6 Replies Latest reply on Jan 14, 2012 2:56 AM by peetz

    AD Directory Services .. change default ESX Admins group

    conradsia Hot Shot

      I joined my 4.1 server to the domain, but the default group that it wants to authenticate against is "ESX Admins". I need to change that because our different divisions need to use their own groups for authentication, so we don't all have access to each other's servers.

      Has anyone figured out how to change this group?

      Also, we used to use AD authentication with the esxcfg-auth -enablead etc. commands, and I tried to do this with the enablekerberos command, but I am running into issues this way too. Authentication is successful, then I get "permission denied". Has anyone got the "old" way working with AD authentication?

      Thanks

        • 1. Re: AD Directory Services .. change default ESX Admins group
          cblomart Enthusiast

          I also had the problem and made Kerberos work:

          esxcfg-auth --enablekrb5 --krb5realm=$addomain --krb5kdc=$adserver --krb5adminserver=$adserver

          The trick is to make the users members of an authorized group/username. This is set in /etc/security/access.conf:

          cat /etc/security/access.conf

          +:root:ALL
          +:vpxuser:ALL
          +:vslauser:ALL
          -:ALL:ALL


          So I made my user a member of the root group:

          useradd -G root <user>

          It would be best to have more documentation on AD membership and to be able to set it at deployment (kickstart).

          The few commands I read about on the forum are from the RCLI:

          esxcfg-user

          vicfg-authconfig

          I suppose this is part of VMware's view of remote management... it still doesn't integrate properly with our PXE deployment tool (Altiris).

          Cédric

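Added example, not part of Cédric's reply and not VMware code: a small POSIX shell evaluator for the rule format pam_access reads from /etc/security/access.conf, so you can see why a Kerberos login that authenticates fine still ends in "permission denied", and why the useradd -G root line above changes the verdict. The rule text is a constructed copy of the default file quoted in the reply; the user, group and origin names (jdoe, domain-users, sshd) are made up. It simplifies the real module: origins are compared literally or as ALL, and the LOCAL keyword, EXCEPT lists and netgroups are not implemented.

```shell
#!/bin/sh
# Added example, not from the thread: evaluate pam_access-style rules
# (permission:users_or_groups:origins, one per line, first match wins) for a
# user, its group list and a login origin.
# Assumption/simplification: origins match literally or as ALL; the real
# module's LOCAL keyword, EXCEPT lists and netgroups are not implemented.

# Constructed copy of the default /etc/security/access.conf quoted above.
ACCESS_CONF='+:root:ALL
+:vpxuser:ALL
+:vslauser:ALL
-:ALL:ALL'

# in_list NAME "ITEM ITEM ..." -> true if NAME is listed or the list contains ALL
in_list() {
    needle=$1
    for item in $2; do
        if [ "$item" = ALL ] || [ "$item" = "$needle" ]; then
            return 0
        fi
    done
    return 1
}

# access_check USER "GROUP GROUP ..." ORIGIN -> prints allow or deny
access_check() {
    user=$1
    groups=$2
    origin=$3
    verdict=$(printf '%s\n' "$ACCESS_CONF" | while IFS=: read -r perm subjects origins; do
        case $perm in
            '#'*|'') continue ;;          # comment or blank line
        esac
        hit=0
        # the second field may name users or groups (pam_access tries both)
        if in_list "$user" "$subjects"; then hit=1; fi
        for g in $groups; do
            if in_list "$g" "$subjects"; then hit=1; fi
        done
        if [ "$hit" -eq 1 ] && in_list "$origin" "$origins"; then
            if [ "$perm" = '+' ]; then echo allow; else echo deny; fi
            break                         # first matching rule decides
        fi
    done)
    # pam_access grants access when no rule matches; the -:ALL:ALL line is what
    # turns that default into a deny.
    echo "${verdict:-allow}"
}

echo "jdoe, groups: users domain-users -> $(access_check jdoe 'users domain-users' sshd)"
echo "jdoe, groups: users root         -> $(access_check jdoe 'users root' sshd)"
echo "vpxuser, groups: vpxuser         -> $(access_check vpxuser vpxuser sshd)"
```

Because the second field is matched against both user names and group names, any group listed there works, as long as the local account that the Kerberos login maps to is a member of it; that is what `useradd -G root <user>` arranges. Swapping `+:root:ALL` for `+:esxadmins:ALL` and creating that group locally gives the same result without handing out the root group.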
          • 2. Re: AD Directory Services .. change default ESX Admins group
            conradsia Hot Shot

            Thanks for that info. Two things came about from making that change.

            1. The change is not persistent and reverts after a reboot. How did you make the change persistent?

            2. Even though I can authenticate, it is asking me to change my password and then fails to log in. Did you experience this? I've seen this happen when my password is expiring, but in this case it is not.

            I am going to open a support call and see if there is a way to change the group in AD that it wants to authenticate against, because this is ideally what I want to do. I will follow up.

            • 3. Re: AD Directory Services .. change default ESX Admins group
              cblomart Enthusiast

              As changes are not persistent, I simply made my new users members of a group that is authorized by default.

              By default the "root" group is authorized, so I made users members of this group.

              Concerning the password reset, I cannot help you directly. My first guess would be that the password complexity enforced by ESX is tighter than the one in AD. I would not rely on password changes through ESX itself. The best option would be to align the policies of ESX and AD.

              PS:

              The access.conf mentioned is the default one, so no changes are needed for it.

              Again, that's why I made users members of the root group, even if vpxuser can be considered.

              Here is what can be found on passwords through esxcfg-auth -p (I added the comments):

              PASS_MAX_DAYS   99999   # (+/- 300 years)
              PASS_MIN_DAYS   0       # (resetting new passwords is OK)
              PASS_MIN_LEN    5       # (at least 5 characters)
              PASS_WARN_AGE   7       # (warning during 1 week)

              Another default setting that might be interesting is in /etc/pam.d/system-auth:

              password        required        /lib/security/$ISA/pam_passwdqc.so          min=8,8,8,7,6 similar=deny match=0

              Meaning:

              - no similar passwords
              - min is a bit tricky (password class distinction), but basically a normal password should be 8 characters long and a strong password can be 6 characters long...

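Added example, not from the thread and not passwdqc's own code: the character-class rule behind `min=8,8,8,7,6`, written in POSIX shell so the numbers quoted above can be tried against concrete passwords. It models only the min= field as documented for pam_passwdqc (N0 to N4 apply to one, two, passphrase, three and four character classes; an upper-case first character or a digit last character earns no class credit). The passphrase rule (N2), the dictionary and word-based checks, the max= limit and similar=deny (which needs the old password) are left out, and the sample passwords are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: count character classes the way
# pam_passwdqc does and apply a min=N0,N1,N2,N3,N4 setting to a password.
# Simplification (assumption): the passphrase rule N2, dictionary checks,
# max= and similar=deny are not modelled.

# passwdqc_classes PASSWORD -> prints the number of character classes (0-4)
passwdqc_classes() {
    pw=$1
    # passwdqc gives no credit for an upper-case first character or a
    # digit last character (too common a pattern), so drop them first
    case $pw in [[:upper:]]*) pw=${pw#?} ;; esac
    case $pw in *[[:digit:]]) pw=${pw%?} ;; esac
    n=0
    if printf '%s' "$pw" | grep -q '[[:digit:]]';  then n=$((n + 1)); fi
    if printf '%s' "$pw" | grep -q '[[:lower:]]';  then n=$((n + 1)); fi
    if printf '%s' "$pw" | grep -q '[[:upper:]]';  then n=$((n + 1)); fi
    if printf '%s' "$pw" | grep -q '[^[:alnum:]]'; then n=$((n + 1)); fi
    echo "$n"
}

# passwdqc_min_ok PASSWORD "N0,N1,N2,N3,N4" -> prints pass or fail
passwdqc_min_ok() {
    pw=$1
    oldifs=$IFS; IFS=,; set -- $2; IFS=$oldifs   # $1..$5 are now N0..N4
    classes=$(passwdqc_classes "$pw")
    case $classes in
        1) need=$1 ;;
        2) need=$2 ;;
        3) need=$4 ;;
        4) need=$5 ;;
        *) need=disabled ;;                      # empty password
    esac
    if [ "$need" = disabled ] || [ "${#pw}" -lt "$need" ]; then
        echo fail
    else
        echo pass
    fi
}

SPEC='8,8,8,7,6'   # the ESX default quoted in the thread
for pw in 'abcdefgh' 'Abcdefg1' 'abc123x' 'aB1!xy' 'aB1!x'; do
    echo "$pw: $(passwdqc_classes "$pw") class(es) -> $(passwdqc_min_ok "$pw" "$SPEC")"
done
```

Note how `Abcdefg1` is scored as a single class: the leading capital and trailing digit are exactly the pattern passwdqc refuses to reward, so it needs the full N0 length, while `aB1!xy` is four classes and passes at six characters.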
              • 4. Re: AD Directory Services .. change default ESX Admins group
                conradsia Hot Shot

                So it turns out my password was set to expire on the creation date of the account (strangely), so even though the AD authentication was successful, the OS was requiring me to change my password.

                I used chage -l <username> to see my settings and also passwd -S <username>, and compared the password settings to root's.

                After I changed the max number of days to '-1' for my account, the password was set to never expire and login was successful.

                I'm going to go through my install and script again and see what could have caused that to happen. I'll also change the script to set esxcfg-auth --passmaxdays=-1.

                Thanks for your help. I still would like to change the ESX Admins group so I can add the server to the domain... waiting to hear back from VMware.

                Update: looking back in my script, I noticed I already had esxcfg-auth --passmaxdays=0, which worked in 4.0 and below, but it now needs to be set to '-1', not '0', to turn off password aging globally.
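Added example, not conradsia's script and not a VMware tool: a POSIX shell replay of the /etc/shadow ageing checks that pam_unix applies after a successful authentication, which is where "authenticated, but asked to change the password" comes from. It shows the difference between a max-days field of 0 and a disabled one that the update above describes: with 0, the password is due for change the day after the last change (the creation date, for a fresh account); with the field empty, which is what chage -M -1 writes, it never expires. The shadow lines are constructed with placeholder hashes, the day numbers are days since 1970-01-01 as in the file, and the assumption that esxcfg-auth --passmaxdays ends up in the shadow max field follows his report; the inactive-days grace period and the warning window are not modelled.

```shell
#!/bin/sh
# Added example, not from the thread: replay the /etc/shadow ageing rules
# that pam_unix evaluates after a successful authentication.
# Fields: name:hash:lastchg:min:max:warn:inact:expire:flag (days since 1970-01-01).
# Simplification (assumption): inactive-days grace and the warning window are ignored.

# shadow_state SHADOW_LINE TODAY_DAYS -> prints one of:
#   must-change | account-expired | expired | never | ok:<days left>
shadow_state() {
    today=$2
    IFS=: read -r name hash lastchg min max warn inact expire flag <<EOF
$1
EOF
    # lastchg 0 is the "password must be changed at next login" marker (chage -d 0)
    if [ "${lastchg:-0}" -eq 0 ]; then echo must-change; return 0; fi
    # a positive 8th field is an absolute account expiry day
    if [ -n "$expire" ] && [ "$expire" -gt 0 ] && [ "$today" -ge "$expire" ]; then
        echo account-expired; return 0
    fi
    # empty or negative max (chage -M -1) disables password ageing entirely
    if [ -z "$max" ] || [ "$max" -lt 0 ]; then echo never; return 0; fi
    age=$((today - lastchg))
    # pam_unix demands a new password once the age exceeds max; with max=0 that
    # is the day after the last change, which is the "expires on creation" symptom
    if [ "$age" -gt "$max" ]; then echo expired; return 0; fi
    echo "ok:$((max - age))"
}

# Constructed sample lines; the hashes are placeholders, not real credentials.
SHADOW_MAX0='adadmin:$1$saltsalt$notarealhash:15000:0:0:7:::'     # max field 0, as --passmaxdays=0 is reported to give
SHADOW_NOMAX='adadmin:$1$saltsalt$notarealhash:15000:0::7:::'     # max field empty, as --passmaxdays=-1 / chage -M -1
SHADOW_FORCED='svc:$1$saltsalt$notarealhash:0:0:99999:7:::'      # chage -d 0 style forced change

echo "max=0,  creation day (15000): $(shadow_state "$SHADOW_MAX0" 15000)"
echo "max=0,  next day     (15001): $(shadow_state "$SHADOW_MAX0" 15001)"
echo "max=-1, a year later (15365): $(shadow_state "$SHADOW_NOMAX" 15365)"
echo "lastchg=0:                    $(shadow_state "$SHADOW_FORCED" 15000)"
```

Running `chage -l <username>` on the real box gives the same fields in human-readable form; "Maximum number of days between password change" reading 0 or -1 is the value this function switches on.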

                • 5. Re: AD Directory Services .. change default ESX Admins group
                  conradsia Hot Shot

                  I'm thinking of maybe just using ssh keys instead of AD ...

                  • 6. Re: AD Directory Services .. change default ESX Admins group
                    peetz Master

                    With ESXi 5.0 this is now possible. Please see my blog post about this undocumented feature here:

                    http://v-front.blogspot.com/2012/01/undocumented-parameters-for-esxi-50.html

                    - Andreas