hi, guys:
I have just installed a new vCenter 4.1 with 1 ESXi 4.0u2 and 1 ESXi 4.1.
I have downloaded vMA 4.1 and tried to use AD auth to connect to vCenter.
I have joined the vMA into domain and restarted vMA.
However, when I tried to add vCenter with --authpolicy adauth, it asked me to type in username for vCenter server.
I typed mydomain
myaccount
It gave me Error: Failed to add users
Can you tell me why?
Thanks a lot
- Silver
My Vmware blog: http://geeksilverblog.com
sorry, it seems I can't type slash slash in this form.
I followed the vMA 4.1 docs and typed MYDOMAIN\\myusername
- Silver
If you look in /var/log/vmware/vma/vifpd.log you'll probably see an entry that says the following:
[2010-07-20 09:16:20.527 429C0940 info 'App'] command-> 1
[2010-07-20 09:16:20.528 4091D940 info 'App'] ADDSERVER
[2010-07-20 09:16:20.528 429C0940 info 'App'] MessageQueue::RecvMessage - Queue id is 0
[2010-07-20 09:16:20.539 4091D940 info 'App'] Already connected.
[2010-07-20 09:16:20.540 4091D940 error 'App'] addserver: Error occured while adding users for reflex.primp-industries.com ..rolling back. User PRIMP-INDUSTRIES.COM\primp does not exist.
For whatever reason, it's unable to locate the user in the domain. However, if I do something like "id ", I can verify that it does see the user. I can also verify by running lw-find-user-by-name:
[vi-admin@tancredi bin]$ ./lw-find-user-by-name primp
User info (Level-0):
====================
Name:     primp
SID:      S-1-5-21-503341760-968948550-2164105906-1105
Uid:      1058014289
Gid:      1058013696
Gecos:    primp primp
Shell:    /bin/bash
Home dir: /home/local/PRIMP-IND/primp
Might be another bug in vMA 4.1 ....
=========================================================================
William Lam
VMware vExpert 2009,2010
VMware scripts and resources at:
Getting Started with the vMA (tips/tricks)
Getting Started with the vSphere SDK for Perl
VMware Code Central - Scripts/Sample code for Developers and Administrators
If you find this information useful, please award points for "correct" or "helpful".
Okay, I got it working, and you may be running into the issue due to a few potential reasons.
1) After joining vMA to AD, you must reboot ... this was my issue
2) You only need to use the "2 slashes" if you specify --username from the CLI, as the first "slash" needs to be escaped; you only need "1 slash" if you're being prompted.
3) You're specifying the incorrect user and/or domain
For issue #2, you will need to do one of the following:
a)
[vi-admin@tancredi ~]$ sudo vifp addserver reflex.primp-industries.com --authpolicy adauth --username PRIMP-IND\\primp
b)
[vi-admin@tancredi ~]$ sudo vifp addserver reflex.primp-industries.com --authpolicy adauth
Enter username for reflex.primp-industries.com: PRIMP-IND\primp
For issue #3, you may be providing the wrong username and/or domain. The easiest way to figure this out is to use Likewise's lw-find-user-by-name command:
[vi-admin@tancredi ~]$ /opt/likewise/bin/lw-find-user-by-name primp
User info (Level-0):
====================
Name:     primp
SID:      S-1-5-21-503341760-968948550-2164105906-1105
Uid:      1058014289
Gid:      1058013696
Gecos:    primp primp
Shell:    /bin/bash
Home dir: /home/local/PRIMP-IND/primp
The full username including domain that you must use is PRIMP-IND/primp, as seen in the Home dir setting. You will need to substitute whatever username you're trying to query and ensure that it matches up before providing it as "adauth" to vifp.
Hopefully this helps
- William Lam
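An added example (not from the thread, and not VMware's or William's code) of the two checks above: recover the DOMAIN\user string from lw-find-user-by-name output the way William reads it off the Home dir line, then confirm that a backslash actually reached the program, which is the whole difference between spellings a) and b). The Likewise listing is constructed from the one posted above; the /home/local/<DOMAIN>/<user> layout is an assumption taken from that listing.

```shell
#!/bin/sh
# Added example, not from the thread: recover DOMAIN\user from Likewise output and
# check that the backslash survived the shell before handing it to vifp.

# Constructed sample in the layout lw-find-user-by-name printed in the thread.
LW_SAMPLE='User info (Level-0):
====================
Name:     primp
SID:      S-1-5-21-503341760-968948550-2164105906-1105
Uid:      1058014289
Gid:      1058013696
Gecos:    primp primp
Shell:    /bin/bash
Home dir: /home/local/PRIMP-IND/primp'

# lw_domain_user: read lw-find-user-by-name output on stdin and print DOMAIN\user.
# Likewise placed the home directory at /home/local/<DOMAIN>/<user> (assumption
# drawn from the thread's listing), so the last two path components are the
# NetBIOS domain and the account name. Exits 1 when no Home dir line is present,
# i.e. the lookup failed and the user is not resolvable on this box.
lw_domain_user() {
    awk '
        /^Home dir:/ {
            n = split($3, p, "/")
            if (n >= 2) { printf "%s\\%s\n", p[n-1], p[n]; found = 1 }
        }
        END { exit found ? 0 : 1 }
    '
}

# check_domain_user STRING: accept only DOMAIN\user with exactly one backslash and
# non-empty halves. Unquoted on a bash command line, PRIMP-IND\primp arrives as
# PRIMP-INDprimp because the shell consumes the backslash, which is why William
# says to type \\ with --username but a single \ at the interactive prompt, where
# no shell sits between you and vifp.
check_domain_user() {
    case "$1" in
        ""|\\*|*\\|*\\*\\*)
            printf 'rejected (need exactly DOMAIN\\user): %s\n' "$1" >&2; return 1 ;;
        *\\*)
            printf 'ok: %s\n' "$1"; return 0 ;;
        *)
            printf 'no backslash reached the program, the shell ate it: %s\n' "$1" >&2; return 1 ;;
    esac
}

dom_user=$(printf '%s\n' "$LW_SAMPLE" | lw_domain_user)
check_domain_user "$dom_user"          # ok: PRIMP-IND\primp

# The three spellings from the thread, as bash actually passes them on:
for spelling in PRIMP-IND\primp PRIMP-IND\\primp 'PRIMP-IND\primp'; do
    check_domain_user "$spelling" || :
done
```

Run it on vMA by replacing the constructed sample with `/opt/likewise/bin/lw-find-user-by-name <user> | lw_domain_user`; an empty result means the appliance cannot resolve the account at all, and no amount of slash juggling in vifp will fix that.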
Hey guys, I think I'm having the same sort of issue.
1.) I downloaded and installed VMA
2.) I joined it to the domain, rebooted and then verified it with "sudo domainjoin-cli query"
3.) Logged in as vi-admin, I issue "vifp addserver fqdn-vcenterserver --authpolicy adauth"
4.) When prompted for the username, I get "Error: failed to add users" for any of the following responses: DOMAIN\username (with 2 slashes, but this forum breaks that), DOMAIN/username, or simply username
5.) When I enter DOMAIN\username, I don't get prompted for the password.
Any ideas?
If you take a look at my previous post, you'll realize there is a typo in VMware's documentation and I mentioned what you need to use in terms of the "slashes" that are required.
If you added your vCenter server and waited for the username prompt, the proper syntax is "DOMAIN\username", and if you get no output after the command, it means it was successful. You can easily validate that by listing all your fastpass targets; you'll notice there are two types: fpauth, which is fastpass auth using the normal credentials, and adauth, which is using AD.
To do so, run:
[vi-admin@tancredi ~]$ vifp listservers -l
esx4-1.primp-industries.com   ESX      fpauth
manaslu.primp-industries.com  vCenter  fpauth
esxi4-3.primp-industries.com  ESXi     fpauth
reflex.primp-industries.com   vCenter  adauth
You can see the very last entry was added using adauth
Hopefully this clears up any confusion.
- William Lam
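An added example (not William's or VMware's code) of the validation step above: read `vifp listservers -l` output and report which targets were added under which policy. The listing is constructed from the one posted above. The note column records the practical difference between the two policies: an fpauth target has a credential kept in vMA's local vi-fastpass credential store, while an adauth target holds none and rides on the AD logon of whoever is using vMA, which is also why adding an adauth target asks for a username but no password.

```shell
#!/bin/sh
# Added example, not from the thread: summarize `vifp listservers -l` output and
# flag which targets leave a stored credential on the appliance.

# Constructed sample matching the listing William posted.
LISTSERVERS_SAMPLE='esx4-1.primp-industries.com ESX fpauth
manaslu.primp-industries.com vCenter fpauth
esxi4-3.primp-industries.com ESXi fpauth
reflex.primp-industries.com vCenter adauth'

# targets_with_policy POLICY: print the target names using that policy, one per
# line, reading listservers output on stdin. Lines that are not "name type policy"
# are ignored so a stray header or blank line does not produce a false target.
targets_with_policy() {
    awk -v want="$1" 'NF == 3 && $3 == want { print $1 }'
}

# count_policy POLICY: number of targets using that policy.
count_policy() {
    targets_with_policy "$1" | wc -l | tr -d ' '
}

# audit_targets: one line per target with the consequence of its policy.
# fpauth keeps a credential for the target in vMA's vi-fastpass store, so each
# such line is a secret living on this appliance; adauth stores nothing and
# relies on the rights of the AD user who is logged in to vMA.
audit_targets() {
    awk 'NF == 3 {
        if ($3 == "adauth") note = "no stored credential, uses the AD logon"
        else if ($3 == "fpauth") note = "credential stored on vMA"
        else note = "unknown policy"
        printf "%-30s %-8s %-7s %s\n", $1, $2, $3, note
    }'
}

printf '%s\n' "$LISTSERVERS_SAMPLE" | audit_targets
printf 'fpauth targets: %s, adauth targets: %s\n' \
    "$(printf '%s\n' "$LISTSERVERS_SAMPLE" | count_policy fpauth)" \
    "$(printf '%s\n' "$LISTSERVERS_SAMPLE" | count_policy adauth)"
```

On a real appliance, feed `vifp listservers -l | audit_targets`; every fpauth line is a reason to treat the vMA VM as a credential-bearing host when you decide who may log in to it.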
Yes, thank you William, that does clear up a bit of confusion. After it's been added, is the expected behavior that I should be able to log in to vMA using my domain credentials and run vicfg commands against specific hosts without having to reauthenticate each time?
When I log in using my domain credentials (which have full admin access in vCenter) and attempt to run a command like vicfg-nics -l --vihost esxhostname, I get prompted for a username and password. Entering DOMAIN\username and password gets me "Error connecting to server at 'https://localhost/sdk/webService': Connection refused"
I guess I just want to make sure that it's not working correctly, and not that I have different expectations.
Thanks so much for your help.
Yes, I have the exact same trouble as Damina mentioned above.
I hadn't touched the server overnight. When I tried to log in again this morning, I saw the following response.
$ vifp addserver myvCenter.mydomain.com --authpolicy adauth
Enter username for myvCenter.mydomain.com: mydomain\myusername
That's it. The screen finished without even asking me to type in a password.
If you do a listservers, you will see the vCenter server is there.
Then, I tried to run vicfg-nics -l, and I got the following.
Enter username: root
Enter password:
Error connecting to server at 'https://localhost/sdk/webService': Connection refused
I tried to remove vCenter from the list and reboot vMA. Nothing works.
Can you explain why it happens?
- Silver
If I may, I would like to add some interesting facts.
I tried the "id" command; I was logged in as vi-admin, so it shows vi-admin.
Then, I tried to use /opt/likewise/bin/lw-find-user-by-name myusername
It says failed to locate user. No such user.
Then, I logged off and logged on as mydomain\myusername, and I successfully logged in. (Does this prove I have added vMA to the domain successfully?)
I also double-checked my domain and I can see my vMA machine account.
But my domain account doesn't allow me to use vifp, and when I use /opt/likewise/bin/lw-find-user-by-name myusername to look for my domain user again, I get the same failed to locate user. No such user.
If I recall, I encountered the following when I tried to join my vMA to the domain.
I got
Warning: Unknown pam module.
The likewise PAM module cannot be configured for the wbem service. This service uses the '$ISA/pam_unix.so' module, which is not in this
program's list of known modules. Please email Likewise technical support and include a copy of /etc/pam.conf or /etc/pam.d
Warning: A resumable error occurred while processing a module.
Even though the configuration of 'pam' was executed, the configuration did not fully complete. Please contact Likewise support.
SUCCESS.
If I use sudo domainjoin-cli query, it shows everything correctly.
Was my domain join a success or a failure? Why can't I search for my domain account?
- Silver
Did you actually initialize and set your fastpass target? The only reason you would see this error:
"https://localhost/sdk/webService': Connection refused"
is that the script is trying to connect locally, which is not correct, as localhost is neither a vCenter nor an ESX(i) target.
To initialize the target in question, which is your vCenter host, you need to do the following:
[vi-admin@tancredi ~]$ vifptarget -s reflex.primp-industries.com
[vi-admin@tancredi ~][reflex.primp-industries.com]$ esxcfg-nics -l --vihost himalaya.primp-industries.com
Name    PCI      Driver  Link  Speed     Duplex  MAC Address        MTU   Description
vmnic0  06:00.0  e1000e  Up    1000Mbps  Full    00:30:48:d9:58:6a  1500  Intel Corporation 82574L Gigabit Network Connection
vmnic1  07:00.0  e1000e  Down  0Mbps     Half    00:30:48:d9:58:6b  1500  Intel Corporation 82574L Gigabit Network Connection
- William Lam
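An added guard (example code, not from the thread and not VMware's) for the failure William diagnoses here. Assumption: vifptarget -s exports VI_SERVER, the variable the vSphere SDK for Perl reads to find its target; when it is unset the SDK falls back to localhost, and vMA, which hosts no vCenter, refuses the connection with exactly the error quoted above. The wrapper refuses to run anything until a real target is active, and the demonstration substitutes echo for vicfg-nics so it runs offline.

```shell
#!/bin/sh
# Added example, not from the thread: refuse to run a vCLI command until a
# fastpass target is active. Assumption: vifptarget -s exports VI_SERVER, which
# the vSphere SDK for Perl reads; unset, the SDK defaults to localhost and vMA
# answers "Connection refused" because nothing listens there.

# target_is_active: true only when VI_SERVER names something other than this box.
target_is_active() {
    case "${VI_SERVER:-}" in
        ""|localhost|127.0.0.1|::1) return 1 ;;
        *) return 0 ;;
    esac
}

# with_target CMD ARG...: run CMD against the active target, or explain what to
# set first instead of letting the SDK fail against https://localhost/sdk/webService.
with_target() {
    if ! target_is_active; then
        printf 'no fastpass target active (VI_SERVER=%s); run: vifptarget -s <vcenter-fqdn>\n' \
            "${VI_SERVER:-unset}" >&2
        return 2
    fi
    "$@"
}

# Demonstration with echo standing in for vicfg-nics so this runs anywhere:
unset VI_SERVER
with_target echo vicfg-nics -l --vihost himalaya.primp-industries.com || :
VI_SERVER=reflex.primp-industries.com
export VI_SERVER
with_target echo vicfg-nics -l --vihost himalaya.primp-industries.com
```

Drop the two functions into vi-admin's shell profile and alias the vicfg/esxcfg commands through with_target; a "Connection refused" from localhost then turns into a message naming the missing step rather than a credential prompt that can never succeed.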
Please take a look at my previous response; you are in the same boat. You did not activate the fastpass target, and the script by default will try to connect to localhost, which is not what you want.
Also, as I mentioned, to verify that you added a target successfully to vMA you need to use "vifp listservers", and to see what authentication policy was used, you'll want to use the -l flag:
[vi-admin@tancredi ~]$ vifp listservers -l
esx4-1.primp-industries.com   ESX      fpauth
esxi4-3.primp-industries.com  ESXi     fpauth
manaslu.primp-industries.com  vCenter  fpauth
reflex.primp-industries.com   vCenter  adauth
It's worthwhile to check out the vMA documentation, which provides you with all this information.
- William Lam
Here is a more detailed post regarding fpauth & adauth - http://www.virtuallyghetto.com/2010/07/vma-41-authentication-policy-fpauth-vs.html
- William Lam
William, seriously, thanks for your help. I don't know if I'm just too dense lately or what, but I swear that VMA documentation was giving me fits. Your blog post, on the other hand, was much clearer -- thank you for that! I've subscribed to it, BTW. There's some really good stuff in there.
On to the topic at hand -- I killed the installation of VMA that I had yesterday, removed it from the domain, etc -- then I deployed a fresh copy and set it up, joined to the domain, etc.
Following your blog for the AD integration steps:
1.) Logged in as vi-admin and added the vCenter target using my AD credentials (I'm a domain admin and have full admin rights in vCenter)
2.) Verified the target was setup using adauth
3.) Opened up another Putty session and logged into VMA using my AD credentials
4.) Set the fastpass target to the newly added vCenter
5.) Did an esxcfg-nics -l --vihost esxserver (using the name of one of my primary ESX 4.0 hosts), and I was prompted for a username
After entering my username and password, the command worked, but I get prompted for username and pass for every command after that. Based on your blog, I don't believe that this is expected behavior.
The expected behavior is what is stated on my blog.
A few things to consider: ensure you do perform a reboot of your vMA host after you join the domain and before you add new targets. When you're removing the target from AD, ensure you actually delete the object from your AD server if it has not been already. Also make sure the name of the ESX(i) host is the same name as shown in vCenter server; if you added the host using its FQDN, then you need to specify the FQDN to --vihost.
- William Lam
hi,guys:
I'm having the exact same issues as damiankarlson has. I always get prompted for username and password when I try to run
vmware-cmd -l --vihost esxhost.domain.com
Strangely enough, when I tried to add vCenter to the server list, the system only asked for a username but not a password.
$ vifp addserver vcenter.mydomain.com --authpolicy adauth
Enter username for vcenter.mydomain.com: domain\myusername
For some reason, I don't think vMA passes the credential successfully, since it doesn't store a password for adauth in the local store.
- Silver
Are you sure you followed the instructions as listed?
The reason it's not asking you for the password when you add the target using adauth is that the vMA host has been joined to the domain, and if you log on with a user that has the permissions to connect to one of these adauth hosts, it will use those credentials and do a straight passthrough. Hence, you just need to use a valid AD account that has the permissions to connect to your vCenter. Then you just log in to vMA authenticating with that user, set the proper target, and you should be able to run the command as I've shown in my blog post without being prompted for additional credentials.
- William Lam
hi, William:
Yes, I am using a domain admin account to log in to vMA without issue. Then, I tried to run a command against one of the hosts. Regardless of whether I use fpauth or adauth to access vCenter, I always end up with a prompt for username and password. Once I pass this authentication for vCenter, I can get the host information.
Unless there was issue when I joined vMA to domain. As you can see from previous post, there are few warnings before SUCCESS. Are those warning related?
Thanks a lot, William
- Silver
If you read my blog carefully, you'll notice that I've demonstrated both fpauth and adauth, and adauth works as expected for me. I would recommend that you remove your vMA host from your AD host, ensure it's been deleted, and start over, ensuring you follow all the necessary steps. Note in my example I use "Administrator" to join vMA to my AD domain and used "primp", which is a valid user that is allowed to connect to our vCenter.
- William Lam
hi, Guys:
I got Vmware support on the phone. After chatting with them, I believe "everytime you use --vihost, you are required to type in username and password".
That explains a lot.
If you want to really use AD authentication, you need to join vCenter (of course) and ESX(i) into domain.
Then, you need to target the right server and if all servers joined the domain, you should be able to run the command.
That's on theory. I'm still testing it.
- Silver
If you want to really use AD authentication, you need to join vCenter (of course) and ESX(i) into domain.
Yes, that's the whole point. I assumed your vCenter is part of your AD domain. Your ESX(i) hosts don't have to be, unless you plan on AD passthrough to the hosts individually; in that case, you'll need to have them joined to AD.
- William Lam