Logging into ESXi’s Console and SSH as an Active Directory user

Once an ESXi host has joined the domain, you can log in as an AD user; authentication uses the password stored in AD.

[root@somehost ~]# ssh 10.0.0.115 -l christow@lab.somedomain.com
Password:
The time and date of this login have been sent to the system logs.

VMware offers supported, powerful system administration tools.  Please
see http://www.vmware.com/go/sysadmintools for details.

The ESXi Shell can be disabled by an administrative user. See the
vSphere Security documentation for more information.
~ $ id
uid=1409287390(LAB\christow) gid=1409286657(LAB\domain^users)

~ $ cat /etc/security/access.conf
+:dcui:ALL
+:root:ALL
+:vpxuser:ALL
+:vslauser:ALL
+:LAB\christow:ALL
-:ALL:ALL

UPN notation doesn’t work in access.conf. You have to use NetBIOS-style names, as in the LAB\christow entry above.

Having “+:christow@lab.somedomain.com:ALL” does not work.
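As an added example (not part of the original post), here is a small POSIX sh check for the rule format shown above. It flags user fields containing @, which the post reports do not match, and confirms that the last rule is the catch-all deny. The function names and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit access.conf rules (permission:users:origins) on stdin.
# Prints one finding per problem and returns 1 if anything was flagged.
audit_access_conf() {
    rc=0; n=0; last=""
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        # Skip blank lines and comments.
        case $line in
            ''|'#'*) continue ;;
        esac
        # Split on ':' with parameter expansion so the backslash in
        # DOMAIN\user is preserved exactly as written.
        perm=${line%%:*}
        rest=${line#*:}
        users=${rest%%:*}
        case $perm in
            +|-) ;;
            *) echo "line $n: malformed rule: $line"; rc=1; continue ;;
        esac
        # The post reports that user@domain entries do not grant access.
        case $users in
            *@*) echo "line $n: UPN-style entry will not match: $users"; rc=1 ;;
        esac
        last=$line
    done
    # The listing in the post ends with a deny-all rule; verify it is still last.
    if [ "$last" != "-:ALL:ALL" ]; then
        echo "last rule is not -:ALL:ALL"
        rc=1
    fi
    return $rc
}

# Constructed sample: the listing from the post plus the UPN rule it says fails.
sample_conf() {
    cat <<'EOF'
+:dcui:ALL
+:root:ALL
+:vpxuser:ALL
+:vslauser:ALL
+:LAB\christow:ALL
+:christow@lab.somedomain.com:ALL
-:ALL:ALL
EOF
}

sample_conf | audit_access_conf || true
```

To check a real file, redirect it into the function: audit_access_conf < /etc/security/access.conf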

You can use the NetBIOS name to log in via SSH. Protect the backslash within double quotes:

[root@somehost ~]# ssh 10.0.0.115 -l "LAB\christow"
Password:
The time and date of this login have been sent to the system logs.

VMware offers supported, powerful system administration tools.  Please
see http://www.vmware.com/go/sysadmintools for details.

The ESXi Shell can be disabled by an administrative user. See the
vSphere Security documentation for more information.
~ $ Connection to 10.0.0.115 closed.

Both UPN-style names and NetBIOS names work on the Alt-F1 Recovery Console (for the NetBIOS name, no quotes and a single backslash work fine).

To stop the system from replacing /etc/security/access.conf, run the vicfg-user command from a VIMA system to give the user “admin” access:

[vi-admin@labvma01 ~][10.0.0.115]$ vicfg-user -e user -o modify -l LAB\\christow -r admin
