http://www.virtualizationpractice.com/blog/
Come follow me on twitter http://www.twitter.com/sbeaver

**The Cloud is a journey, not a project.**
esiebert7625
Immortal

Typically the way you control that is by changing the priority and weight of DNS SRV records.

http://technet2.microsoft.com/WindowsServer/en/library/9d62e91d-75c3-4a77-ae93-a8804e9ff2a11033.mspx...

admin
Immortal

Anyone ever used the AllowGroup in the /etc/ssh/sshd_config when ESX is using AD for authentication? Will it allow the AD Groups to be specified without adding them to the /etc/group file? If not, how much info needs to be in the group file? In other words, do all members of the AD group need to be listed in the /etc/group file?

sbeaver
Leadership

You will need to get winbind set up to be able to do that

Steve Beaver
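How sshd's AllowGroups check depends on the group names the system resolves for a user, which is why an AD group has to be resolvable through winbind or /etc/group before it can grant SSH access. This is an added example, not code from any post in this thread; the group name esx-admins and the sample config are constructed, and negated (!) patterns are not modelled.

```python
import fnmatch
import grp
import os
import pwd

# Constructed sshd_config fragment; "esx-admins" is a hypothetical AD group name.
SAMPLE_SSHD_CONFIG = """\
PermitRootLogin no
# only members of these groups may log in over SSH
AllowGroups wheel esx-admins
"""

def allow_groups(config_text):
    """Collect group-name patterns from AllowGroups lines (keyword is case-insensitive).
    Assumption of this sketch: patterns from all such lines are combined."""
    patterns = []
    for line in config_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if fields and fields[0].lower() == "allowgroups":
            patterns.extend(fields[1:])
    return patterns

def login_allowed(user_groups, patterns):
    """Allow only if a primary or supplementary group *name* matches a pattern.
    fnmatch approximates sshd's '*' and '?' wildcards; with no AllowGroups
    configured this check does not restrict anyone."""
    if not patterns:
        return True
    return any(fnmatch.fnmatchcase(g, p) for g in user_groups for p in patterns)

def nss_groups(user):
    """Group names the local name service (files, winbind, ...) resolves for user."""
    names = []
    for gid in os.getgrouplist(user, pwd.getpwnam(user).pw_gid):
        try:
            names.append(grp.getgrgid(gid).gr_name)
        except KeyError:
            pass  # a GID with no resolvable name can never match a name pattern
    return names

if __name__ == "__main__":
    patterns = allow_groups(SAMPLE_SSHD_CONFIG)
    # Constructed cases: the same user before and after the AD group resolves.
    print("AD group not resolvable:", login_allowed(["users"], patterns))
    print("AD group via winbind:   ", login_allowed(["users", "esx-admins"], patterns))
    me = pwd.getpwuid(os.getuid()).pw_name
    print("this host resolves for", me, "->", nss_groups(me))
```

On a real host, feed `nss_groups("username")` and the contents of /etc/ssh/sshd_config into `login_allowed` to see whether the AD group is visible to sshd at all.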
admin
Immortal

Student has AD already configured on the ESX server. They want to use the existing admin group defined in AD and give them access to ssh. Found documentation that says user account must be added to ESX SC for AD users to have login access. Can't find any info about using groups, but sshd_config does have the AllowGroup option.

sbeaver
Leadership

I wrote a script that can take care of that. PM me with your email

Steve Beaver
Coldfire78
Contributor

sbeaver, could you send me that script? I also want to enable access based on AD on our ESX environment on a group basis.

Really appreciated!
