Wednesday, 30 November 2016

VCAP-DCV :: Configure and manage Active Directory integration from CLI

Before we join the esxi host into Active Directory domain we need to check firewall settings:

 1.) Enable firewall rule activeDirectoryAll :

 [root@kb-e01:~] esxcli network firewall ruleset set -r activeDirectoryAll --enabled 1
[root@kb-e01:~] esxcli network firewall ruleset list
Name Enabled
------------------------ -------
sshServer true
sshClient false
..snip..snip..

 webAccess true
vMotion true
vSphereClient true
activeDirectoryAll true
NFC true
...snip..snip...
2.) Change the default ESX Admins group to custom one kblnrz_esx_admins (this group needs to be created in Active Directory before esxi joined AD domain!):

[root@kb-e01:~] vim-cmd hostsvc/advopt/update "Config.HostAgent.plugins.hostsvc.esxAdminsGroup" string "kblnrz_esx_admins"

[root@kb-e01:~] vim-cmd hostsvc/advopt/view "Config.HostAgent.plugins.hostsvc.esxAdminsGroup"
(vim.option.OptionValue) [
   (vim.option.OptionValue) {
      key = "Config.HostAgent.plugins.hostsvc.esxAdminsGroup",
      value = "kblnrz_esx_admins"
   }

]

3.) Start lwsmd daemon:

 [root@kb-e01] /etc/init.d/lwsmd start
Starting Likewise Service Manager [memory reservation set] [starting lsass service] Starting service dependency: netlogon
Starting service dependency: lwio
Starting service dependency: rdr
Starting service: lsass
...ok
[root@kb-e01] /etc/init.d/lwsmd status
running
4.) Enable lwsmd deamon after reboot:
[root@kb-e01] chkconfig lwsmd on

5.) Check Domain Controller accessibility:
[root@kb-e01:/usr/lib/vmware/likewise/bin] ./lw-get-dc-name kblnrz.lab
Printing LWNET_DC_INFO fields:
===============================
dwDomainControllerAddressType = 23
dwFlags = 62461
dwVersion = 5
wLMToken = 65535
wNTToken = 65535
pszDomainControllerName = kb-w01.kblnrz.lab
pszDomainControllerAddress = 10.6.4.179
pucDomainGUID(hex) = 98 19 7A 57 BF F4 78 41 9D E2 DC 3A D7 F7 F3 C9
pszNetBIOSDomainName = KBLNRZ
pszFullyQualifiedDomainName = kblnrz.lab
pszDnsForestName = kblnrz.lab
pszDCSiteName = Default-First-Site-Name
pszClientSiteName = Default-First-Site-Name
pszNetBIOSHostName = KB-W01
pszUserName = <EMPTY> 

6.)  Now join the esxi host to AD domain :
[root@kb-e01:~] cd /usr/lib/vmware/likewise/bin/
[root@kb-e01:/usr/lib/vmware/likewise/bin] ./domainjoin-cli join kblnrz.lab Administrator
Joining to AD Domain: kblnrz.lab
With Computer DNS Name: kb-e01.kblnrz.lab
Administrator@KBLNRZ.LAB's password:
SUCCESS
7.) We can see that the AD group 'kblnrz_esx_admins' was automatically added.

 [root@kb-e01:~] esxcli system permission list
Principal                 Is Group  Role   Role Description  
------------------------  --------  -----  ------------------
KBLNRZ\kblnrz_esx_admins      true  Admin  Full access rights
dcui                         false  Admin  Full access rights
root                         false  Admin  Full access rights

vpxuser                      false  Admin  Full access rights

8.) If the firewall rule activeDirectoryAll is not set you can receive following error:

 [root@kb-e01:/usr/lib/vmware/likewise/bin] ./domainjoin-cli --loglevel verbose join kblnrz.lab Administrator
Joining to AD Domain: kblnrz.lab
With Computer DNS Name: kb-e01.kblnrz.lab
Administrator@KBLNRZ.LAB's password:
Error: NERR_DCNotFound [code 0x00000995]

9.) Enable likewise logging : http://kb.vmware.com/kb/1026554

 the end...










Posted by at No comments:

Saturday, 26 November 2016

VCAP-DCV :: Changing password options/strength and MOB

1.) Check the Security options on ESXi host:

[root@kb-e01:~] vim-cmd hostsvc/advopt/view Security
(vim.option.OptionValue) [
   (vim.option.OptionValue) {
      key = "Security.AccountLockFailures",
      value = 10
   },
   (vim.option.OptionValue) {
      key = "Security.AccountUnlockTime",
      value = 120
   },
   (vim.option.OptionValue) {
      key = "Security.PasswordQualityControl",
      value = "retry=3 min=disabled,disabled,disabled,7,7"
   }
]

2.) Weaken the password quality control e.g. to have VMware1!

