Although much of the administration of servers running VMware ESX Server 3.0 will occur in the Windows-based Virtual Infrastructure client connected to a VirtualCenter server, there are times when it is quicker or easier to perform an administrative task directly on the ESX Server itself—either via the command-line interface (CLI) or via the VI client authenticating directly against the ESX Server. The problem with this is that, by default, administrators will have to use different credentials when connecting the VI client to ESX Server directly. In addition, these credentials must be managed separately from Active Directory, and separately on each individual ESX Server. As the number of ESX Servers in a farm grows, this can quickly become an administrative nightmare.
Fortunately, we can fairly easily integrate ESX authentication into Active Directory, so that the same account used in VirtualCenter is also used when logging in to the ESX Server directly. While VMware took the step of automating a portion of this process for us in the esxcfg-auth command, it only takes us part of the way.
Let’s take a look at what part esxcfg-auth does accomplish for us, then look at how to accomplish the rest of the task.
Using esxcfg-auth
The esxcfg-auth command will help automate a good portion of the work required to integrate ESX Server into Active Directory; specifically, it will automate the Kerberos configuration. To use esxcfg-auth to enable AD authentication, use the following command (lines are wrapped for readability; the backslash indicates line continuation):
esxcfg-auth --enablead --addomain=example.com \\
--addc=dc1.example.com
Obviously, you’ll want to substitute the appropriate values for “example.com” and “dc1.example.com” on the command above. So what does this command do, exactly? Here’s the breakdown:
- Modifies the /etc/krb5.conf file to use example.com as the default Kerberos realm, and to use dc1.example.com as a KDC for that realm. In this same file, the domain “example.com” is mapped to the realm “EXAMPLE.COM” (keep in mind Kerberos realms are always specified in UPPERCASE).
- The /etc/pam.d/system-auth file is modified to use pam_krb5.so for Kerberos authentication.
What does this command not do? Well, for one it doesn’t configure the ESX Server for anything other than pure authentication. This means that although users will be forced to authenticate against Active Directory, ESX Server still expects to find the accounts defined in the local /etc/passwd file. This means that password management is centralized, but account management is still decentralized. (Some might see this as a security advantage, in that we must manually define an account in order to allow that account to log in to that server.)
To fully centralize account management, we’ll need to step outside of the esxcfg-auth framework and get our hands dirty. Ready?
Finishing esxcfg-auth’s Work
To fully round out the authentication/account management configuration, Active Directory will have to be made aware of some UNIX-specific attributes. This means extending the schema. If you are running Windows 2000 or Windows Server 2003 pre-R2, this means installing Services for UNIX (SfU) 3.5; for Windows Server 2003 R2 or later, this means installing Identity Management for UNIX.
I’ll refer you to this article for Windows 2003 and Windows Server 2003 pre-R2 and this article for Windows Server 2003 R2 or later for more information. (Because the ESX Server service console is based on Red Hat Enterprise Linux, these Linux-AD integration guides are very applicable here.)
Once Active Directory has been configured, the only tasks left for us to do are 1) to configure the nss_ldap libraries; 2) to configure /etc/nsswitch.conf to enable LDAP for naming services; and 3) verify time synchronization.
To configure the nss_ldap libraries, you’ll need to modify the /etc/ldap.conf file as described in Step 5 of the “Prepare Each Linux Server” section of this article (assuming you are using Windows Server 2003 R2). This sets up the connection to Active Directory via LDAP and configures the attribute maps accordingly.
Please note that you’ll need to create an account in Active Directory (a Domain Guest is fine) that the nss_ldap libraries may use for LDAP queries. You’ll specify that account information when configuring /etc/ldap.conf.
Next, you’ll need to configure /etc/nsswitch.conf. You only need to modify the passwd, group, and shadow lines, and you only need to add “ldap” at the end of the lines. The lines will end up looking something like this:
group: files ldap
passwd: files ldap
shadow: files ldap
At this point, you should be able to test the nss_ldap configuration. Run “getent passwd <AD user account>” and you should get back information about that account’s home directory, login shell, UID, and name. If you don’t get back any information, go back and double-check your configuration.
