Having successfully mapped out the steps for Linux/Unix-based hosts to authenticate against Active Directory on Windows Server 2003 R2 (get the complete details), I now turned my sights toward integrating authentication on ESX Server 2.5.3 with Active Directory as well.
Using instructions found in this technical white paper from VMware’s web site, I started out by modifying the /etc/krb5.conf file, which controls the operation of the Kerberos libraries in the Console Operating System (COS). The contents of the /etc/krb5.conf file should look something like this:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
ticket_lifetime = 24000
default_realm = EXAMPLE.NET
dns_lookup_realm = false
dns_lookup_kdc = false
[realms]
EXAMPLE.NET = {
kdc = addc01.example.net:88
admin_server = addc01.example.net:749
default_domain = example.net
}
[domain_realm]
.example.net = EXAMPLE.NET
example.net = EXAMPLE.NET
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
[pam]
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
As you may already be aware, you can change the “dns_lookup_realm†and “dns_lookup_kdc†directives to true and omit the “[realms]†section, assuming that your Active Directory DNS infrastructure has the properly registered SRV records for the domain controllers.
The VMware white paper then instructed to modify the /var/kerberos/krb5kdc/kdc.conf file, but I had never performed any edits to that file in my earlier experiments, so I decided to forgo that step. It is my understanding that this file controls the behavior of a Key Distribution Center (KDC), which the COS is not (in this instance, the KDC is the Active Directory domain controller).
Next, I edited the vmware-authd file in /etc/pam.d, which connects the vmware-authd daemon to the PAM modules for authentication. After the edits, the /etc/pam.d/vmware-authd file looked like this:
#%PAM-1.0 auth sufficient /lib/security/pam_unix_auth.so shadow nullok auth required /lib/security/pam_krb5.so use_first_pass account required /lib/security/pam_unix_acct.so
Finally, still following the instructions, I created a user account on the ESX Server (using the useradd command there in the COS) that matched the username of an account in Active Directory. At this point, I was ready to test connectivity.
(Those of you that have read the other articles on Kerberos/LDAP integration of Linux into Active Directory will note that I did not create a computer object, use ktpass.exe to create a keytab, nor did I configure ldap.conf with the attribute mapping. I can’t explain why I don’t need a computer object or a keytab yet—rest assured I will get the bottom of that—but the LDAP pieces aren’t necessary because we are relying on the presence of the accounts locally and only using Kerberos for authentication. This has some advantages and some disadvantages, which I’ll discuss in more detail later.)
The first test (performing by trying to log into the VMware ESX Server MUI using the account created above) failed; /var/log/messages indicated a problem with host resolution. That problem was easily resolved with a quick edit of /etc/resolv.conf.
The next test also failed; again, /var/log/messages held the answer: too great of a time skew between the ESX Server and the Active Directory domain controller. The date command fixed that right up, and we were ready to test again.
The third time was the charm. Using an account that existed locally (but for which no password had been set) as well as in Active Directory, I was able to log in to the MUI using the Active Directory password. A quick test with another Active Directory account that did not have a matching local account failed (as expected), indicating that it was working as expected.
I learned a couple of useful tidbits from this experiment. First, it seems viable that organizations may wish to use Kerberos for authentication to their Linux-based hosts but not use LDAP for account information, instead requiring that local accounts exist on each system (like in this situation). This bears the advantage that the organization has more granular control over which specific Linux/Unix hosts may be used (i.e., no logins will succeed if a local account does not exist); that granularity does not exist if using LDAP for account information. However, the corresponding disadvantage of this approach is that local accounts must be managed on each separate host.
Second, I learned that a computer object (and the whole ktpass.exe command to generate the keytab) may not be necessary; I’m going to go back and perform some additional testing to see if that is the case. More information will be posted here as soon as it is available.
Tags: ActiveDirectory, ESX, Kerberos, VMware, Windows
7 comments
Thursday, November 2, 2006 at 9:37 am
Dave Froberg
Scott,
Thank you for this post. I’ve tried the above customizations in our environment consistantly get failure messages like:
vmware-authd[14203]: pam_krb5: authenticate error: KRB5 error code 52 (-1765328332)
vmware-authd[14203]: pam_krb5: authentication fails for `userid’
Have you seen something like that or might have an idea of what’s causing it?
Thanks you,
Dave
Thursday, November 2, 2006 at 1:56 pm
slowe
Dave,
Try a “kinit username” and see what response you get. It sounds like your krb5.conf may be misconfigured, or you don’t have time synchronization working (Kerberos requires everything be within 5 minutes of each other).
Scott
Monday, November 6, 2006 at 10:14 am
Dave Froberg
Scott,
Thank you for the reply. I tried kinit but I get: bash: kinit: command not found
I dont think its a time sync issue because we issue ‘ntpdate’ to our AD server for time and then ‘hwclock –systohc’ to set the clock.
Dave
Tuesday, November 7, 2006 at 7:13 am
slowe
Dave,
I think you have to install some of the Kerberos pieces because they aren’t installed by default. Try installing the Kerberos client libraries. I can’t recall the name of the RPM that has to be installed right at the moment–let me do a bit of digging and I’ll post a follow-up comment when I find some more information.
Scott
Thursday, January 4, 2007 at 1:52 pm
Magnus
We had similar problems on our VMware servers when trying to authenticate against Active Directory. The reasons for it what I understood was that the ticket from AD was too large and the client were only talking with UDP packets which of course has a limitation. I also read on another site that ESX Server 2.1 has a limit of 15 domain global groups per user and that there was no fix out. You could disable PAC for the users, but the affects of this I don’t know. Or add a special account in AD which doesn’t have any group memberships.
Another solution would to get a newer version of kerberos client that supports TCP packets. We have it working on other Linux/UNIX servers, but haven’t tried installing newer versions on VMware.
Thursday, February 8, 2007 at 10:05 am
Fred
Scott,
Keberos in ESX 3.0 worked like a charm. But in our organisation, we need to use LDAP. Hove you tried that? I tried using esxcfg-auth, but it misses a lot of information like binddn, password, searchscope,etc.
i´m a little lost on that and can´t found any information about LDAP configuration…
Thursday, February 8, 2007 at 7:47 pm
slowe
Fred,
Since the ESX service console is based on Red Hat Enterprise Linux, you can use most Linux guides to LDAP authentication. You may need to install a few additional libraries on the service console, but otherwise it should be fairly straightforward.
Scott