Sunday, September 20, 2009

VMware Login via AD

I put this together in order to integrate the login from VMWare into AD.

NTP
To setup the ESX server for AD authentication the following steps need to be taken. NTP needs to be done first so the server has a time close to that of the domain controller. The ntp ports need to be opened via the gui and the deamon needs to be started as well.

Allow the ntp client access through the firewall
In the GUI under the Configuration tab click on Security Profile then click on Properties… on the top right. A Firewall Options window will open.  Click the checkbox next to NTP Client.

Edit the ntp configuration file located at /etc/ntp.conf

Under servers add the same servers the domain uses for ntp (i.e. tock.usno.navy.mil and tick.usno.navy.mil)
Add:
restrict default kod nomodify notrap
delete:
fudge line
server  127.127.1.0 #local clock
e.g.:
restrict default kod nomodify notrap
server tock.usno.navy.mil
server tick.usno.navy.mil

Edit the steptickers file located at /etc/ntp/step-tickers
add the same servers the domain uses for ntp on separate lines
tock.usno.navy.mil
tick.usno.navy.mil

restart the ntp service:
service ntpd restart
 
check to make sure the time update worked (from command line)
ntpdate -q tock.usno.navy.mil
ntpdate -q tick.usno.navy.mil

Active Directory Authentication
Paste these lines into the CLI. The first two lines can be added via the GUI. VIC -> Configuration -> Security Profile -> Properties -> Add activeDirectorKerberos [sic] (NOT Kerberos).
esxcfg-firewall --openPort 88,tcp,out,KerberosClient
esxcfg-firewall --openPort 464,tcp,out,KerberosPasswordChange
esxcfg-auth --enablead --addomain agstar.local --addc mydc.mycdomain.blah
esxcfg-auth --enablekrb5 --krb5realm=agstar.local --krb5kdc=
mydc.mycdomain.blah-–krb5adminserver=mydc.mycdomain.blah

Edit the VMWare Authentication deamon config located at /etc/pam.d/vmware-authd and add this line to the top:
auth sufficient /lib/security/pam_unix_auth.so shadow nullok

Prevent users’ password from expiring since that is taken care of in AD.
esxcfg-auth --passmaxdays=-1

Add users using the username found in AD
adduser jdoe
adduser ymomma
adduser bdover


Done

Now don't forgot to add the users to the wheel groups so they can ssh to the box. Also, add them to the sudoers file so they don't have to use su.

No comments:

Post a Comment