Comments on: ESX Server Integration with Active Directory http://blog.scottlowe.org/2006/05/01/esx-server-integration-with-active-directory/ The weblog of an IT pro specializing in virtualization, storage, and servers Wed, 08 Feb 2012 17:13:47 +0000 hourly 1 http://wordpress.org/?v= By: slowe http://blog.scottlowe.org/2006/05/01/esx-server-integration-with-active-directory/comment-page-1/#comment-24264 slowe Fri, 09 Feb 2007 00:47:47 +0000 http://blog.scottlowe.org/?p=238#comment-24264 Fred, Since the ESX service console is based on Red Hat Enterprise Linux, you can use most Linux guides to LDAP authentication. You may need to install a few additional libraries on the service console, but otherwise it should be fairly straightforward. Scott Fred,

Since the ESX service console is based on Red Hat Enterprise Linux, you can use most Linux guides to LDAP authentication. You may need to install a few additional libraries on the service console, but otherwise it should be fairly straightforward.

Scott

]]> By: Fred http://blog.scottlowe.org/2006/05/01/esx-server-integration-with-active-directory/comment-page-1/#comment-24130 Fred Thu, 08 Feb 2007 15:05:12 +0000 http://blog.scottlowe.org/?p=238#comment-24130 Scott, Keberos in ESX 3.0 worked like a charm. But in our organisation, we need to use LDAP. Hove you tried that? I tried using esxcfg-auth, but it misses a lot of information like binddn, password, searchscope,etc. i´m a little lost on that and can´t found any information about LDAP configuration... :-( Scott,
Keberos in ESX 3.0 worked like a charm. But in our organisation, we need to use LDAP. Hove you tried that? I tried using esxcfg-auth, but it misses a lot of information like binddn, password, searchscope,etc.
i´m a little lost on that and can´t found any information about LDAP configuration… :-(

]]> By: Magnus http://blog.scottlowe.org/2006/05/01/esx-server-integration-with-active-directory/comment-page-1/#comment-16709 Magnus Thu, 04 Jan 2007 18:52:14 +0000 http://blog.scottlowe.org/?p=238#comment-16709 We had similar problems on our VMware servers when trying to authenticate against Active Directory. The reasons for it what I understood was that the ticket from AD was too large and the client were only talking with UDP packets which of course has a limitation. I also read on another site that ESX Server 2.1 has a limit of 15 domain global groups per user and that there was no fix out. You could disable PAC for the users, but the affects of this I don't know. Or add a special account in AD which doesn't have any group memberships. Another solution would to get a newer version of kerberos client that supports TCP packets. We have it working on other Linux/UNIX servers, but haven't tried installing newer versions on VMware. We had similar problems on our VMware servers when trying to authenticate against Active Directory. The reasons for it what I understood was that the ticket from AD was too large and the client were only talking with UDP packets which of course has a limitation. I also read on another site that ESX Server 2.1 has a limit of 15 domain global groups per user and that there was no fix out. You could disable PAC for the users, but the affects of this I don’t know. Or add a special account in AD which doesn’t have any group memberships.
Another solution would to get a newer version of kerberos client that supports TCP packets. We have it working on other Linux/UNIX servers, but haven’t tried installing newer versions on VMware.

]]> By: slowe http://blog.scottlowe.org/2006/05/01/esx-server-integration-with-active-directory/comment-page-1/#comment-3327 slowe Tue, 07 Nov 2006 11:13:08 +0000 http://blog.scottlowe.org/?p=238#comment-3327 Dave, I think you have to install some of the Kerberos pieces because they aren't installed by default. Try installing the Kerberos client libraries. I can't recall the name of the RPM that has to be installed right at the moment--let me do a bit of digging and I'll post a follow-up comment when I find some more information. Scott Dave,

I think you have to install some of the Kerberos pieces because they aren’t installed by default. Try installing the Kerberos client libraries. I can’t recall the name of the RPM that has to be installed right at the moment–let me do a bit of digging and I’ll post a follow-up comment when I find some more information.

Scott

]]> By: Dave Froberg http://blog.scottlowe.org/2006/05/01/esx-server-integration-with-active-directory/comment-page-1/#comment-3261 Dave Froberg Mon, 06 Nov 2006 14:14:53 +0000 http://blog.scottlowe.org/?p=238#comment-3261 Scott, Thank you for the reply. I tried kinit but I get: bash: kinit: command not found I dont think its a time sync issue because we issue 'ntpdate' to our AD server for time and then 'hwclock --systohc' to set the clock. Dave Scott,

Thank you for the reply. I tried kinit but I get: bash: kinit: command not found

I dont think its a time sync issue because we issue ‘ntpdate’ to our AD server for time and then ‘hwclock –systohc’ to set the clock.

Dave

]]> By: slowe http://blog.scottlowe.org/2006/05/01/esx-server-integration-with-active-directory/comment-page-1/#comment-3045 slowe Thu, 02 Nov 2006 17:56:19 +0000 http://blog.scottlowe.org/?p=238#comment-3045 Dave, Try a "kinit username" and see what response you get. It sounds like your krb5.conf may be misconfigured, or you don't have time synchronization working (Kerberos requires everything be within 5 minutes of each other). Scott Dave,

Try a “kinit username” and see what response you get. It sounds like your krb5.conf may be misconfigured, or you don’t have time synchronization working (Kerberos requires everything be within 5 minutes of each other).

Scott

]]> By: Dave Froberg http://blog.scottlowe.org/2006/05/01/esx-server-integration-with-active-directory/comment-page-1/#comment-3037 Dave Froberg Thu, 02 Nov 2006 13:37:36 +0000 http://blog.scottlowe.org/?p=238#comment-3037 Scott, Thank you for this post. I've tried the above customizations in our environment consistantly get failure messages like: vmware-authd[14203]: pam_krb5: authenticate error: KRB5 error code 52 (-1765328332) vmware-authd[14203]: pam_krb5: authentication fails for `userid' Have you seen something like that or might have an idea of what's causing it? Thanks you, Dave Scott,

Thank you for this post. I’ve tried the above customizations in our environment consistantly get failure messages like:
vmware-authd[14203]: pam_krb5: authenticate error: KRB5 error code 52 (-1765328332)
vmware-authd[14203]: pam_krb5: authentication fails for `userid’

Have you seen something like that or might have an idea of what’s causing it?

Thanks you,

Dave

]]>