VMware Cloud Community
dougdavis22
Hot Shot

ESX 4.1 Authentication Services

Just installed a 4.1 (full-fat) host & joined it to a domain using the new Authentication Services options.

Am I correct in understanding that this does not replace the need to configure AD authentication for the Service Console as before? It looks like this just allows for access to be granted to the host via the VI Client for AD users, rather than being able to configure AD users to have access to the Service Console - am I correct?

Not worried if that is the case, just need to understand if my build scripts need to change in this regard.

Cheers,

Doug.

billhill
Enthusiast

Hi Doug,

The Active Directory authentication service in 4.1 is actually used for any authentication to the ESX host. This includes local console, local tech support, remote tech support (SSH access), scripts/APIs, and vSphere Client.

The ESX host will look for an AD group called 'ESX Admin'. Any AD user in that group will have full administrator access to the host via the methods above. You can create other groups in the Domain and assign rights to that group... in the event that you want more granular security.

Is that what you are looking for?

~Bill

kac2
Expert

dougdavis22
Hot Shot

Thanks guys.

My next question then is this - how do I set up AD authentication like this as part of my kickstart script? esxcfg-auth doesn't seem to have any options to join a domain, but I notice that vicfg-authconfig on the vCLI does.

Help!?!?

Cheers,

Doug.

lamw
Community Manager

I did not see any local commands on the host either, you would need to use either the vSphere Client or vCLI's esxcfg-authconfig to join a host to AD.

However, the way AD integration is currently being handled is using Likewise's Open software which is included in both ESX and ESXi. You could go in and edit the appropriate files to get AD auth working but I'm not sure what files you'll need to mess with. You'll want to take a look at the host before it joins AD and check out /etc/likewise/ which is where all the Likewise configuration files are located at and figure out what daemons need to run. Then manually join your host to AD and see what has changed, I know there's going to be few files you'll need to edit which may require some trial/error

=========================================================================

William Lam

VMware vExpert 2009,2010

VMware scripts and resources at:

Twitter: @lamw

Getting Started with the vMA (tips/tricks)

Getting Started with the vSphere SDK for Perl

VMware Code Central - Scripts/Sample code for Developers and Administrators

VMware Developer Community

If you find this information useful, please award points for "correct" or "helpful".

billhill
Enthusiast

Hi Doug,

I would suggest placing the code in a %POST section of your script.

Specifically, the following should work:

vicfg-authconfig --server=

This is care of: KB 1021970

The KB article lists a couple other commands that may be nice to know about for troubleshooting. Specifically, 'esxcfg-authonfig -a' and 'lw-lsa get-status'.

~Bill

lamw
Community Manager

Bill,

That is a vCLI command which is NOT the same command available on the ESX/ESXi host. This would not allow you to automate this via a kickstart script which is what the initial question was asking.

A) Figure out what files or daemons to launch to get it built into the kickstart

OR

B) Use vCLI/vMA/PowerCLI to run post configurations on a separate management host to join the host to AD

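As an added example of William's option B above (not code from this thread or from VMware), the following POSIX sh script runs from a vMA or any other vCLI host after each build, joins the newly kickstarted ESX 4.1 hosts to AD with vicfg-authconfig, and checks the result. The flags used (--server, --authscheme, --joindomain, --adusername, --adpassword, --currentdomain) are the ones documented for the vSphere CLI 4.1 vicfg-authconfig; the function names, the host list, the domain and the join account are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from this thread or from VMware: a post-build step run
# from a vMA (or any vCLI host) that joins newly built ESX 4.1 hosts to AD with
# vicfg-authconfig and confirms the join. The flags are those of the vSphere CLI
# 4.1 vicfg-authconfig; function names, hosts, domain and account are mine.

HOSTS="esx01.example.com esx02.example.com"   # constructed host list
AD_DOMAIN="corp.example.com"                  # constructed domain
AD_USER="svc-esxjoin"   # dedicated account delegated only the right to join computers

# Build the join command for one host, without the password, so the same
# string can be logged or printed in dry-run mode.
join_cmd() {
  printf 'vicfg-authconfig --server=%s --authscheme AD --joindomain %s --adusername %s' \
    "$1" "$AD_DOMAIN" "$AD_USER"
}

# Build the command that reports the domain the host currently belongs to.
status_cmd() {
  printf 'vicfg-authconfig --server=%s --currentdomain' "$1"
}

# Decide from the --currentdomain output whether the host is in the expected
# domain. A case-insensitive substring match is used because AD domain names
# are case-insensitive and the exact layout of the tool's output is not relied on.
joined_ok() {
  printf '%s' "$1" | grep -qiF -- "$2"
}

# Join one host. The AD password is taken from the environment at run time and
# is never written into the script, the build tree or the dry-run output. Note
# that --adpassword is still visible in the process list on the management host
# while the command runs, which is why AD_USER should be a narrowly delegated
# account rather than a domain admin.
join_host() {
  if [ -n "$DRY_RUN" ]; then
    echo "DRY: $(join_cmd "$1") --adpassword ********"
    return 0
  fi
  # Word-splitting of the unquoted command string is intended here; none of
  # the arguments contain whitespace.
  $(join_cmd "$1") --adpassword "$AD_PASSWORD"
}

# Report the host's current domain (empty in dry-run mode).
current_domain() {
  if [ -n "$DRY_RUN" ]; then echo ""; return 0; fi
  $(status_cmd "$1")
}

main() {
  [ -n "$DRY_RUN" ] || : "${AD_PASSWORD:?set AD_PASSWORD in the environment}"
  for h in $HOSTS; do
    if ! join_host "$h"; then
      echo "$h: join failed" >&2
      continue
    fi
    if joined_ok "$(current_domain "$h")" "$AD_DOMAIN"; then
      echo "$h: joined $AD_DOMAIN"
    else
      echo "$h: not joined (domain check failed)" >&2
    fi
  done
}

# Usage:  AD_PASSWORD=... sh join-ad.sh run      (or DRY_RUN=1 sh join-ad.sh run)
if [ "${1:-}" = run ]; then main; fi
```

The join itself is the only step vicfg-authconfig covers; granting an AD group administrator rights on the host (Doug's follow-up question) is a separate permissions operation and is not attempted here.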
dougdavis22
Hot Shot

William,

Using the vCLI seems like a reasonable way to do this. I've just been trying it & can get the host to join the domain without a problem. But, how can I then assign administrator permissions on the host to a domain-based group so that I can then SSH to the host using a domain account?

I don't think vicfg-user covers it, but may be wrong.

Cheers,

Doug.

lamw
Community Manager

Take a look at this blog article http://technodrone.blogspot.com/2010/07/esxi-41-active-directory-integration.html for your answer, you'll need to do a few more things before that'll work .... at least on the AD side of things. I know this is also detailed in the documentation which is also worth checking out if you have not already.

dougdavis22
Hot Shot

Thanks William.

That post has no more information about resolving my issue - I can easily login to the host using the vSphere Client & set permissions for an AD group which then allows SSH access for members of it, but I need to be able to do that from the vCLI otherwise I may as well make the authentication service setup a manual task at the end of each build.

I'm really surprised that this isn't more self-explanatory or at least properly documented.

lamw
Community Manager

So if the question is around setting up the permissions, you'll need to look at using esxcfg-user, not sure if you can do it using the default canned script. Anything you can do using the vSphere Client can be scripted, there just may not be a script out there that does the exact task.

cblomart
Enthusiast

I had the same issue:

Configuring AD membership in kickstart.... but no luck

I am also surprised that the good old "esxcfg-auth --enablead" has been deprecated... I didn't find any change notice of this... and reclaimed more documentation on this from our VMware support without luck... The least to say is that documentation is scarce...

I was really "excited" to use the Likewise module but fell back to using Kerberos "--enablekrb5" instead of the original "--enablead".

...Still have some issues with "/etc/security/access.conf" that doesn't want to change properly ;-

Ced

RobMokkink
Expert

Can you see VMware is pushing ESXi very hard at the moment. I configured the ESX servers for AD authentication, but if you have a very large environment, with 50k of users in AD, you don't want your ESX servers to be scanning for the "ESX admin" group.

I think we will go for ESXi, because kickstart is now also supported.
