Search Results for: vsphere events

How to configure Likewise "Open" AD integration on vMA

07.01.2010 by William Lam // 10 Comments

I recently received a question about whether it was possible to configure Active Directory integration with vMA. Out of the box, this is not a feature that is available by default, but it can be set up. There are many articles online that provide instructions on configuring AD integration on UNIX/Linux hosts, but they may not always be as straightforward to implement.


While pondering this question, I remembered reading an article about the OEM partnership between Likewise and VMware, in which Likewise's authentication software will be integrated into future releases of the vSphere platform. There have also been rumors that the Likewise software will be appearing in the next release of vSphere, which may provide AD integration out of the box.

Likewise has an open source product called "Open" which integrates UNIX, Linux and Mac systems with Microsoft Active Directory, allowing users to authenticate with their Windows domain credentials. I thought it would be interesting to see if I could get "Open" running on VMware vMA, and sure enough, it was pretty straightforward.

1. You will need to register to download the latest version of the Likewise software which can be found here:
Note: Make sure you select the 64bit version and the non-GUI version of "Open".

2. You will now upload the installer LikewiseIdentityServiceOpen-5.3.0.7798-linux-x86_64-rpm-installer to your vMA host using either UNIX/Linux scp or WinSCP if you are on a Windows system.

3. Set the installer to be an executable by running the following command:

[vi-admin@kate ~]$ chmod +x LikewiseIdentityServiceOpen-5.3.0.7798-linux-x86_64-rpm-installer

4. Now we will begin the installation. You will need to use sudo (accept all defaults):

[vi-admin@kate ~]$ sudo ./LikewiseIdentityServiceOpen-5.3.0.7798-linux-x86_64-rpm-installer

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.

Password:
----------------------------------------------------------------------------
Welcome to the Likewise Identity Service [Open] Setup Wizard.

----------------------------------------------------------------------------
Please read the following License Agreement. You must accept the terms of this
agreement before continuing with the installation.

Press [Enter] to continue :
Likewise Open is provided under the terms of the GNU General
Public License (GPL version 2) and the GNU Library General
Public License (LGPL version 2.1). The additional components
listed below are covered under separate license agreements:

Samba 3.0 Client libraries and tools - GPLv2
MIT Kerberos - MIT Kerberos 5 and other licenses
OpenLDAP - OpenLDAP Public License
Novell DCE-RPC - BSD
LibXML2 - BSD
libuuid from e2fsprogs - BSD
libiconv - LGPLv2
OpenSSL - BSD

For more details and for the full text for each of these
licenses, read the LICENSES and COPYING files included with
this software.

Press [Enter] to continue :

Do you accept this license? [y/n]: y

----------------------------------------------------------------------------
32-bit Compatbility Libraries

Should the 32-bit compatibility libraries be installed? These are only needed if 32-bit programs will be accessing the Likewise authentication code. If you do not know the answer, just leave it as "Auto".

[1] Auto
[2] Yes
[3] No
Please choose an option [1] :

----------------------------------------------------------------------------
Setup is now ready to begin installing Likewise Identity Service [Open] on your computer.

Do you want to continue? [Y/n]: y

----------------------------------------------------------------------------
Please wait while Setup installs Likewise Identity Service [Open] on your computer.

Installing
0% ______________ 50% ______________ 100%
######################################Info: Likewise
--------

To join an Active Directory domain using a command-line interface, run:

/opt/likewise/bin/domainjoin-cli

Press [Enter] to continue :
###
5. Once the setup has finished, you will want to edit the lsassd.conf configuration file. The two changes that you will be making are:

  • Allow a user to log in to vMA without having to specify the username and the full domain (e.g. username@domain@vmahost)
  • Changing the default login shell from /bin/sh to /bin/bash

Start by editing /etc/likewise/lsassd.conf

  • uncomment "assume-default-domain = yes"
  • change "login-shell-template = /bin/sh" to "login-shell-template = /bin/bash"

[vi-admin@kate ~]$ sudo vi /etc/likewise/lsassd.conf
Note: If you are using a newer version of "Open" where lsassd.conf no longer exists, please take a look at the "Open" documentation on updating the configurations listed above - http://www.likewise.com/resources/documentation_library/manuals/open/likewise-open-guide.html

6. Before we join the vMA host to the Active Directory server, ensure that DNS is properly configured and that both forward and reverse lookups are correct on the vMA host.

[vi-admin@kate ~]$ host kate
kate.primp-industries.com has address 172.30.0.189

[vi-admin@kate ~]$ host 172.30.0.189
189.0.30.172.in-addr.arpa domain name pointer kate.primp-industries.com.

7. We will now join the vMA host to an AD server. The syntax is "domainjoin-cli join [domain] [username]":

[vi-admin@kate ~]$ sudo domainjoin-cli join primp-industries.com Administrator

Joining to AD Domain: primp-industries.com
With Computer DNS Name: kate.primp-industries.com

*protected email*'s password:
Warning: System restart required
Your system has been configured to authenticate to Active Directory for the first time. It is recommended that you restart your system to ensure that all
applications recognize the new settings.

Warning: Unknown pam module
The likewise PAM module cannot be configured for the wbem service. This services uses the '$ISA/pam_unix.so' module, which is not in this program's list of
known modules. Please email Likewise technical support and include a copy of /etc/pam.conf or /etc/pam.d.

Warning: A resumable error occurred while processing a module
Even though the configuration of 'pam' was executed, the configuration did not fully complete. Please contact Likewise support.

SUCCESS

Note: Do not worry about the warning messages; they are normal, and you do not need to restart the system for the changes to take effect.

If you have any issues trying to join a domain, you can enable logging, which can be helpful for troubleshooting. To do so, you specify two additional parameters that set the log level and where to output the log, whether that is to the console or to a file:

[vi-admin@kate ~]$ sudo domainjoin-cli --loglevel verbose --logfile joindomain.log join primp-industries.com administrator
Joining to AD Domain: primp-industries.com
With Computer DNS Name: kate.primp-industries.com

*protected email*'s password:
Warning: Unknown pam module
The likewise PAM module cannot be configured for the wbem service. This services uses the '$ISA/pam_unix.so' module, which is not in this program's list of
known modules. Please email Likewise technical support and include a copy of /etc/pam.conf or /etc/pam.d.

Warning: A resumable error occurred while processing a module
Even though the configuration of 'pam' was executed, the configuration did not fully complete. Please contact Likewise support.

SUCCESS

From the above example, you should have a new log file created called joindomain.log.

8. To verify that you have successfully joined the domain, you can run the following command to query:

[vi-admin@kate ~]$ sudo domainjoin-cli query

Name = kate
Domain = PRIMP-INDUSTRIES.COM
Distinguished Name = CN=KATE,CN=Computers,DC=primp-industries,DC=com

9. Before you try to login with a user in the domain, you need to reload the configuration changes that were made earlier. To do so, you will execute the following:

[vi-admin@kate ~]$ sudo /opt/likewise/bin/lw-refresh-configuration

Configuration successfully loaded from disk.

10. Now, we will test a login using an account on the AD server:

[vi-admin@kate ~]$ ssh primp@localhost
Password:
Your password will expire today

Welcome to vMA
run 'vma-help' or see http://www.vmware.com/go/vma4 for more details.

[primp@kate ~]$ pwd
/home/local/PRIMP-IND/primp

We can also verify this user on the AD Server by running the following query:

Default (level 0) info:

[vi-admin@kate ~]$ /opt/likewise/bin/lw-find-user-by-name primp

User info (Level-0):
====================
Name: primp
SID: S-1-5-21-503341760-968948550-2164105906-1105
Uid: 1058014289
Gid: 1058013696
Gecos: primp primp
Shell: /bin/bash
Home dir: /home/local/PRIMP-IND/primp
Logon restriction: NO

Level 2 info:

[vi-admin@kate ~]$ /opt/likewise/bin/lw-find-user-by-name primp --level 2

User info (Level-2):
====================
Name: primp
SID: S-1-5-21-503341760-968948550-2164105906-1105
UPN: *protected email*
Generated UPN: NO
DN: CN=primp primp,CN=Users,DC=primp-industries,DC=com
Uid: 1058014289
Gid: 1058013696
Gecos: primp primp
Shell: /bin/bash
Home dir: /home/local/PRIMP-IND/primp
LMHash length: 0
NTHash length: 0
Local User: NO
Account disabled (or locked): FALSE
Account expired: FALSE
Password never expires: TRUE
Password expired: FALSE
Prompt for password change: YES
User can change password: YES
Days till password expires: 0
Logon restriction: NO
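
The lsassd.conf edits from step 5, the DNS sanity check from step 6 and the verification that step 9 should pick up, scripted as an added example that is not part of the original post. It assumes the key = value layout of lsassd.conf shown above and uses a constructed sample file for offline testing; run configure_lsassd with sudo against the real file.

```shell
#!/bin/sh
# Added example, not from the original post: scripts the step 5 edits to
# lsassd.conf and the step 6 DNS sanity check. Assumes the key = value
# layout shown in the post; run configure_lsassd with sudo on the real file.

# Constructed sample of the two keys the post edits, for offline testing.
write_sample_conf() {
    cat > "$1" <<'EOF'
[global]
# assume-default-domain = yes
login-shell-template = /bin/sh
homedir-prefix = /home/local
EOF
}

# Uncomment assume-default-domain and switch the login shell to bash.
# Idempotent: once applied, neither pattern matches again. Keeps a .bak copy.
configure_lsassd() {
    conf="$1"
    [ -f "$conf" ] || { echo "missing $conf" >&2; return 1; }
    cp "$conf" "$conf.bak" || return 1
    tmp="$conf.tmp.$$"
    sed -e 's|^[[:space:]]*#[[:space:]]*assume-default-domain[[:space:]]*=[[:space:]]*yes|assume-default-domain = yes|' \
        -e 's|^login-shell-template[[:space:]]*=[[:space:]]*/bin/sh$|login-shell-template = /bin/bash|' \
        "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# Returns 0 only when both settings are active (uncommented, expected values),
# i.e. the state that lw-refresh-configuration (step 9) should load.
verify_lsassd() {
    grep -q '^assume-default-domain[[:space:]]*=[[:space:]]*yes$' "$1" &&
    grep -q '^login-shell-template[[:space:]]*=[[:space:]]*/bin/bash$' "$1"
}

# Step 6 check: the FQDN from the forward lookup must be what the reverse
# lookup of its address points back to; a mismatch is a common cause of
# join failures. Needs the host(1) command, so it is not exercised offline.
dns_roundtrip_ok() {
    fwd=$(host "$1" | awk '/has address/ {print $1, $4; exit}')
    [ -n "$fwd" ] || return 1
    fqdn=${fwd% *}; addr=${fwd#* }
    host "$addr" | grep -q "domain name pointer $fqdn\.\$"
}
```

After `configure_lsassd /etc/likewise/lsassd.conf` and `verify_lsassd` report success, run lw-refresh-configuration as in step 9 before testing a domain login.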

To unjoin and leave the domain, you will use the following.

To preview the files that will require changes for leaving a domain, use:

[vi-admin@kate ~]$ sudo domainjoin-cli leave --advanced --preview

Leaving AD Domain: PRIMP-INDUSTRIES.COM
[F] DDNS - Configure Dynamic DNS Entry for this host
[X] [S] ssh - configure ssh and sshd
[X] [N] pam - configure pam.d/pam.conf
[F] nsswitch - enable/disable Likewise nsswitch module
[X] [N] krb5 - configure krb5.conf
[X] [N] stop - stop daemons
[X] [N] leave - disable machine account
[F] keytab - initialize kerberos keytab

Key to flags
[F]ully configured - the system is already configured for this step
[S]ufficiently configured - the system meets the minimum configuration
requirements for this step
[N]ecessary - this step must be run or manually performed.

[X] - this step is enabled and will make changes
[ ] - this step is disabled and will not make changes

To confirm and leave the domain, use:

[vi-admin@kate ~]$ sudo domainjoin-cli leave

Leaving AD Domain: PRIMP-INDUSTRIES.COM
SUCCESS

All Likewise utilities are installed under /opt/likewise/bin and for more information on these utilities and how to use them, check out the Likewise documentation here.

UPDATE:
The instructions above can also be used to set up "Open" on classic ESX with a Service Console; they will not work on ESXi, however.

Categories // Uncategorized Tags // active directory, likewise, vma

The vStorage API, do you really know what it is?

06.02.2010 by William Lam // 2 Comments

I've seen this question posed quite a few times in both the VMware developer and VMTN forums: what exactly is the vStorage API?

So what is it?

If your answer was VMware marketing term, then you win 50 Schrute Bucks!

The VMware vStorage API is actually an umbrella term that encompasses 4 separate APIs, each with different functionality:

  1. vStorage API for Data Protection (VADP)
  2. vStorage API for Site Recovery Manager (VASRM)
  3. vStorage API for Multi-pathing (VAMP)
  4. vStorage API for Array Integration (VAAI)

I'm actually going to quote one of Chad Sakac's replies on a blog about these 4 APIs, as he has done a great job of explaining the differences:

1) vStorage API for Data Protection – a set of APIs focused on local backup/recovery use cases.

2) vStorage APIs for Site Recovery Manager – a set of APIs focused on array vendor remote replication such that they can be orchestrated by Site Recovery Manager.

3) vStorage APIs for Multipathing (otherwise known as the Pluggable Storage Architecture). A set of APIs for 3rd parties to extend vSphere’s core multipathing architectures.

4) vStorage APIs for Array Integration (VAAI). Technically not in vSphere 4, but have been discussed in VMworld events in the past. Will be available in future vSphere-generation releases. This allows array vendors to "offload" various tasks from the ESX host's vmkernel stack – things like writing blocks that make up VMs, copying/snapshotting blocks, doing thin-provisioning out-of-space handling, and also a much more advanced global locking mechanism than VMFS uses today. These each will make common actions 5x-10x faster (clone, deploy from template, create a FT VM), and improve VMFS scaling by an order of magnitude. More on that here, for folks that are interested (note that when I wrote this, vStorage API for Data Protection was called the VCB Backup Framework)

Generally, when the vStorage APIs are brought up, most people think about backups and the new Change Block Tracking feature in vSphere. That is because VMware and other 3rd party backup vendors have done a good job of marketing this "must have" feature. Leveraging Change Block Tracking helps decrease the duration of a backup by only copying the blocks that have changed, and some users have seen up to a 5-10x increase in speed.

This is great! But now you might ask the question: how do I use the vStorage API for Data Protection, and how does it tie into VMware's VCB product? Both the vStorage API for Data Protection and VCB are backup API frameworks; they are similar in functionality but differ in features (for a breakdown of the two, take a look at this VMware blog post). VADP will be pretty much hidden from the end user's perspective; you just need to ensure that backup vendors are implementing it and utilizing Change Block Tracking to efficiently back up your VMs. VADP is only available in vSphere and not in VI 3.5.

If you want to write your own backup application, then you will need to know how to hook into VADP. As far as I understand today, and correct me if I'm wrong, the vStorage API for Data Protection is actually the combination of the vSphere 4.0 API and the VMware Virtual Disk Development Kit (VDDK), which are both available to users to develop against. There's actually a guide within the VDDK page, Designing Backup Solutions for VMware vSphere, which goes into great detail on creating a backup solution using the Change Block Tracking feature.

The three other APIs (VASRM, VAMP and VAAI) are targeted at third party hardware/software vendors and storage array providers to hook their special sauce into the various VMware solutions. This includes hooking into Site Recovery Manager, PSA (Pluggable Storage Architecture) plugins, and offloading VMware operations such as VM cloning and Storage vMotion onto the actual storage array. These APIs are only exposed to partners who provide solutions for one of these features and are not available to the public for general use.

I personally think vStorage API is going to be a game changer and Change Block Tracking is just one of the many cool features to come!

Hopefully this all made sense. If you're interested in learning more about the vStorage API and some of the upcoming features, take a look at these additional resources:

http://www.ntpro.nl/blog/archives/1461-Storage-Protocol-Choices-Storage-Best-Practices-for-vSphere.html
http://virtualgeek.typepad.com/virtual_geek/2008/09/so-what-does-vs.html
http://www.vmware.com/products/vstorage-apis-for-data-protection/
http://www.yellow-bricks.com/2009/03/19/pluggable-storage-architecture-exploring-the-next-version-of-esxvcenter/

Categories // Uncategorized Tags // vaai, vadp, vamp, vasrm, vSphere, vstorage api

Author

William is Distinguished Platform Engineering Architect in the VMware Cloud Foundation (VCF) Division at Broadcom. His primary focus is helping customers and partners build, run and operate a modern Private Cloud using the VMware Cloud Foundation (VCF) platform.
