Steps to enable the use of Active Directory accounts to open SSH sessions on ESXi 6.5 and 6.7 using the domainjoin-cli command


Article ID: 316483

Products

VMware vSphere ESXi

Issue/Introduction

This article provides steps to enable the use of Active Directory accounts to open SSH sessions on ESXi 6.5 and 6.7 using the domainjoin-cli command.

Symptoms:
Joining ESXi to Active Directory is successful but logins with AD accounts fail.
ESXi was joined to AD from the command line using domainjoin-cli.
Messages similar to these appear in /var/log/hostd.log when using AD accounts.
2020-05-21T14:53:38.350Z warning hostd[2100215] [Originator@6876 sub=Default opID=esxui-dd22-0d56] Rejected password for user domain\user from 10.10.10.10
2020-05-21T14:53:38.350Z info hostd[2100215] [Originator@6876 sub=Vimsvc.ha-eventmgr opID=esxui-dd22-0d56] Event 262 : Cannot login domain\[email protected]
2020-05-21T14:53:41.352Z info hostd[2100565] [Originator@6876 sub=Solo.Vmomi] Throw vim.fault.InvalidLogin


Environment

VMware vSphere ESXi 6.5
VMware vSphere ESXi 6.7

Resolution

To join the ESXi host to Active Directory and to enable AD users to log in using SSH:

  1. Open an SSH session to the ESXi host using the default root account.
  2. Enable the ESXi firewall rule for Active Directory by running the following command:
    # esxcli network firewall ruleset set --enabled true --ruleset-id=activeDirectoryAll
  3. Start the Likewise service (lwsmd) by running:
    # /etc/init.d/lwsmd start
  4. Use domainjoin-cli to join the ESXi host to the AD domain:
    # /usr/lib/vmware/likewise/bin/domainjoin-cli join <domain-fqdn> <AD_admin_username>
  5. Edit the PAM configuration /etc/pam.d/system-auth-generic on the ESXi host to have a configuration similar to:
    #%PAM-1.0
    
    auth sufficient /lib/security/$ISA/pam_lsass.so smartcard_prompt
    auth sufficient /lib/security/$ISA/pam_unix.so try_first_pass likeauth nullok
    auth required /lib/security/$ISA/pam_deny.so
    
    account sufficient /lib/security/$ISA/pam_lsass.so smartcard_prompt
    account sufficient /lib/security/$ISA/pam_unix.so
    account required /lib/security/$ISA/pam_deny.so
    
    session sufficient /lib/security/$ISA/pam_unix.so
    session required /lib/security/$ISA/pam_deny.so
  6. Change the startup policy for Active Directory Service in vSphere Web Client under Configuration > Security Profile > Services to Start and stop with the host.
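The following POSIX shell helper is an added example, not part of the VMware article: it wraps steps 2 to 4 as given above and then checks the two things the Symptoms section turns on, whether the PAM "auth" and "account" stacks in /etc/pam.d/system-auth-generic reach pam_lsass.so before pam_deny.so (my reading of the "similar to" configuration in step 5, so treat that ordering rule as an assumption), and how many "Rejected password" events hostd has already logged. The file paths are the ESXi defaults named in the article and can be overridden through the PAM_FILE and HOSTD_LOG environment variables for testing off-host.

```shell
# Added example, not from the VMware KB. Checks the state that steps 2-5
# above produce; paths are the ESXi defaults named in the article.
PAM_FILE="${PAM_FILE:-/etc/pam.d/system-auth-generic}"
HOSTD_LOG="${HOSTD_LOG:-/var/log/hostd.log}"

# Steps 2-4 exactly as the article gives them; run as root on the ESXi host.
join_domain() {  # $1 = domain FQDN, $2 = AD admin user
    esxcli network firewall ruleset set --enabled true --ruleset-id=activeDirectoryAll
    /etc/init.d/lwsmd start
    /usr/lib/vmware/likewise/bin/domainjoin-cli join "$1" "$2"
}

# Return 0 when the PAM stack ($2 = auth|account) consults pam_lsass.so
# (Likewise/AD) before its final pam_deny.so line (assumed reading of step 5).
pam_stack_uses_lsass() {  # $1 = PAM file
    awk -v t="$2" '
        /^[ \t]*#/ { next }          # skip comments such as #%PAM-1.0
        $1 == t && $3 ~ /pam_lsass\.so$/ { lsass = NR }
        $1 == t && $3 ~ /pam_deny\.so$/  { deny  = NR }
        END { exit !(lsass > 0 && (deny == 0 || lsass < deny)) }
    ' "$1"
}

# Count the "Rejected password" events quoted in Symptoms, optionally for
# one user; -F so the backslash in DOMAIN\user is not a regex escape.
count_rejected_logins() {  # $1 = hostd.log, $2 = user (optional)
    if [ -n "${2:-}" ]; then
        grep -cF "Rejected password for user $2 from" "$1" || true
    else
        grep -cF "Rejected password for user " "$1" || true
    fi
}

# Returns 0 when both stacks are AD-aware and reports rejections seen so far.
check_ad_ssh_readiness() {
    rc=0
    for stack in auth account; do
        if pam_stack_uses_lsass "$PAM_FILE" "$stack"; then
            echo "ok: $stack stack consults pam_lsass.so"
        else
            echo "FAIL: $stack stack never reaches pam_lsass.so (see step 5)"; rc=1
        fi
    done
    echo "hostd rejected-password events: $(count_rejected_logins "$HOSTD_LOG")"
    return $rc
}
```

Run `check_ad_ssh_readiness` after editing the PAM file; a FAIL line for either stack means AD logins will still end in the vim.fault.InvalidLogin shown above.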
Additional Information

To get SSH working for AD users, refer to the vSphere documentation and to these related articles:

* "domainjoin-cli" command to join an ESXi host to an Active Directory Domain (52984)

* Steps to enable the use of Active Directory accounts to open SSH sessions on ESXi 6.5 and 6.7 using the domainjoin-cli command (2152045)

Impact/Risks:
Warning: VMware recommends using the UI when adding ESXi hosts to a domain to prevent configuration issues.