Hi,
I have a VMware estate of 70 ESX servers running ESX 3.5 and I want to be able to manage logins better. I'm familiar with adding user accounts and groups either through VI or using a command. What I want to do, if possible, is be able to create different groups and edit their permissions on each host via a script, and then, if possible, add users to the identical group in Active Directory and manage users centrally via AD. If this isn't possible I would like to script adding user accounts and changing user permissions. I would like to keep it as manageable as possible, as controlling user accounts and permissions over 70 servers could prove to be tasking.
Many thanks in advance
This is the best post I have seen about this task.
http://blog.scottlowe.org/2007/07/10/esx-server-ad-integration/
You could also look at Centrify.
Here's a good .pdf worth looking at
Thanks Troy, but what I want to do is be able to manage user accounts through AD groups created respectively on each host, or a better way of managing user accounts created locally, with commands to change permissions.
rb
This is done with VI vCenter. If your vCenter machine is part of your domain, then you can have anyone access via their account.
Then you add permissions (either at the resource pool or VM level) for each VM you want them to have access to. I usually do this by group, because adding users is tedious. So you can assign users to a group in AD and apply that group to a permission in VIC.
That's how we manage all of our users. You really can't use a script for this, because the ESX server doesn't have access to this info; only the vCenter machine does. Now maybe there is a script at the .NET level, but it may be more trouble than it's worth.
Also, there are 2 levels of groups: there are GUI VIC permissions and there are Web Access permissions. If you click View -> Inventory -> Virtual Machines and Templates, that is where you can set your web access permissions.
So you don't have to give everyone access to the GUI (the only difference I found is snapshots: you can't do snapshots from the web, but everything else is there).
So if you move your VMs (in the machine / template view) to folders, you can move ALL VMs pertaining to a particular group into one folder and not touch your resource pools. Then apply the group permissions to that folder (set it for user access, administrator, whatever) and you are set. That makes things easy, and users can access what they need.
Thanks for your detailed reply RParker, it is much appreciated; however, I may have been a little unclear.
The access I want to manage via AD is in fact ESX logins to the hosts via console or SSH, relieving root of SSH capability. We have about 10 clusters with 7 hosts that all require different access for different people via SSH, and I want to find the most manageable approach for adding accounts and changing group/user permissions via script, as the GUI is on a per-host basis.
rb
We have a similar challenge - being a primarily Windows shop, Linux scripting skills are a little thin on the ground.
There are a number of 3rd party products you can use to integrate the service console with Active Directory - probably the most fully featured is Centrify.
Hello,
Check out the following. http://www.astroarch.com/wiki/index.php/Remote_Authentication
There are many ways to get AD auth into ESX. Also this is laid out in my upcoming book and my next book.
Best regards,
Edward L. Haletky
VMware Communities User Moderator, VMware vExpert 2009
====
Author of the book 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education.
Blue Gears and SearchVMware Pro Blogs -- Top Virtualization Security Links -- Virtualization Security Round Table Podcast
Ah yes Active Directory authentication on ESX servers. This is a common question and it is possible and this is how to go about it...
http://www.vmadmin.co.uk/resources/35-esxserver/55-esxadauth
Andy, VMware Certified Professional / VMware vExpert Award 2009
If you found this information useful please award points using the buttons at the top of the page accordingly.
Here's my kickstart script for LDAP Auth
###############################
# Configure AD Authentication #
###############################
echo " Configure AD Authentication" >> /tmp/PostInstall.log
# Point the service console's PAM stack at the AD domain and the Kerberos realm
/usr/sbin/esxcfg-auth --enablead --addomain=test.net --addc=192.168.142.1
/usr/sbin/esxcfg-auth --enablekrb5 --krb5realm=test.net --krb5kdc=192.168.142.1 --krb5adminserver=192.168.142.1
# Keep local shadow passwords working for vmware-authd as a fallback
echo "auth sufficient /lib/security/pam_unix_auth.so shadow nullok" >> /etc/pam.d/vmware-authd
# Write krb5.conf with both domain controllers as KDCs; the [domain_realm],
# [libdefaults] and [realms] section headers are required for the file to parse
cat > /etc/krb5.conf << KRB5
# Autogenerated by /usr/sbin/esxcfg-auth
[domain_realm]
.test.net = TEST.NET
test.net = TEST.NET
[libdefaults]
default_realm = TEST.NET
[realms]
TEST.NET = {
admin_server = 192.168.142.1:749
default_domain = test.net
kdc = 192.168.142.1:88
kdc = 192.168.142.2:88
}
KRB5
echo " Configure AD Authentication completed" >> /tmp/PostInstall.log
Centrify looks like the way forward, thanks for that. Another product to consider is Windows Identity Management....
Richard
We do the following in our environment:
1. Use Veeam Root Access to disable console access for root
2. Enable Active Directory authentication on the ESX Server
3. Create your user IDs on the ESX Server: these should be the same as your Active Directory logon
4. Your admins should be able to log on through SSH using the Active Directory ID
5. Once they do, they need to do su - to obtain privilege, or you can modify the sudo.log file and give specific permissions based on administrator role.
Go through this link, which will address the authentication issues: http://communities.vmware.com/message/662992
Cheers
Kumar KV
If you find this helpful don't forget to award points
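Kumar's steps 3 and 5 still leave the original poster with a per-host chore: a local account matching each AD logon name and a sudo rule for each group, on every one of the 70 hosts. The script below is an example added here, not code from the thread or from VMware; it generates the idempotent commands for that from a roster file so the same output can be replayed on every host. The `user:group` roster format, the group names and the sample accounts are my assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Emits the idempotent commands that create a
# local service-console account per AD logon name and a sudo rule per group, so the
# same output can be replayed on every host. useradd leaves the local password
# locked, so once esxcfg-auth has enabled AD/Kerberos auth the AD password is the
# only one that works. Roster format is an assumption: "user:group" per line.

# Commands for one account; each is a no-op when the group or user already exists.
account_cmds() {
    user=$1; group=$2
    printf '%s\n' \
        "getent group $group >/dev/null 2>&1 || groupadd $group" \
        "id -u $user >/dev/null 2>&1 || useradd -g $group -s /bin/bash $user" \
        "usermod -g $group $user"
}

# One sudoers rule per group, appended only if absent. Replace the trailing ALL
# with the command list that role actually needs (e.g. /usr/sbin/esxcfg-*).
sudoers_cmd() {
    printf "grep -q '^%%%s ' /etc/sudoers || echo '%%%s ALL=(ALL) ALL' >> /etc/sudoers\n" "$1" "$1"
}

# Read a roster on stdin; print account commands, then one sudoers rule per group.
roster_cmds() {
    roster=$(sed -e 's/#.*//' -e '/^[[:space:]]*$/d')
    printf '%s\n' "$roster" | while IFS=: read -r user group; do
        [ -n "$user" ] || continue
        account_cmds "$user" "$group"
    done
    printf '%s\n' "$roster" | cut -d: -f2 | sort -u | while read -r group; do
        [ -n "$group" ] || continue
        sudoers_cmd "$group"
    done
}

# Constructed sample roster; names and groups are made up.
SAMPLE_ROSTER='# user:group
alice:esxadmins
bob:esxops
carol:esxops
'

# Example run: printf '%s' "$SAMPLE_ROSTER" | roster_cmds
```

Replay the output on each host from an account that can become root there (for example by piping it into `ssh <host> sh -s`); because the local accounts carry no usable password of their own, disabling the account in AD is enough to stop that person's SSH logins.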