How to set up host connectivity? XenServer, RBAC & AD

Hi.
I can not get monitoring of a XenServer host working. Please help me.

XenServer 7.1.0 (RBAC & AD)
Lpar2RRD 6.02-24

It is my first XenServer host to add to Lpar2RRD.

1) I made a "lpar2rrd" user in AD, added it to the Xen host, and set its rights to ReadOnly (RBAC & AD).
In this case I can not connect by SSH.

2) I made a local user "lpar2rrd" on the Xen host, and I can connect to the host by SSH. But this user is not visible in the XenServer Users list and I can not assign it the ReadOnly role.

3) I added the config for the Xen host in the Lpar2RRD web UI for user "lpar2rrd"; the test gives HTTPS Err, HTTP OK, SSH (from the Lpar2RRD host) OK.
In the logs I see errors.

4) I changed the config for the Xen host in the Lpar2RRD web UI to user "root"; the test gives HTTP Error, SSH (from the Lpar2RRD host as the lpar2rrd user) OK.
In the logs there are no errors, but there is no info about the Xen host in the web GUI.

Please explain in more detail what I need to do if my XenServer uses RBAC & AD.

Comments

  • Hi Alex,

    LPAR2RRD requires a user account on your XenServer host that will allow running XenServer API queries such as xe host-list over SSH.

    By default, only root is allowed to access the XenServer API from the command line (xe command); other user accounts do not have this capability. In order to add it to any user account, you have to assign the account an RBAC role (documentation at Citrix' website); Read-Only should suffice for reading configuration and performance data.

    The steps are explained in the official documentation.

    Once you have a user account on your XenServer host, and it can run commands such as the aforementioned xe host-list and view their output, you can follow the rest of the LPAR2RRD installation instructions (XenServer/Citrix tab), i.e., exchange SSH keys for your XenServer user account, test the connection, and make sure that there is a scheduled cron job for load_xenserver.sh.

    If the SSH authorization part of the connection test fails, you can run it from the command line; the command will be listed in red in the host connection test dialog window.

    Once the XenServer host connection is set up correctly, it might take a while (several minutes, up to an hour, if you don't run the scripts manually) before XenServer data appear in the LPAR2RRD menu, because load_xenserver.sh has to fetch the data and then load.sh includes it in the menu.

  • Yes, as you say.

    If RBAC is used, only the root user is allowed to access the XenServer API.
    If AD is used, any other users come only from the external directory service (AD).
    So if I make a user lpar2rrd in my AD, add it in RBAC and assign the ReadOnly role, this is OK.

    But for this user (lpar2rrd from AD) it is not possible to manipulate RSA keys for SSH!

    This is my question: how to make the settings if Xen uses RBAC & AD.

    P.S. At this moment I have found how to work with the local root user (XenServer), but it is very insecure!!!
    For the root user the HTTP and HTTPS checks do not work, but over SSH I receive info.
  • David
    edited July 2019

    LPAR2RRD requires the following user-account credentials to fetch data from a XenServer host:

    • user name
    • password (to fetch performance data over HTTP(S))
    • SSH key (to fetch configuration data over SSH)

    Depending on your LPAR2RRD environment (whether it runs in an appliance, or not), authorization checks (API and SSH) in the web UI may fail, if it does not have rights to access corresponding certificates/keys; however, the load_xenserver.sh script may fetch data just fine.

    If the API authorization check fails with error 403 or similar (as opposed to error 500), user name or password is incorrect.

    Performance data can be fetched (over HTTP(S)) by an ordinary user, whereas access to configuration data relies on xe query commands. To reiterate, only root can do so by default. If RBAC is available (it is not in XenServer Free edition), other users can be assigned such rights; RBAC relies on Active Directory.

    If I understand it correctly, you have

    1. set up Active Directory and joined the domain with your XenServer host;
    2. created a new user in the Active Directory;
    3. added the new user as a subject on the XenServer host;
    4. assigned the new subject the Read-Only RBAC role on the XenServer host.

    Is that correct?

    • Can you log in as the new subject and get output from xe queries in the command-line, such as the xe host-list command?
    • Can you log in as the new subject over SSH with password-based authentication?
  • Hi, David.

