tomsmig
Contributor

vMA 6.0 Active Directory user login

I've successfully joined vMA to the AD domain; however, AD users can log in to the appliance only using the local console (login: class\Administrator), but not using ssh.

Here is an example:

login as: Administrator@class.local@vma1

Welcome to SUSE Linux Enterprise Server 11 SP3 for VMware  (x86_64) - Kernel \r (\l).

Using keyboard-interactive authentication.

Password:

Access denied

Messages from /var/log/messages

2015-08-28T11:59:01+02:00 vma1 sshd[5545]: Invalid user 'class\\Administrator'@vma1 from 10.216.1.143

2015-08-28T11:59:01+02:00 vma1 sshd[5545]: input_userauth_request: invalid user 'class\\\\Administrator'@vma1 [preauth]

2015-08-28T11:59:01+02:00 vma1 sshd[5545]: Postponed keyboard-interactive for invalid user 'class\\\\Administrator'@vma1 from 10.216.1.143 port 40538 ssh2 [preauth]

2015-08-28T11:59:04+02:00 vma1 sshd[5547]: pam_unix2(sshd:auth): Unknown option: `try_first_pass'

2015-08-28T11:59:04+02:00 vma1 sshd[5547]: pam_tally2(sshd:auth): pam_get_uid; no such user

2015-08-28T11:59:08+02:00 vma1 sshd[5545]: error: PAM: User not known to the underlying authentication module for illegal user 'class\\Administrator'@vma1 from 10.216.1.143

2015-08-28T11:59:08+02:00 vma1 sshd[5545]: Failed keyboard-interactive/pam for invalid user 'class\\Administrator'@vma1 from 10.216.1.143 port 40538 ssh2

2015-08-28T11:59:08+02:00 vma1 sshd[5545]: Postponed keyboard-interactive for invalid user 'class\\\\Administrator'@vma1 from 10.216.1.143 port 40538 ssh2 [preauth]

Messages from /var/log/auth.log

2015-08-28T11:57:49+02:00 vma1 sshd[5538]: Invalid user 'class\\Administrator'@vma1 from 10.216.1.143

2015-08-28T11:57:49+02:00 vma1 sshd[5538]: Invalid user 'class\\Administrator'@vma1 from 10.216.1.143

2015-08-28T11:57:49+02:00 vma1 sshd[5538]: input_userauth_request: invalid user 'class\\\\Administrator'@vma1 [preauth]

2015-08-28T11:57:49+02:00 vma1 sshd[5538]: input_userauth_request: invalid user 'class\\\\Administrator'@vma1 [preauth]

2015-08-28T11:57:49+02:00 vma1 sshd[5538]: Postponed keyboard-interactive for invalid user 'class\\\\Administrator'@vma1 from 10.216.1.143 port 40528 ssh2 [preauth]

2015-08-28T11:57:49+02:00 vma1 sshd[5538]: Postponed keyboard-interactive for invalid user 'class\\\\Administrator'@vma1 from 10.216.1.143 port 40528 ssh2 [preauth]

2015-08-28T11:57:53+02:00 vma1 sshd[5540]: pam_unix2(sshd:auth): Unknown option: `try_first_pass'

2015-08-28T11:57:53+02:00 vma1 sshd[5540]: pam_tally2(sshd:auth): pam_get_uid; no such user

2015-08-28T11:57:57+02:00 vma1 sshd[5538]: error: PAM: User not known to the underlying authentication module for illegal user 'class\\Administrator'@vma1 from 10.216.1.143

2015-08-28T11:57:57+02:00 vma1 sshd[5538]: error: PAM: User not known to the underlying authentication module for illegal user 'class\\Administrator'@vma1 from 10.216.1.143

2015-08-28T11:57:57+02:00 vma1 sshd[5538]: Failed keyboard-interactive/pam for invalid user 'class\\Administrator'@vma1 from 10.216.1.143 port 40528 ssh2

2015-08-28T11:57:57+02:00 vma1 sshd[5538]: Failed keyboard-interactive/pam for invalid user 'class\\Administrator'@vma1 from 10.216.1.143 port 40528 ssh2

2015-08-28T11:57:57+02:00 vma1 sshd[5538]: Postponed keyboard-interactive for invalid user 'class\\\\Administrator'@vma1 from 10.216.1.143 port 40528 ssh2 [preauth]

2015-08-28T11:57:57+02:00 vma1 sshd[5538]: Postponed keyboard-interactive for invalid user 'class\\\\Administrator'@vma1 from 10.216.1.143 port 40528 ssh2 [preauth]

Already tried different combinations, all with similar results:

'class\Administrator'@vma1

class\\Administrator@vma1

class\\Administrator@vma1

Administrator@class.local

Administrator@class@vma1

Administrator/class

class/administrator

class\\Administrator@local

'class\\Administrator'@local

Accepted Solutions
VIR2AL3X
Enthusiast

tomsmig - just as akarydas2 mentioned, you need to comment out the "Allow Groups" line in the sshd_config file. This is mentioned in the original vMA 6.0 release notes. You can do this by first logging in to the vMA as the vi-admin user, and then running the following command:

sudo vim /etc/ssh/sshd_config

Once in the file, arrow down to the "Allow groups wheel" line and press letter "i" to insert and then place a "#" at the beginning of the line.  The line will turn blue when it is commented out.

To save it, press "Esc", then enter a colon ":", then type "wq" (write + quit).

Next, type: sudo reboot followed by the vi-admin password.

After the vMA has rebooted, you can SSH via PuTTY using your administrator@class.local credentials. There is no need to append "@vma1" to the end. I hope this helps!

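The edit described in the accepted answer, scripted instead of done by hand in vim (an added example, not part of the original post or the vMA release notes). The function names and the sample file are assumptions; the sample is constructed and stands in for /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example: comment out AllowGroups in an sshd_config-style file.
# Function names and the sample file are hypothetical, not from the thread.

# Print the active (uncommented) AllowGroups lines; sshd keywords are
# case-insensitive, hence grep -i.
active_allowgroups() {
    grep -i '^[[:space:]]*AllowGroups[[:space:]=]' "$1" || true
}

# Prefix every active AllowGroups line with '#'. Keeps the first backup as
# <file>.bak and is safe to run twice.
disable_allowgroups() {
    cfg=$1
    [ -e "$cfg.bak" ] || cp -p "$cfg" "$cfg.bak"
    sed 's/^\([[:space:]]*\)\([Aa][Ll][Ll][Oo][Ww][Gg][Rr][Oo][Uu][Pp][Ss][[:space:]=]\)/\1#\2/' \
        "$cfg" > "$cfg.new"
    cat "$cfg.new" > "$cfg"   # overwrite in place so owner and mode are kept
    rm -f "$cfg.new"
}

# Demo on a constructed sample standing in for /etc/ssh/sshd_config.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample, not the real vMA file
Port 22
UsePAM yes
AllowGroups wheel
EOF
echo "active before: $(active_allowgroups "$sample")"
disable_allowgroups "$sample"
echo "active after:  $(active_allowgroups "$sample")"
grep -n 'AllowGroups' "$sample"
rm -f "$sample" "$sample.bak"
```

On the appliance the target would be /etc/ssh/sshd_config (run as root), and `sshd -t` checks the edited file for syntax errors before sshd is restarted or the vMA is rebooted. With AllowGroups commented out, sshd no longer restricts SSH logins by group membership, so review which local and AD accounts are able to authenticate.
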
3 Replies
akarydas2
Enthusiast

From the release notes of the vMA version 6.0:

If you want direct SSH access to the appliance with Active Directory credentials, then comment out the AllowGroups line in the sshd_config file.

tomsmig
Contributor

Thanks, that is a good explanation.