April 2018 Archives

Wed Apr 4 12:55:45 +07 2018

Give permission to a domain user on an ESXi host

With ESXi 6.5, the only way to grant a permission to a domain (Active Directory) user is through the command line: connect to the ESXi host over SSH and run:
esxcli system permission set --id='smb4\on' --role=Admin
or:
esxcli system permission set --id='smb4\Domain users' -g --role=ReadOnly
where -g marks the id as a group rather than a user. Note: permissions created from the command line do not show up in the web interface. Use the command esxcli system permission list to see the active permissions.

Every domain user must first be granted read permission on the whole system before they can be given a higher permission on a dedicated VM:

vim-cmd vimsvc/auth/entity_permission_add vim.Folder:ha-folder-root "SMB4\domain^users" true "Browse Datastore" true

The role Browse Datastore must have been created (see below) before granting the permission.

Note: the esxcli command only accepts system (built-in) roles such as Admin or ReadOnly; for a custom role like Browse Datastore, vim-cmd must be used.

Permissions on a virtual machine can be set through the web interface; the domain user name is of the form smb4\st123456.

Local roles

These are the roles that are defined on CSIM ESXi servers.
Browse Datastore
Allows a user to browse the datastore; this is needed to list the .iso images available on the server.
vim-cmd vimsvc/auth/role_add "Browse Datastore" Datastore.Browse System.Anonymous System.Read System.View
One Virtual Machine
Gives users permission to use, configure and run a specific VM.
vim-cmd vimsvc/auth/role_add "One Virtual Machine" Datastore.Browse System.Anonymous System.Read System.View \
VirtualMachine.Config.AddRemoveDevice VirtualMachine.Config.EditDevice VirtualMachine.Config.Settings \
VirtualMachine.GuestOperations.Execute VirtualMachine.GuestOperations.Modify VirtualMachine.GuestOperations.Query \
VirtualMachine.Interact.AnswerQuestion VirtualMachine.Interact.Backup VirtualMachine.Interact.ConsoleInteract \
VirtualMachine.Interact.CreateScreenshot VirtualMachine.Interact.DeviceConnection VirtualMachine.Interact.DnD \
VirtualMachine.Interact.GuestControl VirtualMachine.Interact.MakePrimary VirtualMachine.Interact.Pause \
VirtualMachine.Interact.PowerOff VirtualMachine.Interact.PowerOn VirtualMachine.Interact.Record \
VirtualMachine.Interact.Replay VirtualMachine.Interact.Reset VirtualMachine.Interact.SetCDMedia \
VirtualMachine.Interact.SetFloppyMedia VirtualMachine.Interact.Suspend VirtualMachine.Interact.ToolsInstall \
VirtualMachine.Inventory.Create VirtualMachine.Inventory.Delete VirtualMachine.Inventory.Move \
VirtualMachine.Inventory.Register VirtualMachine.Inventory.Unregister VirtualMachine.State.CreateSnapshot \
VirtualMachine.State.RemoveSnapshot VirtualMachine.State.RenameSnapshot VirtualMachine.State.RevertToSnapshot
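The whole procedure above (create the custom role if it is missing, give the domain group read access on the root folder, then give one user the "One Virtual Machine" role on one VM) can be wrapped in a small script for the ESXi shell. The script below is an added example, not code from the original post. It assumes the NetBIOS domain name SMB4, that vim-cmd vimsvc/auth/roles prints each role name in double quotes (used to skip an existing role, since role_add fails on duplicates), and that a VM is addressed as vim.VirtualMachine:<vmid> with the numeric id shown by vim-cmd vmsvc/getallvms. With DRY_RUN=1 it prints the commands instead of executing them, so the change can be reviewed before it is applied to the host.

```shell
#!/bin/sh
# Added example, not from the original post: grant ESXi permissions to
# Active Directory users and groups with vim-cmd. Assumptions: NetBIOS domain
# "SMB4", role names appear in double quotes in `vim-cmd vimsvc/auth/roles`,
# and a VM entity id has the form vim.VirtualMachine:<vmid>.
# DRY_RUN=1 prints each command instead of executing it.

DOMAIN="${DOMAIN:-SMB4}"
DRY_RUN="${DRY_RUN:-0}"
ROOT_ENTITY="vim.Folder:ha-folder-root"

# Print the command in dry-run mode, execute it otherwise.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# True if a role of that name is already defined on the host. In dry-run
# mode nothing is queried and the role is assumed to be missing.
role_exists() {
    [ "$DRY_RUN" = "1" ] && return 1
    vim-cmd vimsvc/auth/roles 2>/dev/null | grep -q "\"$1\""
}

# Create a custom role only if it does not exist yet (role_add fails on a
# duplicate name); remaining arguments are the privilege ids.
ensure_role() {
    name="$1"; shift
    if role_exists "$name"; then
        echo "role '$name' already exists, skipping"
    else
        run vim-cmd vimsvc/auth/role_add "$name" "$@"
    fi
}

# Give a domain group the "Browse Datastore" role on the root folder,
# propagated to every object: the read access every domain user needs first.
grant_root_browse() {
    group="$1"
    run vim-cmd vimsvc/auth/entity_permission_add "$ROOT_ENTITY" \
        "$DOMAIN\\$group" true "Browse Datastore" true
}

# Give a single domain user the "One Virtual Machine" role on one VM only
# (no propagation). The vmid is the numeric id from `vim-cmd vmsvc/getallvms`.
grant_vm_to_user() {
    user="$1"; vmid="$2"
    run vim-cmd vimsvc/auth/entity_permission_add "vim.VirtualMachine:$vmid" \
        "$DOMAIN\\$user" false "One Virtual Machine" false
}

# List what the host currently has, for review after the change.
show_permissions() {
    run esxcli system permission list
}

# Demo with constructed values: group "domain users", user st123456 on VM 12.
if [ "${1:-}" = "--demo" ]; then
    ensure_role "Browse Datastore" Datastore.Browse System.Anonymous System.Read System.View
    grant_root_browse "domain users"
    grant_vm_to_user st123456 12
    show_permissions
fi
```

Run it as DRY_RUN=1 sh grant.sh --demo on the host first and compare the printed commands with the ones listed above; the "One Virtual Machine" role itself is created the same way with ensure_role and the privilege list from the previous section.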

Posted by Olivier | Permanent link | File under: administration, samba, vmware