I'm setting up PAM authentication on one of our servers. When I go to do the useradd in the Service Console I get the error message "invalid user name". Our AD user accounts are all numbers, i.e. 123456; my guess is Linux does not allow this. Is there any other way to map a user account from Linux to AD for PAM to work?
Eric,
If you are connecting to AD then do not specify a specific DC or server. Just specify the domain:
o esxcfg-auth --enablead --addomain=addomain.com --addc=addomain.com --krb5realm=addomain.com --krb5kdc=addomain.com --krb5adminserver=addomain.com
DNS will point the ESX server to the correct place.
Hello,
You are correct, useradd does not like accounts that start with numbers; however, it is possible to use them once they are in the system. What steps are you using to integrate AD and ESX together?
Did you use:
esxcfg-auth --enablead --addomain=DOMAIN --addc=CONTROLLER
If you just do the above then that is only part of the full answer.
Where do the users' home directories live? Are ACLs involved? Have you added the host as a domain client, etc.? In general, for any remote authentication scheme, the local Linux account often has to exist; there are ways around that as well.
Best regards,
Edward
Thanks for the reply. I have PAM authentication configured and working on ESX; I created a test account without all numbers for this. The problem is I simply can't create a Linux user to match my AD user accounts since they are all numbers. I even tried creating a user with useradd and then editing the passwd file with the all-number username, with no success. I documented the procedure below as I did it...
Login to service console
If you're adding a user that does not exist in the Service Console you must first add it. Linux user accounts are stored in the /etc/passwd file; you can open this file with nano to see all the accounts that have been created. Alternately you can load the VI Client, connect directly to the ESX server and click the Users & Groups tab to see user accounts.
To add an account, type useradd. The username must match the sAMAccountName of the AD user. Alternately you can add the user using the VI Client by clicking Add in the Users view.
Next you need to enable PAM authentication in ESX; you use the esxcfg-auth command for this, like below:
o esxcfg-auth --enablead --addomain=addomain.com --addc=dcname.addomain.com --krb5realm=addomain.com --krb5kdc=dcname.addomain.com --krb5adminserver=dcname.addomain.com
o --enablead enables Active Directory authentication
o --addomain sets the Active Directory domain
o --addc sets the Active Directory domain controller; use this multiple times to add domain controllers for redundancy
o --krb5realm sets the Kerberos realm (AD domain)
o --krb5kdc sets the Kerberos Key Distribution Center (domain controller)
o --krb5adminserver sets the Kerberos admin server (domain controller)
This takes effect immediately; log back in to the console and you should be able to use your AD password for that account. If you run into difficulty you can check the /var/log/messages file for errors. Also ensure that your ESX server can resolve the FQDN of the AD server you entered above.
If you plan on logging in using the VI client directly to the ESX server you will first need to click on the Permissions tab in the VI Client and add a permission for the user.
If you wish to disable this, type esxcfg-auth --disablead. esxcfg-auth writes the configuration information to various files including /etc/krb5.conf.
Is it possible to modify the Kerberos config on the service console to not use the sAMAccountName field in AD and instead use an alternate field?
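The procedure above says to check /var/log/messages when a login fails. The following script is an added example, not part of this thread or of VMware's tooling: it summarises pam_krb5 failures per user and lists the distinct Kerberos errors, so that a wrong password can be told apart from a host-level problem (DNS, KDC, ASN.1/encoding). The log lines are constructed to match the pam_krb5 message format; hostnames, users and PIDs are invented.

```shell
#!/bin/sh
# Added example, not part of the thread: triage pam_krb5 failures in
# /var/log/messages after esxcfg-auth --enablead.  The log below is
# constructed, modelled on the pam_krb5 message format; the hostnames,
# users and PIDs are invented.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
Apr 24 11:28:51 esx sshd[14899]: pam_krb5: authenticate error: ASN.1 encoding ended unexpectedly (1859794437)
Apr 24 11:28:51 esx sshd[14899]: pam_krb5: authentication fails for `xxx'
Apr 24 11:30:02 esx sshd[14920]: pam_krb5: authenticate error: Cannot resolve network address for KDC in requested realm (-1765328164)
Apr 24 11:30:02 esx sshd[14920]: pam_krb5: authentication fails for `123456'
Apr 24 11:31:17 esx sshd[14951]: pam_krb5: authentication succeeds for `123456' (123456@ADDOMAIN.COM)
Apr 24 11:32:40 esx sshd[14977]: pam_krb5: authenticate error: Decrypt integrity check failed (-1765328353)
Apr 24 11:32:40 esx sshd[14977]: pam_krb5: authentication fails for `xxx'
EOF

# Failed AD logins per user, one "<count> <user>" line each.
krb5_failures_by_user() {
    sed -n 's/.*pam_krb5: authentication fails for .\(.*\).$/\1/p' "$1" \
        | sort | uniq -c | awk '{ print $1, $2 }'
}

# Distinct low-level Kerberos errors.  "Decrypt integrity check failed" is
# the normal wrong-password case; anything about ASN.1, KDC resolution or
# clock skew is a host/DNS/config problem, not a user problem.
krb5_error_reasons() {
    sed -n 's/.*pam_krb5: authenticate error: \(.*\) ([-0-9]*)$/\1/p' "$1" | sort -u
}

# Number of successful Kerberos logins, so "nothing works" can be separated
# from "some users fail".
krb5_success_count() {
    grep -c 'pam_krb5: authentication succeeds for' "$1"
}

echo "== failed logins per user =="
krb5_failures_by_user "$SAMPLE_LOG"
echo "== distinct Kerberos errors =="
krb5_error_reasons "$SAMPLE_LOG"
echo "== successful logins: $(krb5_success_count "$SAMPLE_LOG")"
```

Run it against the real file (`krb5_failures_by_user /var/log/messages`) on the service console; if every error reason is a resolution or encoding problem and the success count is zero, the fault is on the host, not in anybody's password.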
Hello,
Well, that is not how I integrate AD and Linux together. esxcfg-auth is just the first step, I find. You can actually set up a different way to integrate that does not require 'local' accounts, and I think that is what you really want. Yes? In that case you also need Samba and a few other configuration settings.
I have a recipe well documented for Fedora Core, SLES, and RHEL3/4/5, but not yet for ESX. I will play with it some and tweak it for ESX. If you want the recipe please email me privately at elh at astroarch dot com, as I would rather not post something that is not ESX specific here. It is on my short list to tweak anyway for a different project.
Best regards,
Edward
There was a good presentation from VMworld 2006, I believe. I'm having trouble locating it, but will post the link when I find it.
Thanks, there's another I found also from TSX...
ESX Console Security - http://www.vmware-tsx.com/download.php?asset_id=37
Hello,
Great presentation, that is exactly what I do when I integrate Linux (Service Console) and AD. Do note that the pam_access module is very important; otherwise everyone will have access to the ESX Service Console.
If you do not pre-create home directories and do not use pam_mkhomedir, then the user will be placed in "/" with no permissions to access anything except /tmp or anything else that is world-writable.
Unfortunately, esxcfg-auth just does not do all this.
Best regards,
Edward
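The two PAM pieces named in the post above, pam_access and pam_mkhomedir, are shown below as an added example that is not part of this thread or of VMware's esxcfg-auth output. It writes a weak access.conf next to a hardened one and audits them: pam_access permits a login when no rule matches, so an access.conf without a final `- : ALL : ALL` line lets every AD account onto the console. The file paths, the AD group name "esxadmins" and the RHEL-style system-auth layout are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the thread or from VMware: restrict which AD users
# may log in (pam_access) and give them a home directory (pam_mkhomedir), with
# an audit for the common mistake of omitting the final deny-all rule.
# Paths, the group name "esxadmins" and the file layout are assumptions.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Weak: looks restrictive, but pam_access grants access when no rule
# matches, so every AD user who is not root is still let in.
WEAK_ACCESS="$WORK/access.conf.weak"
cat >"$WEAK_ACCESS" <<'EOF'
# who may log in to the service console
+ : root : LOCAL
EOF

# Hardened: local root from the console only, members of one AD group
# (resolved through NSS, e.g. winbind) from anywhere, everyone else denied.
HARDENED_ACCESS="$WORK/access.conf"
cat >"$HARDENED_ACCESS" <<'EOF'
# who may log in to the service console
+ : root : LOCAL
+ : @esxadmins : ALL
- : ALL : ALL
EOF

# PAM stack fragment: pam_access in the account group enforces access.conf,
# pam_mkhomedir in the session group creates the home directory at first
# login (mode 0700 via umask=0077) instead of dropping the user in "/".
PAM_FILE="$WORK/system-auth"
cat >"$PAM_FILE" <<'EOF'
account     required      pam_access.so accessfile=/etc/security/access.conf
session     required      pam_mkhomedir.so skel=/etc/skel umask=0077
EOF

# Succeed when the last active (non-comment, non-blank) rule is "- : ALL : ALL".
access_conf_default_deny() {
    last=$(grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' \
           | tail -n 1 | tr -d '[:space:]')
    [ "$last" = "-:ALL:ALL" ]
}

# Succeed when PAM file $1 loads module $3 in management group $2
# (account, auth, password or session).
pam_stack_has() {
    grep -Eq "^[[:space:]]*$2[[:space:]].*$3" "$1"
}

# Combined pre-flight check: default-deny access list, pam_access wired into
# the account stack, pam_mkhomedir wired into the session stack.
console_pam_audit() {
    access_conf_default_deny "$1" &&
    pam_stack_has "$2" account pam_access.so &&
    pam_stack_has "$2" session pam_mkhomedir.so
}

if console_pam_audit "$HARDENED_ACCESS" "$PAM_FILE"; then
    echo "hardened access.conf: OK"
fi
if console_pam_audit "$WEAK_ACCESS" "$PAM_FILE"; then
    echo "weak access.conf: OK"
else
    echo "weak access.conf: FAIL (no final '- : ALL : ALL' rule)"
fi
```

On a real host point `console_pam_audit` at /etc/security/access.conf and the PAM stack that sshd and login actually include (`/etc/pam.d/system-auth` on a RHEL-style console), and re-run it after every esxcfg-auth invocation, since that tool rewrites PAM configuration without adding either module.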
I tried this but still have the same problem:
Apr 24 11:28:51 esx sshd[14899]: pam_krb5: authenticate error: ASN.1 encoding ended unexpectedly (1859794437)
Apr 24 11:28:51 esx sshd[14899]: pam_krb5: authentication fails for `xxx'
I have 25 servers that are getting the same error.