    1) I made an AD user "lpar2rrd"

    PS C:\Users\User.Domen> Get-ADUSer lpar2rrd -properties memberof

    DistinguishedName : CN=lpar2rrd,OU=TestHiddenOU,DC=domen,DC=srv
    Enabled           : True
    GivenName         : lpar2rrd
    MemberOf          : {}
    Name              : lpar2rrd
    ObjectClass       : user
    ...
    UserPrincipalName : lpar2rrd@domen.srv 

    2) I connected to XenServer by CLI, using the info from https://docs.citrix.com/en-us/citrix-hypervisor/users/rbac-cli.html

    [root@dl580-s1-l1 ~]# ls -l /home
    total 0

    [root@dl580-s1-l1 ~]# xe role-list
    ...
    uuid ( RO)           : 7233b8e3-eacb-d7da-2c95-f2e581cdbf4e
               name ( RO): read-only
        description ( RO): The Read-Only role can log in with basic read-only access
    ...

    [root@dl580-s1-l1 /]# xe subject-add subject-name=dl580-s1-l1\lpar2rrd
    Subject cannot be resolved by the external directory service.

    [root@dl580-s1-l1 /]# xe subject-add subject-name=lpar2rrd
    9884ac6b-f44d-0bc7-0527-82e2d85bfb6b

    [root@dl580-s1-l1 /]# ls -l /home
    total 0

    [root@dl580-s1-l1 /]# xe subject-list
    ...
    uuid ( RO)                  : 9884ac6b-f44d-0bc7-0527-82e2d85bfb6b
        subject-identifier ( RO): S-1-5-21-1202660629-776561741-725345543-26871
              other-config (MRO): subject-name: DOMEN\lpar2rrd; subject-upn: lpar2rrd@DOMEN.SRV; subject-uid: 293628151; subject-gid: 293601793; subject-sid: S-1-5-21-1202660629-776561741-725345543-26871; subject-gecos: lpar2rrd; subject-displayname: lpar2rrd; subject-is-group: false; subject-account-disabled: FALSE; subject-account-expired: FALSE; subject-account-locked: FALSE; subject-password-expired: FALSE
                     roles (SRO):

    [root@dl580-s1-l1 /]# xe subject-role-add uuid=9884ac6b-f44d-0bc7-0527-82e2d85bfb6b role-name=read-only

    [root@dl580-s1-l1 /]# xe subject-list
    ...
    uuid ( RO)                  : 9884ac6b-f44d-0bc7-0527-82e2d85bfb6b
        subject-identifier ( RO): S-1-5-21-1202660629-776561741-725345543-26871
              other-config (MRO): subject-name: DOMEN\lpar2rrd; subject-upn: lpar2rrd@DOMEN.SRV; subject-uid: 293628151; subject-gid: 293601793; subject-sid: S-1-5-21-1202660629-776561741-725345543-26871; subject-gecos: lpar2rrd; subject-displayname: lpar2rrd; subject-is-group: false; subject-account-disabled: FALSE; subject-account-expired: FALSE; subject-account-locked: FALSE; subject-password-expired: FALSE
                     roles (SRO): read-only

    [root@dl580-s1-l1 /]# ls -l /home
    total 0

    3) OK, if I set (in the Lpar2RRD web GUI) USERNAME as lpar2rrd, check HTTP and enter its password, the Test gives OK.

    4) But the SSH key can not be applied, because the /home/lpar2rrd/.ssh directory does not exist! For SSH this user does not exist.

    If I try to connect from Lpar2RRD by SSH to the XenServer host (I use the password of the AD user):
    [lpar2rrd@stor2rrd ~]$ ssh lpar2rrd@dl580-s1-l1
    Password:
    Password:
    Password:
    lpar2rrd@dl580-s1-l1's password:
    Received disconnect from 10.100.9.118 port 22:2: Too many authentication failures for lpar2rrd
    Authentication failed.

    So if Xen uses RBAC & AD I can make a user and add the ReadOnly role, but this does not create the user structures on the Xen host for working with SSH keys.
  • David
    edited July 2019

    Thank you for clarification, Alex.

    Can you log in as the new user lpar2rrd at all? I mean in the local console or with su - lpar2rrd, when you are already logged in (probably as root).

  • David, you want me to log on as user lpar2rrd from the root session on the Xen host?

