Comments on: Active Directory authentication with VMware ESX http://www.boche.net/blog/index.php/2009/03/21/active-directory-authentication-with-vmware-esx/ Thu, 09 Feb 2012 01:05:19 +0000 hourly 1 http://wordpress.org/?v=3.3.1 By: AD and sudo integratation in kickstart | vReference http://www.boche.net/blog/index.php/2009/03/21/active-directory-authentication-with-vmware-esx/comment-page-1/#comment-1447 AD and sudo integratation in kickstart | vReference Fri, 15 Jan 2010 06:30:46 +0000 http://www.boche.net/blog/?p=1237#comment-1447 [...] [...] [...] [...]

]]> By: RDonald8976 http://www.boche.net/blog/index.php/2009/03/21/active-directory-authentication-with-vmware-esx/comment-page-1/#comment-1004 RDonald8976 Sat, 20 Jun 2009 20:06:25 +0000 http://www.boche.net/blog/?p=1237#comment-1004 Nice post, in the end after not getting the VMware instructions to work in our environment, we decided to go with an ISV solution from Centrify. They have a video chalktalk at http://www.centrify.com/resources/securing-vmware-esx-with-active-directory.asp that walks you through the limitations of the native AD integration that VMware provides. Product literature can be found at http://www.centrify.com/directcontrol/vmware_esx.asp Nice post, in the end after not getting the VMware instructions to work in our environment, we decided to go with an ISV solution from Centrify. They have a video chalktalk at http://www.centrify.com/resources/securing-vmware-esx-with-active-directory.asp that walks you through the limitations of the native AD integration that VMware provides. Product literature can be found at http://www.centrify.com/directcontrol/vmware_esx.asp

]]> By: PiroNet http://www.boche.net/blog/index.php/2009/03/21/active-directory-authentication-with-vmware-esx/comment-page-1/#comment-660 PiroNet Mon, 23 Mar 2009 10:00:39 +0000 http://www.boche.net/blog/?p=1237#comment-660 @Steve Beaver It doesn't work... ESX auth searched the first domain listed and either returns a user doesn't exist or password is not valid. To have multiple domains authentication, you have to be able, like in windows, to enter domain\username or username@domain. And this is not possible for the moment. Thus authentication against a single domain so far in ESX. Thx, @Steve Beaver
It doesn’t work…
ESX auth searched the first domain listed and either returns a user doesn’t exist or password is not valid.

To have multiple domains authentication, you have to be able, like in windows, to enter domain\username or username@domain. And this is not possible for the moment.

Thus authentication against a single domain so far in ESX.

Thx,

]]> By: anaconda http://www.boche.net/blog/index.php/2009/03/21/active-directory-authentication-with-vmware-esx/comment-page-1/#comment-659 anaconda Sun, 22 Mar 2009 13:52:25 +0000 http://www.boche.net/blog/?p=1237#comment-659 Similar post here: http://malaysiavm.com/blog/vmware-esx-35-authentication-login-using-active-directory/ Similar post here: http://malaysiavm.com/blog/vmware-esx-35-authentication-login-using-active-directory/

]]> By: Scott Lowe http://www.boche.net/blog/index.php/2009/03/21/active-directory-authentication-with-vmware-esx/comment-page-1/#comment-657 Scott Lowe Sun, 22 Mar 2009 02:33:27 +0000 http://www.boche.net/blog/?p=1237#comment-657 Good article, Jason! You can find more information and a technique for eliminating the need for local accounts on my web site: http://blog.scottlowe.org/2007/07/10/esx-server-ad-integration/ Even with "full" AD integration using both esxcfg-auth and LDAP, I will still echo Andrew's thoughts--you need to configure sudo to track what the admins are doing once they reach the Service Console. Good article, Jason! You can find more information and a technique for eliminating the need for local accounts on my web site:

http://blog.scottlowe.org/2007/07/10/esx-server-ad-integration/

Even with “full” AD integration using both esxcfg-auth and LDAP, I will still echo Andrew’s thoughts–you need to configure sudo to track what the admins are doing once they reach the Service Console.

