VMware Cloud Community
benutzername
Contributor

Bulk insert user account on ESX

Hi,

Sometimes I have to add some new users on lots of ESX servers. I would like to create a command so that I only have to copy & paste the command into my SSH session on each ESX host. I used the following command:

useradd -u 621 -G root -p PASSWORD -d /home/USER -s /bin/bash -c USERNAME USER

The problem is that the password does not work. When I check the GUI, the user is created. The user has shell access. Only when I change the password am I able to log on.

I guess the problem is that the useradd command interprets the password as an encrypted password. So I think I have to provide the crypted password instead of the clear text password.

The question is how to automate it. Does anybody have a script to do so?

0 Kudos
1 Solution

Accepted Solutions
Lightbulb
Virtuoso

Sorry you must also update /etc/gshadow

Or better use the following command for each user

gpasswd -a user1 wheel


0 Kudos
10 Replies
Lightbulb
Virtuoso

You could try the newusers command

http://kbase.redhat.com/faq/docs/DOC-7133

Texiwill
Leadership

Hello

Why not use some centralized mechanism like AD, NIS+, LDAP-S? Check out http://www.astroarch.com/wiki/index.php/Remote_Authentication for some possibilities and instruction.


Best regards,

Edward L. Haletky

VMware Communities User Moderator

====

Author of the book 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education.

Blue Gears and SearchVMware Pro Blogs: http://www.astroarch.com/wiki/index.php/Blog_Roll

Top Virtualization Security Links: http://www.astroarch.com/wiki/index.php/Top_Virtualization_Security_Links

--
Edward L. Haletky
vExpert XIV: 2009-2023,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill
0 Kudos
benutzername
Contributor

@Lightbulb: The command sounds great but is not implemented on my ESX machines. Is that a package I can install from bash?

@Texiwill: The idea is also very good, but not usable in this environment. It is a shared VMware cluster for multiple customers. There is no access to any domain.

0 Kudos
Rumple
Virtuoso

It sounds like you are using ESX without Virtual Center for hosting VMs. If that is the case I really hope you are not giving each customer the ability to manage their VMs using the VM Console directly from the ESX host.

Direct console access does not scale at all, and will quickly bring your ESX host to its knees.

When providing console access/permissions to VM's best practice is to utilize VC and scale that server appropriately to handle the load. Your customers should also be made aware that console access is to be used only when necessary and not as a daily management console for their systems.

0 Kudos
benutzername
Contributor

Hi,

We are using Virtual Center. None of the customers gets access to the ESX machines or to the Virtual Center.

0 Kudos
Lightbulb
Virtuoso

I am running ESX 3.5 on my test box at home and the binary is under /usr/sbin/newusers. It is a standard Red Hat command.

From the cli type:

ls -l /usr/sbin/newusers

benutzername
Contributor

Hi Lightbulb,

Seems to work very well. Final question: How do I add a user to the root group?

0 Kudos
Lightbulb
Virtuoso

Add users to wheel group in /etc/group

Open /etc/group in editor and append user names to wheel.

Example:

wheel:x:10:root,user1,user2

This is not a best practice. For users that need some level of root access you might want to think about sudo.

0 Kudos
Lightbulb
Virtuoso

Sorry you must also update /etc/gshadow

Or better use the following command for each user

gpasswd -a user1 wheel

0 Kudos
Texiwill
Leadership

Hello,

If you use 'usermod' the PASSWD is an MD5 hashed password held within single quotes... The single quotes are to escape the necessary characters and are not part of the password.

To add a user to a group you can use 'usermod'. Or even 'groupmod'... you may not want to use gpasswd directly. That is up to you.

If you set up a NIS server then things would also work and be separate from the domain. Personally I would have a Customer Domain most likely within a VM and a Virtualization Management Domain that a customer would never see or have access to.


Best regards,

Edward L. Haletky

0 Kudos
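
Added example, not part of any post in this thread: it generates the MD5-crypt hash that `useradd -p` expects and prints paste-ready commands with the hash in single quotes, followed by the `gpasswd` call from the accepted solution. The function names, the user `jdoe`, the salt and the password are constructed, and having `openssl` on the admin workstation is an assumption.

```shell
#!/bin/sh
# Added example; make_hash, is_crypt_hash and emit_cmds are hypothetical names.

# Print an MD5-crypt ($1$...) hash of the password read from stdin.
# The password travels through a pipe, so it never shows up in the process list.
# An optional SALT makes the output reproducible; omit it for a random salt.
make_hash() {   # usage: make_hash [SALT] < password
    openssl passwd -1 ${1:+-salt "$1"} -stdin
}

# Accept only a $1$salt$hash string with nothing that could end the quoting.
is_crypt_hash() {
    case "$1" in
        *"'"*|*' '*) return 1 ;;
        '$1$'*'$'*)  return 0 ;;
        *)           return 1 ;;
    esac
}

# Print the commands to paste into the root shell of each host.
# Nothing is executed here, so the output can be reviewed first.
emit_cmds() {   # usage: emit_cmds USER UID HASH
    case "$1" in ''|*[!a-z0-9_-]*) echo "bad user name: $1" >&2; return 1 ;; esac
    case "$2" in ''|*[!0-9]*)      echo "bad uid: $2" >&2;       return 1 ;; esac
    is_crypt_hash "$3" || { echo "not a \$1\$ crypt hash" >&2; return 1; }
    # Single quotes keep the shell from expanding the '$' signs in the hash.
    printf "useradd -u %s -p '%s' -d /home/%s -s /bin/bash -c '%s' %s\n" \
        "$2" "$3" "$1" "$1" "$1"
    printf 'gpasswd -a %s wheel\n' "$1"
}

# Demo with constructed values (fixed salt only so the run is repeatable).
demo_hash=$(printf '%s\n' 'Constructed-Pw-1' | make_hash 'Ab3dE6gH')
emit_cmds jdoe 621 "$demo_hash"
```

Passing the clear-text word `PASSWORD` as the third argument is rejected, which is the failure the original post ran into.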