Steps to enable the use of Active Directory accounts to open SSH sessions on ESXi 6.5 and 6.7 using the domainjoin-cli command

Article ID: 316483

Updated On:

Products

VMware vSphere ESXi

Issue/Introduction

This article provides steps to enable the use of Active Directory accounts to open SSH sessions on ESXi 6.5 and 6.7 using the domainjoin-cli command.

Symptoms:

  • Joining ESXi to Active Directory is successful, but logins with Active Directory accounts fail.
  • ESXi was joined to Active Directory from the command line using domainjoin-cli.
  • Messages similar to these appear in /var/log/hostd.log when using Active Directory accounts.
      [YYYY-MM-DDTHH:MM:SS] warning hostd[2100215] [Originator@6876 sub=Default opID=esxui-dd22-0d56] Rejected password for user domain\user from ##.##.##.##
      [YYYY-MM-DDTHH:MM:SS] info hostd[2100215] [Originator@6876 sub=Vimsvc.ha-eventmgr opID=esxui-dd22-0d56] Event 262 : Cannot login domain\user@##.##.##.##
      [YYYY-MM-DDTHH:MM:SS] info hostd[2100565] [Originator@6876 sub=Solo.Vmomi] Throw vim.fault.InvalidLogin

Environment

VMware vSphere ESXi 6.5
VMware vSphere ESXi 6.7

Resolution

To join the ESXi host to Active Directory and to enable AD users to log in using SSH:

  1. Open an SSH session to the ESXi host using the default root account.

  2. Enable the ESXi firewall rule for Active Directory by running the following command:
    # esxcli network firewall ruleset set --enabled true --ruleset-id=activeDirectoryAll
  3. Start the likewise service by running:
    # /etc/init.d/lwsmd start
  4. Use domainjoin-cli to join the ESXi host to the AD domain:
    # /usr/lib/vmware/likewise/bin/domainjoin-cli join <domain-fqdn> <AD_admin_username>
  5. Edit the PAM configuration /etc/pam.d/system-auth-generic on the ESXi host to have a configuration similar to:
    #%PAM-1.0
    
    auth sufficient /lib/security/$ISA/pam_lsass.so smartcard_prompt
    auth sufficient /lib/security/$ISA/pam_unix.so try_first_pass likeauth nullok
    auth required /lib/security/$ISA/pam_deny.so
    
    account sufficient /lib/security/$ISA/pam_lsass.so smartcard_prompt
    account sufficient /lib/security/$ISA/pam_unix.so
    account required /lib/security/$ISA/pam_deny.so
    
    session sufficient /lib/security/$ISA/pam_unix.so
    session required /lib/security/$ISA/pam_deny.so
  6. Change the startup policy for Active Directory Service in vSphere Web Client under Configuration > Security Profile > Services to Start and stop with the host.
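A check to run after step 5 that confirms the auth and account stacks in /etc/pam.d/system-auth-generic consult pam_lsass.so before pam_deny.so rejects the login. This is an added example, not part of the VMware article: the function names, the mktemp working directory and the two sample files (built from the step 5 configuration, with a second copy that omits pam_lsass.so) are this example's own.

```shell
#!/bin/sh
# Added example, not from the VMware article: verify that an ESXi
# system-auth-generic file lets pam_lsass.so run before pam_deny.so (step 5).

# pam_stack_ok FILE GROUP  (GROUP is auth or account)
# 0 if a "sufficient ... pam_lsass.so" line precedes any
# "required ... pam_deny.so" line in that group, else 1.
pam_stack_ok() {
    awk -v group="$2" '
        /^[[:space:]]*#/ || NF == 0 { next }    # comments, blank lines
        $1 != group { next }                    # other management groups
        $2 == "sufficient" && $3 ~ /pam_lsass\.so$/ { lsass = 1 }
        $2 == "required" && $3 ~ /pam_deny\.so$/ { if (!lsass) bad = 1; exit }
        END { exit (lsass && !bad) ? 0 : 1 }
    ' "$1"
}

# check_system_auth_generic FILE: 0 only if both auth and account pass.
check_system_auth_generic() {
    rc=0
    for group in auth account; do
        if pam_stack_ok "$1" "$group"; then
            echo "$group: pam_lsass.so consulted before pam_deny.so"
        else
            echo "$group: AD users rejected (pam_lsass.so missing or after pam_deny.so)" >&2
            rc=1
        fi
    done
    return $rc
}

# Constructed sample files so the check runs offline; the quoted heredoc keeps $ISA literal.
WORKDIR=$(mktemp -d)
GOOD_PAM="$WORKDIR/system-auth-generic.fixed"; BAD_PAM="$WORKDIR/system-auth-generic.default"
cat > "$GOOD_PAM" <<'EOF'
#%PAM-1.0
auth sufficient /lib/security/$ISA/pam_lsass.so smartcard_prompt
auth sufficient /lib/security/$ISA/pam_unix.so try_first_pass likeauth nullok
auth required /lib/security/$ISA/pam_deny.so
account sufficient /lib/security/$ISA/pam_lsass.so smartcard_prompt
account sufficient /lib/security/$ISA/pam_unix.so
account required /lib/security/$ISA/pam_deny.so
session sufficient /lib/security/$ISA/pam_unix.so
session required /lib/security/$ISA/pam_deny.so
EOF
# Same file without pam_lsass.so: only local accounts can authenticate.
sed '/pam_lsass/d' "$GOOD_PAM" > "$BAD_PAM"
check_system_auth_generic "$GOOD_PAM"
check_system_auth_generic "$BAD_PAM" || echo "edit the file as in step 5" >&2
```

On a host, run `check_system_auth_generic /etc/pam.d/system-auth-generic` instead of the constructed files.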
Additional Information

Warning: VMware recommends using the UI when adding ESXi hosts to a domain to prevent configuration issues.