[root@kb-e01:~] vim-cmd hostsvc/advopt/update "Security.PasswordQualityControl" string "retry=3 min=8,8,8,7,6"

[root@kb-e01:~] vim-cmd hostsvc/advopt/view "Security.PasswordQualityControl"
(vim.option.OptionValue) [
   (vim.option.OptionValue) {
      key = "Security.PasswordQualityControl",
      value = "retry=3 min=8,8,8,7,6"
   }
]

3.) Disable the Managed Object Browser (MOB) to reduce attack surface. (on vSphere 6.x MOB is disabled by default)

[root@kb-e01:~] vim-cmd hostsvc/advopt/view Config.HostAgent.plugins.solo
(vim.option.OptionValue) [
   (vim.option.OptionValue) {
      key = "Config.HostAgent.plugins.solo.enableMob",
      value = false
   },
   (vim.option.OptionValue) {
      key = "Config.HostAgent.plugins.solo.webServer.enableWebscriptLauncher",
      value = true
   }
]

4.) Enable the MOB to weaken the system:

[root@kb-e01:~] vim-cmd hostsvc/advopt/update Config.HostAgent.plugins.solo.enableMob bool 1
[root@kb-e01:~] vim-cmd hostsvc/advopt/view Config.HostAgent.plugins.solo
(vim.option.OptionValue) [
   (vim.option.OptionValue) {
      key = "Config.HostAgent.plugins.solo.enableMob",
      value = true
   },
   (vim.option.OptionValue) {
      key = "Config.HostAgent.plugins.solo.webServer.enableWebscriptLauncher",
      value = true
   }
]








Posted by at No comments:

Monday, 21 November 2016

VCAP-DCV :: Add/Edit Remove users on an ESXi host from CLI

The most effective way to add local users is command-line we need 3 steps to add user using CLI using GUI we need around 10 steps ! Real men don't click ;-)

1.) Add user kb with description admin
[root@localhost:~] esxcli system account add -d "admin" -i kb -p -c
Enter value for 'password':
Enter value for 'password-confirmation':

2.) List newly created users:
[root@localhost:~] esxcli system account list
User ID  Description                            
-------  -------------------------------------------
root     Administrator                          
dcui     DCUI User                              
vpxuser  VMware VirtualCenter administration account
kb       admin

3.) List permissions:
[root@localhost:~] esxcli system permission list
Principal  Is Group  Role   Role Description
---------  --------  -----  ------------------
dcui          false  Admin  Full access rights
root          false  Admin  Full access rights
vpxuser       false  Admin  Full access rights

4.) Assign new permissions to newly created user kb:
[root@localhost:~] esxcli system permission set -i kb -r Admin

5.) List assigned role / permissions:
[root@localhost:~] esxcli system permission list
Principal  Is Group  Role   Role Description  
---------  --------  -----  ------------------
dcui          false  Admin  Full access rights
kb            false  Admin  Full access rights
root          false  Admin  Full access rights
vpxuser       false  Admin  Full access rights

6.) Remove the account
[root@esxi01:~] esxcli system account remove -i kb


UNSUPPORTED way to add user with root priviliges from command-line:

1.) Enter into /bin directory:
[root@localhost:~] cd /bin/

2.) Create symbolic link:
[root@localhost:/bin] ln -s /usr/lib/vmware/busybox/bin/busybox adduser

3.) Create new user using adduser command:
[root@localhost:/bin] adduser -s /bin/ash -g admin -G root -h / kb
Changing password for kb

You can now choose the new password.

A valid password should be a mix of upper and lower case letters,
digits, and other characters.  You can use a 7 character long
password with characters from at least 3 of these 4 classes.
An upper case letter that begins the password and a digit that
ends it do not count towards the number of character classes used.

Alternatively, if noone else can see your terminal now, you can
pick this as your password: "cvyr!Terrpr!zbzrag".

Enter new password:
Re-type new password:

4.) List newly created user:
[root@localhost:/bin] esxcli system account list
User ID  Description                            
-------  -------------------------------------------
root     Administrator                          
dcui     DCUI User                              
vpxuser  VMware VirtualCenter administration account
kb       admin

5.) Don't assign the role for this user you will lost access over SSH.
[root@esxi01:/bin] esxcli system permission list
Principal  Is Group  Role   Role Description
---------  --------  -----  ------------------
dcui          false  Admin  Full access rights
root          false  Admin  Full access rights
vpxuser       false  Admin  Full access rights


We can only login via SSH using this method, the GUI will not allow to login because of permission. Assigning the Admin role will cause that access to SSH will be lost as well. I am not sure this is bug or feature.






Posted by at 1 comment:

Saturday, 19 November 2016

VCAP-DCV :: Add/Edit Remove users on an ESXi host from GUI

How to create new user and add permissions on standalone ESXi 6.x host using C# viClient or Flings ESXi Embedded Host Client native HTLM5

Using classic C# viClient:

1.) Login to ESXi with viClient using root credentials.
2.) Click on Users tab in right pane:



3.) Right click in pane:


4.) Type Login and password and click OK:


5.) The new use kb was created:


6.) Now we have to assign Permissions for newly created user: 


7.) Right click on the pane and choose Add Permission...


8.) Click Add.. to add the user:


9.) Select the user, click Add and click OK:


10.) Assign the role from context menu in right pane:


11.) Click OK after assigning role: 


12.) User kb with role Administrator was added after refresh:


Using Flings ESXi Embedded Host Client native HTLM5

1.) Login to ESXi host using root credentials:


2.) Click Manage and Users in right pane and press Add user button:


3.) Type user and password and press Add button: 


4.) The new user kb was created: 


5.) Now we have to assign the role / permissions. Click Host in left pane: 


6.) Press Actions button and choose Permissions from context menu:


7.) Press Add user button:


8.) Select user:


9.) Select role:


10.) Press Add user botton:


11.) The role Administrator was assigned to user kb:


the end.







Posted by at 1 comment:
Subscribe to: Posts (Atom)