VMware Cloud Community
grex827
Contributor

Adding users to the ESX server

I am curious about the proper way to add users to the ESX console. Not VC permissions, but the console itself. The client is requesting access, and read-only access has been agreed upon, but I am unsure of which groups provide what sort of access. I am a Windows SA, not Linux, so I am a little unclear on which groups, if any, are read-only, or very close to it.

I want to add them through VC, not command line, but I want to make sure that the client has restricted access.

Does anyone know which group would be appropriate to add them to? Perhaps I will need to create a new group. If that is the case, how do I set the privileges on that group?

This is ESX 3.0.1, VI 2.0.1.

Thanks in advance for any help.


Accepted Solutions
bflynn0
Expert

By default accounts only have user (or read-only) access. So just make sure you don't add the user to any additional groups when you're creating it.

13 Replies
bflynn0
Expert

Use the VI Client to connect to the ESX server.

Select the Server in the left pane, and then click on the Users & Groups tab in the right pane.

Create User:

Click on the Users button

Right Click and Select Add

Specify the desired User Name, Password, etc and Click OK

Create a Local Group:

Click on the Groups button

Right click and select Add

Enter the group name you want and enter the User Name you created above in the User Name field and click Add

Click OK to create the group

Assign Permissions:

Click on the Permissions Tab

Right Click and Select Add Permission

Click on the Add button and select the Group you created above and click on the Add button.

Click on the OK button.

Make sure the Assigned Role is set to Read-Only and click OK.

grex827
Contributor

OK, that helped. Now when I try to login to the console, with that userid, I get this:

login as: aauser

aauser@xx.xx.xx.xx's password:

Last login: Thu Sep 6 06:13:45 2007 from xx.xx.xx.xx

Could not chdir to home directory /home/aauser: Permission denied

-bash: /home/aauser/.bash_profile: Permission denied

-bash-2.05b$

Any ideas? We use PuTTY to access the service console.

dkfbp
Expert

I would create the user from the service console.

The command is: #useradd username

The user will only have write permission in his own home directory. He can read configuration files. But I guess that is ok.

Best regards Frank Brix Pedersen blog: http://www.vfrank.org
reorx
Enthusiast

This looks like a Unix account setup issue. It does look like the person logging in ends up at a bash shell. How did you create the account? If you used the proper flags and values with useradd you should be fine. It looks like the home directory is set up wrong. Like maybe it is not executable or owned by the userid logging in. Hope this helps. --Jennifer

bflynn0
Expert

Using the root account you can run

chown aauser /home/aauser -R

chmod 755 /home/aauser -R

to reassign the owner and the permissions of the directory and all files to the aauser User Account.

I have an additional question though, what is the Read-Only user looking to do? Not much sense in connecting to the actual Service Console over ssh as a normal user. They'll be able to look at certain config files, but won't be able to run utilities like esxcfg-firewall, esxcfg-vswitch, etc even with the -q or -l flags to list out the current configuration. The steps I gave you will allow the read-only account to connect to the ESX host using the VI client and look but not change anything (as well as look at Performance Charts, etc) - which is what I would think they'd want to do.

Message was edited by:

bflynn0 - added chmod line as well

grex827
Contributor

Thanks guys. Logging in as root and doing the chmod entries worked. Much appreciated.

The user pleading for access really should not have access at all. We prohibit client access to our servers. However, some concessions were made at a level well above mine, and read-only access was deemed acceptable. Since our company security team has not yet taken all of the ESX boxes under its wing, it is up to me to control VC and ESX access. In any event, I really don't care if the client is able to do what they want, I am just doing as told.

I do have one more quick question... do I basically follow the same process for ESX 2.5.3 servers, except using the MUI?

I went into the MUI, added the user, and the group, and added the user to the group, set the home directory for the user to /home, but I don't see an option to set read-only. The directory structure is a little different on 2.5.3, so /home/aauser is not valid.

Message was edited by:

grex827

bflynn0
Expert

Under ESX 2.5.x you can create the user in Users & Groups under the Options section.

If you want to create a user via command line you can do:

Create a Local Group:

groupadd <GroupName>

Create a User:

useradd -c "<Full Name>" -G <List of Groups> -m <Account Name>

passwd <Account Name>

grex827
Contributor

How do you assign permissions? I'd rather do it through the MUI if possible, but I need to make sure it is a read-only account.

bflynn0
Expert

By default accounts only have user (or read-only) access. So just make sure you don't add the user to any additional groups when you're creating it.

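An added example, not part of the thread and not VMware tooling: a shell check for the two things this thread turns on, whether the account's home directory is owned by and usable for the user (the cause of the "Could not chdir" error above) and whether the account is listed in any supplementary groups. It assumes GNU `stat` and the standard group file layout; the function names `audit_home` and `extra_groups` and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a local service console account (constructed names/data).
# Assumes GNU stat and the standard group file layout name:x:gid:member,member.

# audit_home USER DIR: print findings; return 0 if clean, 1 otherwise.
audit_home() {
    user=$1; dir=$2; rc=0
    if [ ! -d "$dir" ]; then
        echo "MISSING: $dir does not exist"
        return 1
    fi
    owner=$(stat -c '%U' "$dir")
    mode=$(printf '%04d' "$(stat -c '%a' "$dir")")   # e.g. 755 -> 0755
    perm=${mode#?}                                    # drop setuid/sticky digit
    if [ "$owner" != "$user" ]; then
        echo "OWNER: $dir is owned by $owner, not $user"
        rc=1
    fi
    case $perm in
        7??) ;;                                       # owner has rwx
        *) echo "MODE: owner lacks rwx on $dir (mode $mode)"; rc=1 ;;
    esac
    case $perm in
        ?[2367]?|??[2367])                            # group or other can write
            echo "MODE: $dir is group/world writable (mode $mode)"; rc=1 ;;
    esac
    return $rc
}

# extra_groups USER GROUPFILE: print each group that lists USER as a member.
extra_groups() {
    awk -F: -v u="$1" '{
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] == u) print $1
    }' "$2"
}

# Stand-alone run on constructed sample data.
demo=$(mktemp -d)
printf '%s\n' 'root:x:0:root' 'wheel:x:10:root,aauser' 'aauser:x:500:' > "$demo/group"
mkdir "$demo/home" && chmod 777 "$demo/home"
audit_home "$(stat -c '%U' "$demo/home")" "$demo/home" || true
echo "supplementary groups for aauser: $(extra_groups aauser "$demo/group")"
rm -rf "$demo"
```

On a real host the same functions would be pointed at the account's actual home directory and at `/etc/group`; an empty result from `extra_groups` means the account has no memberships beyond its primary group.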
RParker
Immortal

If you add the VI console server to the domain, you can add the groups from that domain to the VI session.

Then whatever members of the group are allowed access can simply login to VI. That's the easiest way, and you don't have to give specific access, just make them ALL VM users with limited rights.

You can add permissions later for users, but that would be the easiest way to get you started.

grex827
Contributor

Well, that's true for VI permissions. I need actual console permissions to be set.

grex827
Contributor

Thanks bflynn0, you have been a tremendous help to me. I will mark your suggestions helpful, and finally correct. I really appreciate it.

IRQ2006
Enthusiast

Does ESX 2.5 provide Read Only access to manage VM instances via the MUI? I have a requirement to provide read-only access to VMs on the MUI, i.e. restrict a user from managing the VM to do power off, restart, suspend, etc. Is there any specific group the user needs to be added to, or does ESX 2.5 provide this level of access?

I added a user without adding it to any group. I see the Options tab in the MUI is not accessible to this user; however, I still see all the options on the menu to power off, restart guest, suspend, etc. still highlighted.

Thanks
