
vMA 4.1 - Authentication Policy (fpauth vs adauth)

07.21.2010 by William Lam // 5 Comments

I recently wrote an article about vMA 4.1 and Active Directory integration, and today I noticed there was some confusion about the expected behavior of the two authentication policies: vi-fastpass authentication versus Active Directory authentication. There are actually a few things to consider:

  • What user context are you trying to execute a command against a target?
  • What authentication policy was used to add the target to vMA?
  • Is vMA host joined to an Active Directory Domain?

USER CONTEXT       FPAUTH or ADAUTH   vMA in AD DOMAIN
vi-admin           fpauth             no
DOMAIN\username    adauth             yes

I will walk through the two scenarios in the table above.

In this example, vMA was not joined to an Active Directory Domain and we are adding a vCenter target to vMA using a local administrator account on vCenter server (by default, fpauth is assumed):

[vi-admin@tancredi ~]$ sudo vifp addserver manaslu.primp-industries.com
Enter username for manaslu.primp-industries.com: administrator
*protected email*'s password:
This will store username and password in credential store which is a security risk. Do you want to continue?(yes/no): yes

We can verify the target was added using fpauth by running the following command:

[vi-admin@tancredi ~]$ vifp listservers -l

esx4-1.primp-industries.com ESX fpauth
esxi4-3.primp-industries.com ESXi fpauth
manaslu.primp-industries.com vCenter fpauth

Next, we will set the fastpass target to the newly added vCenter server:

[vi-admin@tancredi ~]$ vifptarget -s manaslu.primp-industries.com

[vi-admin@tancredi ~][manaslu.primp-industries.com]$

If we run "esxcfg-nics -l" against an ESX(i) host that is being managed by this vCenter, we would do the following (note: user context is vi-admin):

[vi-admin@tancredi ~][manaslu.primp-industries.com]$ esxcfg-nics -l --vihost esxi4-3.primp-industries.com

Name    PCI      Driver  Link  Speed     Duplex  MAC Address        MTU   Description
vmnic0  02:00.0  e1000   Up    1000Mbps  Full    00:50:56:ac:69:95  1500  Intel Corporation PRO/1000 MT Single Port Adapter

In this first example, we are relying solely on vi-fastpass authentication, where a vi-adminXX account is created on the target. The credentials for this account are generated by vMA and stored in the local credential store.

In this example, vMA has been joined to an Active Directory Domain and we are adding a vCenter target using Active Directory credentials:

[vi-admin@tancredi ~]$ sudo vifp addserver reflex.primp-industries.com --authpolicy adauth
Enter username for reflex.primp-industries.com: PRIMP-IND\primp

Note: As of writing this, there is a typo in the vMA 4.1 documentation on the syntax to use when specifying the username when prompted. You will need to use DOMAIN\username at the prompt; if you decide to pass it with --username instead, you need to add a second backslash to escape the first (e.g. DOMAIN\\username).

We can verify the target was added using adauth by running the following command:

[vi-admin@tancredi ~]$ vifp listservers -l

esx4-1.primp-industries.com ESX fpauth
esxi4-3.primp-industries.com ESXi fpauth
manaslu.primp-industries.com vCenter fpauth
reflex.primp-industries.com vCenter adauth

Next, we will set the fastpass target to the newly added vCenter server, but before we do so, we need to log in to vMA using a valid Active Directory account.

[primp@tancredi ~]$ vifptarget -s reflex.primp-industries.com

[primp@tancredi ~][reflex.primp-industries.com]$

Now if we run "esxcfg-nics -l" against an ESX(i) host that is being managed by this vCenter, we would do the following (note: user context is DOMAIN account):

[primp@tancredi ~][reflex.primp-industries.com]$ esxcfg-nics -l --vihost himalaya.primp-industries.com

Name    PCI      Driver  Link  Speed     Duplex  MAC Address        MTU   Description
vmnic0  06:00.0  e1000e  Up    1000Mbps  Full    00:30:48:d9:58:6a  1500  Intel Corporation 82574L Gigabit Network Connection
vmnic1  07:00.0  e1000e  Down  0Mbps     Half    00:30:48:d9:58:6b  1500  Intel Corporation 82574L Gigabit Network Connection

In this second example, we are relying solely on Active Directory authentication, where the credentials of the user logged into vMA are used. Unlike in the first example, if you were in the vi-admin context and tried to execute the same command, you would be prompted for credentials. This is the intended and expected behavior of the two scenarios.

However, if you do not want to join vMA to an Active Directory Domain but would still like to perform unattended authentication from the vi-admin context, then you need to set up a Kerberos ticket for the target. The details on configuring this are outlined in the vMA 4.1 user guide; please refer to that document for more details.

One thing to note, which I actually ran into, is that when you join your vMA host to an Active Directory Domain, you must reboot vMA after joining the domain. If you do not, you will run into issues when trying to add a target using the adauth authentication policy.
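The table and the two scenarios above amount to a small decision rule, and the fpauth prompt in the first scenario warns that credentials end up in vMA's local credential store. The script below is an added example, not from the original post: it parses constructed `vifp listservers -l` output in the format shown above, reports how a command will authenticate for a given login context, and lists which targets have credentials stored on the appliance. It assumes vi-admin is the only local login context (any other user is treated as an AD login) and gives a verdict only for the combinations the post documents.

```shell
#!/bin/sh
# Added example (not from the original post): classify the targets listed by
# `vifp listservers -l` against the login context, following the two
# scenarios above. Only the combinations the post documents get a verdict:
#   vi-admin + fpauth target     -> unattended (vi-adminXX creds in the credential store)
#   DOMAIN\user + adauth target  -> unattended (the logged-in AD user's credentials)
#   vi-admin + adauth target     -> credential prompt
# Anything else is reported as "undocumented" rather than guessed.

# Constructed sample of `vifp listservers -l` output, using the post's hosts.
SAMPLE_LISTSERVERS='esx4-1.primp-industries.com ESX fpauth
esxi4-3.primp-industries.com ESXi fpauth
manaslu.primp-industries.com vCenter fpauth
reflex.primp-industries.com vCenter adauth'

# target_policy NAME LISTING: print the auth policy recorded for NAME, or "unknown".
target_policy() {
    printf '%s\n' "$2" | awk -v t="$1" '
        $1 == t { print $3; found = 1 }
        END     { if (!found) print "unknown" }'
}

# expect_auth USER TARGET LISTING: print how a vCLI command will authenticate.
# USER is the vMA login name; vi-admin is the local context, anything else is
# treated as an AD login (assumption: no other local accounts are in use).
expect_auth() {
    user=$1
    policy=$(target_policy "$2" "$3")
    if [ "$user" = vi-admin ]; then
        case $policy in
            fpauth) echo unattended ;;
            adauth) echo prompt ;;
            *)      echo undocumented ;;
        esac
    else
        case $policy in
            adauth) echo unattended ;;
            *)      echo undocumented ;;
        esac
    fi
}

# stored_credential_targets LISTING: list the targets whose credentials live in
# vMA's local credential store (every fpauth target). These are the targets
# exposed if the appliance or the vi-admin account is compromised; adauth
# targets store nothing locally.
stored_credential_targets() {
    printf '%s\n' "$1" | awk '$3 == "fpauth" { print $1 }'
}

# Stand-alone run against the constructed listing.
for t in manaslu.primp-industries.com reflex.primp-industries.com; do
    echo "vi-admin -> $t: $(expect_auth vi-admin "$t" "$SAMPLE_LISTSERVERS")"
    echo "primp    -> $t: $(expect_auth primp "$t" "$SAMPLE_LISTSERVERS")"
done
echo "targets with credentials stored on vMA:"
stored_credential_targets "$SAMPLE_LISTSERVERS"
```

On the appliance itself, replace the constructed listing with `"$(vifp listservers -l)"`; the fpauth list is the one to review periodically, since each entry is a stored credential that outlives the session that created it.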

Categories // Uncategorized Tags // vi-fastpass, vifp, vma, vSphere 4.1

resxtop & vi-fastpass Downgraded Feature In vMA 4.1

07.19.2010 by William Lam // 4 Comments

Those who use VMware's vMA vi-fastpass authentication (vifpinit, which is now vifptarget), which allows a user to perform an operation on an ESX(i) or vCenter host without having to provide credentials each time, may notice a change with the resxtop command. In vMA 4.0, once you had initialized a fastpass target you could run resxtop against that host without having to provide additional credentials.

In vMA 4.1, this functionality has actually been downgraded; that is right, a feature de-enhancement.

As you can see, even if you have initialized a fastpass target, you will need to specify both the username and password each time you call resxtop. resxtop only supports manual credentials and does not support the other authentication mechanisms such as a configuration file, session file or passthrough auth. This can definitely slow things down if you are trying to troubleshoot multiple hosts and want to switch between them using fastpass authentication.

What is actually more interesting is that this seems to be a feature that has been in the works over the 3 major releases of vMA, which was formerly known as VIMA. Let's take a trip down memory lane regarding this feature in the vMA/VIMA release notes:

VIMA 1.0 - Oct 27, 2008 - Feature not supported and marked as a known issue.

vMA 4.0 - May 21, 2009 - Feature supported but may run into an issue with non-fastpass targets which has been resolved in this release.

vMA 4.1 - July 13, 2010 - Feature has been removed, requires both --username and --password each time.

Even though I consider this a bug, VMware did document this change as a "known issue" in the release notes. I am not sure if this feature will be resolved in a future release, but it just seems odd that we are taking one step backwards in terms of functionality.

Categories // Uncategorized Tags // resxtop, vma, vSphere 4.1

vMA 4.1 - Active Directory Integration Tip

07.18.2010 by William Lam // 6 Comments

The latest release of vMA 4.1 now supports Active Directory integration which can be used to centralize all authentication within a Windows environment. To join a vMA host to your Active Directory domain, you just need to use one simple command called domainjoin-cli which is part of Likewise's "Open" product.

Here is an example of vMA host joining an AD domain:

By default, Likewise "Open" is configured not to assume the current Active Directory Domain as the default. This means that if you are authenticating against vMA via an SSH connection, you will need to specify both the username and the full domain (e.g. ssh *protected email*@vMA-host).

Here is an example of logging into vMA using AD credentials:

This can be pretty tedious to type out every time, especially if you have a very long domain name. However, this can easily be changed so that the default domain is assumed.

You will need to edit /etc/likewise/lsassd.conf and uncomment "assume-default-domain = yes" and then save your changes:

sudo vi /etc/likewise/lsassd.conf

You will need to reload the configuration for the change to take effect by running the following utility:

sudo /opt/likewise/bin/lw-refresh-configuration

Now you can log in by specifying just the username, without having to provide the full AD domain name.

I actually wrote an article about a month ago on configuring Likewise "Open" AD integration on vMA before the release of vSphere 4.1. The article goes through the process of setting up "Open" on vMA 4.0 and also documents the change of the default domain. For more Likewise commands and details, check out that article.

Update1:
If you would like to add an AD group to the sudoers file, you need to edit /etc/sudoers. Make sure you escape the initial backslash and any white space that may be in the group name. In this example, we have a group called "VI Admins" whose members should be able to log in to vMA using their AD credentials and perform operations using sudo.

1. Edit /etc/sudoers using the vi-admin account, making sure you use 'sudo':

[vi-admin@kate ~]$ sudo vi /etc/sudoers

2. Add the following towards the bottom of the file:

%PRIMP-IND\\VI\ Admins ALL=(ALL) ALL

Note: We're escaping both the initial backslash and the space.

3. Verify the user can now sudo by querying the sudo operations the user is allowed to execute:

[primp@kate ~]$ id
uid=1058014289(primp) gid=1058013696(domain^admins) groups=1058013696(domain^admins),1058014440(vi^admins)

[primp@kate ~]$ sudo -l
Password:
User primp may run the following commands on this host:
(ALL) ALL
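Getting the escaping in step 2 wrong is the classic way to lock yourself out of sudo on an appliance, because a syntax error in /etc/sudoers disables sudo for everyone. The script below is an added example, not from the original post: it builds the escaped `%DOMAIN\\Group\ Name` specifier for any domain and group name (spaces included), and checks the resulting line with `visudo -cf` on a scratch file before it is appended to the live file. The domain and group values used in the demo are the post's own; everything else is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): build the escaped sudoers entry
# from step 2 above for any AD group, and syntax-check it with `visudo -cf`
# on a scratch file before it goes anywhere near /etc/sudoers.

# sudoers_group_spec DOMAIN GROUP: print %DOMAIN\\Group\ Name.
# The backslash between domain and group is doubled and every space in the
# group name gets its own backslash, exactly as in the post's entry.
sudoers_group_spec() {
    escaped_group=$(printf '%s' "$2" | sed 's/ /\\ /g')
    printf '%%%s\\\\%s' "$1" "$escaped_group"
}

# sudoers_line DOMAIN GROUP: the full line to append to /etc/sudoers,
# granting the group the same (ALL) ALL rights the post uses.
sudoers_line() {
    printf '%s ALL=(ALL) ALL\n' "$(sudoers_group_spec "$1" "$2")"
}

# check_sudoers_line DOMAIN GROUP: write the line to a temporary file and ask
# visudo to parse it. Returns visudo's status, or 0 with a notice when visudo
# is not installed on this machine (e.g. when run off the appliance).
check_sudoers_line() {
    tmp=$(mktemp) || return 1
    sudoers_line "$1" "$2" > "$tmp"
    if command -v visudo >/dev/null 2>&1; then
        visudo -cf "$tmp"
        status=$?
    else
        echo "visudo not found; skipping syntax check" >&2
        status=0
    fi
    rm -f "$tmp"
    return $status
}

# Stand-alone run with the post's domain and group.
sudoers_line PRIMP-IND 'VI Admins'
check_sudoers_line PRIMP-IND 'VI Admins' || echo "syntax check failed" >&2
```

Note that the `vi^admins` in the `id` output above is Likewise's own substitution for the space in the group name; sudoers wants the real name with the space escaped, which is what the script produces. When editing the live file in step 1, `sudo visudo` gives you the same parse check plus a lock on /etc/sudoers.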

Categories // Uncategorized Tags // vma, vSphere 4.1
