If you look for VMware authentication login using Microsoft Active Directory, I’m sure you can easily found on any seach enginer but most of the documents slightly outdated which is based on VMware ESX 2.x.

The following article try to give better understanding about latest VMware ESX 3.5 authentication login using AD.

Use esxcfg-auth command – VMware ESX Server Network Management Utility

Login to VMware ESX host using SSH as root

Ping ad.malaysiavm.com to make sure you can reach AD server.

The esxcfg‐auth command includes options for configuring interoperability with several authentication providers. This note focuses on the options that are relevant to Active Directory:
esxcfg‐auth [ [ ‐‐enablead | ‐‐disablead ] [ ‐‐addomain= ] [‐‐addc= ]

Type man esxcfg-auth for more information.

–disableab
Reverts the changes required to authenticate the user against Active Directory.

–enablead
Sets up the Console OS to authenticate the user against an Active Directory server. addomain and addc are required with this option.

–addomain
Sets the domain against which the user is to be authenticated when authenticating against an Active Directory server.

–addc
Sets the domain controller against which the user’s password should be checked.

# esxcfg-auth –enablead –addomain=AD.MALAYSIAVM.COM –addc=dc01.ad.malaysiavm.com

This enables Active Directory based user authentication in the ad.malaysiavm.com domain
with the domain controller dc01.ad.malaysiavm.com.

Basically the system will generate /etc/krb5.conf file as example below:

[domain_realm]
ad.malaysiavm.com = AD.MALAYSIAVM.COM
.ad.malaysiavm.com = AD.MALAYSIAVM.COM

[libdefaults]
default_realm = AD.MALAYSIAVM.COM

[realms]
AD.MALAYSIAVM.COM = {
admin_server = dc01.ad.malaysiavm.com:464
default_domain = AD.MALAYSIAVM.COM
kdc = dc01.ad.malaysiavm.com:88

Basically the different between ESX 2.x and 3.x is in PAM configuration, make sure you have correct PAM configuration as example below:

/etc/pam.d/vmware-authd
auth required pam_stack.so service=system-auth
account required pam_stack.so service=system-auth

/etc/pam.d/system-auth
account sufficient /lib/security/$ISA/pam_krb5.so
account required /lib/security/$ISA/pam_unix.so

auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_krb5.so use_first_pass
auth required /lib/security/$ISA/pam_deny.so

password required /lib/security/$ISA/pam_cracklib.so retry=3
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password sufficient /lib/security/$ISA/pam_krb5.so use_authtok
password required /lib/security/$ISA/pam_deny.so

session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
session sufficient /lib/security/$ISA/pam_krb5.so

According to previous article from VMware, you’re require /var/kerberos/krb5kdc/kdc.conf which it’s worked without this file on VMware ESX 3.5 update 2.

Create a user on the VMware ESX Server system with permissions to use the service console or SSH. To create a user, use the Linux command useradd.

# /usr/sbin/useradd user1

Note: please make sure you have user1 in your AD or create any other AD account.

Open a new SSH session(I used putty) and login with username: user1 and AD password. If you have any problem with AD authentication logon, please refer to /var/log/message.

In case you need to access to VMware ESX host directly, you’re require to define user test1 in permission tab under VI.

Done! Congratulation! You should be able to login to ESX server using Active Directory authentication.

Related Post:

• SLES 9 Authentication Login Using Active Directory
• SLES 10 Authentication Login Using Active Directory
• ESX Server Integration with Active Directory

Related posts:

1. VMware Data Recovery Mount Show Password Detail?