Update Log:
12/02/2016 – Updated “Editing the Krb5.conf file” chapter.
Introduction
In this post we are going to take a look at the configuration needed in order to add PowerShell hosts from multiple domains using Kerberos to the same vCenter Orchestrator (vCO)/vRealize Orchestrator (vRO) Appliance.
Lab Environment
The full lab logical design can be seen HERE.
Editing the Krb5.conf file
The lab consists of two domains with a parent-child relationship: vmware.com and support.vmware.com.
Our vRO is located in the vmware.com domain. We want to add two PowerShell hosts, one from each domain, using Kerberos authentication.
First we need to edit the Kerberos configuration file (krb5.conf) of the appliance. In our case the file should look like this:
vco-a-01:~ # vi /usr/java/jre-vmware/lib/security/krb5.conf
[libdefaults]
default_realm = VMWARE.COM
udp_preference_limit = 1
[realms]
VMWARE.COM = {
kdc = lan1dc1.vmware.com
admin_server = lan1dc1.vmware.com
default_domain = vmware.com
}
SUPPORT.VMWARE.COM = {
kdc = lan2dc1.support.vmware.com
admin_server = lan2dc1.support.vmware.com
default_domain = support.vmware.com
}
[domain_realm]
.vmware.com=VMWARE.COM
vmware.com=VMWARE.COM
.support.vmware.com=SUPPORT.VMWARE.COM
support.vmware.com=SUPPORT.VMWARE.COM
[logging]
kdc = FILE:/var/log/krb5/krb5kdc.log
admin_server = FILE:/var/log/krb5/kadmind.log
default = SYSLOG:NOTICE:DAEMON
If you are working with the vRA Embedded vRO the file is located in /etc/krb5.conf.
You may add additional domains as you see fit. Note that a common typo is domain_realms instead of domain_realm.
If you have created a new krb5.conf file, make sure to set the owner:
# chown root:root /usr/java/jre-vmware/lib/security/krb5.conf
Assign permissions (rw-r--r--): the owner may read and write the file, while all others may only read it. This is a common setting for data files that everybody may read but only the owner may change.
# chmod 644 /usr/java/jre-vmware/lib/security/krb5.conf
After you have edited the krb5.conf file either reboot the appliance or restart the vco-server service:
# service vco-server restart
For common mistakes when editing files that can lead to malformed content or wrong encoding, see: Wrong encoding or formatting of Linux configuration files can cause problems in VMware Appliances
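Before restarting vco-server it is worth checking the file for exactly the mistakes described above. The following script is an added example and not part of the original post: it validates a krb5.conf for the domain_realms typo, for realms that are mapped in [domain_realm] or used as default_realm but never defined in [realms], for CRLF line endings or a UTF-8 BOM left by a Windows editor, and for the owner and mode set by the chown/chmod steps. The function names and the sample configurations embedded in it are constructed for this example; the default path is the appliance path used in the post.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check krb5.conf on the
# vRO appliance before restarting vco-server. Function names and the sample
# configs are constructed; the default path is the one the post uses.

# Content checks. Prints every problem found on stdout; returns 0 only if none.
check_krb5_conf() {
    conf="${1:-/usr/java/jre-vmware/lib/security/krb5.conf}"
    rc=0
    [ -f "$conf" ] || { echo "missing file: $conf"; return 1; }

    # Section names krb5.conf actually knows; anything else is a typo.
    for s in $(grep -o '^\[[^]]*\]' "$conf"); do
        case "$s" in
            '[libdefaults]'|'[realms]'|'[domain_realm]'|'[logging]') ;;
            '[appdefaults]'|'[capaths]'|'[plugins]'|'[dbdefaults]'|'[dbmodules]') ;;
            *) echo "unknown section $s (did you mean [domain_realm]?)"; rc=1 ;;
        esac
    done
    grep -q '^\[realms\]' "$conf" || { echo "no [realms] section"; rc=1; }
    grep -q '^\[domain_realm\]' "$conf" || { echo "no [domain_realm] section"; rc=1; }

    # Encoding: CRLF endings or a BOM from a Windows editor break the parser.
    if grep -q "$(printf '\r')" "$conf"; then echo "CRLF line endings found"; rc=1; fi
    if [ "$(head -c 3 "$conf" | od -An -tx1 | tr -d ' \n')" = "efbbbf" ]; then
        echo "UTF-8 BOM found"; rc=1
    fi

    # Every realm named by default_realm or mapped in [domain_realm] must be
    # defined in [realms], or the KDC lookup for that realm fails.
    awk '
        /^\[/ { sec = $0; sub(/[ \t\r]+$/, "", sec); next }
        /^[ \t]*[#;]/ { next }
        sec == "[realms]" && /=[ \t]*[{]/ { n = $0; sub(/[ \t]*=.*/, "", n); sub(/^[ \t]+/, "", n); def[n] = 1 }
        sec == "[libdefaults]" && /^[ \t]*default_realm[ \t]*=/ { split($0, a, "="); r = a[2]; gsub(/[ \t\r]/, "", r); ref[r] = 1 }
        sec == "[domain_realm]" && /=/ { split($0, a, "="); r = a[2]; gsub(/[ \t\r]/, "", r); ref[r] = 1 }
        END { for (r in ref) if (!(r in def)) { print "realm " r " is referenced but not defined in [realms]"; bad = 1 }; exit bad + 0 }
    ' "$conf" || rc=1
    return $rc
}

# Owner/mode checks for the chown/chmod step (GNU stat, as on the appliance).
check_krb5_perms() {
    conf="${1:-/usr/java/jre-vmware/lib/security/krb5.conf}"
    mode=$(stat -c '%a' "$conf" 2>/dev/null) || { echo "cannot stat $conf"; return 1; }
    owner=$(stat -c '%U:%G' "$conf" 2>/dev/null) || { echo "cannot stat $conf"; return 1; }
    rc=0
    [ "$mode" = "644" ] || { echo "mode is $mode, expected 644"; rc=1; }
    [ "$owner" = "root:root" ] || { echo "owner is $owner, expected root:root"; rc=1; }
    return $rc
}

# Constructed sample with the post's two-realm layout.
sample_good_conf() {
    cat <<'EOF'
[libdefaults]
default_realm = VMWARE.COM
udp_preference_limit = 1
[realms]
VMWARE.COM = {
kdc = lan1dc1.vmware.com
admin_server = lan1dc1.vmware.com
default_domain = vmware.com
}
SUPPORT.VMWARE.COM = {
kdc = lan2dc1.support.vmware.com
admin_server = lan2dc1.support.vmware.com
default_domain = support.vmware.com
}
[domain_realm]
.vmware.com=VMWARE.COM
vmware.com=VMWARE.COM
.support.vmware.com=SUPPORT.VMWARE.COM
support.vmware.com=SUPPORT.VMWARE.COM
EOF
}

# The same content with the domain_realms typo and CRLF line endings.
sample_bad_conf() {
    sample_good_conf | sed 's/\[domain_realm\]/[domain_realms]/' | awk '{ printf "%s\r\n", $0 }'
}

# Demo: write both samples to temp files and check them.
demo() {
    for kind in good bad; do
        f=$(mktemp)
        "sample_${kind}_conf" > "$f"
        if check_krb5_conf "$f"; then echo "$kind sample: OK"; else echo "$kind sample: problems found"; fi
        rm -f "$f"
    done
}
demo
```

Run it on the appliance as `sh check_krb5.sh` after editing; `check_krb5_conf` and `check_krb5_perms` can also be called with an explicit path, for example the embedded vRO's /etc/krb5.conf. A non-zero return from either means the file should be fixed before `service vco-server restart`.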
Adding the PowerShell hosts
Open vRO and run the Add a PowerShell host workflow.
If you haven’t edited the file correctly, you might receive the following error/exception:
No valid credentials provided (Mechanism level: No valid credentials provided (Mechanism level: Fail to create credential. (63) – No service creds)) (Dynamic Script Module name : addPowerShellHost#16)
Note that you will also receive this or a similar error if you are not using the vRO PowerShell Plug-in version 1.0.6.2283945 or above. Multi-domain (cross-domain) Kerberos authentication doesn’t work in vRO with a lower version of the plug-in.
Special Thanks to Ivo Gaydajiev
Final Step
If all went well, go grab a beer.