Re: Host profile permission rules

RLsh · ‎11-21-2010

I have problem with host profile in vCenter 4.1

I noticed that host profile can join ESXi to the domain, and create permission rules to grant permissions to local and domain users and groups.

My problem is, when I create permission rule for active directory user or group, "apply" will add the domain user or group,

but afterwards host remains not compliant with the failure:

"A permission for user or group <DomainName\group> does not exist" (even that i can see the permission when i connect to the host)

by that the host will never be compliant although the user or group created by the host profile.

Local user works perfectly with host profile permission rules...

thanks.

mal_michael · ‎11-22-2010

I can see this behavior in my environment too.

Local users / groups are OK. But with domain users / groups the compliance check always fails, even the permissions are in place (ESXi 4.1).

Possibly a bug. Can someone confirm this works?

Michael.

s1m0nb · ‎01-20-2011

Same problem here - did you get anywhere with this?

mal_michael · ‎01-23-2011

Hi,

Currently we have no time to contact VMware support or investigate the issue, so we stopped using permission rules and add the permissions manually (we have only one permission to add) as part of ESXi install procedure.

But if you find the solution, please post it in the thread.

Michael.

s1m0nb · ‎01-31-2011

Have you created an AD group called "ESX Admins" -- it seems like when you join an esxi host to the domain -- and this esx admins group exists it is added by default to the local groups on the host.

Anyway worked for us -- hidden somewhere in the docs..

mal_michael · ‎02-01-2011

Did you stop to use Host Profiles' permission rules and rely on ESX to add the "ESX Admins" group by itself?

Or you have created permission rule for "ESX Admins" group and it works fine?

Anyway, we have a naming convention for AD groups and "ESX Admins" is not acceptable in our environment.

Thanks,

Michael.

AnthonyF2011101 · ‎04-12-2011

Was a resolution ever found to this problem as i'm also experiencing this on ESX 4.1

s1m0nb · ‎04-12-2011

Yes for us we simply created an ad group called esx admins - I believe the group is then added by default to the esx host

AnthonyF2011101 · ‎04-12-2011

I've created the group in my AD, with exact name including case "ESX Admins" .

But when applying my test host profile to an ESX server it fails with the error "The user or group named '<domain>\esx^admins' does not exist"

The group has existed for long enough for any replications to occur, the syntax of the error made me question if the group name should be different, but that wouldnt match the documentation, so its just weird at the moment.

s1m0nb · ‎04-12-2011

I don't believe you need to specify the group in the profile. If you just add to the domain the group is added by default

AnthonyF2011101 · ‎04-12-2011

Sorry im only providing half the story.

In my host profile, under Security Configuration -> Permission Rules -> Permission

I've specified an AD Group name, ticked the refers to a group of users box, typed "Admin" for the role name and ticked the propogate permission box.

This setting and the join the domin setting are the only 2 within this host profile and it fails to apply with the above error message.

mal_michael · ‎04-12-2011

Hi,

If you are going to use only "ESX Admins" group, you don't need to create rule in host profiles.

ESX will automatically grant permissions to that group.

Michael.

All

Host profile permission rules