Hi,
I use the command
esxcfg-auth --enablead --addomain=mydomain.local --addc=mypdc.mydomain.local
to synchronize the user name with the Active Directory domain. I have also created the user in the service console, but when I tried to log on to the ESX service console I received the following error.
pam_krb5: authenticate error: Cannot read password (-1765328254)
pam_krb5: authentication fails for `admep'
(pam_unix)[5224]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=pippo user=pluto
sshd[5224]: Failed password for pluto from 10.10.10.10 port 51218 ssh2
Obviously Active Directory is up, the network is up, the server is up. The resolution is correct.
Does anyone have any idea?
Thanks.
Check your time. The time on your ESX host has to be within 5 minutes of the AD time, otherwise the Kerberos auth will fail.
-KjB
Did you open up your firewall on the host?
esxcfg-firewall --openPort 88,tcp,out,KerberosClient
esxcfg-firewall --openPort 464,tcp,out,KerberosPasswordChange
Hello,
Check out http://www.astroarch.com/wiki/index.php/Remote_Authentication for 2 AD integration techniques including full steps necessary to get things going.
Best regards,
Edward L. Haletky
VMware Communities User Moderator
====
Author of the book 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education. As well as the Virtualization Wiki at http://www.astroarch.com/wiki/index.php/Virtualization
To enable active directory authentication on ESX servers you need to do the following...
1. Login to the ESX server as root. You may have to do this at the console, as the default configuration of SSH will deny access to the root user.
2. Run the following command, placing your own domain controller server name and domain name in the appropriate places.
/usr/sbin/esxcfg-auth --enablead --addomain=yourdomain.tld --addc=dc1.yourdomain.tld --krb5realm=yourdomain.tld --krb5kdc=dc1.yourdomain.tld --krb5adminserver=dc1.yourdomain.tld --krb5enable
3. Add a user from active directory that will be allowed to login to the ESX server.
/usr/sbin/useradd john.doe
NOTES:
Repeat steps 1 to 3 for each ESX server you have. Once this is complete, at least the passwords will not have to keep being updated; AD will manage that.
Repeat step 3 for each user you want to be able to log in; not all users will be allowed to log in, you have to specify which.
If you have more than one domain controller you can specify the "--addc=" option again when you run esxcfg-auth for redundancy.
Tested working on ESX 3.5 using Active Directory 2003. (Let me know if you have this working on anything else.)
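Two checks worth running on the service console after the steps above, as an added example that is not from the thread or from VMware: the 5-minute clock-skew rule from the earlier reply, and a summary of failed SSH logins per user and source in the /var/log/messages format shown in the question. The host name, timestamps and log lines are constructed.

```shell
#!/bin/sh
# Added example, not from the thread or from VMware: post-setup checks for AD
# authentication on an ESX 3.x service console. Log lines and epochs are constructed.

MAX_SKEW=300   # Kerberos rejects requests when clocks differ by more than 5 minutes

# skew_ok LOCAL_EPOCH DC_EPOCH -> prints "ok", or "skew:<seconds>" when the clocks
# are too far apart. Feed it `date +%s` from the host and the same value read from
# the domain controller.
skew_ok() {
    diff=$(( $1 - $2 ))
    if [ "$diff" -lt 0 ]; then diff=$(( 0 - diff )); fi
    if [ "$diff" -le "$MAX_SKEW" ]; then
        echo ok
    else
        echo "skew:$diff"
    fi
}

# failed_logins LOGTEXT -> "<count> <user> <source ip>" for each failing pair,
# highest count first, taken from sshd "Failed password" lines.
failed_logins() {
    printf '%s\n' "$1" |
    awk '/Failed password for/ {
             for (i = 1; i <= NF; i++)
                 if ($i == "for") { user = $(i + 1); ip = $(i + 3) }
             n[user " " ip]++
         }
         END { for (k in n) print n[k], k }' | sort -rn
}

# Constructed sample in the format of the question's log excerpt.
SAMPLE_LOG='Feb 10 09:12:01 esx01 pam_krb5: authenticate error: Cannot read password (-1765328254)
Feb 10 09:12:01 esx01 sshd[5224]: Failed password for pluto from 10.10.10.10 port 51218 ssh2
Feb 10 09:12:09 esx01 sshd[5230]: Failed password for pluto from 10.10.10.10 port 51220 ssh2
Feb 10 09:13:40 esx01 sshd[5241]: Failed password for admep from 10.10.10.11 port 40112 ssh2
Feb 10 09:14:02 esx01 sshd[5250]: Accepted password for john.doe from 10.10.10.12 port 40120 ssh2'

echo "clock check: $(skew_ok 1200000000 1200000120)"   # constructed epochs, 120 s apart
echo "failed AD logins by user and source:"
failed_logins "$SAMPLE_LOG"
```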
