VMware Cloud Community
Christian76
Contributor

Active Directory authentication

Hi,

I use the command

esxcfg-auth --enablead --addomain=mydomain.local --addc=mypdc.mydomain.local

to synchronize the user name with the Active Directory domain. I have also created the user in the service console, but when I tried to log on to the ESX service console I received the following error.

pam_krb5: authenticate error: Cannot read password (-1765328254)

pam_krb5: authentication fails for `admep'

(pam_unix)[5224]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=pippo user=pluto

sshd[5224]: Failed password for pluto from 10.10.10.10 port 51218 ssh2

Obviously Active Directory is up, the network is up, the server is up. The resolution is correct.

Does anyone have any idea?

Thanks.

4 Replies
kjb007
Immortal

Check your time. The time on your ESX host has to be within 5 minutes of the AD, else the Kerberos auth will fail.

-KjB

vExpert/VCP/VCAP vmwise.com / @vmwise -KjB
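The two failure causes discussed so far, clock skew and a PAM stack that falls through pam_krb5 to pam_unix, can be checked from the service console shell. The helpers below are example code added for this page, not a VMware tool or any poster's script; the 300-second clock skew limit is the Kerberos default, and the sample log lines are constructed from the ones quoted in the question.

```shell
#!/bin/sh
# Diagnostic helpers for the ESX / Active Directory login failure in this thread.
# Example code written for this page, not a VMware tool or a poster's script.

# Kerberos rejects authentication when client and KDC clocks differ by more
# than 300 seconds (the default clockskew), which is the cause kjb007 points at.
MAX_SKEW=300

# clock_skew_ok HOST_EPOCH DC_EPOCH
#   Prints the absolute skew in seconds; exit status 0 if it is within MAX_SKEW.
#   On a live host the inputs would be `date +%s` on the ESX host and on the DC.
clock_skew_ok() {
    skew=$(( $1 - $2 ))
    [ "$skew" -lt 0 ] && skew=$(( 0 - skew ))
    echo "$skew"
    [ "$skew" -le "$MAX_SKEW" ]
}

# classify_auth_line LINE
#   Maps one /var/log/messages or /var/log/secure line to a failure class so the
#   order of events is visible: pam_krb5 fails first, then the pam_unix fallback,
#   then sshd records the overall rejection.
classify_auth_line() {
    case "$1" in
        *"pam_krb5: authenticate error: Cannot read password"*) echo "krb5-no-password" ;;
        *"pam_krb5: authentication fails"*)                     echo "krb5-auth-failed" ;;
        *"(pam_unix)"*"authentication failure"*)                echo "unix-auth-failed" ;;
        *"sshd"*"Failed password for"*)                         echo "ssh-failed-password" ;;
        *)                                                      echo "other" ;;
    esac
}

# failed_ssh_users < LOG
#   Extracts "user source-ip" from sshd "Failed password" lines on stdin, for a
#   quick view of which accounts and source hosts are being rejected.
failed_ssh_users() {
    sed -n 's/.*Failed password for \([^ ]*\) from \([0-9.]*\) port.*/\1 \2/p'
}

# Constructed sample log, modelled on the lines quoted in the question.
SAMPLE_LOG=$(cat <<'EOF'
pam_krb5: authenticate error: Cannot read password (-1765328254)
pam_krb5: authentication fails for `admep'
(pam_unix)[5224]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=pippo user=pluto
sshd[5224]: Failed password for pluto from 10.10.10.10 port 51218 ssh2
EOF
)

# Walk the sample log, summarise rejected logins, then check a constructed
# skew of 420 s (host clock ahead of the DC).
printf '%s\n' "$SAMPLE_LOG" | while IFS= read -r line; do
    printf '%-20s %s\n' "$(classify_auth_line "$line")" "$line"
done
printf '%s\n' "$SAMPLE_LOG" | failed_ssh_users | sort | uniq -c
if skew=$(clock_skew_ok 1700000420 1700000000); then
    echo "clock skew ${skew}s: OK"
else
    echo "clock skew ${skew}s: exceeds ${MAX_SKEW}s, Kerberos will fail; fix NTP first"
fi
```

Run it as-is to see the classification of the constructed log; on a real host, feed `/var/log/secure` to `classify_auth_line` and `failed_ssh_users`, and compare `date +%s` from the ESX host and a domain controller with `clock_skew_ok` before looking anywhere else.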
jayolsen
Expert

Did you open up your firewall on the host?

esxcfg-firewall --openPort 88,tcp,out,KerberosClient

esxcfg-firewall --openPort 464,tcp,out,KerberosPasswordChange

Texiwill
Leadership

Hello,

Check out http://www.astroarch.com/wiki/index.php/Remote_Authentication for 2 AD integration techniques including full steps necessary to get things going.


Best regards,

Edward L. Haletky

VMware Communities User Moderator

====

Author of the book 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education. As well as the Virtualization Wiki at http://www.astroarch.com/wiki/index.php/Virtualization

--
Edward L. Haletky
vExpert XIV: 2009-2023,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill
atbnet
Expert

To enable active directory authentication on ESX servers you need to do the following...

1. Login to the ESX server as root. You may have to do this at the console, as the default configuration of SSH will deny access to the root user.

2. Run the following command, placing your own domain controller server name and domain name in the appropriate places.

/usr/sbin/esxcfg-auth --enablead --addomain=yourdomain.tld --addc=dc1.yourdomain.tld --krb5realm=yourdomain.tld --krb5kdc=dc1.yourdomain.tld --krb5adminserver=dc1.yourdomain.tld --krb5enable

3. Add a user from active directory that will be allowed to login to the ESX server.

/usr/sbin/useradd john.doe

NOTES:

Repeat steps 1 to 3 for each ESX server you have. Once this is complete, at least the passwords will not have to keep being updated; AD will manage that.

Repeat step 3 for each user you want to be able to log in; not all users will be allowed to log in, you have to specify which.

If you have more than one domain controller you can specify the "--addc=" option again when you run esxcfg-auth for redundancy.

Tested working on ESX 3.5 using Active Directory 2003. (Let me know if you have this working on anything else.)


Andy, VCP,

Andy Barnes
VCP / VCA-DT / MCITP:EA / CCIA
Help, Guides and How Tos... www.VMadmin.co.uk

If you found this information useful please award points using the buttons at the top of the page accordingly.
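The three steps above, together with the firewall rules from jayolsen's reply, as one dry-run wrapper. This is example code added for this page, not atbnet's script or a VMware tool; the domain, domain-controller and user names are constructed placeholders, and with DRY_RUN=1 (the default here) it only prints the commands it would run. It goes beyond the post in one way: any number of domain controllers can be passed, each becoming its own --addc, which is the redundancy the notes describe.

```shell
#!/bin/sh
# Dry-run wrapper for enabling AD authentication on one ESX 3.x host.
# Example code written for this page, not atbnet's script or a VMware tool.
# Only the options that appear in the thread are used:
#   esxcfg-auth --enablead --addomain --addc --krb5realm --krb5kdc --krb5adminserver --krb5enable
#   esxcfg-firewall --openPort PORT,tcp,out,NAME

# DRY_RUN=1 prints each command instead of executing it (default for this example).
DRY_RUN=${DRY_RUN:-1}

# run CMD ARG... : echo the command, then execute it unless DRY_RUN is set.
run() {
    echo "+ $*"
    [ "$DRY_RUN" = "1" ] || "$@"
}

# build_auth_cmd DOMAIN DC [DC...]
#   Emits the esxcfg-auth command line. The first DC is used as the realm's KDC
#   and admin server; every DC, the first included, is passed as its own --addc.
build_auth_cmd() {
    domain=$1
    first_dc=$2
    shift                       # "$@" is now the list of domain controllers
    cmd="/usr/sbin/esxcfg-auth --enablead --addomain=$domain"
    for dc in "$@"; do
        cmd="$cmd --addc=$dc"
    done
    cmd="$cmd --krb5realm=$domain --krb5kdc=$first_dc --krb5adminserver=$first_dc --krb5enable"
    echo "$cmd"
}

# enable_ad DOMAIN DC [DC...]
#   Step 2 plus the outbound Kerberos ports from jayolsen's reply. Without the
#   firewall rules the service console cannot reach the KDC and pam_krb5 fails.
enable_ad() {
    run esxcfg-firewall --openPort 88,tcp,out,KerberosClient
    run esxcfg-firewall --openPort 464,tcp,out,KerberosPasswordChange
    auth_cmd=$(build_auth_cmd "$@")
    echo "+ $auth_cmd"
    [ "$DRY_RUN" = "1" ] || $auth_cmd   # arguments are single tokens, so word splitting is safe
}

# add_users USER...
#   Step 3: only AD accounts that also exist locally may log in, so each
#   permitted user gets a matching local account (password stays in AD).
add_users() {
    for u in "$@"; do
        run /usr/sbin/useradd "$u"
    done
}

# Constructed placeholder values; substitute your own domain, DCs and users.
enable_ad yourdomain.tld dc1.yourdomain.tld dc2.yourdomain.tld
add_users john.doe jane.roe
```

Run it once per ESX host, as the notes say, and keep the printed command list as a record of what was applied; setting DRY_RUN=0 executes the same commands, which requires running it as root on the host.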