Using this guide:
I've got my ESX box to auth users against AD. The problem is, when I try to logon with the VI Client I get "Error Connecting - Permission to perform this operation was denied.". If I enter the wrong password, it says "login failed due to a bad username or password." so it seems able to work out who I am.
If I pick a user who I've not run "useradd" for I just got the "login failed" message again.
In the server messages I get:
Aug 28 15:37:48 server vmware-authd(pam_unix)\: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=myaccount
Aug 28 15:37:49 server vmware-hostd\: pam_krb5: authentication succeeds for `myaccount
Aug 28 15:37:49 server vmware-hostd\: Accepted password for user myaccount from 184.108.40.206
Any ideas what else I need to do? NTP is running so the time is sync'd.
I tried adding the user account to the root group, but it still didn't work. I've seen other posts talk about adding it to the administrators/manager group but I know how as they don't seem to exist. Am I missing something?
You need to create a corresponding user with useradd apparently ...
For every user that you want to enable access through authentication to
Active Directory, you must also create a corresponding user on the ESX Server system using the useradd command.
That to me sounds like you need to create the user locally on ESX and on AD.
Haven't played with it yet though ...
That will setup access for SSH sessions, but doesn't authorize the user to access the host via the VIC.
I used to have this setup so I could access the MUI in ESX2.5 using AD credentials. The pam setup in ESX3 is different, and I've not had reason to provide this capability in ESX3, so haven't investigated further. There's probably a small change that needs to be applied to /etc/pam.d/vmware-authd
Check out the posting here:
This provides pam changes that appear to work. Note: I've not tested them, so cannot verify whether it works or possibly compromises security.
Message was edited by:
Followup note: Those are legacy settings, similar to what I did in ESX 2.5. They may work, but there is probably a better way.
Ok, got it! Using this link:
If I go into the "permissions" tab in the VIClient, add my AD account as an administrator then it works.
Thanks for the amazingly quick responses though.
The file in question is the authorization.xml which has the users that the VIclient will use to connect. This list of users is different then the ones used for ssh