How to add vMA 5.1 to AD so that users can log in with domain IDs for a particular domain group

Recently we configured vMA 5.1.

I need help joining vMA 5.1 to the domain abc.com,
but I have to make sure that only users from the domain group ESX Admin can log in to vMA.
Please advise on the required configuration so that all users from the domain group ESX Admin can log in to vMA.

Also, is any configuration required to ping/access the vMA by name? Right now I am able to access it using the IP only.
Asked by: patron

Andrew Hancock (VMware vExpert / EE MVE^2), VMware and Virtualization Consultant, commented:
You will need to add the vMA host to your Active Directory domain using the domainjoin-cli join command.

http://pubs.vmware.com/vsphere-50/index.jsp?topic=%2Fcom.vmware.vma.doc_50%2Fvima_get_start.4.8.html

This article covers it fully

http://www.virtuallyghetto.com/2010/11/how-to-configure-and-use-vmas-vi.html

patron (Author) commented:
Thanks.
I have added vMA 5.1 to the AD domain.
Now I need only a specific user, or users who are part of the AD group named ESX Admin, to have access to vMA.

Also, should a domain user be able to run commands as we can using vi-admin?

So I need help configuring this on vMA, so that not all domain users are able to log in and use vMA commands.

Andrew Hancock (VMware vExpert / EE MVE^2), VMware and Virtualization Consultant, commented:
Are you using adauth, and have you created the ESX Admins group?

Have you also tested adauth, by logging into an ESXi server using an AD Account?

You should only be able to login with an AD Account, if your username is in this group?
 
patron (Author) commented:
I have a group named ESX Admins in AD; that is fine for the ESX hosts.

But now I need the same configuration for vMA as well.

How can we make sure that only domain users from the AD group ESX Admins have login access to vMA 5.1 (not ESXi)?

Will any configuration be required in vMA, in a sudoers file or any other config file, to define user/group-level access?

In the ESXi case there is an option in the GUI to give the AD group name, but here we need this for vMA 5.1.

Andrew Hancock (VMware vExpert / EE MVE^2), VMware and Virtualization Consultant, commented:
So, have you tried logging in to vMA as an AD user in the ESX Admins group, and not in the ESX Admins group?

So you want different users to be able to log in to ESXi and vMA?

E.g. two different AD groups?

patron (Author) commented:
The AD group is the same: ESX Admins.

On the ESXi host, only users of this group (ESX Admins) can log in to the ESXi host, and they have root access by default, right?

Now I need the same configuration done on the vMA appliance.

My need is that only users from the group ESX Admins have login and work access on vMA, the same as is configured for vi-admin in vMA.

Andrew Hancock (VMware vExpert / EE MVE^2), VMware and Virtualization Consultant, commented:
Can you log in on your vMA server with an AD account in the AD group ESX Admins?

patron (Author) commented:
I am able to log in with all accounts from AD.
But I need login to work for the ESX Admin group from AD.

Andrew Hancock (VMware vExpert / EE MVE^2), VMware and Virtualization Consultant, commented:
You can log in to vMA from any account in AD?

You should only be able to log in if your user account is in the ESX Admin group?

If you log in to ESXi, can anyone from AD log in?

Did you add the ESXi host to vMA using adauth?

Did you also follow this....

http://www.virtuallyghetto.com/2010/07/vma-41-active-directory-intergration.html

patron (Author) commented:
Thanks, but my concern is that right now all users from the AD domain are able to log in to vMA using a domain ID.

I need only users from the ESX Admin group to be able to log in to vMA and to run commands as we do using the vi-admin account.

Andrew Hancock (VMware vExpert / EE MVE^2), VMware and Virtualization Consultant, commented:
Did you complete the additional configuration in this...

http://www.virtuallyghetto.com/2010/07/vma-41-active-directory-intergration.html

patron (Author) commented:
Thanks, I will have a look at this, but where do we have to give the group name ESX Admin in the vMA config?

So that only users from the AD group "ESX Admin" have login and work access on vMA, as we have for vi-admin?

Andrew Hancock (VMware vExpert / EE MVE^2), VMware and Virtualization Consultant, commented:
By adding ESXi and vCenter Servers to vMA using adauth.

patron (Author) commented:
Fine, but I need to make sure of this for vMA login only, as my hosts are already configured in the domain with access for the ESX ADMIN group only.

Andrew Hancock (VMware vExpert / EE MVE^2), VMware and Virtualization Consultant, commented:
Let me know when you go through the links.

patron (Author) commented:
Yes, I have done the configuration given in the URL.

Andrew Hancock (VMware vExpert / EE MVE^2), VMware and Virtualization Consultant, commented:
So any AD user can log in to vMA?

Can any AD user log in to ESXi?

patron (Author) commented:
Any AD user can log in to vMA.
But in ESXi, an AD user from the group named ESX Admins can log in.

So I need this to be rectified for vMA.

Andrew Hancock (VMware vExpert / EE MVE^2), VMware and Virtualization Consultant, commented:
Have you checked that only users in the AD group ESX Admins can log in to ESXi?

Also, can I have the output from...

sudo vifp listservers -l

Run the above as vi-admin and as an AD user.

patron (Author) commented:
All users from AD cannot log in to the ESXi host using PuTTY; users from the AD group named ESX Admins can log in to ESXi using PuTTY.

But in the case of vMA login via PuTTY, all users from AD can log in using a domain ID.

So I am looking for a configuration where only users from the ESX Admin group can log in to vMA.

And the output of vifp listservers -l is the same for all: vi-admin, a user from AD, and a user from the AD group named ESX Admin.

But if I add any server using any AD ID, it says you don't have permission.

Andrew Hancock (VMware vExpert / EE MVE^2), VMware and Virtualization Consultant, commented:
The ESXi host obtains its permission list from ESX Admins.

When adding vMA to AD, as a machine, all AD users can log in, but they will not be able to execute commands, because they are not in the sudoers list.

Add the following to the /etc/sudoers file:

%Domain\\ESX\ Admins ALL=(ALL) ALL

Members of the ESX Admins group will be able to perform admin functions on ESXi and vCenter Server.

Also, to prevent all AD users from accessing and logging into vMA, you will need to change the following file:

/etc/likewise/lsassd.conf

and you will need to add a line:

require-membership-of = DOMAIN\ESX Admins

and you will need to restart the config with:

sudo /opt/likewise/bin/lw-refresh-configuration

The above commands and configuration should prevent anyone who is not in the Domain\ESX Admin group from logging into vMA, and allow users of the Domain\ESX Admin group to execute commands.
0
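
An added example (not part of the thread and not VMware or Likewise tooling): a shell audit for the two settings in the answer above, an active `require-membership-of` line and a sudoers rule for the group, run here against constructed sample files. `DOMAIN` is a placeholder and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit the two vMA settings from the answer above.
# GROUP is written as in lsassd.conf, e.g. 'DOMAIN\ESX Admins' (placeholder domain).

# True when FILE has an uncommented require-membership-of line naming GROUP.
login_restricted() {   # login_restricted FILE GROUP
    WANT="$2" awk '
        /^[ \t]*#/ { next }                       # a commented-out line restricts nothing
        /^[ \t]*require-membership-of[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, "")
            if ($0 == ENVIRON["WANT"]) found = 1
        }
        END { exit !found }' "$1"
}

# True when FILE has an active sudoers rule for %GROUP. sudoers escapes the
# backslash as \\ and the space as "\ ", so convert GROUP before matching.
sudo_granted() {       # sudo_granted FILE GROUP
    esc=$(printf '%s' "$2" | sed 's/\\/\\\\/g; s/ /\\ /g')
    WANT="%$esc" awk '
        /^[ \t]*#/ { next }
        { sub(/^[ \t]+/, ""); w = ENVIRON["WANT"]
          if (index($0, w) == 1 && substr($0, length(w) + 1, 1) ~ /[ \t]/) found = 1 }
        END { exit !found }' "$1"
}

# Print one finding per missing control; return the number of findings.
audit() {              # audit LSASSD_CONF SUDOERS GROUP
    n=0
    login_restricted "$1" "$3" || { echo "FAIL $1: any domain user can log in"; n=$((n + 1)); }
    sudo_granted "$2" "$3"     || { echo "FAIL $2: no sudo rule for $3"; n=$((n + 1)); }
    return "$n"
}

# Constructed sample files (not taken from a real appliance).
d=$(mktemp -d)
printf '%s\n' '# require-membership-of = DOMAIN\ESX Admins' > "$d/lsassd.before"
printf '%s\n' 'require-membership-of = DOMAIN\ESX Admins'   > "$d/lsassd.after"
printf '%s\n' 'root ALL=(ALL) ALL'                          > "$d/sudoers.before"
printf '%s\n' 'root ALL=(ALL) ALL' '%DOMAIN\\ESX\ Admins ALL=(ALL) ALL' > "$d/sudoers.after"

audit "$d/lsassd.before" "$d/sudoers.before" 'DOMAIN\ESX Admins' || echo "findings: $?"
audit "$d/lsassd.after"  "$d/sudoers.after"  'DOMAIN\ESX Admins' && echo "OK: login and sudo limited to the group"
```

On the appliance, point `audit` at `/etc/likewise/lsassd.conf` and `/etc/sudoers`; where `visudo` is available, `visudo -c` checks the sudoers syntax after an edit.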
 
patron (Author) commented:
It is not allowing me to edit and save sudoers or any other file, even though I am logged in with vi-admin.

I also tried sudo vi sudoers, with no luck: E45: read-only option is set.

And is it required to give the domain name, like abc.com, in place of %Domain?

Andrew Hancock (VMware vExpert / EE MVE^2), VMware and Virtualization Consultant, commented:
You must prefix the domain with %.

The file is read-only....

But if you exit vi

with

:w!

that should write the file.

patron (Author) commented:
All done, great. Thanks a lot.

patron (Author) commented:
Thanks a lot.