To verify time synchronization, have a look at the NTP configuration found in /etc/ntp.conf. Make the changes you need here to be sure that both Active Directory (the forest root PDC emulator, specifically) and ESX Server are both synchronizing time and will stay in sync. Otherwise, the Kerberos authentication process will fail. Keep in mind that you may need to adjust the Service Console firewall using esxcfg-firewall in order to allow the appropriate traffic outbound. (Thanks to KentA for reminding me about this step!)
Once “getent passwd” is working as expected and time is in sync, then you should be able to SSH into the ESX Server with any appropriately configured AD account (i.e., any AD account that has the “UNIX Attributes” tab completed with valid information). This gives you a similar level of control over who is allowed to login and who isn’t; accounts that don’t have any UNIX attributes won’t be able to authenticate and gain access to the ESX Servers.
In addition, you should be able to configure some level of access control as described here.
Summary
To summarize, the process for integrating ESX Server into Active Directory looks like this:
- Use esxcfg-auth to set up the Kerberos authentication.
- Extend the AD schema (if necessary) to include UNIX attributes such as login shell, UNIX home directory, UID, UID number, etc. This is accomplished in different ways depending upon the version of Windows in use.
- Populate the UNIX attributes for those user accounts that should be allowed to access the ESX Server(s).
- Configure /etc/ldap.conf on the ESX Server to configure LDAP connectivity back to Active Directory for name service lookups.
- Configure /etc/nsswitch.conf to use LDAP for name service lookups.
- Verify (and configure, if needed) time synchronization via NTP on the ESX Server.
- Test the configuration using “getent passwd” or “getent group” or both.
This configuration will centralize not only authentication for the ESX Servers but will also centralize account management in Active Directory as well.
Please feel free to add any corrections or suggestions for improvement in the comments below. Thanks!
Tags: ActiveDirectory, ESX, Interoperability, Kerberos, LDAP, SSH, Virtualization, VMware
-
Hi, Scott. We’ve actually used esxcfg-auth like this:
esxcfg-auth –enablead –addomain=example.com –addc=example.com
which appears to use a DNS lookup for the required Active Directory SRV Records to find a domain controller.
what this buys you, too, is failover. If the first DC isn’t avialable, it authenticates against the next. Don’t ask me why/how it works….i read it in a VMWare forums post a while ago and it just does!
-
It works because every AD domain’s DNS zone has A records for the zone name itself (i.e., the AD domain name) for each DC. Therefore, when you specify the domain name as a DC name on the esxcfg-auth command line, ESX server will do a lookup for the domain name and will get back a list of A records that correspond to the DCs.
I don’t know if esxcfg-auth will let you use multiple “–addc=” parameters, but I do know that /etc/krb5.conf (the file that is being modified by this command) will let you manually specify multiple domain controllers as Kerberos KDCs.
Thanks for the comment!
-
Just a reminder to ensure NTPD gets configured to synchronize with the same source as the AD PDC Emulator. Otherwise the Kerberos traffic might get denied.
-
Kent,
Yes–great tip! I need to revise the article to include that information.
-
I have done everything written here, but I cant get it working. The odd thing is that getent group will return the my Unix enabled groups but the getent passwd will only return the local users … Any ideas ?
-
TomA,
It sounds like one of two things: either your users have not been assigned UNIX attributes (UID, GID, home directory, login shell–all done from the UNIX Attributes tab of Active Directory Users and Computers) or your /etc/nsswitch.conf file is incorrect. Your LDAP configuration sounds correct, since “getent group” works, so double-check that you have UNIX-enabled some user accounts and verify the contents of your /etc/nsswitch.conf.
Good luck!
