This post assumes you already know how to configure ESX/ESXi 4.1 for Active Directory; if not, this will get you up and running: http://ict-freak.nl/2010/09/12/how-to-configure-vsphere-4-1-active-directory-authentication/
3 Gotchas
1) After joining ESX/ESXi hosts to the domain and granting an AD group or user Administrator access, logins fail…
-Looking in the /var/log directory, output referencing the “ESX Admins” group is seen during the authentication failure:
Oct 1 09:27:36 hostname lsassd[13781]: 0xf7544b90:Failed to find user or group. [Error code: 40071]
Oct 1 09:28:04 hostname nssquery: Group lookup failed for ‘YourDomain\ESX Admins’
Oct 1 09:29:04 hostname nssquery: Group lookup failed for ‘YourDomain\ESX Admins’
Oct 1 09:30:05 hostname nssquery: Group lookup failed for ‘YourDomain\ESX Admins’
Oct 1 09:32:06 hostname last message repeated 2 times
Oct 1 09:34:07 hostname last message repeated 2 times
Oct 1 09:36:08 hostname last message repeated 2 times
-After creating an ESX Admins group in Active Directory and assigning it the Administrator right in Virtual Center, authentication worked properly.
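The quickest way to confirm that gotcha 1 is what you are hitting is to read the group name straight out of the nssquery failures instead of guessing at it. The following is an added example, not part of the original post: a pair of shell functions that summarise which AD groups lsassd/nssquery could not resolve, run here against a constructed log sample modelled on the lines above. On a host, point them at /var/log/messages.

```shell
#!/bin/sh
# Added example (not from the post): extract the "Group lookup failed" and
# lsassd lookup errors behind gotcha 1 so the missing AD group is named.

# Constructed sample log modelled on the post's lines (not from a real host).
SAMPLE_LOG="$(mktemp)"
cat > "$SAMPLE_LOG" <<'EOF'
Oct 1 09:27:36 hostname lsassd[13781]: 0xf7544b90:Failed to find user or group. [Error code: 40071]
Oct 1 09:28:04 hostname nssquery: Group lookup failed for 'YourDomain\ESX Admins'
Oct 1 09:29:04 hostname nssquery: Group lookup failed for 'YourDomain\ESX Admins'
Oct 1 09:30:05 hostname sshd[2201]: Accepted publickey for root from 192.0.2.10 port 51514 ssh2
Oct 1 09:31:05 hostname nssquery: Group lookup failed for 'YourDomain\vSphere Ops'
Oct 1 09:32:06 hostname last message repeated 2 times
EOF

# List each group nssquery failed to resolve, with a hit count, most frequent
# first. Leading and trailing non-word characters are stripped so the syslog
# quote style (straight or curly) does not matter.
missing_ad_groups() {
    grep 'nssquery: Group lookup failed for' "$1" \
      | sed 's/.*Group lookup failed for //; s/^[^A-Za-z0-9_]*//; s/[^A-Za-z0-9_]*$//' \
      | sort | uniq -c | sort -rn | sed 's/^[[:space:]]*//'
}

# Count lsassd "Failed to find user or group" errors. "last message repeated"
# lines are not expanded, so treat both numbers as a floor.
lsassd_lookup_errors() {
    grep -c 'lsassd\[[0-9]*\]: .*Failed to find user or group' "$1"
}

missing_ad_groups "$SAMPLE_LOG"
echo "lsassd lookup errors: $(lsassd_lookup_errors "$SAMPLE_LOG")"
```

Each line of the first function's output is the exact DOMAIN\group string the host asked AD for, which is what has to exist (here, ESX Admins) before the Administrator assignment in Virtual Center will authenticate.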
2) If you log in to an ESX/ESXi 4.1 host that is domain-authenticated and your AD account is a member of more than 32 security groups, the host will either reboot or become non-responsive. VMware knowledge base article: ESX host reboots, becomes unresponsive, or experiences a purple diagnostic screen when logging into the service console
3) After authenticating “properly” with AD credentials I noticed an issue with being stuck in a home directory of / rather than /home/%username%.
-Looking into this further I found a knowledge base article on
The create-homedir codepath has been disabled on ESX/ESXi 4.1. Attempting to configure this behavior using the /etc/likewise/lsassd.conf file will not succeed. To configure home directories for Active Directory user accounts, the directories must be manually created.
The /etc/likewise/lsassd.conf file can be modified to detail the location of the home directories once they exist by adding or modifying these lines:
homedir-prefix = /home
homedir-template = %H/%U
Here homedir-prefix = /home sets the starting point for all home directories to /home, and homedir-template = %H/%U sets the home directory to the homedir-prefix (%H) followed by the user account name (%U). The variable %D can also be used to substitute the Active Directory domain name into the user’s home directory.
Run these commands in sequence to restart the lsassd daemon and clear the Active Directory cache so the settings take effect:
- /etc/init.d/lsassd stop
- rm /etc/likewise/db/lsass-adcache.filedb
- /etc/init.d/lsassd start
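Since the directories have to be created by hand on 4.1, it is worth scripting the whole of gotcha 3 so the template in lsassd.conf and the directory that actually exists cannot drift apart. The following is an added example, not code from the post or from VMware/Likewise: shell functions that set the two options, expand the %H/%D/%U template exactly as described above, pre-create and lock down the directory, and wrap the restart sequence. It assumes one key per line in lsassd.conf as shown, and that the joined host resolves the account in DOMAIN\user form for chown (the demo at the bottom runs against a constructed copy of the file and a temporary prefix, so it works on any machine).

```shell
#!/bin/sh
# Added example (not from the post): apply the home-directory settings for
# gotcha 3 and pre-create the directory that ESX/ESXi 4.1 will not create.

# Replace or append "key = value" in an lsassd.conf-style file. Assumes one
# key per line in the section the post shows; writes via a temp file so no
# GNU-specific "sed -i" is needed on the service console.
set_lsassd_option() {
    conf="$1"; key="$2"; value="$3"
    if grep -q "^[[:space:]]*$key[[:space:]]*=" "$conf"; then
        sed "s|^[[:space:]]*$key[[:space:]]*=.*|$key = $value|" "$conf" > "$conf.tmp" \
            && mv "$conf.tmp" "$conf"
    else
        printf '%s = %s\n' "$key" "$value" >> "$conf"
    fi
}

# Read a key back (last matching line).
get_lsassd_option() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# Expand the template variables the post describes: %H prefix, %D domain, %U user.
render_homedir() {
    prefix="$1"; domain="$2"; user="$3"; template="$4"
    printf '%s\n' "$template" | sed "s|%H|$prefix|g; s|%D|$domain|g; s|%U|$user|g"
}

# Create the directory lsassd will hand out, owned only by the AD account.
# The chown uses the DOMAIN\user form (an assumption about name resolution on
# the joined host); it is skipped with a warning if the account cannot be
# resolved yet, so the call can be repeated after the join completes.
make_ad_homedir() {
    dir="$(render_homedir "$1" "$2" "$3" "$4")"
    mkdir -p "$dir" && chmod 700 "$dir"
    chown "$2\\$3" "$dir" 2>/dev/null \
        || echo "warning: could not chown $dir to $2\\$3" >&2
    printf '%s\n' "$dir"
}

# The restart sequence from the post; run as root on the host after editing.
restart_lsassd() {
    /etc/init.d/lsassd stop
    rm -f /etc/likewise/db/lsass-adcache.filedb
    /etc/init.d/lsassd start
}

# Demo against a constructed copy of lsassd.conf and a temporary prefix. On a
# real host use /etc/likewise/lsassd.conf, /home, and then restart_lsassd.
DEMO_CONF="$(mktemp)"
DEMO_HOME="$(mktemp -d)"
cat > "$DEMO_CONF" <<'EOF'
[lsass]
enable-eventlog = no
homedir-prefix = /home
EOF
set_lsassd_option "$DEMO_CONF" homedir-prefix "$DEMO_HOME"
set_lsassd_option "$DEMO_CONF" homedir-template '%H/%U'
make_ad_homedir "$DEMO_HOME" YourDomain jdoe "$(get_lsassd_option "$DEMO_CONF" homedir-template)"
```

Passing the template read back from the file into make_ad_homedir, rather than retyping the path, is the point of the design: whichever of %H/%U or %H/%D/%U is configured, the directory created matches what lsassd will resolve after the restart.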