Wednesday, July 6, 2011

Adding your VMWare ViMA to Active Directory

This lesson covers adding your ViMA to Active Directory. It builds on the previous tutorial, "Setting up a VMWare VMA - Initial setup" located here. You may also wish to download PuTTY (used extensively in this tutorial). You can get it here.

As a note - I did not find AD integration to be particularly helpful in using APCUPSD. I've left this article here in case someone has need of it or someone can help me figure out what I did wrong. ;) I have switched to fastpass authentication for the APCUPSD stuff.

Upgrade LikeWise


This was initially done as a diagnostic step when I was having issues with ViMA. I've added it here as a standard procedure - mostly because I like to have the most recent stuff when I attempt to do things. There's a very good blog post on upgrading LikeWise here. The basics are pretty simple, though. From the blog post (in case it is down - not to steal from his work!):

Check out your current version:
$ sudo rpm -qa | grep likewise
Obtain latest version of LikeWise Open here
Download the latest version:
$ wget <<link provided by LikeWise email>>
(get the 64 bit version)
Remove the current version:
$ sudo rpm -e `rpm -qa | grep likewise`
Run the script:
$ sudo chmod 755 LikewiseOpen-6.0.0.8360-linux-x86_64-rpm.sh
$ sudo sh LikewiseOpen-6.0.0.8360-linux-x86_64-rpm.sh

Answer yes to any prompts. Don't worry about the libglade error at the end: it relates to the GUI version of LikeWise, which we won't be using here.


Add Your ViMA to Active Directory


Type the following command:
sudo domainjoin-cli join <<domain>> <<domain admin account>>

I have received the above error (or one like it) every time I have run domainjoin-cli join. It is my understanding that it is not important. If, however, you dislike untidy warnings, you can move the offending PAM module out of the /etc/pam.d directory, rerun domainjoin-cli, and put the PAM module back afterwards. I followed the recommendation at the bottom of this thread. Again, in the interest of not having a dead link:


2 things to try:
1) remove the software that installed it.
2) move /etc/pam.d/wbem to a temporary location during the join, and move it back when completed (this may require hand-modifications to add pam_lsass to the module)
Here’s my file for comparison:
#%PAM-1.0
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_unix.so likeauth nullok
auth sufficient /lib/security/pam_lsass.so try_first_pass
auth required /lib/security/pam_deny.so
account required /lib/security/pam_lsass.so unknown_ok
account sufficient /lib/security/pam_lsass.so
account required /lib/security/pam_unix.so
password sufficient /lib/security/pam_lsass.so
password required /lib/security/pam_lwipasspolicy.so
password required /lib/security/pam_cracklib.so retry=3 type= try_first_pass use_authtok
password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow
password required /lib/security/pam_deny.so
session required /lib/security/pam_limits.so
session required /lib/security/pam_unix.so
session sufficient /lib/security/pam_lsass.so
Signature
Robert Auch
Project Manager, Deployments
Likewise Software, Inc.
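
Option 2 from the reply above, as an added shell example (not from the original post, the quoted thread, or Likewise). The function names are hypothetical: the first runs a command with /etc/pam.d/wbem held in a private temporary directory and always moves it back, and the second lists which PAM stacks in the restored file still lack a pam_lsass entry and so need the hand-modification the reply mentions.

```shell
#!/bin/sh
# Added example: function names are hypothetical, not part of Likewise Open.

# Run a command with one file moved out of the way, then put the file back
# whether the command succeeded or failed. Returns the command's exit status.
# Usage (as root):
#   run_with_file_aside /etc/pam.d/wbem domainjoin-cli join DOMAIN ADMIN_ACCOUNT
run_with_file_aside() {
    target=$1; shift
    [ -f "$target" ] || { echo "no such file: $target" >&2; return 2; }
    # Hold the file outside /etc/pam.d so the join does not see it at all;
    # mktemp -d creates a directory only the caller can access.
    holddir=$(mktemp -d) || return 2
    mv "$target" "$holddir/saved" || { rmdir "$holddir"; return 2; }
    "$@"
    cmd_status=$?
    mv "$holddir/saved" "$target" || {
        echo "restore failed, file is still in $holddir" >&2; return 3; }
    rmdir "$holddir"
    return "$cmd_status"
}

# Print each PAM module type (auth, account, password, session) that has no
# pam_lsass.so entry in the given file. Returns 0 if none is missing, else 1.
pam_types_missing_lsass() {
    awk '
        /^[ \t]*#/ || NF < 3 { next }        # comments, blanks, short lines
        {
            type = $1; sub(/^-/, "", type)   # "-type" marks an optional entry
            for (i = 3; i <= NF; i++)        # module path follows the control
                if ($i ~ "(^|/)pam_lsass[.]so$") seen[type] = 1
        }
        END {
            n = split("auth account password session", want, " ")
            for (i = 1; i <= n; i++)
                if (!(want[i] in seen)) { print want[i]; missing = 1 }
            exit missing + 0
        }' "$1"
}
```

After the join, run pam_types_missing_lsass /etc/pam.d/wbem; any type it prints is a stack where domain accounts are not consulted for that service.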


Verify Active Directory Membership


Run the following command:
sudo domainjoin-cli query

You should see verification that your ViMA has been added to Active Directory.

Add your ESX(i) server to Active Directory as well by following some additional steps here