RichardBrown
Contributor
Contributor

ESX and Active Directory

Jump to solution

Hi,

I have a VMware estate of 70 ESX servers running ESX 3.5 and i want to be able to manage login's better, i'm familiar with adding user accounts and groups either through VI or using a command. What i want to do if possible is be able to create different groups and edit there permissions on each host via a script, and then if possible add users to the identical group in Active Directory and manage users centrally via AD. if this isn't possible i would like to script adding user accounts and changing user permissions. I would like to keep it as managable as possible as controlling user accounts and permissions over 70 servers could prove to be tasking.

Many Thanks in advance

0 Kudos
1 Solution

Accepted Solutions
dmn0211
Enthusiast
Enthusiast

This is the best post I have seen about this task.

http://blog.scottlowe.org/2007/07/10/esx-server-ad-integration/

You could also look at Centrify.

View solution in original post

0 Kudos
11 Replies
Troy_Clavell
Immortal
Immortal

here's a good .pdft worth looking at

http://www.vmware.com/pdf/esx3_esxcfg_auth_tn.pdf

0 Kudos
RichardBrown
Contributor
Contributor

thanks Troy, but what i want to do is be able to manage user accounts through AD groups created respective on each host. Or a better way of managing user accounts created locally with commands to change permissions.

rb

0 Kudos
RParker
Immortal
Immortal

This is done with VI vCenter. If your vCenter machine is part of your domain, then you can have anyone access via their account.

Then you add permissions (either by the resource pool or VM level) for each VM you want them to have access to. I usually do this by group, because adding users is a tedium. so you can assign users to a group in AD and apply that group to a permission in VIC.

That's how we manage all of our users, you really can't use a script for this, because the ESX server doesn't have access to this info, only the vCenter machine does. Now maybe there is a script at the .NET level.. but it may be more trouble than it's worth.

Also There are 2 levels of groups, there are GUI VIC permissions and there are Web Access permissions. If you click view -> inventory -> virtual machines and templates and there is where you can set your web access permissions.

So you don't have to give everyone access to GUI (the only difference I found is snapshots. You can't do snapshots from the web, but everything else is there).

So if you move your VM's (in the machine / template view) to folders you can move ALL VM's pertaining to a particular group in one folder, and not touch your resource pools. Then apply the group permissions to that folder (set it for user access, administrator whatever) you are set. That makes things easy, and users can access what they need.

0 Kudos
RichardBrown
Contributor
Contributor

Thanks for your detailed reply RParker it is much appreciated, however i may have been a little un clear.

The access i want to manage via AD is infact ESX login's to the Host's via console or SSH, releaving the root access of SSH capability. We have about 10 clusters with 7 hosts that all require different access for different people via SSH and i want to find the most manable approach for adding accounts and changing group/user permissions via script as GUI is on a per host basis.

rb

0 Kudos
ChrisDearden
Expert
Expert

We have a similar challenge - being a primarily Windows shop , linux scripting skills are a little thin on the groud.

There are a number of 3rd party products you can use to integrate the service console with active directory - probably the most fully featured is Centrify.

If this post has been useful , please consider awarding points. @chrisdearden http://jfvi.co.uk http://vsoup.net
Texiwill
Leadership
Leadership

Hello,

Check out the following. http://www.astroarch.com/wiki/index.php/Remote_Authentication

There are many ways to get AD auth into ESX. Also this is laid out in my upcoming book and my next book.


Best regards,
Edward L. Haletky
VMware Communities User Moderator, VMware vExpert 2009
====
Author of the book 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education.
Blue Gears and SearchVMware Pro Blogs -- Top Virtualization Security Links -- Virtualization Security Round Table Podcast

--
Edward L. Haletky
vExpert XIII: 2009-2021,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill
0 Kudos
atbnet
Expert
Expert

Ah yes Active Directory authentication on ESX servers. This is a common question and it is possible and this is how to go about it...

http://www.vmadmin.co.uk/resources/35-esxserver/55-esxadauth

Andy, VMware Certified Professional / VMware vExpert Award 2009

Help, Guides and How Tos

If you found this information useful please award points using the buttons at the top of the page accordingly.

Andy Barnes
VCP / VCA-DT / MCITP:EA / CCIA
Help, Guides and How Tos... www.VMadmin.co.uk

If you found this information useful please award points using the buttons at the top of the page accordingly.
0 Kudos
dmn0211
Enthusiast
Enthusiast

This is the best post I have seen about this task.

http://blog.scottlowe.org/2007/07/10/esx-server-ad-integration/

You could also look at Centrify.

View solution in original post

0 Kudos
vishy123
Enthusiast
Enthusiast

Here's my kickstart script for LDAP Auth

###############################

  1. Configure AD Authentication #

###############################

echo " Configure AD Authentication" >> /tmp/PostInstall.log

/usr/sbin/esxcfg-auth --enablead --addomain=test.net --addc=192.168.142.1

/usr/sbin/esxcfg-auth --enablekrb5 --krb5realm=test.net --krb5kdc=192.168.142.1 --krb5adminserver=192.168.142.1

echo "auth sufficient /lib/security/pam_unix_auth.so shadow nullok" >> /etc/pam.d/vmware-authd

cat > /etc/krb5.conf << KRB5

  1. Autogenerated by /usr/sbin/esxcfg-auth

.test.net = TEST.NET

test.net = TEST.NET

default_realm = TEST.NET

TEST.NET = {

admin_server = 192.168.142.1:749

default_domain = test.net

kdc = 192.168.142.1:88

kdc = 192.168.142.2:88

}

KRB5

echo " Configure AD Authentication completed" >> /tmp/PostInstall.log

RichardBrown
Contributor
Contributor

Centrify looks like the way forward thanks for that, anothe product to consider is Windows Identity Management....

0 Kudos
kumarkv
Enthusiast
Enthusiast

Richard

We do the following in our environment:

1. Use Veeam Root Access to disable console access for root

2. Enable Active Directory authentication on the ESX Server

3. Create your user ID's on the ESX Server : This should be the same as your active directory logon

4. You Admins shld be able to logon thru SSH using the active directory ID

5. Once they do , they need to do su - for obtaining privilege or you can modify the sudo.log file and give specifc permissions based on administrator role.

Go thru this link which will address the authentication issues: http://communities.vmware.com/message/662992

Cheers

Kumar KV

If you find this helpful don't forget to award points

Cheers Kumar KV If you find this helpful don't forget to award points
0 Kudos