In the previous post we looked at Automating Active Directory Domain Join in ESXi Kickstart. We are now going to look at adding domain users without having to manually go through vSphere Client or external scripts after an ESXi host has been provisioned. We are going to be leveraging vim-cmd to accomplish this during the kickstart installation. Before doing so, you will need to know the the available roles on a default ESXi host and the syntax for a given permission.
To see the available roles, you can run the following command on an already provisioned ESXi host:
vim-cmd vimsvc/auth/roles | less
The default roles on an ESXi host are:
- NoAccess
- ReadOnly
- Admin
To see the existing permissions, you can run the following command on an already provisioned ESXi host:
vim-cmd vimsvc/auth/permissions
These entries will match what you see in the vSphere Client and dictate who has login access to the ESXi host.
To add a new permission, we will be using the "vim-cmd vimsvc/auth/entity_permission_add" and it requires five parameters.
- First - Entity (This can be found by looking at the output from permissions)
- Second - Username
- Third - Boolean on whether this is a group or not (should be false)
- Fourth - The role to be applied to the user
- Fifth - Boolean on whether to propagate this permission
If you manually add a domain user, you can easily verify the user can login by running the "id" command which will perform a look up on the user. If it is successful, it should return an entry corresponding to something like this:
Note: We need to use the double slash "\" to escape the initial slash when running the query. Also make note of the domain name as it may or may not match your full domain name.
We are now ready to craft a simple script that will add domain users as part of the ESXi kickstart process. The following snippet should be placed in the %firstboot section of your kickstart and after your Active Directory domain join code. Make sure you replace the DOMAIN_NAME variable along with the usernames. In the example I have two separate for loops to handle ReadOnly and Admin users, you do not need both if you are only adding one type of users.
The script basically performs a simple 60sec sleep to ensure the domain join process has completed before continuing. If you do not place a sleep, the subsequent code will fail to execute. The next step is to validate the user by doing a simple lookup using "id" command and upon successful look up of the user, we add the appropriate permissions.
If everything was successful, after your ESXi installation you now should have your host joined to your Active Directory and a list of domain users who now have permission to login to the ESXi host. You can verify by using the vSphere Client and taking a look at the Permissions tab.
If you would like to create custom roles on your ESXi host, you can use the following command:
vim-cmd vimsvc/auth/role_add
Note: The syntax for the privileges parameter lists only five, but it actually accepts as many as you need with the custom role
zenhat.org says
'id' command will not work for AD users and groups. Instead 'lw-lsa' command can be used.
E.g.
lw-lsa find-group-by-name --level 0 "${GROUP}" > /dev/null 2>&1
if [ $? -eq 0 ]; then
vim-cmd vimsvc/auth/entity_permission_add "vim.Folder:ha-folder-root" "${GROUP}" true Admin true
vim-cmd vimsvc/auth/entity_permission_add "vim.ComputeResource:ha-compute-res" "${GROUP}" true Admin true
fi
Manaji says
Hi,
I am getting error for domain login in esxi. I have joined ESXi to domain & Added user group in to esxi host (Added user group on root login to esxi host)
ESXi Version - Product: VMware ESXi
Version: 6.0.0
Build: Releasebuild-3287794
Update: 1
Patch: 20
Error 1
Failed to enumerate users. Error code 40286 (LW_ERROR_LDAP_SERVER_DOWN).
The DC closed an LDAP connection in the middle of a query
Error 2 -
Failed to enumerate users. Error code 40121 (LW_ERROR_DOMAIN_IS_OFFLINE).
The domain is offline
Please help.