VMware Cloud Community
Buck1967
Contributor

AD authentication integration and SSH access

I'm currently running about 200 4.0 ESX hosts in our infrastructure. I had a configuration in our build script that enabled AD authentication.

"esxcfg-auth --enablead --addomain=my.domain.net --addc=ADserver001.my.domain.net --addc=ADserver002.my.domain.net --addc=ADserver003.my.domain.net --addc=ADserver004.my.domain.net"

I'm trying to do the integrated AD authentication with the 4.1 and getting some odd results. As you can see in the script above, I specifically add in 4 DCs for authentication. I don't see an option for that in the 4.1 implementation, and the "enableAD" is no longer an option. After the join, I can sometimes authenticate via SSH and sometimes the request times out. Even when I authenticate, it seems to take a while to do so. I tried to place the ESX Console network in Sites and Services within the domain, but that hasn't corrected the issue either. I have about 40 DCs in the domain across the world, so I need to be able to control which DCs are used to authenticate against. Access via the VI client through vCenter seems to be fine.

Anyone have any insight here? I have opened up a case with VMware, but I've been playing phone tag.

0 Kudos
3 Replies
lamw
Community Manager

I believe the local esxcfg-auth has been deprecated for Active Directory configuration. With the release of vSphere 4.1, a new mechanism is used to configure AD for your host, utilizing the open source Likewise Open product, which is built natively into ESX and ESXi.

You have several ways of configuring AD authentication on your host:

Buck1967
Contributor

Good information, but the root of the issue is "ssh access after the join". 

Sometimes it works, sometimes it just times out, or gives access denied.

It would be easier to troubleshoot if it was more consistent!!!

0 Kudos
lamw
Community Manager

Have you taken a look at /var/log/secure and what's being logged when you're getting access denied? Is this for the root user account or users in AD? Can you also take a look to see what /etc/security/access.conf states? I've had a recent issue when using other directory services in which it denies access to all users outside of the default. This was a change with 4.1, about which I'm still waiting to hear back from VMware.

0 Kudos
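
The access.conf check suggested in the last reply, as an added example that is not part of the original thread: a simplified first-match evaluator for pam_access-style rules, run against a constructed sample file. The rule set, the group name esxadmins, the user jsmith and the origin address are assumptions; how Likewise presents AD user and group names to PAM on ESX 4.1 is not covered here.

```shell
#!/bin/sh
# Simplified first-match evaluation of pam_access rules (permission:users:origins).
# Handles ALL, literal user names, "(group)" tokens and literal origins only;
# EXCEPT clauses, netgroups and network masks are NOT evaluated.

# access_decision USER ORIGIN FILE [GROUPS]   (GROUPS: space-separated group names)
# Prints "allow line N", "deny line N", or "allow no-match" (pam_access default).
access_decision() {
    # Values go through the environment: awk -v would mangle a backslash
    # in a DOMAIN\user style name.
    PA_USER="$1" PA_ORIGIN="$2" PA_GROUPS="${4:-}" awk -F: '
        function in_list(list, want,    n, i, t) {
            n = split(list, t, /[ \t,]+/)
            for (i = 1; i <= n; i++)
                if (t[i] == "ALL" || t[i] == want) return 1
            return 0
        }
        function user_match(list,    n, i, g) {
            if (in_list(list, ENVIRON["PA_USER"])) return 1
            n = split(ENVIRON["PA_GROUPS"], g, " ")
            for (i = 1; i <= n; i++)
                if (in_list(list, "(" g[i] ")")) return 1
            return 0
        }
        /^[ \t]*#/ { next }    # comment
        /^[ \t]*$/ { next }    # blank line
        NF < 3     { next }    # malformed rule
        user_match($2) && in_list($3, ENVIRON["PA_ORIGIN"]) {
            perm = $1; gsub(/[ \t]/, "", perm)
            verdict = (perm == "+") ? "allow" : "deny"
            print verdict " line " NR
            found = 1; exit
        }
        END { if (!found) print "allow no-match" }
    ' "$3"
}

# Constructed sample rules (not copied from an ESX host); "esxadmins" is hypothetical.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
# constructed sample
+:root:ALL
+:(esxadmins):ALL
-:ALL:ALL
EOF

access_decision root   10.0.0.5 "$SAMPLE"              # local root
access_decision jsmith 10.0.0.5 "$SAMPLE" "esxadmins"  # directory user in an allowed group
access_decision jsmith 10.0.0.5 "$SAMPLE"              # directory user with no listed group
```

A trailing `-:ALL:ALL` rule denies every account that no earlier line names, so a directory user whose name or group does not resolve the way the rules spell it falls through to the deny.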