I'm unable to get Active Directory authentication to work in ESX Server 3.0.2. I followed the directions that I found in the VMware white paper. I ran:
esxcfg-auth --enablead --addomain=mydomain.com --addc=mydc.mydomain.com
I replaced my real domain with "mydomain". I can ping my DC from the service console. I can see that /etc/krb5.conf has changed to the following:
# Autogenerated by esxcfg-auth
[domain_realm]
 .mydomain.com = MYDOMAIN.COM
 mydomain.com = MYDOMAIN.COM
[libdefaults]
 default_realm = MYDOMAIN.COM
[realms]
 MYDOMAIN.COM = {
  admin_server = mydc.mydomain.com:464
  default_domain = mydomain.com
  kdc = mydc.mydomain.com:88
 }
I then created an account "useradd myuser"
Yet when I try to log in via ssh, the login fails. I see this in /var/log/messages:
Oct 10 17:33:14 rpbus115 sshd(pam_unix)[1437]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=myworkstation.mydomain.com user=myuser
Oct 10 17:33:15 rpbus115 sshd[1437]: pam_krb5: authenticate error: KRB5 error code 68 (-1765328316)
Oct 10 17:33:15 rpbus115 sshd[1437]: pam_krb5: authentication fails for `myuser'
Any ideas?
Here's a good article that has some good tips on setting this up...
ESX Server Integration with Active Directory - http://blog.scottlowe.org/2007/07/10/esx-server-ad-integration/
Thanks, Eric
Agreed, they have made significant changes with regard to AD integration: a single command is executed that automatically opens the appropriate firewall rules. Not like the ESX2 days when you needed to edit files and create directories/files only to have somewhat of an AD integration. The link that was sent was right on.
Once again, awesome link and very timely; it has just saved me a significant amount of research. I wish I could award you some points for that one, but you've got enough already.
If you found this or any other post helpful, please consider the use of the Helpful/Correct buttons to award points.
Kind Regards
Tom,
Here's a good article that has some good tips on setting this up...
ESX Server Integration with Active Directory - http://blog.scottlowe.org/2007/07/10/esx-server-ad-integration/
Thanks, but that article doesn't say anything different from the VMware document I used (http://www.vmware.com/vmtn/resources/582). All of the documents I have found about using Active Directory for authentication tell me to run "esxcfg-auth --enablead --addomain=example.com --addc=dc1.example.com" and then assume everything will work. Except for me it's not working, as I can see in the logs.
Stupid question, but have you opened the firewall ports?
Thank you
Dominic
Stupid question, but have you opened the firewall ports?
Hmm, that's a good question. I haven't explicitly opened any ports; however, when I run esxcfg-firewall -q I see activeDirectorKerberos listed in the "Enabled Services" list at the bottom. I do see this item enabled in the VI Client security profile page. It claims that outgoing ports 464 and 88 are enabled. Here's the output from esxcfg-firewall -q in case it helps:
Chain INPUT (policy DROP 10001 packets, 721K bytes)
pkts bytes target prot opt in out source destination
7260 2538K ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
16003 2107K valid-tcp-flags tcp -- * * 0.0.0.0/0 0.0.0.0/0
16117 2110K valid-source-address !udp -- * * 0.0.0.0/0 0.0.0.0/0
4103 485K valid-source-address-udp udp -- * * 0.0.0.0/0 0.0.0.0/0
6671 293K valid-source-address tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x16/0x02
6 408 icmp-in icmp -- * * 0.0.0.0/0 0.0.0.0/0
9430 1821K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
1 48 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:902 state NEW
296 17704 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 state NEW
261 15100 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 state NEW
36 11392 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spts:67:68 dpts:67:68
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:427
1 40 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:427 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:5989 state NEW
174 6960 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpts:2050:5000 state NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:2050:5000 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpts:8042:8045 state NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:8042:8045 state NEW
10 580 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:5988 state NEW
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
7260 2538K ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
11783 8409K valid-tcp-flags tcp -- * * 0.0.0.0/0 0.0.0.0/0
6 408 icmp-out icmp -- * * 0.0.0.0/0 0.0.0.0/0
12 864 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spts:1024:65535 dpt:53
11861 8415K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:902 state NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spts:67:68 dpts:67:68
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:427
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:427 state NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:902 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpts:2050:5000 state NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:2050:5000 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpts:8042:8045 state NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:8042:8045 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:464 state NEW
4 240 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:88 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:27000 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:27010 state NEW
46 4108 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain icmp-in (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 0
6 408 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 3 code 4
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain icmp-out (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
6 408 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain log-and-drop (7 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 6 level 7
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain valid-source-address (2 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 127.0.0.1 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/8 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 255.255.255.255
Chain valid-source-address-udp (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 127.0.0.1 0.0.0.0/0
4 1390 DROP all -- * * 0.0.0.0/8 0.0.0.0/0
Chain valid-tcp-flags (2 references)
pkts bytes target prot opt in out source destination
0 0 log-and-drop tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x00
0 0 log-and-drop tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x11/0x01
0 0 log-and-drop tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x18/0x08
0 0 log-and-drop tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x30/0x20
0 0 log-and-drop tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x03/0x03
0 0 log-and-drop tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x06
0 0 log-and-drop tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x05/0x05
Incoming and outgoing ports blocked by default.
Enabled services: CIMSLP CIMHttpsServer vpxHeartbeats AAMClient activeDirectorKerberos LicenseClient sshServer CIMHttpServer
Opened ports:
Sorry about the formatting. I don't know how to make this use a monospaced font.
try this one => esxcfg-firewall -e kerberos
Thank you
try this one => esxcfg-firewall -e kerberos
That looks like it opened another port, but I still can't log in. When logging in with my test user I still get this in /var/log/messages:
sshd[1869]: pam_krb5: authenticate error: KRB5 error code 68 (-1765328316)
Do you know what error code 68 is? From my google searches, it seems to be an undocumented error.
error code 68 is related to your kdc "KDC_ERR_WRONG"
Try to specify a DC in your command:
esxcfg-auth --disablead
esxcfg-auth --enablead --addomain=mydomain.com --addc=dc.mydomain.com
This one opens port 88 (kerberos) and 464 (kpasswd).
If it does not work, then try this:
esxcfg-auth --disablead
esxcfg-auth --enablekrb5 --krb5realm=mydomain.com --krb5kdc=kdc.mydomain.com --krb5adminserver=mydomain.com
This one opens port 88 (kerberos) and 749 (kerberos-adm).
Both work for me.
Thank you
Dominic
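Two things in this thread are worth being able to check mechanically: what the two numbers in the pam_krb5 log line ("KRB5 error code 68 (-1765328316)") actually mean, and whether the realm mapping esxcfg-auth wrote into /etc/krb5.conf is internally consistent. The script below is an added example written for this page; it is not from the thread, from VMware or from esxcfg-auth. It assumes the standard MIT krb5 com_err table base and the RFC 4120 KRB-ERROR code numbers; the sample krb5.conf is a constructed reconstruction of the one posted in the first message with the section headers put back, and the sample log line is constructed to match the one quoted above.

```python
"""Decode pam_krb5 KRB5 error numbers and sanity-check a krb5.conf realm mapping.

Added example for this thread, not code from VMware or esxcfg-auth.
"""
import re

# MIT krb5 reports protocol error N as the com_err value BASE + N.
KRB5_ERROR_TABLE_BASE = -1765328384

# Subset of RFC 4120 KRB-ERROR codes that a PAM/ssh login commonly hits.
KRB_ERROR_NAMES = {
    6: "KDC_ERR_C_PRINCIPAL_UNKNOWN",   # client principal not in this realm
    7: "KDC_ERR_S_PRINCIPAL_UNKNOWN",   # service principal not found
    12: "KDC_ERR_POLICY",
    14: "KDC_ERR_ETYPE_NOSUPP",
    18: "KDC_ERR_CLIENT_REVOKED",       # account disabled or locked
    23: "KDC_ERR_KEY_EXPIRED",          # password expired
    24: "KDC_ERR_PREAUTH_FAILED",       # wrong password
    25: "KDC_ERR_PREAUTH_REQUIRED",
    37: "KRB_AP_ERR_SKEW",              # clock skew too great
    68: "KDC_ERR_WRONG_REALM",          # request sent to a KDC for the wrong realm
}

LOG_RE = re.compile(r"KRB5 error code (\d+) \((-?\d+)\)")


def decode_krb5_comerr(code):
    """Map a com_err value such as -1765328316 to (protocol_code, name)."""
    offset = code - KRB5_ERROR_TABLE_BASE
    if not 0 <= offset <= 127:
        return None
    return offset, KRB_ERROR_NAMES.get(offset, "UNKNOWN_KRB_ERROR_%d" % offset)


def decode_log_line(line):
    """Decode a pam_krb5 'authenticate error' line; both numbers must agree."""
    m = LOG_RE.search(line)
    if not m:
        return None
    proto, comerr = int(m.group(1)), int(m.group(2))
    decoded = decode_krb5_comerr(comerr)
    if decoded is None or decoded[0] != proto:
        raise ValueError("inconsistent error numbers in: %r" % line)
    return decoded


def parse_krb5_conf(text):
    """Minimal krb5.conf parser: [section] headers, key = value lines and one
    level of `NAME = { ... }` blocks, which is all esxcfg-auth emits."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:
            section, block = conf.setdefault(m.group(1), {}), None
            continue
        if section is None:
            raise ValueError("key outside of a section: %r" % raw)
        if line == "}":
            block = None
            continue
        key, _, value = (p.strip() for p in line.partition("="))
        if value == "{":
            block = section.setdefault(key, {})
        elif block is not None:
            block[key] = value
        else:
            section[key] = value
    return conf


def realm_for_host(conf, hostname):
    """Approximation of libkrb5's [domain_realm] lookup: the exact host name,
    then each parent domain with a leading dot, then default_realm."""
    domain_realm = conf.get("domain_realm", {})
    labels = hostname.lower().split(".")
    if ".".join(labels) in domain_realm:
        return domain_realm[".".join(labels)]
    for i in range(1, len(labels)):
        key = "." + ".".join(labels[i:])
        if key in domain_realm:
            return domain_realm[key]
    return conf.get("libdefaults", {}).get("default_realm")


def check_config(conf, hostname):
    """Return findings about the realm a login on `hostname` will use; an empty
    list means default_realm, [domain_realm] and [realms] agree."""
    findings = []
    realms = conf.get("realms", {})
    default_realm = conf.get("libdefaults", {}).get("default_realm")
    if not default_realm:
        findings.append("[libdefaults] has no default_realm")
    for realm in set(conf.get("domain_realm", {}).values()) | ({default_realm} - {None}):
        if realm != realm.upper():
            findings.append("realm %r is not upper-case (realm names are case-sensitive)" % realm)
        if realm not in realms:
            findings.append("realm %r has no [realms] block" % realm)
        elif "kdc" not in realms[realm]:
            findings.append("realm %r lists no kdc" % realm)
    mapped = realm_for_host(conf, hostname)
    if mapped not in realms:
        findings.append("host %s maps to realm %r, which has no [realms] block" % (hostname, mapped))
    return findings


# Constructed reconstruction of the krb5.conf from the first post, headers restored.
SAMPLE_KRB5_CONF = """\
# Autogenerated by esxcfg-auth
[domain_realm]
 .mydomain.com = MYDOMAIN.COM
 mydomain.com = MYDOMAIN.COM
[libdefaults]
 default_realm = MYDOMAIN.COM
[realms]
 MYDOMAIN.COM = {
  admin_server = mydc.mydomain.com:464
  default_domain = mydomain.com
  kdc = mydc.mydomain.com:88
 }
"""
# Constructed variant with a lower-case default_realm, to show a finding.
BROKEN_KRB5_CONF = SAMPLE_KRB5_CONF.replace("default_realm = MYDOMAIN.COM",
                                            "default_realm = mydomain.com")
# Constructed log line modelled on the one quoted in the thread.
SAMPLE_LOG_LINE = ("Oct 10 17:33:15 host sshd[1437]: pam_krb5: authenticate error: "
                   "KRB5 error code 68 (-1765328316)")

if __name__ == "__main__":
    print(decode_log_line(SAMPLE_LOG_LINE))
    conf = parse_krb5_conf(SAMPLE_KRB5_CONF)
    print("realm for rpbus115.mydomain.com:", realm_for_host(conf, "rpbus115.mydomain.com"))
    for finding in check_config(parse_krb5_conf(BROKEN_KRB5_CONF), "rpbus115.mydomain.com"):
        print("finding:", finding)
```

Run on the quoted log line it reports (68, 'KDC_ERR_WRONG_REALM'), confirming that the two numbers are the same RFC 4120 error seen through MIT's com_err table, and that the KDC answering is not the one authoritative for the realm the host asked for. The consistency check is deliberately narrow: it only verifies that the realm names, the host-to-realm mapping and the [realms] blocks agree with one another, which is exactly the part of esxcfg-auth's output a reader can inspect offline.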