-
the /etc/nsswitch.conf has been filled in correctly as well have I enabled a few accounts in AD by giving them a UID/GID/Home folder/Shell… Just to confirm it is not neccesary for the esx server to have comp. account into the AD. ?
-
TomA,
Check the logs on the ESX server, and (if you want) send me copies of your krb5.conf, ldap.conf, nsswitch.conf, and system-auth via e-mail to scott dot lowe at scottlowe dot org.
-
Ive noticed that unless the user account has a windows homedir specified (even if it has a UNIX homedir), getent passwd will fail for the user account. very odd
-
Mark,
I’ll have to look into that and see if I can reproduce that behavior. Thanks for the tip!
-
Thanks for the documentation! I’m also trying to restrict access based on AD group membership. I’ve added the pam_ldap.so line at the top of system-auth and updated the ldap.conf with the pam_groupdn and pam_member lines. When I log in as a user that’s not in my group, it displays the you must be a member of this group to log in but still allows the user to log in. Do you have any suggestions?
-
Scott G,
Check to see if you have a pam_deny.so in the listing somewhere that will deny the listing if nothing else satisfies it. If not, that might be why the login is allowed.
You’re welcome to e-mail me your system-auth if you’d like, although don’t be dismayed if I don’t get back to you right away (I get a fair volume mail, and sometimes it takes a bit to respond).
Thanks!
-
I’ve received verification from VMware tech support that the UsePAM option is unsupported in their implementation of sshd on ESX 3.x. Restricting authentication based on AD group membership does not appear to be feasible.
-
Has this improved with ESX 3.5?
-
Hi scott,
I got kerberos auth to work by matching local and AD accountname, and getent to work following the steps.
but it failed when putting all together.
Please help!log showed: “sshd[pam_unix]:check pass; user unknown”, “sshd[pam_unix]:authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=xxx.yy.com”, “sshd:pam_krb5: unable to determine uid/gid for user”, “sshd:pam_krb5:authentication fails for hok”
-
Hok,
Judging from those log entries, it looks as if UID/GID resolution is not working. This generally indicates a problem with the LDAP configuration, which would typically show itself as a problem using “getent passwd” on an Active Directory username. Make sure that you can properly get UID/GID information for Active Directory accounts using either “id” or “getent passwd”.
HTH!
-
Hi Scot,
Both “id” and “getent passwd” are showing correct uid and gid from AD.
but it just keep repeating the same error when ssh. -
Hok,
You did modify /etc/nsswitch.conf to use LDAP for UID/GID lookup, right? And you didn’t run esxcfg-auth again after configuring the stuff the first time?
-
that is correct. /etc/nsswitch.conf was modified to include ldap for line item: group,passwd and shadow.
esxcfg-auth was not run after manual editing. -
Hok,
Send me your /etc/pam.d/system-auth, your /etc/ldap.conf, your /etc/nsswitch.conf, and your /etc/krb5.conf via e-mail. I’ll have a look at them and see if I can figure out what might be misconfigured.
-
Hi Scott,
I’m really struggling to get this working at all.
I’ve been through all the documents many times but can’t get anything back from “getent passwd user”
I’ve checked my krb5.conf, ldap.conf, nsswitch.conf files several times but can’t see what I’m missing. is there anything else i can try?
thanks
-
Paul,
You do have UNIX-enabled users in AD, right? I gloss over the details of configuring AD in this article, referring you instead to other articles I’ve written that have the full details. Be sure that you have extended the AD schema (if needed) and that users have been given a UID, GID, home directory, and login shell.
Also, you may need to double-check the ESX firewall using esxcfg-firewall to ensure that LDAP traffic is allowed out the firewall.
Hope this helps!
-
Hi Scott,
Thanks for the reply – it was my firewall config! I was so focused on the more copmplicated issue of getting my .conf files right I missed the simpler option!
thanks a lot for your help!
Paul
-
if I type “getent passwd” I get a list of all accounts, including unix enabled AD accounts. It I type “getent passwd user” I get nothing.
