VMware Cloud Community
nickgcdha
Contributor

vMA 4.1 Active Directory (AD) Integration Login Restrictions

Hi,

I recently deployed the vMA 4.1 in our environment with Active Directory (AD) Integration. My question is how do I restrict login access? Any domain user can login to the vMA as it is now.

Thanks

Accepted Solutions
lamw
Community Manager

Yes, you can control this by taking a look at the Likewise configuration file located in /etc/likewise/lsassd.conf

You'll want to search for the following section and update the list which only allows certain groups or users to login, this is how you would restrict the login access to the users/groups that you want to allow:

    # Allow only the following users and groups
    # to login to this system
    #
    # Note: Use a comma-separated list of
    #       { alias, NT4 style name, SID }
    #
    # require-membership-of = ABC\support group, ABC\joe, jane, S-1-5-21-3447809367-3151979076-456401374-513

Uncomment require-membership-of and provide your comma-separated list.

=========================================================================

William Lam

VMware vExpert 2009,2010

VMware VCP3,4

VMware VCAP4-DCA

VMware scripts and resources at:

Twitter: @lamw

Getting Started with the vMA (tips/tricks)

Getting Started with the vSphere SDK for Perl

VMware Code Central - Scripts/Sample code for Developers and Administrators

VMware Developer Community

If you find this information useful, please award points for "correct" or "helpful".
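As an added example (not code from this thread, from VMware or from Likewise), the edit described above as a POSIX sh script: it replaces the commented-out require-membership-of line in a copy of lsassd.conf with an active one, shows how to read the value back, and wraps the real-file edit plus the reload command that appears later in this thread. The file path and the reload command come from the thread; the function names and the constructed sample file are mine.

```shell
#!/bin/sh
# Added example: set require-membership-of in a Likewise lsassd.conf without
# hand-editing, then reload the configuration (reload command from the thread).
set -eu

# Escape a value for the right-hand side of a sed 's|...|...|' command:
# backslash (as in DOMAIN\group), '&' and the '|' delimiter are special there.
sed_escape() {
    printf '%s' "$1" | sed 's/[\\&|]/\\&/g'
}

# set_require_membership CONF LIST
# Replace the first commented or active require-membership-of line with an
# active one carrying LIST; append one if the file has none. CONF is a
# parameter so the function can be exercised on a copy of the file.
set_require_membership() {
    conf=$1; list=$(sed_escape "$2")
    pat='^[[:space:]]*#\{0,1\}[[:space:]]*require-membership-of[[:space:]]*=.*'
    if grep -q "$pat" "$conf"; then
        sed "s|$pat|require-membership-of = $list|" "$conf" > "$conf.tmp"
    else
        { cat "$conf"; printf 'require-membership-of = %s\n' "$2"; } > "$conf.tmp"
    fi
    mv "$conf.tmp" "$conf"
}

# get_require_membership CONF: print the active (uncommented) value, if any.
get_require_membership() {
    sed -n 's/^[[:space:]]*require-membership-of[[:space:]]*=[[:space:]]*//p' "$1"
}

# apply_to_vma LIST: edit the real file (path from the thread) and reload
# lsassd without a restart; run as root or via sudo. Hypothetical helper name.
apply_to_vma() {
    set_require_membership /etc/likewise/lsassd.conf "$1"
    /opt/likewise/bin/lw-refresh-configuration
}

# Demo on a constructed copy of the commented-out stanza from the thread.
demo=$(mktemp)
printf '# require-membership-of = ABC\\support group, ABC\\joe\n' > "$demo"
set_require_membership "$demo" 'mydomain\serviceGroup, mydomain\ESX Admins'
get_require_membership "$demo"   # mydomain\serviceGroup, mydomain\ESX Admins
rm -f "$demo"
```

Backslashes in DOMAIN\group names are the usual trap when scripting this edit, which is why the value is escaped before it reaches sed.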

11 Replies
nickgcdha
Contributor

Thank you! I had a hard time trying to find any information on this...

mobychien
Contributor

In my environment, I found only users with Domain Admin or Administrators group privileges can log onto the vMA.

Is this true?

nickgcdha
Contributor

I used a test domain account and it was able to log in to the vMA; it does not have rights, but it is still able to log in. I followed the steps in the lsassd.conf file but I am having issues.

domain\user works

vi-admin works

domain\group does not work

Not sure why, anyone?

mobychien
Contributor

So far on my vMA, I can only use users with Domain Admin or Administrators privilege to log onto the vMA.

Even if I modify the /etc/likewise/lsassd.conf file and add the following line:

require-membership-of = Administrator, mydomain\serviceGroup, mydomain\ESX^Admins

Restarting the service, I still can't get any accounts in the "serviceGroup" or the "ESX Admins" group to log on successfully.

Does anyone have similar problems and solutions?

RLsh
Contributor

Hey mobychien,

Did you mean Administrator as a local user? I didn't see a domain name before it.

Try to leave only mydomain\serviceGroup without the other groups.

BTW, for mydomain\ESX^Admins you shouldn't write the ^; it works fine without it: "mydomain\ESX Admins"

lamw
Community Manager

I can confirm this works on individual users. I don't have a group to test with, but you may want to take a look at the logs while performing the logins.

I basically added only 1 user to the access list and tried to log in with another user; you should see something like this in the logs:

Oct 20 07:31:39 tancredi lsassd[2048]: 0x4571f940:Error: User [primp] not in restricted login list
Oct 20 07:31:45 tancredi lsassd[2048]: 0x49325940:KRB5 Error at krbtgt.c:130: [Code:-1765328360] [Message: Preauthentication failed]
Oct 20 07:31:45 tancredi lsassd[2048]: 0x49325940:Failed authenticate user [primp] [code 32789]

You should set up another SSH session and run the command:

tail -f /var/log/messages

With regards to restarting the service, that is unnecessary and may not work actually. You just need to reload the configuration by running:

sudo /opt/likewise/bin/lw-refresh-configuration

I also have other tips/tricks on using Likewise here on my blog that may also be of help - http://www.virtuallyghetto.com/2010/06/how-to-configure-likewise-open-ad.html

mobychien
Contributor

Yes, I have the following line in /etc/likewise/lsassd.conf:

require-membership-of = mydomain\serviceGroup

I ran the "sudo /opt/likewise/bin/lw-refresh-configuration" command,

then added the user to the serviceGroup, tried to log onto the vMA, and it failed.

I checked the error log using

sudo tail -20 /var/log/messages

and got these error messages:

Oct 21 13:29:12 myvma lsassd[2074]: 0x4485d940:User S-1-5-21-313401996-1908442290-172059434-1113 has an invalid value for the userAccountControl attribute. Please check that it is set and that the machine account has permission to read it.

Oct 21 13:29:12 myvma lsassd[2074]: 0x47061940:User S-1-5-21-313401996-1908442290-172059434-1113 has an invalid value for the userAccountControl attribute. Please check that it is set and that the machine account has permission to read it.

However, I could use any of the user accounts in the Domain Admin or Administrators groups, to log onto the vMA.

RobMokkink
Expert

I configured /etc/ssh/sshd_config to only allow certain groups to log in; it works perfectly.

AllowGroups

mobychien
Contributor

Thanks for the suggestions.

But we are still trying to figure out why a normal user account can't log onto the vMA in our case.
