WilliamLam.com


How to configure Likewise "Open" AD integration on vMA

07.01.2010 by William Lam // 10 Comments

I recently received a question about whether it was possible to configure Active Directory integration with vMA. This feature is not available out of the box, but it can be set up. There are many articles online that provide instructions on configuring AD integration on UNIX/Linux hosts, but they may not always be straightforward to implement.

While pondering this question, I remembered reading an article about the OEM partnership between Likewise and VMware, in which Likewise's authentication software will be integrated into future releases of the vSphere platform. There have also been rumors that the Likewise software will appear in the next release of vSphere, which may provide AD integration out of the box.

Likewise has an open source product called "Open" which integrates UNIX, Linux and Mac systems with Microsoft Active Directory, allowing users to authenticate with their Windows domain credentials. I thought it would be interesting to see if I could get "Open" running on VMware vMA, and sure enough, it was pretty straightforward.

1. You will need to register to download the latest version of the Likewise software which can be found here:
Note: Make sure you select the 64bit version and the non-GUI version of "Open".

2. You will now upload the installer LikewiseIdentityServiceOpen-5.3.0.7798-linux-x86_64-rpm-installer to your vMA host using either UNIX/Linux scp or WinSCP if you are on a Windows system.

3. Set the installer to be an executable by running the following command:


[vi-admin@kate ~]$ chmod +x LikewiseIdentityServiceOpen-5.3.0.7798-linux-x86_64-rpm-installer

4. Now we will begin the installation. You will need to use sudo (accept all defaults):

[vi-admin@kate ~]$ sudo ./LikewiseIdentityServiceOpen-5.3.0.7798-linux-x86_64-rpm-installer

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.

Password:
----------------------------------------------------------------------------
Welcome to the Likewise Identity Service [Open] Setup Wizard.

----------------------------------------------------------------------------
Please read the following License Agreement. You must accept the terms of this
agreement before continuing with the installation.

Press [Enter] to continue :
Likewise Open is provided under the terms of the GNU General
Public License (GPL version 2) and the GNU Library General
Public License (LGPL version 2.1). The additional components
listed below are covered under separate license agreements:

Samba 3.0 Client libraries and tools - GPLv2
MIT Kerberos - MIT Kerberos 5 and other licenses
OpenLDAP - OpenLDAP Public License
Novell DCE-RPC - BSD
LibXML2 - BSD
libuuid from e2fsprogs - BSD
libiconv - LGPLv2
OpenSSL - BSD

For more details and for the full text for each of these
licenses, read the LICENSES and COPYING files included with
this software.

Press [Enter] to continue :

Do you accept this license? [y/n]: y

----------------------------------------------------------------------------
32-bit Compatbility Libraries

Should the 32-bit compatibility libraries be installed? These are only needed if 32-bit programs will be accessing the Likewise authentication code. If you do not know the answer, just leave it as "Auto".

[1] Auto
[2] Yes
[3] No
Please choose an option [1] :

----------------------------------------------------------------------------
Setup is now ready to begin installing Likewise Identity Service [Open] on your computer.

Do you want to continue? [Y/n]: y

----------------------------------------------------------------------------
Please wait while Setup installs Likewise Identity Service [Open] on your computer.

Installing
0% ______________ 50% ______________ 100%
######################################Info: Likewise
--------

To join an Active Directory domain using a command-line interface, run:

/opt/likewise/bin/domainjoin-cli

Press [Enter] to continue :
###

5. Once the setup has finished, you will want to edit the lsassd.conf configuration file. The two changes that you will be making are:

  • Allow a user to login to vMA without having to specify the username and the full domain (e.g. username@domain@vmahost)
  • Changing the default login shell from /bin/sh to /bin/bash

Start by editing /etc/likewise/lsassd.conf

  • uncomment "assume-default-domain = yes"
  • change "login-shell-template = /bin/sh" to "login-shell-template = /bin/bash"

[vi-admin@kate ~]$ sudo vi /etc/likewise/lsassd.conf

Note: If you are using a newer version of "Open" where lsassd.conf no longer exists, please take a look at the "Open" documentation on updating the configurations listed above - http://www.likewise.com/resources/documentation_library/manuals/open/likewise-open-guide.html

6. Before we join the vMA host to the Active Directory server, ensure that DNS is properly configured and that both forward and reverse lookups are correct on the vMA host.

[vi-admin@kate ~]$ host kate
kate.primp-industries.com has address 172.30.0.189

[vi-admin@kate ~]$ host 172.30.0.189
189.0.30.172.in-addr.arpa domain name pointer kate.primp-industries.com.

7. We will now join the vMA host to an AD server. The syntax will be "domainjoin-cli join [domain] [username]"

[vi-admin@kate ~]$ sudo domainjoin-cli join primp-industries.com Administrator

Joining to AD Domain: primp-industries.com
With Computer DNS Name: kate.primp-industries.com

*protected email*'s password:
Warning: System restart required
Your system has been configured to authenticate to Active Directory for the first time. It is recommended that you restart your system to ensure that all
applications recognize the new settings.

Warning: Unknown pam module
The likewise PAM module cannot be configured for the wbem service. This services uses the '$ISA/pam_unix.so' module, which is not in this program's list of
known modules. Please email Likewise technical support and include a copy of /etc/pam.conf or /etc/pam.d.

Warning: A resumable error occurred while processing a module
Even though the configuration of 'pam' was executed, the configuration did not fully complete. Please contact Likewise support.

SUCCESS

Note: Do not worry about the warning message; it is normal, and you do not need to restart the system for the changes to take effect.

If you have any issues trying to join a domain, you can enable logging, which can be helpful for troubleshooting. To do so, you will specify two additional parameters which denote the log level and where to output the log, whether that is to the console or to a file:

[vi-admin@kate ~]$ sudo domainjoin-cli --loglevel verbose --logfile joindomain.log join primp-industries.com administrator
Joining to AD Domain: primp-industries.com
With Computer DNS Name: kate.primp-industries.com

*protected email*'s password:
Warning: Unknown pam module
The likewise PAM module cannot be configured for the wbem service. This services uses the '$ISA/pam_unix.so' module, which is not in this program's list of
known modules. Please email Likewise technical support and include a copy of /etc/pam.conf or /etc/pam.d.

Warning: A resumable error occurred while processing a module
Even though the configuration of 'pam' was executed, the configuration did not fully complete. Please contact Likewise support.

SUCCESS

From the above example, you should have a new log file created called joindomain.log.

8. To verify that you have successfully joined the domain, you can run the following command to query:

[vi-admin@kate ~]$ sudo domainjoin-cli query

Name = kate
Domain = PRIMP-INDUSTRIES.COM
Distinguished Name = CN=KATE,CN=Computers,DC=primp-industries,DC=com

9. Before you try to log in with a user in the domain, you need to reload the configuration changes that were made earlier. To do so, you will execute the following:

[vi-admin@kate ~]$ sudo /opt/likewise/bin/lw-refresh-configuration

Configuration successfully loaded from disk.

10. Now, we will test a login using an account on the AD server:

[vi-admin@kate ~]$ ssh primp@localhost
Password:
Your password will expire today

Welcome to vMA
run 'vma-help' or see http://www.vmware.com/go/vma4 for more details.

[primp@kate ~]$ pwd
/home/local/PRIMP-IND/primp

We can also verify this user on the AD Server by running the following query:

Default level 0 info:

[vi-admin@kate ~]$ /opt/likewise/bin/lw-find-user-by-name primp

User info (Level-0):
====================
Name: primp
SID: S-1-5-21-503341760-968948550-2164105906-1105
Uid: 1058014289
Gid: 1058013696
Gecos: primp primp
Shell: /bin/bash
Home dir: /home/local/PRIMP-IND/primp
Logon restriction: NO

Level 2 info:

[vi-admin@kate ~]$ /opt/likewise/bin/lw-find-user-by-name primp --level 2

User info (Level-2):
====================
Name: primp
SID: S-1-5-21-503341760-968948550-2164105906-1105
UPN: *protected email*
Generated UPN: NO
DN: CN=primp primp,CN=Users,DC=primp-industries,DC=com
Uid: 1058014289
Gid: 1058013696
Gecos: primp primp
Shell: /bin/bash
Home dir: /home/local/PRIMP-IND/primp
LMHash length: 0
NTHash length: 0
Local User: NO
Account disabled (or locked): FALSE
Account expired: FALSE
Password never expires: TRUE
Password expired: FALSE
Prompt for password change: YES
User can change password: YES
Days till password expires: 0
Logon restriction: NO
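
Steps 5 and 6 above can be scripted so that the lsassd.conf edits are repeatable and the forward/reverse DNS check is explicit. This is an added example, not part of the original post; it assumes lsassd.conf uses '#' comments and "key = value" lines, and the function names and the prejoin.sh script name are hypothetical.

```sh
#!/bin/sh
# Added example, not from the original post: steps 5 and 6 as functions.
# Assumption: lsassd.conf holds "key = value" lines with '#' comments.
s='[[:space:]]*'   # optional whitespace, shared by the patterns below

# Step 5: enable assume-default-domain and set the login shell to /bin/bash.
# Safe to re-run; the first run keeps the untouched file as FILE.orig.
configure_lsassd() (
    conf=$1
    [ -e "$conf.orig" ] || cp -p "$conf" "$conf.orig" || exit 1
    tmp=$(mktemp) || exit 1
    sed -e "s|^\($s\)#$s\(assume-default-domain$s=${s}yes\)|\1\2|" \
        -e "s|^\(${s}login-shell-template$s=$s\)/bin/sh$s\$|\1/bin/bash|" \
        "$conf" > "$tmp" && cat "$tmp" > "$conf"   # cat keeps owner and mode
    rc=$?
    rm -f "$tmp"
    [ "$rc" -eq 0 ] || exit 1
    # Succeed only if both settings are now active (uncommented).
    grep -Eq "^${s}assume-default-domain$s=${s}yes" "$conf" &&
        grep -Eq "^${s}login-shell-template$s=$s/bin/bash$s\$" "$conf"
)

# Step 6: takes the output of `host NAME` and `host IP`. Passes only if the
# PTR record is for the resolved address and points back at the same FQDN.
dns_roundtrip_ok() (
    fqdn=$(printf '%s\n' "$1" | awk '/ has address /{print $1; exit}')
    ip=$(printf '%s\n' "$1" | awk '/ has address /{print $4; exit}')
    [ -n "$ip" ] || exit 1
    arpa=$(printf '%s\n' "$ip" |
           awk -F. '{print $4 "." $3 "." $2 "." $1 ".in-addr.arpa"}')
    ptr=$(printf '%s\n' "$2" |
          awk -v q="$arpa" '$1 == q && / domain name pointer /{print $5; exit}')
    # PTR targets end with a dot; DNS names compare case-insensitively.
    [ "$(printf '%s' "${ptr%.}" | tr 'A-Z' 'a-z')" = \
      "$(printf '%s' "$fqdn" | tr 'A-Z' 'a-z')" ]
)

# Usage: sudo sh prejoin.sh /etc/likewise/lsassd.conf kate
if [ "$#" -eq 2 ]; then
    configure_lsassd "$1" || { echo "lsassd.conf not updated" >&2; exit 1; }
    fwd=$(host "$2") || { echo "no forward record for $2" >&2; exit 1; }
    ip=$(printf '%s\n' "$fwd" | awk '/ has address /{print $4; exit}')
    dns_roundtrip_ok "$fwd" "$(host "$ip" 2>&1)" ||
        { echo "forward and reverse DNS disagree for $2" >&2; exit 1; }
    echo "ready for domainjoin-cli join"
fi
```

The configuration reload in step 9 is still needed after the file has been changed.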

To unjoin and leave the domain, you will use the following:

To preview the files that will require changes for leaving a domain, use:

[vi-admin@kate ~]$ sudo domainjoin-cli leave --advanced --preview

Leaving AD Domain: PRIMP-INDUSTRIES.COM
[F] DDNS - Configure Dynamic DNS Entry for this host
[X] [S] ssh - configure ssh and sshd
[X] [N] pam - configure pam.d/pam.conf
[F] nsswitch - enable/disable Likewise nsswitch module
[X] [N] krb5 - configure krb5.conf
[X] [N] stop - stop daemons
[X] [N] leave - disable machine account
[F] keytab - initialize kerberos keytab

Key to flags
[F]ully configured - the system is already configured for this step
[S]ufficiently configured - the system meets the minimum configuration
requirements for this step
[N]ecessary - this step must be run or manually performed.

[X] - this step is enabled and will make changes
[ ] - this step is disabled and will not make changes

To confirm and leave the domain, use:

[vi-admin@kate ~]$ sudo domainjoin-cli leave

Leaving AD Domain: PRIMP-INDUSTRIES.COM
SUCCESS

All Likewise utilities are installed under /opt/likewise/bin and for more information on these utilities and how to use them, check out the Likewise documentation here.

UPDATE:
The instructions above can also be used to set up "Open" on classic ESX with the Service Console. They will not work on ESXi, however.

Categories // Uncategorized Tags // active directory, likewise, vma

Is vSphere 4.1 release really imminent?

06.30.2010 by William Lam // 5 Comments

There have been a few articles floating around the web regarding potential features and speculation on when the next version of vSphere will be released. While doing some research for a new article that I am working on, I stumbled onto an interesting VMware website called VMLive. VMLive is VMware's interactive webinar series designed specifically for their partner community.

It seems that the Australia-New Zealand VMLive channel is getting a head start on the next release, which looks to be vSphere 4.1! I'm curious if other regions are getting similar offerings?
Here is a screenshot of the 4 upcoming webinars:

Here is the link, assuming it does not get pulled.

  • http://app.connect.vmware.com/e/es.aspx?s=524&e=14780133&elq=acf5047eb86d490cb660ce78db98d2e7&OPENID=Browser

Categories // Uncategorized Tags // vSphere 4.1

How to install vCLI 4.0 Update 2 on vMA

06.29.2010 by William Lam // Leave a Comment

There was a question today on the VMTN forums about obtaining the latest version of resxtop for vMA to utilize the new NFS datastore counters. Unfortunately, there is no automatic method of updating vMA to get the new version of resxtop, which is part of the vCLI 4.0 Update 2 package. The current release of vMA 4.0 contains the GA release of vCLI 4.0 (May 2009). VMware has since released both Update 1 and Update 2 of vCLI.

Even though there is no automatic way of upgrading the vCLI on vMA, it is actually pretty easy to download the latest version and upgrade it yourself. Before starting, you will want to download vCLI 4.0 Update 2 and ensure that it is the 64bit version.

Download: vCLI 4.0 Update 2

You will need to copy the tarball to your vMA host using either the UNIX/Linux scp command or WinSCP if you're on a Windows system. Once the package has been uploaded, you will log in to your vMA host and you should see the package in the current working directory:

[vi-admin@kate ~]$ ls
VMware-vSphere-CLI-4.0.0-253290.x86_64.tar.gz

Now you will extract the contents of the tarball using the following command:

[vi-admin@kate ~]$ tar -zxvf VMware-vSphere-CLI-4.0.0-253290.x86_64.tar.gz

After extracting the contents, you should now have a new folder called vmware-vsphere-cli-distrib:

[vi-admin@kate ~]$ ls -l
total 18304
-rw-r--r-- 1 vi-admin root 18714362 Jun 28 10:35 VMware-vSphere-CLI-4.0.0-253290.x86_64.tar.gz
drwxr-xr-x 10 vi-admin root 4096 Apr 23 01:01 vmware-vsphere-cli-distrib

You will now cd into the vmware-vsphere-cli-distrib directory and run the installer. The first time you run this, you will get an error and you need to remove the installer db at this time to proceed with the installation:

[vi-admin@kate vmware-vsphere-cli-distrib]$ sudo ./vmware-install.pl
A previous installation of vSphere CLI has been detected.

Uninstallation of previous install failed. Would you like to remove the install
DB? [no] yes

Removing installer DB, please re-run the installer.

Note: (This is necessary since the installer script does not support a clean upgrade from what I can tell)

Once you have successfully removed the installer db, you will need to re-run the previous command, which will start the installation (accept all the defaults and ensure you do overwrite the utilities):

[vi-admin@kate vmware-vsphere-cli-distrib]$ sudo ./vmware-install.pl

......

The installation of vSphere CLI 4.0.0 build-253290 for Linux completed
successfully. You can decide to remove this software from your system at any
time by invoking the following command:
"/usr/bin/vmware-uninstall-vSphere-CLI.pl".

This installer has successfully installed both vSphere CLI and the vSphere SDK
for Perl.

Enjoy,

--the VMware team

After this, you now have the latest version of vCLI 4.0 Update 2 installed on your vMA host.

The biggest feature in this new release of the vCLI is the NFS datastore metrics, which have been sought after for a while. One other feature that has not gotten much attention in the new version of esxtop/resxtop is the power management metrics, denoted by the new "y" option.

Categories // Uncategorized Tags // vcli, vma


Author

William is Distinguished Platform Engineering Architect in the VMware Cloud Foundation (VCF) Division at Broadcom. His primary focus is helping customers and partners build, run and operate a modern Private Cloud using the VMware Cloud Foundation (VCF) platform.
