I recently received a question about whether it is possible to configure Active Directory integration with vMA. This is not available out of the box, but it can be set up. There are many articles online with instructions for configuring AD integration on UNIX/Linux hosts, but they are not always straightforward to implement.
[vi-admin@kate ~]$ chmod +x LikewiseIdentityServiceOpen-5.3.0.7798-linux-x86_64-rpm-installer
4. Now we will begin the installation; you will need to use sudo (accept all defaults):
[vi-admin@kate ~]$ sudo ./LikewiseIdentityServiceOpen-5.3.0.7798-linux-x86_64-rpm-installer
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
Password:
----------------------------------------------------------------------------
Welcome to the Likewise Identity Service [Open] Setup Wizard.
----------------------------------------------------------------------------
Please read the following License Agreement. You must accept the terms of this
agreement before continuing with the installation.
Press [Enter] to continue :
Likewise Open is provided under the terms of the GNU General
Public License (GPL version 2) and the GNU Library General
Public License (LGPL version 2.1). The additional components
listed below are covered under separate license agreements:
Samba 3.0 Client libraries and tools - GPLv2
MIT Kerberos - MIT Kerberos 5 and other licenses
OpenLDAP - OpenLDAP Public License
Novell DCE-RPC - BSD
LibXML2 - BSD
libuuid from e2fsprogs - BSD
libiconv - LGPLv2
OpenSSL - BSD
For more details and for the full text for each of these
licenses, read the LICENSES and COPYING files included with
this software.
Press [Enter] to continue :
Do you accept this license? [y/n]: y
----------------------------------------------------------------------------
32-bit Compatbility Libraries
Should the 32-bit compatibility libraries be installed? These are only needed if 32-bit programs will be accessing the Likewise authentication code. If you do not know the answer, just leave it as "Auto".
[1] Auto
[2] Yes
[3] No
Please choose an option [1] :
----------------------------------------------------------------------------
Setup is now ready to begin installing Likewise Identity Service [Open] on your computer.
Do you want to continue? [Y/n]: y
----------------------------------------------------------------------------
Please wait while Setup installs Likewise Identity Service [Open] on your computer.
Installing
0% ______________ 50% ______________ 100%
######################################Info: Likewise
--------
To join an Active Directory domain using a command-line interface, run:
/opt/likewise/bin/domainjoin-cli
Press [Enter] to continue :
###
5. Once the setup has finished, you will want to edit the lsassd.conf configuration file. The two changes that you will be making are:
- Allow a user to log in to vMA without having to specify the full domain along with the username (e.g. username@domain@vmahost)
- Change the default login shell from /bin/sh to /bin/bash
Start by editing /etc/likewise/lsassd.conf:
- uncomment "assume-default-domain = yes"
- change "login-shell-template = /bin/sh" to "login-shell-template = /bin/bash"
Note: If you are using a newer version of "Open" where lsassd.conf no longer exists, refer to the "Open" documentation for updating the settings listed above - http://www.likewise.com/resources/documentation_library/manuals/open/likewise-open-guide.html
6. Before we join the vMA host to the Active Directory server, ensure that DNS is properly configured and that both forward and reverse lookups resolve correctly on the vMA host.
[vi-admin@kate ~]$ host kate
kate.primp-industries.com has address 172.30.0.189
[vi-admin@kate ~]$ host 172.30.0.189
189.0.30.172.in-addr.arpa domain name pointer kate.primp-industries.com.
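The following is an added preflight script (not part of the original post) that covers steps 5 and 6: it applies the two lsassd.conf edits idempotently and confirms that the forward and reverse DNS lookups agree before the join is attempted. The function names are my own, and the config fragment and lookup output used in the demo are constructed copies of what the post shows.

```shell
#!/bin/sh
# Added example: preflight for steps 5 and 6 of the vMA + Likewise Open setup.
# Function names are hypothetical; the real config file is /etc/likewise/lsassd.conf.

# Rewrite the two lsassd.conf settings from step 5; safe to run more than once,
# because commented-out and already-correct lines are both normalised.
apply_lsassd_changes() {
    sed -e 's/^[#[:space:]]*assume-default-domain[[:space:]]*=.*/assume-default-domain = yes/' \
        -e 's|^[#[:space:]]*login-shell-template[[:space:]]*=.*|login-shell-template = /bin/bash|' \
        "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Return 0 only when both settings are active (uncommented) with the wanted values.
lsassd_changes_applied() {
    grep -q '^assume-default-domain = yes$' "$1" &&
    grep -q '^login-shell-template = /bin/bash$' "$1"
}

# Pull the address out of `host <name>` output, and the name out of `host <addr>` output.
forward_addr() { sed -n 's/^.* has address \([0-9.]*\)$/\1/p'; }
reverse_name() { sed -n 's/^.* domain name pointer \(.*\)\.$/\1/p'; }

# Step 6 check: the PTR record must point back at the expected FQDN.
# Args: expected FQDN, forward lookup output, reverse lookup output.
dns_roundtrip_ok() {
    addr=$(printf '%s\n' "$2" | forward_addr)
    name=$(printf '%s\n' "$3" | reverse_name)
    [ -n "$addr" ] && [ "$name" = "$1" ]
}

# Demo on a constructed config fragment rather than the live file.
tmp=$(mktemp)
cat > "$tmp" <<'EOF'
# assume-default-domain = yes
login-shell-template = /bin/sh
EOF
apply_lsassd_changes "$tmp"
lsassd_changes_applied "$tmp" && echo "lsassd.conf settings applied"
rm -f "$tmp"

# Constructed lookup output copied from the post; on a live host use
# dns_roundtrip_ok "$(hostname -f)" "$(host "$(hostname -f)")" "$(host "$addr")".
dns_roundtrip_ok kate.primp-industries.com \
    'kate.primp-industries.com has address 172.30.0.189' \
    '189.0.30.172.in-addr.arpa domain name pointer kate.primp-industries.com.' \
    && echo "forward and reverse DNS agree"
```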
7. We will now join the vMA host to the AD domain. The syntax is "domainjoin-cli join [domain] [username]":
[vi-admin@kate ~]$ sudo domainjoin-cli join primp-industries.com Administrator
Joining to AD Domain: primp-industries.com
With Computer DNS Name: kate.primp-industries.com
*protected email*'s password:
Warning: System restart required
Your system has been configured to authenticate to Active Directory for the first time. It is recommended that you restart your system to ensure that all
applications recognize the new settings.
Warning: Unknown pam module
The likewise PAM module cannot be configured for the wbem service. This services uses the '$ISA/pam_unix.so' module, which is not in this program's list of
known modules. Please email Likewise technical support and include a copy of /etc/pam.conf or /etc/pam.d.
Warning: A resumable error occurred while processing a module
Even though the configuration of 'pam' was executed, the configuration did not fully complete. Please contact Likewise support.
SUCCESS
Note: Do not worry about the warning messages; they are expected, and you do not need to restart the system for the changes to take effect.
If you have any issues trying to join the domain, you can enable logging, which is helpful for troubleshooting. To do so, specify two additional parameters: the log level and where to write the log, either the console or a file:
[vi-admin@kate ~]$ sudo domainjoin-cli --loglevel verbose --logfile joindomain.log join primp-industries.com administrator
Joining to AD Domain: primp-industries.com
With Computer DNS Name: kate.primp-industries.com
*protected email*'s password:
Warning: Unknown pam module
The likewise PAM module cannot be configured for the wbem service. This services uses the '$ISA/pam_unix.so' module, which is not in this program's list of
known modules. Please email Likewise technical support and include a copy of /etc/pam.conf or /etc/pam.d.
Warning: A resumable error occurred while processing a module
Even though the configuration of 'pam' was executed, the configuration did not fully complete. Please contact Likewise support.
SUCCESS
From the above example, you should now have a new log file called joindomain.log.
8. To verify that you have successfully joined the domain, run the following query:
[vi-admin@kate ~]$ sudo domainjoin-cli query
Name = kate
Domain = PRIMP-INDUSTRIES.COM
Distinguished Name = CN=KATE,CN=Computers,DC=primp-industries,DC=com
9. Before you try to log in with a domain user, you need to reload the configuration changes made earlier. To do so, execute the following:
[vi-admin@kate ~]$ sudo /opt/likewise/bin/lw-refresh-configuration
Configuration successfully loaded from disk.
10. Now we will test a login using an account from the AD domain:
[vi-admin@kate ~]$ ssh primp@localhost
Password:
Your password will expire today
Welcome to vMA
run 'vma-help' or see http://www.vmware.com/go/vma4 for more details.
[primp@kate ~]$ pwd
/home/local/PRIMP-IND/primp
We can also verify this user against the AD server by running the following query:
Default (level 0) info:
[vi-admin@kate ~]$ /opt/likewise/bin/lw-find-user-by-name primp
User info (Level-0):
====================
Name: primp
SID: S-1-5-21-503341760-968948550-2164105906-1105
Uid: 1058014289
Gid: 1058013696
Gecos: primp primp
Shell: /bin/bash
Home dir: /home/local/PRIMP-IND/primp
Logon restriction: NO
Level 2 info:
[vi-admin@kate ~]$ /opt/likewise/bin/lw-find-user-by-name primp --level 2
User info (Level-2):
====================
Name: primp
SID: S-1-5-21-503341760-968948550-2164105906-1105
UPN: *protected email*
Generated UPN: NO
DN: CN=primp primp,CN=Users,DC=primp-industries,DC=com
Uid: 1058014289
Gid: 1058013696
Gecos: primp primp
Shell: /bin/bash
Home dir: /home/local/PRIMP-IND/primp
LMHash length: 0
NTHash length: 0
Local User: NO
Account disabled (or locked): FALSE
Account expired: FALSE
Password never expires: TRUE
Password expired: FALSE
Prompt for password change: YES
User can change password: YES
Days till password expires: 0
Logon restriction: NO
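As an added check (not from the original post), the level-2 record above can be turned into a pass/fail test of the mapped account before anyone is handed a login: it confirms the user is AD-backed rather than local, not disabled or expired, and that the shell and home directory came from the templates set in step 5. lw_field and lw_user_check are hypothetical helper names; the field labels are the ones Likewise prints.

```shell
#!/bin/sh
# Added example: validate an lw-find-user-by-name --level 2 record (step 10).
# Helper names are hypothetical; labels match the Likewise output on the page.

# Print the value of one "Label: value" line from level-2 output read on stdin.
lw_field() {
    sed -n "s/^$1:[[:space:]]*//p"
}

# Same lookup, but on a record held in a variable (arg 1) for a label (arg 2).
field_of() {
    printf '%s\n' "$1" | lw_field "$2"
}

# Return 0 only when the record describes an enabled, AD-backed account whose
# shell and home directory come from the lsassd templates configured in step 5.
# Args: expected shell, expected home-directory prefix; record is read on stdin.
lw_user_check() {
    rec=$(cat)
    [ "$(field_of "$rec" 'Local User')" = "NO" ] || { echo "not an AD-backed user"; return 1; }
    [ "$(field_of "$rec" 'Account disabled (or locked)')" = "FALSE" ] || { echo "account disabled or locked"; return 1; }
    [ "$(field_of "$rec" 'Account expired')" = "FALSE" ] || { echo "account expired"; return 1; }
    [ "$(field_of "$rec" 'Shell')" = "$1" ] || { echo "unexpected shell: $(field_of "$rec" Shell)"; return 1; }
    case "$(field_of "$rec" 'Home dir')" in
        "$2"/*) ;;
        *) echo "home dir outside $2: $(field_of "$rec" 'Home dir')"; return 1 ;;
    esac
    return 0
}

# Constructed record: the relevant fields from the post's level-2 output for primp.
SAMPLE='Name: primp
SID: S-1-5-21-503341760-968948550-2164105906-1105
Shell: /bin/bash
Home dir: /home/local/PRIMP-IND/primp
Local User: NO
Account disabled (or locked): FALSE
Account expired: FALSE
Password expired: FALSE'

# Live use: /opt/likewise/bin/lw-find-user-by-name primp --level 2 | lw_user_check /bin/bash /home/local
printf '%s\n' "$SAMPLE" | lw_user_check /bin/bash /home/local && echo "primp: mapping looks good"
```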
To unjoin and leave the domain, use the following. To preview the files that will be changed when leaving the domain, run:
[vi-admin@kate ~]$ sudo domainjoin-cli leave --advanced --preview
Leaving AD Domain: PRIMP-INDUSTRIES.COM
[F] DDNS - Configure Dynamic DNS Entry for this host
[X] [S] ssh - configure ssh and sshd
[X] [N] pam - configure pam.d/pam.conf
[F] nsswitch - enable/disable Likewise nsswitch module
[X] [N] krb5 - configure krb5.conf
[X] [N] stop - stop daemons
[X] [N] leave - disable machine account
[F] keytab - initialize kerberos keytab
Key to flags
[F]ully configured - the system is already configured for this step
[S]ufficiently configured - the system meets the minimum configuration
requirements for this step
[N]ecessary - this step must be run or manually performed.
[X] - this step is enabled and will make changes
[ ] - this step is disabled and will not make changes
To confirm and leave the domain, use:
[vi-admin@kate ~]$ sudo domainjoin-cli leave
Leaving AD Domain: PRIMP-INDUSTRIES.COM
SUCCESS
All Likewise utilities are installed under /opt/likewise/bin; for more information on these utilities and how to use them, check out the Likewise documentation.
UPDATE:
The instructions above can also be used to set up "Open" on classic ESX with the Service Console; they will not work on ESXi, however.
Anonymous says
So you should be able to use this on ESX host as well ?
William says
Yes, I actually tried this on ESX 4.0 Update 2 and it works exactly the same without any issues. This however, will not work on ESXi and the unsupported Busybox console.
I'll update the post tonight to also mention this will work on classic ESX using the exact same instructions.
--William
RamD says
Hi - with the latest version of Open, the lsassd.cfg file is no longer present, so configuration changes have to be done in the registry using the lwregshell command.
Please see my notes below (excuse the verbosity - I am copy-pasting from my shell).
Run the following command to list values against 'HKEY_THIS_MACHINE\Services\lsass\Parameters\Providers\ActiveDirectory' key in registry -
[root@vm4 ~]# /opt/likewise/bin/lwregshell ls '[HKEY_THIS_MACHINE\Services\lsass\Parameters\Providers\ActiveDirectory]'
[HKEY_THIS_MACHINE\\Services\lsass\Parameters\Providers\ActiveDirectory]
"AssumeDefaultDomain" REG_DWORD 0x00000000 (0)
"CacheEntryExpiry" REG_DWORD 0x00003840 (14400)
"CachePurgeTimeout" REG_DWORD 0x00278d00 (2592000)
"CacheType" REG_SZ "memory"
"CreateHomeDir" REG_DWORD 0x00000001 (1)
"CreateK5Login" REG_DWORD 0x00000001 (1)
"DomainManagerCheckDomainOnlineInterval" REG_DWORD 0x0000012c (300)
"DomainManagerUnknownDomainCacheTimeout" REG_DWORD 0x00000e10 (3600)
"DomainSeparator" REG_SZ "\\"
"HomeDirPrefix" REG_SZ "/home"
"HomeDirTemplate" REG_SZ "%H/local/%D/%U"
"HomeDirUmask" REG_SZ "022"
"Id" REG_SZ "lsa-activedirectory-provider"
"LdapSignAndSeal" REG_DWORD 0x00000000 (0)
"LoginShellTemplate" REG_SZ "/bin/bash"
"LogNetworkConnectionEvents" REG_DWORD 0x00000001 (1)
"MachinePasswordLifespan" REG_DWORD 0x00278d00 (2592000)
...
To change a particular key, say AssumeDefaultDomain, run the following command -
[root@vm4 ~]# /opt/likewise/bin/lwregshell set_value '[HKEY_THIS_MACHINE\Services\lsass\Parameters\Providers\ActiveDirectory]' AssumeDefaultDomain 1
To set LoginShellTemplate to /bin/bash run -
[root@vm4 ~]# /opt/likewise/bin/lwregshell set_value '[HKEY_THIS_MACHINE\Services\lsass\Parameters\Providers\ActiveDirectory]' LoginShellTemplate /bin/bash
To refresh the lsass daemon with new config settings, run -
/opt/likewise/bin/lwsm refresh lsass
To list the values at any time you can use the first command.
RamD says
for more information see this page - http://www.likewise.com/resources/documentation_library/manuals/open/likewise-open-guide.html
William says
@RamD Thanks for the info, I'll update the post with the link regarding lsass update.
RamD says
Hi William - you are welcome. The question I have in my mind is: after 'open' is installed, will we be able to do password-less operation using AD authentication? I have the setup requisite for this - vCenter, ESXi hosts and vMA 4.0 all attached now to the same domain.
William says
@RamD
No, you will not be able to; vi-fastpass has to also be updated to support adauth, which is what happened with vMA 4.1. The above just demonstrates how to get vMA joined to AD using "Open", which is exactly how vMA 4.1 is set up. Unless there's a reason to stay on vMA 4.0, the recommendation is to go to vMA 4.1 even if you only have ESX(i) 3.5 or 4.0 hosts.
RamD says
Hi William, thanks for your response. While on vMA 4.0, are there any best practices to follow in order to prevent misuse of passwords stored in the credential store? If a user logs in as vi-admin then anyhow he/she has access to the credential store where passwords are stored in plain text, in obfuscated form, so it is easy to crack these. Any ideas on how to prevent this?
One thought is: all users of vMA always log in with their directory logins (not using vi-admin). Then anyhow each has a different credential store for their ESX/ESXi/vCenter access, which hopefully has correct file permissions set. The vi-admin user is locked down, much like the default root user.
What were you following till you moved to 4.10?
PS: A blog on this would help... 🙂
William says
@RamD,
Here is a blog post motivated by our conversation - http://www.virtuallyghetto.com/2010/08/why-you-should-upgrade-from-vma-40-to.html
Hopefully it'll clear up some questions.
Regarding your suggestion, it would not work since the activation of vi-fastpass is only allowed for the vi-admin user. You will get an error that the user context is incorrect. Also if you take a look at the post above, you'll see that vMA 4.1 does fix the known plain text issue but one can still access the credential store and retrieve the username and password. This can be done on both vMA 4.0 and 4.1. There is a recommendation on how to really protect the credential store which is outlined in the article.
Hopefully this helps
Thanks for the comments
temp-user says
I was facing problems joining the VMware appliance to Active Directory. There is a trust between my production domain and another lab domain. One of the domain controllers that was in the trusted (lab) domain was out of time sync. This prevented my machine from being joined correctly to Active Directory.
Likewise 5.3 wasn't able to handle that; with 6.1 it worked. After the clocks were synchronized everything started to work.
I don't want others to run into it. I guess there is an option to disable all trusts, but VMware is obviously not using that in their UI.
Conditions: VMware vCenter appliance 5.0 based on SuSE Linux
Active Directory Windows 2008 R2 server with the forest & domain level 2008 R2
/opt/likewise/bin/lw-get-status was only showing local authentication.
Also tried to investigate the missing AD DNS entry _kerberos-master._udp.. Obviously this entry doesn't have to be there.
Joining Active Directory using the command line /opt/likewise/bin/domainjoin-cli seems to be working itself. But it doesn't enable some features in the VMware interface, so I encourage people to use that for troubleshooting, but once they've fixed their problems, go back to the appliance web interface and do it there.
Good luck