Sunday, September 20, 2009

VMware Login via AD

I put this together in order to integrate the login from VMWare into AD.

To setup the ESX server for AD authentication the following steps need to be taken. NTP needs to be done first so the server has a time close to that of the domain controller. The ntp ports need to be opened via the gui and the deamon needs to be started as well.

Allow the ntp client access through the firewall
In the GUI under the Configuration tab click on Security Profile then click on Properties… on the top right. A Firewall Options window will open.  Click the checkbox next to NTP Client.

Edit the ntp configuration file located at /etc/ntp.conf

Under servers add the same servers the domain uses for ntp (i.e. and
restrict default kod nomodify notrap
fudge line
server #local clock
restrict default kod nomodify notrap

Edit the steptickers file located at /etc/ntp/step-tickers
add the same servers the domain uses for ntp on separate lines

restart the ntp service:
service ntpd restart
check to make sure the time update worked (from command line)
ntpdate -q
ntpdate -q

Active Directory Authentication
Paste these lines into the CLI. The first two lines can be added via the GUI. VIC -> Configuration -> Security Profile -> Properties -> Add activeDirectorKerberos [sic] (NOT Kerberos).
esxcfg-firewall --openPort 88,tcp,out,KerberosClient
esxcfg-firewall --openPort 464,tcp,out,KerberosPasswordChange
esxcfg-auth --enablead --addomain agstar.local --addc mydc.mycdomain.blah
esxcfg-auth --enablekrb5 --krb5realm=agstar.local --krb5kdc=

Edit the VMWare Authentication deamon config located at /etc/pam.d/vmware-authd and add this line to the top:
auth sufficient /lib/security/ shadow nullok

Prevent users’ password from expiring since that is taken care of in AD.
esxcfg-auth --passmaxdays=-1

Add users using the username found in AD
adduser jdoe
adduser ymomma
adduser bdover


Now don't forgot to add the users to the wheel groups so they can ssh to the box. Also, add them to the sudoers file so they don't have to use su.

No comments:

Post a Comment