VMware Cloud Community
prime
Contributor

Active directory authentication not working

I'm unable to get active directory authentication to work in ESX Server 3.0.2. I followed the directions that I found in the VMware white paper. I ran:

esxcfg-auth --enablead --addomain=mydomain.com --addc=mydc.mydomain.com

I replaced my real domain with "mydomain". I can ping my DC from the service console. I can see that /etc/krb5.conf has changed to the following:

# Autogenerated by esxcfg-auth

[domain_realm]
.mydomain.com = MYDOMAIN.COM
mydomain.com = MYDOMAIN.COM

[libdefaults]
default_realm = MYDOMAIN.COM

[realms]
MYDOMAIN.COM = {
admin_server = mydc.mydomain.com:464
default_domain = mydomain.com
kdc = mydc.mydomain.com:88
}

I then created an account "useradd myuser"

Yet when I try to log in via ssh, the login fails. I see this in /var/log/messages:

Oct 10 17:33:14 rpbus115 sshd(pam_unix)[1437]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=myworkstation.mydomain.com user=myuser

Oct 10 17:33:15 rpbus115 sshd[1437]: pam_krb5: authenticate error: KRB5 error code 68 (-1765328316)

Oct 10 17:33:15 rpbus115 sshd[1437]: pam_krb5: authentication fails for `myuser'

Any ideas?

esiebert7625
Immortal

Here's a good article that has some good tips on setting this up...

ESX Server Integration with Active Directory - http://blog.scottlowe.org/2007/07/10/esx-server-ad-integration/

Thanks, Eric

CiscoKid
Enthusiast

Agreed, they have made significant changes with regards to AD integration, down to a single line of code that is executed and automatically opens the appropriate firewall rules. Not like the ESX2 days when you needed to edit files and create directories/files only to have somewhat of an AD integration. The link that was sent was right on.

TomHowarth
Leadership

Once again, awesome link and very timely; it has just saved me a significant amount of research. I wish I could award you some points for that one, but you've got enough already.

If you found this or any other post helpful, please consider using the Helpful/Correct buttons to award points.

Kind Regards

Tom,

Tom Howarth VCP / VCAP / vExpert
VMware Communities User Moderator
Blog: http://www.planetvm.net
Contributing author on VMware vSphere and Virtual Infrastructure Security: Securing ESX and the Virtual Environment
Contributing author on VCP VMware Certified Professional on VSphere 4 Study Guide: Exam VCP-410
prime
Contributor

Here's a good article that has some good tips on setting this up...

ESX Server Integration with Active Directory - http://blog.scottlowe.org/2007/07/10/esx-server-ad-integration/

Thanks, but that article doesn't say anything different from the VMware document I used (http://www.vmware.com/vmtn/resources/582). All of the documents I have found about using Active Directory for authentication tell me to run "esxcfg-auth --enablead --addomain=example.com --addc=dc1.example.com" and then assume everything will work. Except for me it's not working, as I can see in the logs.

fordian
Hot Shot

Stupid question, but have you opened the firewall ports?

Thank you

Dominic

prime
Contributor

Stupid question, but have you opened the firewall ports?

Hmm, that's a good question. I haven't explicitly opened any ports; however when I run esxcfg-firewall -q I see activeDirectorKerberos listed in "Enabled Services" list at the bottom. I do see this item enabled in the VI Client security profile page. It claims that outgoing ports 464 and 88 are enabled. Here's the output from esxcfg-firewall -q in case it helps:

Chain INPUT (policy DROP 10001 packets, 721K bytes)
pkts bytes target prot opt in out source destination
7260 2538K ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
16003 2107K valid-tcp-flags tcp -- * * 0.0.0.0/0 0.0.0.0/0
16117 2110K valid-source-address !udp -- * * 0.0.0.0/0 0.0.0.0/0
4103 485K valid-source-address-udp udp -- * * 0.0.0.0/0 0.0.0.0/0
6671 293K valid-source-address tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x16/0x02
6 408 icmp-in icmp -- * * 0.0.0.0/0 0.0.0.0/0
9430 1821K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
1 48 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:902 state NEW
296 17704 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 state NEW
261 15100 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 state NEW
36 11392 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spts:67:68 dpts:67:68
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:427
1 40 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:427 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:5989 state NEW
174 6960 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpts:2050:5000 state NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:2050:5000 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpts:8042:8045 state NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:8042:8045 state NEW
10 580 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:5988 state NEW

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
7260 2538K ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
11783 8409K valid-tcp-flags tcp -- * * 0.0.0.0/0 0.0.0.0/0
6 408 icmp-out icmp -- * * 0.0.0.0/0 0.0.0.0/0
12 864 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spts:1024:65535 dpt:53
11861 8415K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:902 state NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spts:67:68 dpts:67:68
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:427
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:427 state NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:902 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpts:2050:5000 state NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:2050:5000 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpts:8042:8045 state NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:8042:8045 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:464 state NEW
4 240 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:88 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:27000 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:27010 state NEW
46 4108 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable

Chain icmp-in (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 0
6 408 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 3 code 4
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain icmp-out (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
6 408 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain log-and-drop (7 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 6 level 7
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain valid-source-address (2 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 127.0.0.1 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/8 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 255.255.255.255

Chain valid-source-address-udp (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 127.0.0.1 0.0.0.0/0
4 1390 DROP all -- * * 0.0.0.0/8 0.0.0.0/0

Chain valid-tcp-flags (2 references)
pkts bytes target prot opt in out source destination
0 0 log-and-drop tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x00
0 0 log-and-drop tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x11/0x01
0 0 log-and-drop tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x18/0x08
0 0 log-and-drop tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x30/0x20
0 0 log-and-drop tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x03/0x03
0 0 log-and-drop tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x06
0 0 log-and-drop tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x05/0x05

Incoming and outgoing ports blocked by default.
Enabled services: CIMSLP CIMHttpsServer vpxHeartbeats AAMClient activeDirectorKerberos LicenseClient sshServer CIMHttpServer
Opened ports:

Sorry about the formatting. I don't know how to make this use a monospaced font.

fordian
Hot Shot

try this one => esxcfg-firewall -e kerberos

Thank you

prime
Contributor

try this one => esxcfg-firewall -e kerberos

That looks like it opened another port, but I still can't log in. When logging in with my test user, I still get this in /var/log/messages:

sshd[1869]: pam_krb5: authenticate error: KRB5 error code 68 (-1765328316)

Do you know what error code 68 is? From my Google searches, it seems to be an undocumented error.

fordian
Hot Shot

Error code 68 is related to your KDC ("KDC_ERR_WRONG").

Try to specify a DC in your command:

esxcfg-auth --disablead

esxcfg-auth --enablead --addomain=mydomain.com --addc=dc.mydomain.com

This one opens port 88 (kerberos) and 464 (kpasswd).

If it does not work, then try this:

esxcfg-auth --disablead

esxcfg-auth --enablekrb5 --krb5realm=mydomain.com --krb5kdc=kdc.mydomain.com --krb5adminserver=mydomain.com

This one opens port 88 (kerberos) and 749 (kerberos-adm).

Both work for me.

Thank you

Dominic

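The two things this thread turns on, checked offline, as an added example that is not from the thread or from VMware: whether every KDC port named in the generated krb5.conf has an outbound ACCEPT rule in the esxcfg-firewall -q OUTPUT chain, and what the pam_krb5 error code in /var/log/messages means (code 68 is KDC_ERR_WRONG_REALM in RFC 4120, and the negative number is MIT's com_err table base plus the code). It assumes MIT krb5 default ports (88 for kdc, 749 for admin_server) when no :port is given; the sample config, firewall dump and log line are constructed to mirror the ones posted above.

```python
# Added example, not from this thread or from VMware: cross-check the KDC ports
# an esxcfg-auth krb5.conf requires against the OUTPUT chain of
# "esxcfg-firewall -q", and decode pam_krb5's "KRB5 error code N (-17653283xx)".
import re

KRB5_ERR_BASE = -1765328384  # MIT com_err ERROR_TABLE_BASE_krb5; the log shows BASE + N
KRB5_ERR_NAMES = {  # only the code this thread hits; name per RFC 4120 section 7.5.9
    68: "KDC_ERR_WRONG_REALM: the KDC does not serve the realm that was requested",
}

def required_kdc_ports(krb5_conf):
    """{port: role} from kdc/admin_server lines; MIT defaults 88 and 749 if no :port."""
    defaults = {"kdc": 88, "admin_server": 749}
    ports = {}
    for role, host in re.findall(r"^\s*(kdc|admin_server)\s*=\s*(\S+)", krb5_conf, re.M):
        ports[int(host.rsplit(":", 1)[1]) if ":" in host else defaults[role]] = role
    return ports

def accepted_output_tcp_ports(fw_dump):
    """Ports with an 'ACCEPT tcp ... tcp dpt:N' rule in the OUTPUT chain only."""
    chain = fw_dump.split("Chain OUTPUT", 1)[1].split("\nChain ", 1)[0]
    return {int(p) for p in re.findall(r"ACCEPT\s+tcp\b.*tcp dpt:(\d+)", chain)}

def missing_egress(krb5_conf, fw_dump):
    """Required KDC ports that have no outbound ACCEPT rule, e.g. {749: 'admin_server'}."""
    allowed = accepted_output_tcp_ports(fw_dump)
    return {p: r for p, r in required_kdc_ports(krb5_conf).items() if p not in allowed}

def decode_pam_krb5(line):
    """(code, com_err value matches code, name) for a pam_krb5 line, else None."""
    m = re.search(r"KRB5 error code (\d+) \((-\d+)\)", line)
    if not m:
        return None
    code, comerr = int(m.group(1)), int(m.group(2))
    return code, comerr == KRB5_ERR_BASE + code, KRB5_ERR_NAMES.get(code, "unknown")

# Constructed samples that mirror the thread's krb5.conf, firewall dump and log line.
SAMPLE_KRB5_CONF = """[realms]
 MYDOMAIN.COM = {
  admin_server = mydc.mydomain.com:464
  kdc = mydc.mydomain.com:88
 }
"""
SAMPLE_FW = """Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
    0     0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:464 state NEW
    4   240 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:88 state NEW
Chain icmp-out (1 references)
"""
SAMPLE_LOG = "sshd[1437]: pam_krb5: authenticate error: KRB5 error code 68 (-1765328316)"
```

With the thread's own config and dump, missing_egress() returns an empty dict, which is why the firewall is not the cause there; a wrong-realm answer from the KDC points at the realm and domain_realm mapping in krb5.conf instead.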