I have carefully followed your terrific instruction set but when I try GETENT on a AD domain account I get nothing back. I have validated that I believe I set things up. What tips to aid in troubleshooting this?

Steve

The AD integration only handles logins to the Service Console. Logins via the VI Client are handled by the Windows infrastructure underneath vCenter Server, which use either local Windows server accounts or Active Directory user accounts.

I am not aware of a way to do the same thing with ESXi, since there is no Service Console per se that needs to be handled. CLI access to ESXi is handled via the Remote CLI appliance or VIMA, so it might be possible to configure those but I have not tested it.

Thanks for this web site and these great tips! About The AD Authentication Procedure…

Does this work for both SSH and VIC logins? Can you configure which users can SSH and which can use VIC?

Also,

Might it be possible to configure ESXI for AD authentication too? SSH and / or VIC would be needed too.

Thanks!

I b e n

It is not really necessary to use Kerberos authentication to authenticate against a Windows Domain (Controller). Yes, it is a secure protocol, but when you logon to your service console, you will use ssh, which by itself is pretty secure. You also dont have to worry about your ESX server not syncing your time correctly when just using LDAP without Kerberos.

Nevertheless, we are using just the LDAP configuration to authenticate users against the domain controller on the service console. This is how we set it up:

On ESX:
=======================================================

esxcfg-auth –enableldap –enableldapauth –ldapserver –ldapbasedn “ou=,dc=,dc=,dc=”

vi the /etc/ldap.conf and add specific attributes (these are from Services for Unix on Windows 2003, different attributes are used on Windows 2003 R2 Identidy for UNIX) :

nss_base_group ou=,dc=,dc=,dc=?sub
nss_base_passwd ou=,dc=,dc=,dc=?sub
nss_base_shadow ou=,dc=,dc=,dc=?sub
nss_map_attribute cn sAMAccountName
nss_map_attribute gecos name
nss_map_attribute uid sAMAccountName
nss_map_attribute gidNumber msSFU30GidNumber
nss_map_attribute uidNumber msSFU30UidNumber
nss_map_attribute homeDirectory msSFU30HomeDirectory
nss_map_attribute loginShell msSFU30LoginShell
nss_map_attribute userPassword msSFU30Password
nss_map_attribute uniqueMember member
nss_map_objectclass shadowAccount User
nss_map_objectclass posixGroup Group
nss_map_objectclass posixAccount User
pam_filter objectclass=User
pam_login_attribute sAMAccountName
pam_password ad

You can also add a bind user if not using anonymous access to query your domain. Add this to the /etc/ldap.conf:

binddn CN=,ou=,dc=,dc=,dc=
bindpw

And then add the ldap to the /etc/nsswitch.conf:

group: files ldap
passwd: files ldap
shadow: files ldap

No restarts are necessary.

We have had some strange issues when using a Domain Controller as a host for ldap, instead of the domain. When using DC’s virtual and they are located on that specific ESX server, the DC that is configured as HOST freezes when you stop the service mgmt-vmware and start it again (or restart). Even more you cannot even connect to your ESX server, unless you disconnect it from VC, which takes about 5-10 minutes). After that it comes up again…

Anybody knows why such behaviour can occur?

Ruub

Thanks for the reply - it was my firewall config! I was so focused on the more copmplicated issue of getting my .conf files right I missed the simpler option!

thanks a lot for your help!

Paul

You do have UNIX-enabled users in AD, right? I gloss over the details of configuring AD in this article, referring you instead to other articles I’ve written that have the full details. Be sure that you have extended the AD schema (if needed) and that users have been given a UID, GID, home directory, and login shell.

Also, you may need to double-check the ESX firewall using esxcfg-firewall to ensure that LDAP traffic is allowed out the firewall.

Hope this helps!

I’m really struggling to get this working at all.

I’ve been through all the documents many times but can’t get anything back from “getent passwd user”

I’ve checked my krb5.conf, ldap.conf, nsswitch.conf files several times but can’t see what I’m missing. is there anything else i can try?

thanks

Send me your /etc/pam.d/system-auth, your /etc/ldap.conf, your /etc/nsswitch.conf, and your /etc/krb5.conf via e-mail. I’ll have a look at them and see if I can figure out what might be misconfigured.