VMware Cloud Community
esiebert7625
Immortal

Service Console accounts/PAM authentication

I'm setting up PAM authentication on one of our servers; when I go to do the useradd in the Service Console I get the error message "invalid user name". Our AD user accounts are all numbers, i.e. 123456; my guess is Linux does not allow this. Is there any other way to map a user account from Linux to AD for PAM to work?


Accepted Solutions
sbeaver
Leadership

Eric,

If you are connecting to AD then do not specify a specific DC or server. Just specify the domain:

o esxcfg-auth --enablead --addomain=addomain.com --addc=addomain.com --krb5realm=addomain.com --krb5kdc=addomain.com --krb5adminserver=addomain.com

DNS will point the ESX server to the correct place.

Steve Beaver
VMware Communities User Moderator
VMware vExpert 2009 - 2020
VMware NSX vExpert - 2019 - 2020
====
Co-Author of "VMware ESX Essentials in the Virtual Data Center"
(ISBN:1420070274) from Auerbach
Come check out my blog: http://www.virtualizationpractice.com/blog/
Come follow me on twitter http://www.twitter.com/sbeaver

**The Cloud is a journey, not a project.**

Texiwill
Leadership

Hello,

You are correct, useradd does not like accounts that start with numbers, however it is possible to use them once they are in the system. What steps are you using to integrate AD and ESX together?

Did you use:

esxcfg-auth --enablead --addomain=DOMAIN --addc=CONTROLLER

If you just do the above then that is only part of the full answer.

Where do the users' home directories live? Are ACLs involved? Have you added the host as a Domain client, etc.? In general, for any remote authentication scheme, Linux accounts often have to exist; there are ways around that as well.

Best regards,

Edward

--
Edward L. Haletky
vExpert XIV: 2009-2023,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill
esiebert7625
Immortal

Thanks for the reply. I have PAM authentication configured and working on ESX; I created a test account without all numbers for this. The problem is I simply can't create a Linux user to match my AD user accounts since they are all numbers. I even tried creating a user with useradd and then editing the passwd file with the all-number username, with no success. I documented the procedure below as I did it...

• Login to the service console.

• If you're adding a user that does not exist in the Service Console you must first add it. Linux user accounts are stored in the /etc/passwd file; you can open this file with Nano to see all the accounts that are created. Alternately you can load the VI client, connect directly to the ESX server and click the Users & Groups tab to see user accounts.

• To add an account type "useradd <username>". The username must match the samaccountname of the AD user. Alternately you can add the user using the VI client by clicking "Add" in the Users view.

• Next you need to enable PAM authentication in ESX; you use the esxcfg-auth command for this like below:

o esxcfg-auth --enablead --addomain=addomain.com --addc=dcname.addomain.com --krb5realm=addomain.com --krb5kdc=dcname.addomain.com --krb5adminserver=dcname.addomain.com

o "--enablead" enables Active Directory authentication

o "--addomain" sets the Active Directory domain

o "--addc" sets the Active Directory domain controller; use this multiple times to add domain controllers for redundancy

o "--krb5realm" sets the Kerberos realm (AD domain)

o "--krb5kdc" sets the Kerberos Key Distribution Center (Domain Controller)

o "--krb5adminserver" sets the Kerberos Admin Server (Domain Controller)

• This takes effect immediately; log back in to the console and you should be able to use your AD password for that account. If you run into difficulty you can check the /var/log/messages file for errors. Also ensure that your ESX server can resolve the FQDN of the AD server you entered above.

• If you plan on logging in using the VI client directly to the ESX server you will first need to click on the Permissions tab in the VI Client and add a permission for the user.

• If you wish to disable this, type "esxcfg-auth --disablead". Esxcfg-auth writes the configuration information to various files including /etc/krb5.conf.

esiebert7625
Immortal

Is it possible to modify the Kerberos config on the service console to not use the samaccountname field in AD and instead use an alternate field?

Texiwill
Leadership

Hello,

Well, that is not how I integrate AD and Linux together. The esxcfg-auth is just the first step, I find. You can actually set up a different way to integrate that does not require 'local' accounts, and I think that is what you really want. Yes? In that case you also need samba and a few other configuration settings.

I have a recipe well documented for Fedora Core, SLES, and RHEL3/4/5, but not yet for ESX. I will play with it some and tweak it for ESX. If you want the recipe please email me privately at elh at astroarch dot com, as I'd rather not post something that is not ESX specific here. It is on my short list to tweak anyway for a different project.

Best regards,

Edward

--
Edward L. Haletky
vExpert XIV: 2009-2023,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill
doubleH
Expert

There was a good presentation from VMworld 2006, I believe. I'm having trouble locating it, but will post the link when I find it.

If you found this or any other post helpful please consider the use of the Helpful/Correct buttons to award points
esiebert7625
Immortal

Thanks, there's another I found also from TSX...

ESX Console Security - http://www.vmware-tsx.com/download.php?asset_id=37

Texiwill
Leadership

Hello,

Great presentation; that is exactly what I do when I integrate Linux (Service Console) and AD. Do note that the pam_access module is very important, otherwise everyone will have access to the ESX Service Console.

If you do not pre-create home directories and do not use pam_mkhomedir then the user will be placed in "/" with no permissions to access anything except /tmp or anything else that is world-writable.

Unfortunately, esxcfg-auth just does not do all this.

Best regards,

Edward

--
Edward L. Haletky
vExpert XIV: 2009-2023,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill
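
To make the pam_access point above concrete, here is an added example (my own code, not from this thread or from VMware) that models how pam_access walks /etc/security/access.conf: first matching rule wins, and with no deny rule every account the KDC authenticates gets a shell. The group table, the access.conf contents, the group name esxadmins, the user jdoe and the all-digit account 123456 are all constructed for the example; real pam_access has more syntax (ALL EXCEPT, netgroups) than this model covers.

```shell
#!/bin/sh
# Added example, not from the thread or from VMware: a simplified model of how
# pam_access evaluates /etc/security/access.conf, to show what "otherwise
# everyone will have access" means once AD authentication succeeds.
# Model assumptions (real pam_access has more syntax, e.g. ALL EXCEPT, netgroups):
#   - each rule is "permission:users:origins"; permission is + or -
#   - users: space-separated user names, group names or ALL
#   - origins: ALL, LOCAL (an origin with no dot, e.g. a tty) or a host name
#   - first matching rule wins; if no rule matches, access is allowed
# Group membership comes from the constructed table below, not from /etc/group.

GROUP_TABLE='esxadmins:123456 jdoe
wheel:root'

# in_group USER GROUP: prints "yes" when USER is listed under GROUP.
in_group() {
  printf '%s\n' "$GROUP_TABLE" | while IFS=: read -r g members; do
    if [ "$g" = "$2" ]; then
      case " $members " in *" $1 "*) echo yes ;; esac
    fi
  done
  return 0
}

# user_matches USER USERS_FIELD: prints "yes" on the first entry that matches
# the user directly, by group membership, or via ALL.
user_matches() {
  for entry in $2; do
    if [ "$entry" = ALL ] || [ "$entry" = "$1" ] ||
       [ "$(in_group "$1" "$entry")" = yes ]; then
      echo yes
      return 0
    fi
  done
  return 0
}

# origin_matches ORIGIN ORIGINS_FIELD: ORIGIN is the tty for console logins
# or the remote host for sshd.
origin_matches() {
  for entry in $2; do
    case "$entry" in
      ALL)   echo yes; return 0 ;;
      LOCAL) case "$1" in *.*) ;; *) echo yes; return 0 ;; esac ;;
      "$1")  echo yes; return 0 ;;
    esac
  done
  return 0
}

# access_check USER ORIGIN CONFIG: prints "allow" or "deny".
access_check() {
  result=$(printf '%s\n' "$3" | while IFS=: read -r perm users origins; do
    case "$perm" in ''|'#'*) continue ;; esac   # skip blank and comment lines
    if [ "$(user_matches "$1" "$users")" = yes ] &&
       [ "$(origin_matches "$2" "$origins")" = yes ]; then
      case "$perm" in +) echo allow ;; -) echo deny ;; esac
      break                                     # first match wins
    fi
  done)
  echo "${result:-allow}"
}

# Constructed access.conf in the spirit of the advice above: root only on the
# console, the esxadmins group from anywhere, everyone else denied.
HARDENED_CONF='# /etc/security/access.conf (constructed)
+:root:LOCAL
+:esxadmins:ALL
-:ALL:ALL'

# Without an "account required pam_access.so" line in the PAM stack (or with
# no deny rule) nothing is filtered; this empty rule set models that case.
OPEN_CONF=''

# Demo: an admin, a non-admin AD account and root, from the console.
for u in 123456 987654 root; do
  printf '%-7s tty1 hardened=%s open=%s\n' "$u" \
    "$(access_check "$u" tty1 "$HARDENED_CONF")" \
    "$(access_check "$u" tty1 "$OPEN_CONF")"
done
```

Note that the all-digit account 123456 is fine as far as access.conf is concerned; the restriction is only useradd's. The rule set only does anything when the service's file under /etc/pam.d carries an account line for pam_access.so, which is the part the post above says esxcfg-auth leaves to you.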
wamatha
Contributor

I tried this, but still the same problem:

Apr 24 11:28:51 esx sshd[14899]: pam_krb5: authenticate error: ASN.1 encoding ended unexpectedly (1859794437)

Apr 24 11:28:51 esx sshd[14899]: pam_krb5: authentication fails for `xxx'

I have 25 servers that are getting the same error.
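
The original poster suggests checking /var/log/messages, and the two lines above are what that looks like on a host where the Kerberos side is broken. Here is an added example (my own code, not from the thread) that triages pam_krb5 entries in syslog output across many hosts, counting plain authentication failures per host and user separately from ASN.1 decode errors. The first two sample lines are the ones posted above; the remaining lines, the host esx02 and the account 123456 are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: triage pam_krb5 failures in syslog output.
# Lines 1-2 below are from the post above; the rest are constructed to show a
# second attempt, a second host, and an unrelated sshd line that must be ignored.
LOG_SAMPLE=$(cat <<'EOF'
Apr 24 11:28:51 esx sshd[14899]: pam_krb5: authenticate error: ASN.1 encoding ended unexpectedly (1859794437)
Apr 24 11:28:51 esx sshd[14899]: pam_krb5: authentication fails for `xxx'
Apr 24 11:30:02 esx sshd[14921]: pam_krb5: authenticate error: ASN.1 encoding ended unexpectedly (1859794437)
Apr 24 11:30:02 esx sshd[14921]: pam_krb5: authentication fails for `xxx'
Apr 24 11:31:10 esx02 sshd[2210]: pam_krb5: authentication fails for `123456'
Apr 24 11:31:15 esx02 sshd[2210]: Accepted password for 123456 from 10.0.0.5 port 40122 ssh2
EOF
)

# krb5_auth_failures: reads syslog lines on stdin, prints "host user count".
# The user is the last field, wrapped as `user' by pam_krb5; the gsub strips
# everything that cannot be part of a user name, including those quotes.
krb5_auth_failures() {
  awk '/pam_krb5: authentication fails for/ {
         u = $NF; gsub(/[^A-Za-z0-9._-]/, "", u); c[$4 " " u]++
       }
       END { for (k in c) print k, c[k] }' | LC_ALL=C sort
}

# krb5_decode_errors: reads syslog lines on stdin, prints "host count" for
# ASN.1 decode errors. These mean the Kerberos exchange itself could not be
# decoded, which is not the KDC rejecting a password, so they point at the
# krb5 setup on the host (realm, KDC, DNS) rather than at the user; counting
# them apart from plain failures shows which hosts have that class of problem.
krb5_decode_errors() {
  awk '/pam_krb5: authenticate error: ASN\.1/ { c[$4]++ }
       END { for (k in c) print k, c[k] }' | LC_ALL=C sort
}

# Usage against a real host: krb5_auth_failures < /var/log/messages
printf '%s\n' "$LOG_SAMPLE" | krb5_auth_failures
printf '%s\n' "$LOG_SAMPLE" | krb5_decode_errors
```

Run over the messages files from all 25 hosts concatenated (the host name is field 4 of each syslog line), the two functions separate hosts whose Kerberos configuration fails before any password check from hosts where only particular accounts fail.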