I am, by no stretch of the imagination, a Windows administrator. However, I do know a good thing when I see it. I don’t care for a good number of things Microsoft does (Internet Explorer, for one), but AD is one of the best things they’ve done, well, ever.
Not only can I use AD logins for web apps (in any language: PHP, Python, Perl, etc.), but ESX’s console operating system plays quite nicely with AD as well.
VMware has published a document describing how to get it working here, but it’s actually quite easy:
esxcfg-auth --enablead --addc=your.domain.controller --addomain=your.domain
With that one command, you have enabled Active Directory user authentication.
Keep in mind, however, that authentication and authorization are not the same. Just because the ESX host can determine that a user has the correct username/password combination, doesn’t mean they have access to the server.
Consequently, users who require console access must also have a console account. To create one, we issue a few simple Linux commands (you must be root to create a user):
useradd -g root -G wheel -m ad_acct_name
To explain the above command:
- useradd – the Linux command that creates a new user.
- -g – the primary group for the user. Since the only people who should be logging into the console are competent systems administrators, and they should always have a good reason for logging in, it’s acceptable for them to be in root’s group. This also lets them read some config files without having to use sudo (writing should still require sudo).
- -G – the supplementary group(s) for the new user. In this case, we are adding the user to the wheel group. If sudo is configured, and it should be, then the default setting only allows users in the wheel group to issue sudo commands. You should also configure su so that only members of the wheel group can become root.
- -m – tells useradd to create the default home directory for the user. It will be located at “/home/username”, and it is where the user lands after logging in.
- ad_acct_name – the name of the user’s account in Active Directory, without the domain name in front of it.
At this point, test your new login. If you are standing at the physical console, press Alt-F2 to switch to a different virtual console, then attempt to log in with your newly enabled AD account.
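The authentication/authorization split above means an AD account is only useful on the console once a matching local account exists, and only gets sudo once that account is in wheel. The following audit helper is an added example (not from the original post and not a VMware tool) that reports that provisioning state for a given AD account name. It reads data in the standard /etc/passwd and /etc/group formats; the passwd and group contents shown are constructed samples, and the function names (valid_ad_name, console_status, useradd_cmd) are my own.

```shell
#!/bin/sh
# Added example, not part of the original post: audit whether an AD account
# name has been provisioned for ESX console access and sudo.

# Constructed sample of /etc/passwd and /etc/group contents (not real hosts).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
alice:x:501:0::/home/alice:/bin/bash
bob:x:502:502::/home/bob:/bin/bash'

SAMPLE_GROUP='root:x:0:
wheel:x:10:alice
bob:x:502:'

# valid_ad_name NAME -> 0 if NAME is a bare account name as the post requires
# (no DOMAIN\ prefix, no @domain suffix, no whitespace), else 1.
valid_ad_name() {
    case "$1" in
        ''|*\\*|*@*|*[[:space:]]*) return 1 ;;
        *) return 0 ;;
    esac
}

# has_local_account NAME PASSWD_DATA -> 0 if a passwd entry exists for NAME.
has_local_account() {
    printf '%s\n' "$2" | awk -F: -v u="$1" '$1 == u { f = 1 } END { exit (f ? 0 : 1) }'
}

# in_group NAME GROUP GROUP_DATA -> 0 if NAME is listed as a member of GROUP.
in_group() {
    printf '%s\n' "$3" | awk -F: -v u="$1" -v g="$2" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) found = 1 }
        END { exit (found ? 0 : 1) }'
}

# console_status NAME PASSWD_DATA GROUP_DATA
# Prints one of: invalid-name, no-local-account, console-only, console+sudo.
# Returns 0 only when the account can actually log in to the console.
console_status() {
    name=$1; pw=$2; gr=$3
    valid_ad_name "$name" || { echo invalid-name; return 1; }
    has_local_account "$name" "$pw" || { echo no-local-account; return 1; }
    if in_group "$name" wheel "$gr"; then
        echo console+sudo
    else
        echo console-only
    fi
    return 0
}

# useradd_cmd NAME -> prints the provisioning command from the post for NAME,
# refusing names that carry a domain prefix or suffix.
useradd_cmd() {
    valid_ad_name "$1" || return 1
    printf 'useradd -g root -G wheel -m %s\n' "$1"
}

# On a live host you would pass the real files instead of the samples:
#   console_status alice "$(cat /etc/passwd)" "$(cat /etc/group)"
for u in alice bob carol 'CORP\dave'; do
    printf '%s: %s\n' "$u" "$(console_status "$u" "$SAMPLE_PASSWD" "$SAMPLE_GROUP")"
done
```

With the sample data, alice reports console+sudo, bob (no wheel membership) console-only, carol no-local-account, and a name written as CORP\dave is rejected outright, which is the mistake the last bullet above warns about.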
In my next post I’ll go over some basic ESX console operating system security measures.