Integrating ESX 3.0 with Active Directory is a frequent request from the customers for whom we implement ESX. At the moment, I am doing an ESX implementation at one of our larger customers and of course, AD integration is part of the project. Naturally, they will use VirtualCenter 2.0 most of the time, but at times they will need to connect to individual ESX servers using VI Client, ssh or web access. In that case, they want to use their AD account and password instead of a separate local account.
VMware recently published a small whitepaper about Active Directory integration. With ESX 3.0, the process is very straightforward and only requires one command:
esxcfg-auth --enablead --addomain=domain.com --addc=domain.com
The VMware document uses the FQDN of a domain controller for the --addc parameter, but you can use the FQDN of the domain instead. The domain name resolves in DNS to the addresses of its domain controllers, so Kerberos can use any of them and you don't hardcode a single DC in /etc/krb5.conf. The command above modifies a few files, notably /etc/krb5.conf (realm and KDC settings) and the system-auth file in /etc/pam.d (pam_krb5.so is added to the auth, account and session stacks). The ESX firewall is also configured automatically to allow the Kerberos traffic (port 88) that AD authentication needs.
Before you can log on with an AD account, you need a console user on the ESX host with the same name as the AD account (its pre-Windows 2000 logon name, the part after the backslash). For example, for the AD account domain\esxadmin, add a console user called esxadmin with useradd esxadmin. You can also use VI Client to create the user. Do not give the user a local password: useradd leaves the /etc/shadow entry locked, so the AD password is the only credential that works for that account. You can now log on with the account and use the AD password. I tested this with ESX 3.0.1 servers against Windows 2000 and Windows 2003 domains and it worked as advertised.
A couple of other things to think of:
- If an account named root exists in AD, anyone who knows its AD password can log on to the ESX console as root (uid 0).
- If you don't want AD authentication for root, edit /etc/pam.d/system-auth: on the line that starts with auth and loads pam_krb5.so, append minimum_uid=1. pam_krb5 then ignores users with a uid below that value, so root (uid 0) authenticates against the local password only. A higher value also excludes the other local system accounts.
- If you want the AD user to have the same rights as root, you could set the user's UID to 0 (usermod -o -u 0 username; -o is needed because UID 0 is already taken by root). That makes it a second root account, indistinguishable from root in file ownership and in most logs. And if you have used minimum_uid, that won't work, because pam_krb5 now skips uid 0 for that user too.
- The better alternative is to keep the account unprivileged and use /etc/sudoers (edit it with visudo) to allow the user to run specific commands as root with sudo, which also logs each command together with the invoking user.
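The checks behind the last three points, as an added shell example (not from the original post, and not VMware's or Centrify's code): it works on copies of /etc/pam.d/system-auth and /etc/passwd so it runs anywhere, reports whether root can still authenticate through pam_krb5 and whether any account besides root carries UID 0, and applies the minimum_uid=1 change so that running it twice does not duplicate the option. The sample file contents are constructed to resemble an ESX 3.0 system-auth after esxcfg-auth --enablead; the module paths and the account names in them are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post or from VMware. Audits and
# hardens the PAM/passwd state discussed above on *copies* of the files.
# On a real ESX 3.0 host point the functions at /etc/pam.d/system-auth
# and /etc/passwd (after taking a backup).

# Constructed sample files, resembling what esxcfg-auth --enablead leaves
# behind (module paths and the extra UID 0 account are assumptions).
make_samples() {
    d=$(mktemp -d)
    cat > "$d/system-auth" <<'EOF'
#%PAM-1.0
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_krb5.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so
account     required      /lib/security/$ISA/pam_unix.so
account     [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_krb5.so
session     optional      /lib/security/$ISA/pam_krb5.so
EOF
    cat > "$d/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
esxadmin:x:0:500:ESX admin given uid 0:/home/esxadmin:/bin/bash
backupop:x:501:501::/home/backupop:/bin/bash
EOF
    echo "$d"
}

# Print the minimum_uid value from the "auth ... pam_krb5.so" line, or 0
# when the option is absent (root, uid 0, may then authenticate via AD).
pam_krb5_min_uid() {
    awk '$1 == "auth" && /pam_krb5\.so/ {
             for (i = 3; i <= NF; i++)
                 if ($i ~ /^minimum_uid=/) { sub(/^minimum_uid=/, "", $i); v = $i }
         }
         END { print (v == "" ? 0 : v) }' "$1"
}

# Append minimum_uid=1 to the pam_krb5 auth line unless it already carries
# a minimum_uid option, so a second run does not duplicate it.
harden_pam_root() {
    awk '$1 == "auth" && /pam_krb5\.so/ && !/minimum_uid=/ { $0 = $0 " minimum_uid=1" }
         { print }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# List every account other than root whose UID is 0: each one is a second
# root that shares root's privileges but not the minimum_uid protection.
extra_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Report both findings; returns 1 if anything needs attention.
report() {
    rc=0
    if [ "$(pam_krb5_min_uid "$1")" -lt 1 ]; then
        echo "root can authenticate through pam_krb5 (no minimum_uid)"; rc=1
    fi
    for u in $(extra_uid0 "$2"); do
        echo "extra UID 0 account: $u"; rc=1
    done
    return $rc
}

# Demo on the constructed samples.
d=$(make_samples)
report "$d/system-auth" "$d/passwd" || echo "-> fix: harden_pam_root, and drop UID 0 in favour of sudo"
harden_pam_root "$d/system-auth"
echo "minimum_uid after hardening: $(pam_krb5_min_uid "$d/system-auth")"
```

The UID 0 check matters on its own: an extra uid-0 account created per the previous point is exactly what minimum_uid=1 will later lock out of AD authentication, and its actions show up as root in the logs.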
If you want administrators to use their AD account to connect to ESX with the VI Client or web access, you need to grant that account a permission with VI Client first; the console user from the previous step is still required, because the host authenticates the account through the same PAM configuration. Start VI Client and connect to the ESX server as root. Use CTRL-P to add a permission at the server level. For example, to grant the user all rights, give the user the Administrator role (see below). That user will then be able to log on with his/her AD account and password in both VI Client and web access.

There are some issues with AD integration when done this way:
- When the AD account is flagged to change its password at next logon, you get a warning in the ESX console but can still log on. That should not happen.
- If you change your password with the passwd command, you change only the local password in /etc/shadow, not the AD password. The account then has a local credential that AD cannot expire or revoke, and a local password and an AD password that differ.
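The passwd problem above, turned into a check (added example, not from the original post): after esxcfg-auth, console users created with useradd have a locked entry ("!!") in /etc/shadow, so Kerberos is their only way in. Once someone runs passwd, that user also has a local hash that AD cannot expire or revoke, and because the generated system-auth passes nullok to pam_unix, an empty password field is a passwordless logon. The functions list such accounts from a copy of the shadow file and lock them the way usermod -L does; the sample entries and the hashes in them are constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Lists console accounts whose
# /etc/shadow entry gives them a local logon that bypasses Active Directory.
# Works on a copy of the file; on a real host pass /etc/shadow (as root).

# Constructed shadow file: the hashes are fake md5crypt-shaped strings.
make_shadow_sample() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
root:$1$saltsalt$0123456789abcdefghijkl:13500:0:99999:7:::
esxadmin:!!:13500:0:99999:7:::
backupop:$1$saltsalt$zyxwvutsrqponmlkjihgfe:13500:0:99999:7:::
tmpuser::13500:0:99999:7:::
nobody:*:13500:0:99999:7:::
EOF
    echo "$f"
}

# Print "user state" for each account that can log on with a local
# credential: "hash" when a usable password hash is set, "empty" when the
# field is blank (pam_unix with nullok accepts that without a password).
# Entries starting with "!" or "*" are locked and are skipped.
local_logins() {
    awk -F: '$2 == ""        { print $1, "empty"; next }
             $2 !~ /^[!*]/   { print $1, "hash" }' "$1"
}

# Lock one account's local password the way "usermod -L" does (prefix the
# hash with "!"), again on the copy; AD authentication is unaffected.
lock_local_login() {
    awk -F: -v OFS=: -v u="$2" '$1 == u && $2 !~ /^!/ { $2 = "!" $2 } { print }' \
        "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Demo on the sample: root keeps a local password on purpose (it is the
# break-glass account when AD is unreachable); everyone else goes through AD.
f=$(make_shadow_sample)
local_logins "$f"
lock_local_login "$f" backupop
lock_local_login "$f" tmpuser
echo "after locking:"; local_logins "$f"
```

Run it regularly (or after anyone with console access has been on the box): a new "hash" line for an AD user means passwd was used and the account now has a password outside AD's control.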
To get around some of these issues, you can use a product such as Centrify DirectControl for ESX. DirectControl has deeper integration with Active Directory and many more features:
- An AD computer account is created for your ESX servers.
- Active Directory Group Policies can be used to push down policies to ESX computer objects.
- When you create a new user in AD, you can directly create a user account on your ESX machines and set properties such as the home directory.
- Active Directory Group Policies can be applied to users that logon to ESX. For example, you can push down sudo configuration using a group policy.
- When a password expires or the change-at-next-logon flag is set, you are forced to change the password when you log on to the ESX console, and it is the AD password that changes, not a local one.
- Likewise, when a user runs passwd, the AD password is modified, not the local password.
- Using group policies, you can configure logon banners.
- You can install a modified, "kerberized" SSH daemon. With Centrify's modified PuTTY client, you can then log on over ssh with your existing Kerberos ticket, without retyping your AD password.
We are in the process of evaluating DirectControl and it is very easy to deploy and work with. Pricing is reasonable and the product supports ESX 3.0.x.