WilliamLam.com


vMA 4.1 - Active Directory Integration Tip

07.18.2010 by William Lam // 6 Comments

The latest release of vMA 4.1 now supports Active Directory integration which can be used to centralize all authentication within a Windows environment. To join a vMA host to your Active Directory domain, you just need to use one simple command called domainjoin-cli which is part of Likewise's "Open" product.

Here is an example of vMA host joining an AD domain:

By default, Likewise "Open" is not configured to assume the current Active Directory domain as the default. This means that if you are authenticating against vMA via an SSH connection, you will need to specify both the username and the full domain. (e.g. ssh *protected email*@vMA-host)

Here is an example of logging into vMA using AD credentials:

This can be pretty tedious to type out every time, especially if you have a very long domain name. However, Likewise can easily be configured to assume the default domain.

You will need to edit /etc/likewise/lsassd.conf and uncomment "assume-default-domain = yes" and then save your changes:

sudo vi /etc/likewise/lsassd.conf

You will need to reload the configurations for the changes to take effect by running the following utility:

sudo /opt/likewise/bin/lw-refresh-configuration

Now, you can log in by just specifying the username without having to provide the full AD domain name.

I actually wrote an article about a month ago on configuring Likewise "Open" AD integration on vMA before the release of vSphere 4.1. The article goes through the process of setting up "Open" on vMA 4.0 and also documents the change of the default domain. For more Likewise commands and details, check out the article above.

Update1:
If you would like to add an AD group to the sudoers file, you need to edit /etc/sudoers. Make sure you escape the initial backslash and any white space that may be in the group name. In this example, we have a group called "VI Admins" whose members should all be able to log in to vMA using their AD credentials and perform operations using sudo.

1. Edit /etc/sudoers using vi-admin account, make sure you use 'sudo':

[vi-admin@kate ~]$ sudo vi /etc/sudoers

2. Add the following towards the bottom of the file:

%PRIMP-IND\\VI\ Admins ALL=(ALL) ALL

Note: We're escaping both the initial backslash and the space

3. Verify the user can now sudo by querying the sudo operations the user is allowed to execute:

[primp@kate ~]$ id
uid=1058014289(primp) gid=1058013696(domain^admins) groups=1058013696(domain^admins),1058014440(vi^admins)

[primp@kate ~]$ sudo -l
Password:
User primp may run the following commands on this host:
(ALL) ALL
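
One way to generate the entry from step 2 and syntax-check it before it is pasted into /etc/sudoers, as an added example that is not from the original post. The function names are hypothetical; `visudo -c -f` is sudo's check-only mode, and the check reports failure if visudo is not installed.

```sh
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# Build a sudoers entry for an AD group the way step 2 writes it:
# the DOMAIN\group separator becomes "\\" and each space becomes "\ ".
#   $1 = AD domain short name, $2 = group name (may contain spaces)
sudoers_group_entry() {
    escaped=$(printf '%s' "$2" | sed 's/ /\\ /g')
    printf '%%%s\\\\%s ALL=(ALL) ALL\n' "$1" "$escaped"
}

# Parse a candidate entry with visudo in check-only mode so a typo never
# reaches the live /etc/sudoers (a broken sudoers file locks out sudo).
# Returns 0 if accepted, 2 if visudo is not installed, 1 otherwise.
check_sudoers_entry() {
    command -v visudo >/dev/null 2>&1 || return 2
    tmp=$(mktemp) || return 1
    printf '%s\n' "$1" > "$tmp"
    if visudo -c -f "$tmp" >/dev/null 2>&1; then rc=0; else rc=1; fi
    rm -f "$tmp"
    return "$rc"
}

# Domain and group taken from the post's example.
entry=$(sudoers_group_entry 'PRIMP-IND' 'VI Admins')
printf '%s\n' "$entry"
if check_sudoers_entry "$entry"; then
    echo "visudo accepted the entry"
else
    echo "visudo rejected the entry or is not installed"
fi
```

Editing the live file with `sudo visudo` instead of `sudo vi` applies the same syntax check on save.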


Comments

  1. Ben says

    07/19/2010 at 5:54 am

    You guys may also find my post helpful on this topic... http://vbl0g.blogspot.com/2010/07/update-vma-40-to-41.html

  2. Brian says

    01/11/2011 at 4:01 pm

    I'm confused about "escaping both the initial forward slash and the space". Could someone put a keystroke-by-keystroke map for the "VI Admins" example, pointing out when escape is required? I have limited knowledge of this type of file edit.

  3. Brian says

    01/11/2011 at 6:33 pm

    OK, I looked into this a bit more and I think I understand now. It is exactly as typed here. For other laymen, the backslash is the "escape character". It tells the OS that the next character should be taken literally. "\" and " " are special characters interpreted differently without the preceding escape sequence.

  4. Anonymous says

    08/22/2012 at 6:08 am

    OK. So how do we get to run the vifp commands as an AD user without needing sudo?

    vifp listerserver -l
    gives me:
    Error: You don't have permission to execute this command.

    vMA doesn't come with strace, which would be nice.

    I tried adding the AD user to the root group (confirmed with the groups command).

    I can run vifptarget OK. But some of the vifp commands seem to require root. vi-admin doesn't have root (just gid 0, same as I set up the AD account as) and doesn't cry.

  5. Ronald de Haan says

    08/23/2012 at 2:16 pm

    Using the sudo vi command is not as straightforward as put in this blog unfortunately. Having quite a struggle with it.

