Contributor

vMA 6.0 Active Directory user login

I've successfully joined vMA to the AD domain; however, AD users can log in to the appliance only using the local console (login: class\Administrator), not using SSH.

Here is an example:

login as: Administrator@class.local@vma1

Welcome to SUSE Linux Enterprise Server 11 SP3 for VMware  (x86_64) - Kernel \r (\l).

Using keyboard-interactive authentication.

Password:

Access denied

Messages from /var/log/messages

2015-08-28T11:59:01+02:00 vma1 sshd[5545]: Invalid user 'class\\Administrator'@vma1 from 10.216.1.143

2015-08-28T11:59:01+02:00 vma1 sshd[5545]: input_userauth_request: invalid user 'class\\\\Administrator'@vma1 [preauth]

2015-08-28T11:59:01+02:00 vma1 sshd[5545]: Postponed keyboard-interactive for invalid user 'class\\\\Administrator'@vma1 from 10.216.1.143 port 40538 ssh2 [preauth]

2015-08-28T11:59:04+02:00 vma1 sshd[5547]: pam_unix2(sshd:auth): Unknown option: `try_first_pass'

2015-08-28T11:59:04+02:00 vma1 sshd[5547]: pam_tally2(sshd:auth): pam_get_uid; no such user

2015-08-28T11:59:08+02:00 vma1 sshd[5545]: error: PAM: User not known to the underlying authentication module for illegal user 'class\\Administrator'@vma1 from 10.216.1.143

2015-08-28T11:59:08+02:00 vma1 sshd[5545]: Failed keyboard-interactive/pam for invalid user 'class\\Administrator'@vma1 from 10.216.1.143 port 40538 ssh2

2015-08-28T11:59:08+02:00 vma1 sshd[5545]: Postponed keyboard-interactive for invalid user 'class\\\\Administrator'@vma1 from 10.216.1.143 port 40538 ssh2 [preauth]

Messages from /var/log/auth.log

2015-08-28T11:57:49+02:00 vma1 sshd[5538]: Invalid user 'class\\Administrator'@vma1 from 10.216.1.143

2015-08-28T11:57:49+02:00 vma1 sshd[5538]: Invalid user 'class\\Administrator'@vma1 from 10.216.1.143

2015-08-28T11:57:49+02:00 vma1 sshd[5538]: input_userauth_request: invalid user 'class\\\\Administrator'@vma1 [preauth]

2015-08-28T11:57:49+02:00 vma1 sshd[5538]: input_userauth_request: invalid user 'class\\\\Administrator'@vma1 [preauth]

2015-08-28T11:57:49+02:00 vma1 sshd[5538]: Postponed keyboard-interactive for invalid user 'class\\\\Administrator'@vma1 from 10.216.1.143 port 40528 ssh2 [preauth]

2015-08-28T11:57:49+02:00 vma1 sshd[5538]: Postponed keyboard-interactive for invalid user 'class\\\\Administrator'@vma1 from 10.216.1.143 port 40528 ssh2 [preauth]

2015-08-28T11:57:53+02:00 vma1 sshd[5540]: pam_unix2(sshd:auth): Unknown option: `try_first_pass'

2015-08-28T11:57:53+02:00 vma1 sshd[5540]: pam_tally2(sshd:auth): pam_get_uid; no such user

2015-08-28T11:57:57+02:00 vma1 sshd[5538]: error: PAM: User not known to the underlying authentication module for illegal user 'class\\Administrator'@vma1 from 10.216.1.143

2015-08-28T11:57:57+02:00 vma1 sshd[5538]: error: PAM: User not known to the underlying authentication module for illegal user 'class\\Administrator'@vma1 from 10.216.1.143

2015-08-28T11:57:57+02:00 vma1 sshd[5538]: Failed keyboard-interactive/pam for invalid user 'class\\Administrator'@vma1 from 10.216.1.143 port 40528 ssh2

2015-08-28T11:57:57+02:00 vma1 sshd[5538]: Failed keyboard-interactive/pam for invalid user 'class\\Administrator'@vma1 from 10.216.1.143 port 40528 ssh2

2015-08-28T11:57:57+02:00 vma1 sshd[5538]: Postponed keyboard-interactive for invalid user 'class\\\\Administrator'@vma1 from 10.216.1.143 port 40528 ssh2 [preauth]

2015-08-28T11:57:57+02:00 vma1 sshd[5538]: Postponed keyboard-interactive for invalid user 'class\\\\Administrator'@vma1 from 10.216.1.143 port 40528 ssh2 [preauth]

I already tried different combinations, all with similar results:

'class\Administrator'@vma1

class\\Administrator@vma1

class\\Administrator@vma1

Administrator@class.local

Administrator@class@vma1

Administrator/class

class/administrator

class\\Administrator@local

'class\\Administrator'@local


Accepted Solutions
Enthusiast

tomsmig - just as akarydas2 mentioned, you need to comment out the "Allow Groups" line in the sshd_config file. This is mentioned in the original vMA 6.0 release notes. You can do this by first logging in to the vMA as the vi-admin user, and then running the following command:

sudo vim /etc/ssh/sshd_config

Once in the file, arrow down to the "Allow groups wheel" line, press the letter "i" to insert, and then place a "#" at the beginning of the line. The line will turn blue when it is commented out.

To save it, press "Esc", then enter a colon ":", then type "wq" (write + quit).

Next, type: sudo reboot followed by the vi-admin password.

After the vMA has rebooted, you can SSH via PuTTY using your administrator@class.local credentials. There is no need to append "@vma1" to the end. I hope this helps!
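
The edit described in this answer, as an added shell example that is not part of the original post or of vMA: it comments out the active AllowGroups directive, keeps a backup, and prints the Allow*/Deny* rules that remain, because with none left sshd admits every account that can authenticate. The function names are hypothetical.

```shell
#!/bin/sh
# Added example; active_access_rules and comment_out_allowgroups are
# hypothetical helper names, not part of vMA or OpenSSH.

# Print the active (uncommented) Allow*/Deny* directives in an sshd_config file.
# sshd keywords are case-insensitive and may be written as "Keyword=value".
active_access_rules() {
    awk 'tolower($1) ~ /^(allow|deny)(users|groups)(=.*)?$/ { print }' "$1"
}

# Comment out every active AllowGroups line in the given file.
# Returns 0 on change, 1 if there was nothing to change, 2 on error.
comment_out_allowgroups() {
    cfg="$1"
    [ -f "$cfg" ] || { echo "no such file: $cfg" >&2; return 2; }

    if ! active_access_rules "$cfg" | grep -Eiq '^[[:space:]]*allowgroups'; then
        echo "no active AllowGroups line in $cfg"
        return 1
    fi

    # Keep a copy so the group restriction can be restored later.
    cp -p "$cfg" "$cfg.bak" || return 2

    # Prefix only the AllowGroups directive with '#'; all other lines pass through.
    awk 'tolower($1) ~ /^allowgroups(=.*)?$/ { print "#" $0; next } { print }' \
        "$cfg.bak" > "$cfg" || return 2

    echo "commented out AllowGroups in $cfg (backup: $cfg.bak)"
    # Whatever is printed next still limits who may log in over SSH.
    # If nothing is printed, any account that can authenticate is admitted.
    active_access_rules "$cfg"
}
```

Run `comment_out_allowgroups /etc/ssh/sshd_config` as root, then check the file with `sshd -t` before the reboot the answer describes.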

3 Replies
Enthusiast

From the release notes of the vMA version 6.0:

If you want direct SSH access to the appliance with Active Directory credentials, then comment out the AllowGroups line in the sshd_config file.

Contributor

Thanks, that is a good explanation.