]]> By: Andrew http://www.boche.net/blog/index.php/2009/03/21/active-directory-authentication-with-vmware-esx/comment-page-1/#comment-656 Andrew Sun, 22 Mar 2009 01:12:16 +0000 http://www.boche.net/blog/?p=1237#comment-656 @rbambley: There's no difference between having an "esxadmin" account that multiple users have access to and multiple users having access to root...there's no way to tell who is doing what on the box. The ideal setup is to have the administrators who are authorized to use the command line login with their own account, then use sudo to execute the CLI commands that are needed to administer the box. Sudo leaves messages in the log to show who executed what command, when, and from where (remote host and file system locations) to provide information should something destructive occur (purposely or accidentially). http://get-admin.com/blog/?p=16 @rbambley: There’s no difference between having an “esxadmin” account that multiple users have access to and multiple users having access to root…there’s no way to tell who is doing what on the box.

The ideal setup is to have the administrators who are authorized to use the command line login with their own account, then use sudo to execute the CLI commands that are needed to administer the box. Sudo leaves messages in the log to show who executed what command, when, and from where (remote host and file system locations) to provide information should something destructive occur (purposely or accidentially).

http://get-admin.com/blog/?p=16

]]> By: rbrambley http://www.boche.net/blog/index.php/2009/03/21/active-directory-authentication-with-vmware-esx/comment-page-1/#comment-655 rbrambley Sun, 22 Mar 2009 00:57:23 +0000 http://www.boche.net/blog/?p=1237#comment-655 Wasn't thinking about the audit trail - that makes sense. I create an esxadmin account during install and select few have that password so root is not used. Thanks. Wasn’t thinking about the audit trail – that makes sense. I create an esxadmin account during install and select few have that password so root is not used. Thanks.

]]> By: jason http://www.boche.net/blog/index.php/2009/03/21/active-directory-authentication-with-vmware-esx/comment-page-1/#comment-654 jason Sun, 22 Mar 2009 00:38:39 +0000 http://www.boche.net/blog/?p=1237#comment-654 @rbrambley: You don't have to have a distributed or delegated model to integrate AD authentication. There are a very select few who have the keys and those who have the keys sometimes need to log on to the ESX Service Console. There are plenty of *nix admins who will go to their grave saying "rarely ever log on using root!". That's what AD integration is for - anyone who would need to log onto the service console, even the most trusted of administrators. Logging on as root doesn't identify who actually used the root account. Logging on with AD integration leaves an audit trail. @rbrambley: You don’t have to have a distributed or delegated model to integrate AD authentication.

There are a very select few who have the keys and those who have the keys sometimes need to log on to the ESX Service Console. There are plenty of *nix admins who will go to their grave saying “rarely ever log on using root!”. That’s what AD integration is for – anyone who would need to log onto the service console, even the most trusted of administrators.

Logging on as root doesn’t identify who actually used the root account. Logging on with AD integration leaves an audit trail.

]]> By: rbrambley http://www.boche.net/blog/index.php/2009/03/21/active-directory-authentication-with-vmware-esx/comment-page-1/#comment-653 rbrambley Sun, 22 Mar 2009 00:07:18 +0000 http://www.boche.net/blog/?p=1237#comment-653 Jason, I guess I did not ask that question very clearly. So, in the distributed administrative model you assign local ESX server management responsibilities to the local or department engineers? I've mostly seen the "forest administrators" type approach where a select few have "the keys". Jason,

I guess I did not ask that question very clearly. So, in the distributed administrative model you assign local ESX server management responsibilities to the local or department engineers? I’ve mostly seen the “forest administrators” type approach where a select few have “the keys”.

