VMware Cloud Community
joe533
Contributor

Invoke-VMScript not authenticating against RedHat IdM

Does anyone have experience getting Invoke-VMScript working when authenticating against RedHat IdM?

I'm actually using Invoke-VMScriptPlus and during development I was using root with no issues. When I use the script outside of my lab I'll need to login against RedHat IdM (cached credentials on the guest OS actually) and it's failing to authenticate.

This IdM thing uses IPA client and Kerberos I think, I'm not a Linux expert by any means. Caching is turned on in the client OS and if I disconnect the network I'm still able to log in at the console (a disconnected network is the scenario in which my script will run to fix network settings among other things).

Based on VMware KB 78251 (and this other Veritas one, although I'm not using Veritas) I think my issue is with the /etc/pam.d/vmtoolsd file but can't find a config that seems to work.

Anyone know the secret sauce to get this working with RHEL 6, 7 and 8?

10 Replies
LucD
Leadership

Does the Verbose switch on Invoke-VMScriptPlus give any clues?


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

joe533
Contributor

Here's the output of -Verbose:

VERBOSE: 2023/03/05 11:23:21 Get-View Finished execution
VERBOSE: 2023/03/05 11:23:21 Get-View Finished execution
VERBOSE: 2023/03/05 11:23:21 Get-View Finished execution
VERBOSE: 2023/03/05 11:23:21 Get-View Finished execution
VERBOSE: No GuestOSType value provided. Trying to determine now.
VERBOSE: It's a Linux guest OS
VERBOSE: Seems to be a Linux guest OS
VERBOSE: Add SheBang #!/usr/bin/env bash
Exception calling "CreateTemporaryDirectoryInGuest" with "5" argument(s): "Failed to authenticate with the guest operating system using the supplied credentials."
At C:\Users\redacted\Invoke-VMScriptPlus.ps1:406 char:104
+ ... oraryDirectoryInGuest($moref, $auth, "$($env:USERNAME)_$($PID)", $nul ...
+ ~~~~
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : VimException

VERBOSE: Created temp folder in guest OS
VERBOSE: Encountered a problem creating the script file in the guest OS
Exception calling "CreateTemporaryFileInGuest" with "5" argument(s): "Failed to authenticate with the guest operating system using the supplied credentials." Exception calling
"CreateTemporaryDirectoryInGuest" with "5" argument(s): "Failed to authenticate with the guest operating system using the supplied credentials."[0].Exception.Message
At C:\Users\redacted\Invoke-VMScriptPlus.ps1:423 char:17
+ Throw "$error[0].Exception.Message"
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OperationStopped: (Exception calli...ception.Message:String) [], RuntimeException
+ FullyQualifiedErrorId : Exception calling "CreateTemporaryFileInGuest" with "5" argument(s): "Failed to authenticate with the guest operating system using the supplied credentials." Exception calling "CreateTemporaryDirectoryInGuest" with "5" argument(s): "Failed to authenticate with the guest operating system using the supplied credentials."[0].Exception.Message

And the vmware.log from the ESXi host for the same operation:


2023-03-05T16:23:22.120Z| vmx| I125: VigorTransportProcessClientPayload: opID=20889671-d8-ebc3 seq=10866: Receiving GuestOps.CreateTemporaryDirectory request.
2023-03-05T16:23:25.095Z| vcpu-12| I125: VigorTransport_ServerSendResponse opID=20889671-d8-ebc3 seq=10866: Completed GuestOps request with messages.
2023-03-05T16:23:25.392Z| vmx| I125: VigorTransportProcessClientPayload: opID=338db5ac-c0-ebda seq=10877: Receiving GuestOps.CreateTemporaryFile request.
2023-03-05T16:23:25.865Z| vcpu-13| I125: VigorTransport_ServerSendResponse opID=338db5ac-c0-ebda seq=10877: Completed GuestOps request with messages.

From inside the guest OS (/var/log/vmware-vmsvc-root.log):

[2023-03-05T16:23:21.746Z] [ message] [vix] VixTools_ProcessVixCommand: command 182
[2023-03-05T16:23:21.746Z] [ message] [VCGA] Pref_Init: Using '/etc/vmware-tools/vgauth.conf' as preferences filepath
[2023-03-05T16:23:21.746Z] [ message] [VCGA] VGAuth 'build-15389592' initialized for application 'vmtoolsd'. Context created at 0x5565393446b0
[2023-03-05T16:23:21.747Z] [ message] [VCGA] PAM up and running.
[2023-03-05T16:23:24.652Z] [ warning] [VCGA] PAM error: Permission denied (6), mapped to VGAuth error 12
[2023-03-05T16:23:24.652Z] [ warning] [vix] VixToolsImpersonateUser: impersonation failed (3050)
[2023-03-05T16:23:24.652Z] [ message] [vix] VixToolsCreateTempFileInt: opcode 182 returning 3050
[2023-03-05T16:23:24.652Z] [ message] [vix] ToolsDaemonTcloReceiveVixCommand: command 182, additionalError = 4294967294
[2023-03-05T16:23:25.003Z] [ message] [vix] VixTools_ProcessVixCommand: command 181
[2023-03-05T16:23:25.421Z] [ warning] [VCGA] PAM error: Permission denied (6), mapped to VGAuth error 12
[2023-03-05T16:23:25.421Z] [ warning] [vix] VixToolsImpersonateUser: impersonation failed (3050)
[2023-03-05T16:23:25.421Z] [ message] [vix] VixToolsCreateTempFileInt: opcode 181 returning 3050
[2023-03-05T16:23:25.421Z] [ message] [vix] ToolsDaemonTcloReceiveVixCommand: command 181, additionalError = 4294967292

joe533
Contributor

Not sure why my replies with the outputs are not appearing, so I'm attaching them as a txt instead.

LucD
Leadership

Looks like the account you are using doesn't have the required permissions to create a directory in that location.


LucD
Leadership

Sounds a bit like the open-vm-tools #Issue345, where the cause was characters (like $) in the password.


joe533
Contributor


@LucD wrote:

Sounds a bit like the open-vm-tools #Issue345, where the cause was characters (like $) in the password.


I'm passing credentials as a PSCredential so I assume special characters in the password aren't an issue. (That's for testing this issue; in my real script I take the PSCredential and pass the username and password as $mycred.username and $mycred.password, since my script works for Windows too and I need to adjust the username in certain cases.)

LucD
Leadership

Did you already try with another account?
Which one are you using currently? The 'root' account? Is that enabled?
Did you already try with a simple command in the ScriptText parameter, like for example '/bin/sudo ls'?


joe533
Contributor


@LucD wrote:

Did you already try with another account?
Which one are you using currently? The 'root' account? Is that enabled?
Did you already try with a simple command in the ScriptText parameter, like for example '/bin/sudo ls'?


I modified the script to create the temp directory in /tmp/ so there should not be any permission issues.

When the following code is run where $c is set to root, everything is great.

When $c is set to my IdM user it fails. Note that my account is not in /etc/passwd because it's not a local account.

$c = Get-Credential
. 'C:\redacted\Invoke-VMScriptPlus2.ps1'

# Script body that runs inside the guest
$pScript = @'
pwd
ls -l
'@

# Parameters for Invoke-VMScriptPlus, passed by splatting
$sCode = @{
    VM                   = "myvm"
    GuestCredential      = $c
    SkipCertificateCheck = $true
    ScriptType           = 'bash'
    ScriptText           = $pScript
}

Invoke-VMScriptPlus @sCode -Verbose

The contents of /etc/pam.d/vmtoolsd:

#%PAM-1.0
auth substack password-auth
auth include postlogin
account required pam_nologin.so
account include password-auth

I've tried adding the line from the VMware KB (and rebooted the VM) but it changed nothing.
LucD
Leadership

I guess you mean KB78251?

But it seems to me that this is more of an open-vm-tools issue with IdM.
And I'm afraid I'm a noob concerning all things PAM.

Perhaps you could create an issue in the open-vm-tools repo,
or ask the question in the Virtual Machine, Guest OS and VM Tools Discussions community on VMTN.


joe533
Contributor

Problem solved and it was on the IdM side.

The GitHub post I made gave me the idea to check journalctl. I could see authentication was OK but I was getting access denied on the vmtoolsd service.

I came across this post where your last reply had the same error I was getting. IdM has some HBAC rules which appeared to limit what services I could "use". I got vmtoolsd added as a test and everything works! Now there's a 90 second delay when running my script if the network is unavailable, but that's not a VMware problem 🙂

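The guest-side log quoted earlier in the thread ("PAM error: Permission denied (6), mapped to VGAuth error 12" right after "PAM up and running") and the resolution in this last reply (authentication was fine, an IdM HBAC rule denied the vmtoolsd service) fit together through the PAM return code: 6 is PAM_PERM_DENIED, an account-phase refusal, not PAM_AUTH_ERR (7), which is what a wrong password produces. The script below is an added example and not code from open-vm-tools, PowerCLI or Invoke-VMScriptPlus. It parses /var/log/vmware-vmsvc-root.log lines, names the PAM code using the values from Linux-PAM's security/_pam_types.h, pairs each vgauth failure with the vix impersonation error it causes, and tells the operator whether to look at credentials or at login policy (SSSD/IdM HBAC, pam_access, pam_nologin). The sample lines are the ones quoted in the thread, reused here as constructed input; the diagnosis wording is the example's own.

```python
"""Triage vmtoolsd guest-operations authentication failures.

Added example, not open-vm-tools or PowerCLI code. Input lines come from
/var/log/vmware-vmsvc-root.log; PAM_CODES follows Linux-PAM's
security/_pam_types.h; DIAGNOSIS wording is this example's own.
"""
import re
from typing import Dict, Iterable, List

# Linux-PAM return codes that show up as "PAM error: <msg> (<n>)" in vgauth output.
PAM_CODES: Dict[int, str] = {
    0: "PAM_SUCCESS",
    6: "PAM_PERM_DENIED",       # an account/session module refused (policy)
    7: "PAM_AUTH_ERR",          # the password itself was rejected
    9: "PAM_AUTHINFO_UNAVAIL",  # backend unreachable and nothing cached
    10: "PAM_USER_UNKNOWN",
    13: "PAM_ACCT_EXPIRED",
}

# What each code means for whoever is debugging guest ops: credentials or policy?
DIAGNOSIS: Dict[str, str] = {
    "PAM_PERM_DENIED": ("policy denied the login in the account phase (SSSD/IdM HBAC "
                        "rules, pam_access, pam_nologin); the password may be correct"),
    "PAM_AUTH_ERR": "credentials rejected: wrong password, or not verifiable offline",
    "PAM_AUTHINFO_UNAVAIL": "identity backend unreachable and no cached credentials",
    "PAM_USER_UNKNOWN": "user unknown to every configured identity source",
    "PAM_ACCT_EXPIRED": "account expired",
}

PAM_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[ *warning\] \[VCGA\] PAM error: "
    r"(?P<msg>.*?) \((?P<code>\d+)\), mapped to VGAuth error (?P<vg>\d+)$")
VIX_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[ *warning\] \[vix\] VixToolsImpersonateUser: "
    r"impersonation failed \((?P<vix>\d+)\)$")


def triage(lines: Iterable[str]) -> List[Dict]:
    """Pair each vgauth PAM error with the vix impersonation failure that follows it."""
    findings: List[Dict] = []
    pending = None  # most recent PAM error still waiting for its vix line
    for raw in lines:
        line = raw.strip()
        m = PAM_RE.match(line)
        if m:
            code = int(m.group("code"))
            name = PAM_CODES.get(code, f"PAM_UNKNOWN_{code}")
            pending = {
                "ts": m.group("ts"),
                "pam_code": code,
                "pam_name": name,
                "pam_message": m.group("msg"),
                "vgauth_error": int(m.group("vg")),
                "vix_error": None,
                "diagnosis": DIAGNOSIS.get(
                    name, "unmapped PAM code; read /var/log/secure and journalctl -u sssd"),
            }
            findings.append(pending)
            continue
        m = VIX_RE.match(line)
        if m and pending is not None:
            pending["vix_error"] = int(m.group("vix"))
            pending = None
    return findings


def summary(findings: List[Dict]) -> str:
    """One-line verdict for the operator."""
    if not findings:
        return ("no PAM failures recorded by vgauth; the request never reached guest "
                "authentication, so look at the vix/vmx transport or the PowerCLI side")
    names = sorted({f["pam_name"] for f in findings})
    return f"{len(findings)} guest-ops auth failure(s); " + "; ".join(
        f"{n}: {DIAGNOSIS.get(n, 'unmapped')}" for n in names)


# Constructed sample: the vmware-vmsvc-root.log excerpt quoted in the thread.
SAMPLE_LOG = [
    "[2023-03-05T16:23:21.746Z] [ message] [vix] VixTools_ProcessVixCommand: command 182",
    "[2023-03-05T16:23:21.747Z] [ message] [VCGA] PAM up and running.",
    "[2023-03-05T16:23:24.652Z] [ warning] [VCGA] PAM error: Permission denied (6), mapped to VGAuth error 12",
    "[2023-03-05T16:23:24.652Z] [ warning] [vix] VixToolsImpersonateUser: impersonation failed (3050)",
    "[2023-03-05T16:23:24.652Z] [ message] [vix] VixToolsCreateTempFileInt: opcode 182 returning 3050",
    "[2023-03-05T16:23:25.003Z] [ message] [vix] VixTools_ProcessVixCommand: command 181",
    "[2023-03-05T16:23:25.421Z] [ warning] [VCGA] PAM error: Permission denied (6), mapped to VGAuth error 12",
    "[2023-03-05T16:23:25.421Z] [ warning] [vix] VixToolsImpersonateUser: impersonation failed (3050)",
    "[2023-03-05T16:23:25.421Z] [ message] [vix] VixToolsCreateTempFileInt: opcode 181 returning 3050",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["ts"], f["pam_name"], f"vix={f['vix_error']}", "->", f["diagnosis"])
    print(summary(triage(SAMPLE_LOG)))
```

Against the real file, call triage(open("/var/log/vmware-vmsvc-root.log")) on the guest. A PAM_PERM_DENIED verdict is the cue to check the account phase on the guest (journalctl on sssd, and the HBAC rules for the vmtoolsd service in IdM, as found in this thread) rather than to keep changing passwords or the auth lines in /etc/pam.d/vmtoolsd; PAM_AUTH_ERR points the other way.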