Comments on: WinBind authentication with VMware host http://itknowledgeexchange.techtarget.com/itanswers/winbind-authentication-with-vmware-host/ Fri, 27 Nov 2009 21:10:24 +0000 http://wordpress.org/?v=2.6.2 By: AdamJB http://itknowledgeexchange.techtarget.com/itanswers/winbind-authentication-with-vmware-host/#comment-62194 AdamJB Mon, 13 Apr 2009 22:17:36 +0000 #comment-62194 We've been using VMware on Linux Hosts and using AD Authentication for the past couple of years, with great success on both VMware Server 1 & 2. If you already have your Winbind/Samba configuration working and all you need is a working vmware-authd pam file, here is what we use: auth sufficient pam_unix.so shadow nullok auth sufficient pam_winbind.so use_first_pass cached_login account sufficient pam_unix.so account sufficient pam_winbind.so cached_login The 'cached_login' parameter allows Winbind to use cached account info, which allows a domain account that has previously logged in to log in when no domain controllers are available. We found during testing that if Domain Controllers are unavailable, Winbind would not switch to offline mode reliably on it's own. So, we created a simple script to check LDAP connectivity to Domain Controllers, and set Winbind to online or offline mode depending on whether or not the DCs are available. The script is scheduled to run once per minute via cron: DC1=`nmap -sS -p 389 10.2.1.21|grep open|wc -l` DC2=`nmap -sS -p 389 172.21.2.2|grep open|wc -l` WINBINDONLINE=`smbcontrol winbindd onlinestatus|grep 'AINET:Online'|wc -l` if [ "$DC1" -eq "1" -o "$DC2" -eq "1" ]; then if [ "$WINBINDONLINE" -eq "0" ]; then smbcontrol winbindd online echo `date` - Switching winbindd to online mode >> /var/log/samba/smbcontrol fi else if [ "$WINBINDONLINE" -eq "1" ]; then smbcontrol winbindd offline echo `date` - Switching winbindd to offline mode >> /var/log/samba/ smbcontrol fi fi We’ve been using VMware on Linux Hosts and using AD Authentication for the past couple of years, with great success on both VMware Server 1 & 2.

If you already have your Winbind/Samba configuration working and all you need is a working vmware-authd pam file, here is what we use:

auth sufficient pam_unix.so shadow nullok
auth sufficient pam_winbind.so use_first_pass cached_login
account sufficient pam_unix.so
account sufficient pam_winbind.so cached_login

The ‘cached_login’ parameter allows Winbind to use cached account info, which allows a domain account that has previously logged in to log in when no domain controllers are available.

We found during testing that if Domain Controllers are unavailable, Winbind would not switch to offline mode reliably on it’s own. So, we created a simple script to check LDAP connectivity to Domain Controllers, and set Winbind to online or offline mode depending on whether or not the DCs are available. The script is scheduled to run once per minute via cron:

DC1=`nmap -sS -p 389 10.2.1.21|grep open|wc -l`
DC2=`nmap -sS -p 389 172.21.2.2|grep open|wc -l`
WINBINDONLINE=`smbcontrol winbindd onlinestatus|grep ‘AINET:Online’|wc -l`

if [ "$DC1" -eq "1" -o "$DC2" -eq "1" ]; then
if [ "$WINBINDONLINE" -eq "0" ]; then
smbcontrol winbindd online
echo `date` - Switching winbindd to online mode >> /var/log/samba/smbcontrol
fi
else
if [ "$WINBINDONLINE" -eq "1" ]; then
smbcontrol winbindd offline
echo `date` - Switching winbindd to offline mode >> /var/log/samba/ smbcontrol
fi
fi

]]> By: Mshen http://itknowledgeexchange.techtarget.com/itanswers/winbind-authentication-with-vmware-host/#comment-61663 Mshen Tue, 31 Mar 2009 18:58:49 +0000 #comment-61663 Purchasing the vCenter Server license, and installing it on a Windows VM or physical machine will allow you to use Active Directory accounts to connect to the vCenter Server to manage your virtual infrastructure. Purchasing the vCenter Server license, and installing it on a Windows VM or physical machine will allow you to use Active Directory accounts to connect to the vCenter Server to manage your virtual infrastructure.

]]>