WilliamLam.com

Using PowerCLI to automate the retrieval of VCSA Password Policies

by // Leave a Comment

I hope that every vSphere administrator or operator by now is familiar with the extremely powerful vSphere Guest Operations API functionality (details here and here), which can easily be consumed using PowerCLI's Invoke-VMScript cmdlet. If not, highly recommend you check out the links referenced. I know the GuestOps API is certainly my top favorite with sending VM keystrokes capability a very close second!

Not only does the GuestOps API unlock functionality that simply may not be possible (e.g. there's no API or automation interface) but it also enables automation within a VM without requiring any type of remote management services enabled (e.g. SSH or WinRM) or even networking to the VM for that matter!

The reason I am bringing all this up is that although there is not an API for managing and retrieving vCenter Single Sign-On (SSO) configurations which includes password policies, there is a way in which customers can still automate and retrieve this and other information by leveraging the GuestOps API. In fact, back in 2015 I demonstrated on how you can retrieve VCSA SSO password policy and configurations and we can simply apply the GuestOps API to help us automate this task. In addition, most customers do not enable SSH by default and we can still apply the GuestOps API technique and perform automation tasks to VSCSA without requiring SSH as described in this blog post back in 2016.

[Read more...]

Is a DNS server still required when using a Static IP for VCSA?

by // 7 Comments

When deploying a vCenter Server Appliance (VCSA), customers have two options for setting up a static network address: using either a hostname (Fully Qualified Domain Name) or just a static IP Address (e.g. no DNS). In the first option when using an FQDN, it should be no surprise that you need to also specify a valid DNS Server which the VCSA UI/CLI Installer will automatically validate both the forward and reverse address. This is the most common deployment model for customers in both production as well as for development environments such as a vSphere home lab.

In the second scenario, where a static IP Address is used, a DNS server is not required because we are NOT using an FQDN for the hostname but rather an IP Address. Having said that, if you have ever used the VCSA UI or CLI, you will find that the DNS Server entry is actually a required field and you can not proceed without providing an address.

VCSA UI Installer:

VCSA CLI Installer:

"network": {
    "ip_family": "ipv4",
    "mode": "static",
    "ip": "192.168.30.151",
    "dns_servers": [
        "192.168.30.1"
    ],
    "prefix": "24",
    "gateway": "192.168.30.1",
    "system_name": "192.168.30.151"
}

As mentioned earlier, we know that it should not be required but currently the VCSA Installer is a bit overly cautious in its pre-checks and does require a value today. This is something that has already been shared internally and the team will be relaxing this requirement in the future.

With that said, this leads us back to the original question posed in the blog title, do we need a valid DNS server when using a static IP for the VCSA?

[Read more...]

Enabling shell access for Active Directory users via SSH to vCenter Server Appliance (VCSA)

by // 5 Comments

I had a question the other day on whether it was possible to enable shell access for Active Directory users when logging into the vCenter Server Appliance (VCSA) via SSH? The answer is yes and though this is documented here, it is not very clear whether this is only applicable to SSO-based users only. In any case, the process to enable this is pretty straight forward and simply requires two steps which I have outlined below.

Step 0 - Ensure that your VCSA and/or PSC is joined to Active Directory before proceeding to the next step. If not, take a look at the documentation here for more details.

Step 1 - Login to vSphere Web Client and under Administration->System Configuration->Nodes->Manage->Settings->Access, go ahead and enable boh SSH and bash shell options. The first setting turns on SSH to the VCSA and the second setting allows users (local, SSO and AD) to access the shell on the VCSA.


Step 2 - In the vSphere Web Client and under Administration->Single Sign-On->Users and Groups->Groups, select the SystemConfiguration.BaseShellAdministrators group and add either an AD User and/or Group that you wish to allow to access the shell.


Once you have completed the steps above, you can now SSH to your VCSA/PSC using the AD user (UPN format) that you had authorized earlier. In the example below, I am logging into one of my VCSA using user *protected email* and as you can see, I am placed into the appliance shell by default.


At this point I can access all the appliancesh commands just like I normally would if I had logged as a root or *protected email*.

If we wish to change to bash shell, we simply just type "shell" which will enable shell access, assuming you had performed Step 2.


One thing that I noticed is that the default home directory for the AD user is /var/lib/nobody and apparently that does not exists by default, so users end up in / directory by default after enabling shell access. I am not sure if this is also related, but the username shows up as nobody as you can see from the prompt. This is something I will share with Engineering to see if we can improve upon as I am sure most of you would rather see the user that is actually logged in.

The good news from an auditing and logging standpoint is that for operations that are logged, it does properly show the username even though the prompt is showing up as nobody.

[Read more...]