]]> By: Steve Beaver http://www.boche.net/blog/index.php/2009/03/21/active-directory-authentication-with-vmware-esx/comment-page-1/#comment-652 Steve Beaver Sat, 21 Mar 2009 23:55:10 +0000 http://www.boche.net/blog/?p=1237#comment-652 Have you tried adding multiple domains? –adddomain=pironet.com –adddomain=us.pironet.com –adddomain=eur.pironet.com Have you tried adding multiple domains?
–adddomain=pironet.com –adddomain=us.pironet.com –adddomain=eur.pironet.com

]]> By: PiroNet http://www.boche.net/blog/index.php/2009/03/21/active-directory-authentication-with-vmware-esx/comment-page-1/#comment-651 PiroNet Sat, 21 Mar 2009 23:49:08 +0000 http://www.boche.net/blog/?p=1237#comment-651 Looks like actually ESX AD authentication doesn't support (yet) cross domain authentications, nor it supports domain\username or username@domain type of usernames. With --adddomain=pironet.com ESX searches within that domain only. Cheers, Looks like actually ESX AD authentication doesn’t support (yet) cross domain authentications, nor it supports domain\username or username@domain type of usernames.

With –adddomain=pironet.com ESX searches within that domain only.

Cheers,

]]> By: jason http://www.boche.net/blog/index.php/2009/03/21/active-directory-authentication-with-vmware-esx/comment-page-1/#comment-650 jason Sat, 21 Mar 2009 23:34:38 +0000 http://www.boche.net/blog/?p=1237#comment-650 It depends on where the user objects are in AD. If they are truely in an AD subdomain us.pironet.com, then us.pironet.com is the domain suffix to be used in the esxcfg-auth script. Keep in mind that AD subdomains are not the same as DNS namespace subdomains. It depends on where the user objects are in AD. If they are truely in an AD subdomain us.pironet.com, then us.pironet.com is the domain suffix to be used in the esxcfg-auth script. Keep in mind that AD subdomains are not the same as DNS namespace subdomains.

]]> By: PiroNet http://www.boche.net/blog/index.php/2009/03/21/active-directory-authentication-with-vmware-esx/comment-page-1/#comment-649 PiroNet Sat, 21 Mar 2009 23:13:55 +0000 http://www.boche.net/blog/?p=1237#comment-649 I run a forest called pironet.com with several subdomains let say us.pironet.com, eur.prionet.com, etc... My ESX hosts are splitted over all the sub domains. Now I want a single user sitting in us.pironet.com for instance to be able to logon to a ESX hosts in eur.pironet.com, how do I do that ? Thx, I run a forest called pironet.com with several subdomains let say us.pironet.com, eur.prionet.com, etc…
My ESX hosts are splitted over all the sub domains.
Now I want a single user sitting in us.pironet.com for instance to be able to logon to a ESX hosts in eur.pironet.com, how do I do that ?

Thx,

]]> By: jason http://www.boche.net/blog/index.php/2009/03/21/active-directory-authentication-with-vmware-esx/comment-page-1/#comment-648 jason Sat, 21 Mar 2009 20:52:05 +0000 http://www.boche.net/blog/?p=1237#comment-648 Thank you for shedding light on the additional configuration solutions. Value added. @rbrambley: In my experience, I have logged on at the Service Console of the ESX host for various reasons. Running ESXTOP, changing of the root password, viewing logs, etc. Thank you for shedding light on the additional configuration solutions. Value added.

@rbrambley: In my experience, I have logged on at the Service Console of the ESX host for various reasons. Running ESXTOP, changing of the root password, viewing logs, etc.

]]> By: Maish http://www.boche.net/blog/index.php/2009/03/21/active-directory-authentication-with-vmware-esx/comment-page-1/#comment-647 Maish Sat, 21 Mar 2009 19:24:56 +0000 http://www.boche.net/blog/?p=1237#comment-647 Thanks Jason, (and Steve) post works perfectly!! Thanks Jason, (and Steve) post works perfectly!!

]]>