-
Hi,
It is not really necessary to use Kerberos authentication to authenticate against a Windows Domain (Controller). Yes, it is a secure protocol, but when you logon to your service console, you will use ssh, which by itself is pretty secure. You also dont have to worry about your ESX server not syncing your time correctly when just using LDAP without Kerberos.
Nevertheless, we are using just the LDAP configuration to authenticate users against the domain controller on the service console. This is how we set it up:
On ESX:
=======================================================esxcfg-auth –enableldap –enableldapauth –ldapserver –ldapbasedn “ou=,dc=,dc=,dc=”
vi the /etc/ldap.conf and add specific attributes (these are from Services for Unix on Windows 2003, different attributes are used on Windows 2003 R2 Identidy for UNIX) :
nss_base_group ou=,dc=,dc=,dc=?sub
nss_base_passwd ou=,dc=,dc=,dc=?sub
nss_base_shadow ou=,dc=,dc=,dc=?sub
nss_map_attribute cn sAMAccountName
nss_map_attribute gecos name
nss_map_attribute uid sAMAccountName
nss_map_attribute gidNumber msSFU30GidNumber
nss_map_attribute uidNumber msSFU30UidNumber
nss_map_attribute homeDirectory msSFU30HomeDirectory
nss_map_attribute loginShell msSFU30LoginShell
nss_map_attribute userPassword msSFU30Password
nss_map_attribute uniqueMember member
nss_map_objectclass shadowAccount User
nss_map_objectclass posixGroup Group
nss_map_objectclass posixAccount User
pam_filter objectclass=User
pam_login_attribute sAMAccountName
pam_password adYou can also add a bind user if not using anonymous access to query your domain. Add this to the /etc/ldap.conf:
binddn CN=,ou=,dc=,dc=,dc=
bindpwAnd then add the ldap to the /etc/nsswitch.conf:
group: files ldap
passwd: files ldap
shadow: files ldapNo restarts are necessary.
We have had some strange issues when using a Domain Controller as a host for ldap, instead of the domain. When using DC’s virtual and they are located on that specific ESX server, the DC that is configured as HOST freezes when you stop the service mgmt-vmware and start it again (or restart). Even more you cannot even connect to your ESX server, unless you disconnect it from VC, which takes about 5-10 minutes). After that it comes up again…
Anybody knows why such behaviour can occur?
Ruub
-
Hi Scott,
Thanks for this web site and these great tips! About The AD Authentication Procedure…
Does this work for both SSH and VIC logins? Can you configure which users can SSH and which can use VIC?
Also,
Might it be possible to configure ESXI for AD authentication too? SSH and / or VIC would be needed too.
Thanks!
I b e n
-
Iben,
The AD integration only handles logins to the Service Console. Logins via the VI Client are handled by the Windows infrastructure underneath vCenter Server, which use either local Windows server accounts or Active Directory user accounts.
I am not aware of a way to do the same thing with ESXi, since there is no Service Console per se that needs to be handled. CLI access to ESXi is handled via the Remote CLI appliance or VIMA, so it might be possible to configure those but I have not tested it.
-
Hi Scott,
I have carefully followed your terrific instruction set but when I try GETENT on a AD domain account I get nothing back. I have validated that I believe I set things up. What tips to aid in troubleshooting this?
Steve
-
Hi Scott,
You mentioned in your book on page 571 that there might be a version of
Linux-based version of vCenter Server. I still can’t find much information on this. Do you have any inside information as to how this is progressing?Chakrit
-
Chakrit,
I do not have any updated information on a potential Linux-based version of vCenter Server. As soon as more information is available, I will be sure to let you know!
Scott
-
There is a tech preview thats been around for a while but thats it…
Site Sponsors
31 comments
Comments feed for this article
Trackback link: http://blog.scottlowe.org/2007/07/10/esx-server-ad-integration/trackback/