That affects the permissions set on the VMs but also the permissions set at the server level.
While the cause is not exactly known, I suspect it is linked to a temporary unavailability of the AD (like a reboot): when the ESXi server cannot reach the AD, it wipes any permission corresponding to that AD. This is critical for the server hosting student VMs, especially the VMs for the WAE course, which have two or three students per VM.
To solve this problem, I have created a collection of tools that automatically back up the AD-based permissions and restore them if they disappear. The tools have been bundled in a VMware VIB (vSphere Installation Bundle) for easy deployment.
Download and install the VIB
Get the VIB from /home/pc-application/WINAPPS/VMware/offline_bundle_persist_perms.zip and copy it to the ESXi server. Note that only the offline version of the VIB is available.
Connect to the server shell and run:
esxcli software vib install -f -d /offline_bundle_persist_perms.zip
That's all you have to do. From now on, the AD permissions will persist.
The tools have been tailored for the CSIM environment, where AD permissions are in the form SMB4\user.
Update ESXi
Third-party VIBs that are not officially signed by VMware prevent ESXi updates. This is diagnosed quite late in the update process, so precious time can be lost. Note that this is also true for ghettoVCB.
Hence, the VIB must be removed before any ESXi update:
Remove the last AD permission
When the script detects that there are no more AD permissions, it automatically restores them from the backup. So when you remove the last permission, the script will try to restore it.
To prevent that you can remove the VIB before removing the last AD permission:
esxcli software vib remove -f -n persist_perms
Alternatively, you can stop cron:
kill `cat /var/run/crond.pid`
remove the permission, update the file /etc/persist_perms/permissions:
echo \#\!/bin/sh >/etc/persist_perms/permissions
and restart cron:
/usr/lib/vmware/busybox/bin/busybox crond
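The detect-and-restore behaviour described in this section, and the reason a shebang-only backup file stops the restore, shown as an added example (not the scripts shipped in the VIB). It covers host-level permissions only and assumes the column layout of `esxcli system permission list`; the function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example, not the scripts shipped in the VIB. Host-level permissions only.
DOMAIN='SMB4'   # AD prefix used on this page (SMB4\user)

# Constructed sample; the column layout of `esxcli system permission list`
# is an assumption of this example.
SAMPLE='Principal    Is Group  Role      Role Description
-----------  --------  --------  ----------------------
root         false     Admin     Full access rights
SMB4\alice   false     Admin     Full access rights
SMB4\wae-g1  true      ReadOnly  See details of objects'

# Read a permission listing on stdin and print one restore command per AD
# principal. Principals containing spaces are not handled.
ad_restore_cmds() {
    awk -v dom="$DOMAIN" 'NR > 2 && index($1, dom "\\") == 1 {
        user = substr($1, length(dom) + 2)
        # Values end up in a root-run script: skip anything outside a safe set.
        if (user == "" || user ~ /[^A-Za-z0-9._-]/) next
        if ($3 !~ /^(Admin|ReadOnly|NoAccess)$/) next
        printf "esxcli system permission set --id '\''%s'\'' --role %s%s\n",
               $1, $3, ($2 == "true" ? " --group" : "")
    }'
}

# $1 = current listing, $2 = backup script. Prints backup | restore | noop.
sync_perms() {
    cmds=$(printf '%s\n' "$1" | ad_restore_cmds)
    if [ -n "$cmds" ]; then
        # AD entries present: refresh the backup. The file is later run as
        # root, so create it owner-only and replace it atomically.
        ( umask 077; printf '#!/bin/sh\n%s\n' "$cmds" > "$2.tmp" ) &&
            mv "$2.tmp" "$2"
        echo backup
    elif grep -q '^esxcli ' "$2" 2>/dev/null; then
        echo restore   # no AD entries left: caller runs  sh "$2"
    else
        echo noop      # backup is shebang-only, nothing to restore
    fi
}

# On a host (not run here):
#   action=$(sync_perms "$(esxcli system permission list)" /etc/persist_perms/permissions)
#   [ "$action" = restore ] && sh /etc/persist_perms/permissions
```
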
What is installed by the VIB
The VIB installs the following files:
Revision History
How to construct a VIB
VMware used to offer the tool vibauthor to package a VIB. This tool is not available on the VMware website, but it has been packaged in a Docker container by William Lam. You can follow the instructions on William's page or follow the instructions below:
sudo docker pull lamw/vibauthor
docker run --rm -it lamw/vibauthor
The preparation of the files needed to create a VIB was inspired by William's page Creating Custom VIBs For ESXi 5.0 & 5.1 with VIB Author Fling. All the files needed for this VIB can be downloaded from /home/pc-application/WINAPPS/VMware/persist_perms-1.2.tgz.
After extracting the tar file, you should see the following file hierarchy:
$ tree stage
stage
├── descriptor.xml
└── payloads
    └── payload1
        ├── etc
        │   ├── persist_perms
        │   │   └── permissions
        │   └── rc.local.d
        │       └── 999.persist_perms.sh
        └── opt
            └── persist_perms
                ├── perm.awk
                ├── role.awk
                └── test-perms.sh

7 directories, 6 files
Note that:
Once the stage hierarchy has been finalized, the VIB may be created with the command:
vibauthor -C -t stage -f -O offline_bundle_persist_perms.zip