Undocumented parameters for ESXi 5.0 Active Directory integration

Since vSphere version 4.1 it is possible to integrate an ESXi host into a Microsoft Active Directory (AD). After the host is joined to the domain you can assign permissions to AD groups and users by connecting directly to the host with the vSphere client.
Instructions on how to do this (with ESXi 5.0) are available e.g. here in the VMware Online Documentation.

I first looked at AD integration when vSphere 4.1 was released and found one really annoying drawback in it that ruled it out from a possible implementation in our environment: When an ESXi 4.1 host is joined to a domain it will automatically (and repeatedly!) look up an AD group called "ESX Admins", and as soon as it finds this group it will grant this group Administrator permissions on the ESXi host. The real problem here is that the name ("ESX Admins") of this AD group is hard coded and cannot be configured.
This may be a nice feature for small environments - you just need to create this group, fill in the necessary people and you are done. But if you think about an enterprise environment of a large company with lots of different sites, IT teams and vSphere installations, but only one Active Directory, you cannot assume that all ESXi hosts in this company are managed by the same group of people. Whoever controls the membership of that one AD group effectively controls every domain-joined ESXi host.

When vSphere 5.0 was released I looked at the release notes and documentation to find out if this drawback was removed, but I did not find any positive information. Tests I did also showed that an ESXi 5.0 host behaves the same way, looks up the "ESX Admins" group and adds it with Administrator permissions.

However, recently I stumbled over the following when browsing the advanced configuration parameters of an ESXi 5.0 host:
[Screenshot: Configuring the "ESX Admins" group]
Yes, with ESXi 5.0 it is possible to change the name of the AD group that is automatically added by setting the advanced configuration option Config.HostAgent.plugins.hostsvc.esxAdminsGroup. You can even completely disable this functionality by setting the option Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd to false.
I searched for this again in the VMware documentation and the Knowledge Base, but did not find it mentioned anywhere. So it looks like at the moment this is completely undocumented, but it works as expected (I could not resist immediately trying this out)!
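As an added example that is not part of the original post, the following PowerCLI script audits both options on every host of a vCenter and applies one of the two fixes described above. The PowerCLI cmdlets are the standard ones (Connect-VIServer, Get-VMHost, Get-AdvancedSetting, Set-AdvancedSetting); the vCenter name and the group name are placeholders you would replace.

```powershell
# Added example, not the blog's own code. Audits and hardens the undocumented
# "ESX Admins" auto-add behaviour on all ESXi 5.0 hosts managed by a vCenter.
# Assumes VMware PowerCLI is loaded and that you can log in to the vCenter.
$AutoAddOption = 'Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd'
$GroupOption   = 'Config.HostAgent.plugins.hostsvc.esxAdminsGroup'

# Choose ONE strategy:
#  $true  -> disable the auto-add entirely and assign host permissions explicitly
#  $false -> keep the auto-add but point it at a group your own team controls
$DisableAutoAdd = $true
$DesiredGroup   = 'vSphere-Site1-ESXi-Admins'   # placeholder, site-specific AD group

Connect-VIServer -Server 'vcenter.example.com' | Out-Null   # placeholder vCenter

foreach ($esx in Get-VMHost) {
    $autoAdd = Get-AdvancedSetting -Entity $esx -Name $AutoAddOption
    $group   = Get-AdvancedSetting -Entity $esx -Name $GroupOption
    if ($null -eq $autoAdd -or $null -eq $group) {
        Write-Warning "$($esx.Name): options not present (pre-5.0 host?), skipping"
        continue
    }

    # Report the state found before changing anything, so the run leaves an audit trail.
    [pscustomobject]@{
        Host    = $esx.Name
        AutoAdd = $autoAdd.Value
        Group   = $group.Value
    } | Format-Table -AutoSize

    if ($DisableAutoAdd) {
        # Compare as string: the value may come back as a Boolean or as "false".
        if ("$($autoAdd.Value)" -ne 'false') {
            $autoAdd | Set-AdvancedSetting -Value $false -Confirm:$false | Out-Null
            Write-Host "$($esx.Name): auto-add of '$($group.Value)' disabled"
        }
    }
    elseif ($group.Value -ne $DesiredGroup) {
        $group | Set-AdvancedSetting -Value $DesiredGroup -Confirm:$false | Out-Null
        Write-Host "$($esx.Name): auto-add group changed to '$DesiredGroup'"
    }
}

Disconnect-VIServer -Confirm:$false
```

Changing these options only stops future automatic grants; a permission the host has already assigned to the old group is, as far as I know, left in place, so review the host-local permissions by connecting to each host directly, as the post describes.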

4 comments:

  1. One more great setting to add to a standard host profile.

    Thanks,
    @dboftlp

  2. Hi, thank you for a great tip!
    This may be a dumb question, but I do have a question about "obtaining root" using ESXi 5 and AD.

    In our previous ESX 4.1 environment, we had "sudo". We maintained /etc/sudoers to include ESX Admin group so that once we log in with our AD acct, we would run sudo su -, and obtain root.

    Currently, I am able to log in using my AD acct to the ESXi 5 hosts. My AD acct is part of ESX admin group. I am seeing that I should have the admin access to the host based on this configuration, however, I don't seem to be root on the system. For instance, I don't seem to be able to change the ownership of files in /opt.
    How do you obtain root on the ESXi console using ssh? We don't have sudo on ESXi, do we??

    1. Masa,

      your observations are correct, and you are making a very good point here. You can use the 'su' command in the shell to switch to root, but this requires knowing and entering the root password which defeats the whole idea of AD integration. sudo should really be available in ESXi. Let's try to make this happen and vote for it here: http://communities.vmware.com/thread/344466

      Thanks
      Andreas

  3. Hi, Andreas, thank you for your response. I put my vote on the URL you provided.
    So in the meantime, are you currently logging in with your AD acct, then su to obtain root?
    I read somewhere that you can do sudo if you use vMA. Do you use vMA to utilize sudo?