    Go to XenServer from Lpar2RRD with the SSH keys of the root user:
    [root@stor2rrd ~]# ssh dl580-s1-l1
    Last login: Thu Jul 18 14:37:43 2019 from stor2rrd.domen.srv

    Try to switch to the lpar2rrd user from AD, Linux-like:
    [root@dl580-s1-l1 ~]# su - lpar2rrd
    su: user lpar2rrd does not exist

    Try to connect by SSH:
    [root@dl580-s1-l1 ~]# ssh lpar2rrd@dl580-s1-l1
    The authenticity of host 'dl580-s1-l1 (127.0.0.1)' can't be established.
    ECDSA key fingerprint is eb:0c:5f:3b:37:39:d8:14:f2:87:34:23:83:c4:79:f8.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added 'dl580-s1-l1' (ECDSA) to the list of known hosts.
    Password:
    Password:
    Password:
    lpar2rrd@dl580-s1-l1's password:
    Permission denied, please try again.
    {Ctrl+C}

    Add the Pool-Admin role via RBAC to the AD user lpar2rrd:
    [root@dl580-s1-l1 ~]# xe subject-role-add uuid=9884ac6b-f44d-0bc7-0527-82e2d85bfb6b role-name=pool-admin

    Try to connect by SSH again:
    [root@dl580-s1-l1 ~]# ssh lpar2rrd@dl580-s1-l1
    Password:
    Password:
    Password:
    lpar2rrd@dl580-s1-l1's password:
    Permission denied, please try again.
    {Ctrl+C}


  • It appears that the local user corresponding to the subject does not exist.

    I see that you have tried to change the subject role to Pool-Admin, but apparently without any effect. Did you remove the previous role beforehand, as the "To change the RBAC role of a subject" documentation section suggests?

  • I did as you asked. No result.

    [root@dl580-s1-l1 etc]# xe subject-list
    ...
    uuid ( RO)                  : 9884ac6b-f44d-0bc7-0527-82e2d85bfb6b
        subject-identifier ( RO): S-1-5-21-1202660629-776561741-725345543-26871
              other-config (MRO): subject-name: DOMAIN\lpar2rrd; subject-upn: lpar2rrd@DOMAIN.SRV; subject-uid: 293628151; subject-gid: 293601793; subject-sid: S-1-5-21-1202660629-776561741-725345543-26871; subject-gecos: lpar2rrd; subject-displayname: lpar2rrd; subject-is-group: false; subject-account-disabled: FALSE; subject-account-expired: FALSE; subject-account-locked: FALSE; subject-password-expired: FALSE
                     roles (SRO): pool-admin

    [root@dl580-s1-l1 etc]# ssh lpar2rrd@dl580-s1-l1
    Password:
    Password:
    Password:
    lpar2rrd@dl580-s1-l1's password:
    Permission denied, please try again.
    lpar2rrd@dl580-s1-l1's password:
    {Ctrl+C}

    [root@dl580-s1-l1 etc]# su - lpar2rrd
    su: user lpar2rrd does not exist



  • Hi, David.
    I have some info.

    Command to log in by SSH with an AD user:
    # ssh DOMAIN\\username@hostname

    If the role "pool-admin" is set in RBAC, the following line is added (automatically) to the SSH PAM config file /etc/pam.d/sshd on XenServer:
      account sufficient pam_succeed_if.so user = DOMAIN\username
    and then login by SSH lands in a !!! root session:
    [lpar2rrd@stor2rrd ~]$ ssh DOMEN\\lpar2rrd@dl580-s1-l1
    Password:
    Last login: Fri Jul 19 10:02:05 2019 from stor2rrd.bank.srv
    [root@dl580-s1-l1 ~]#
    Any other roles do not make these changes, I tested it.

    P.S. I can log on as the AD user with the SSH key of the root user, e.g.
    [lpar2rrd@stor2rrd ~]$ ssh -i /home/lpar2rrd/.ssh/root/id_rsa DOMEN\\lpar2rrd@dl580-s1-l1
    Last login: Fri Jul 19 10:12:57 2019 from stor2rrd.bank.srv
    [root@dl580-s1-l1 ~]#

    I hope this helps you.
    Alex


  • OK, if I add the username in Lpar2RRD as "DOMAIN\username" I need to make changes in

    ./bin/xen-xapi2json.pl

    FROM:
        if ( $hosts{$host}{auth_ssh} ) {
            my $ssh_key = $hosts{$host}{ssh_key_id};
            ssh2json( $hostname, $username, $ssh_key );
        }

    TO:
        if ( $hosts{$host}{auth_ssh} ) {
            my $ssh_key = $hosts{$host}{ssh_key_id};
            ##A#
            #ssh2json( $hostname, $username, $ssh_key );
            my $ssh_username = $hosts{$host}{username};
            $ssh_username =~ s/\\/\\\\/g;
            ssh2json( $hostname, $ssh_username, $ssh_key );
            ##
        }



  • OK. A small guide to using an AD user, if you use XenServer with RBAC & AD.

    1. Make the changes in the file /bin/xen-xapi2json.pl (see above)

    2. Make an AD user lpar2rrd, add it to XenServer, assign it the role "pool-admin"

    3. Exchange the SSH key from the lpar2rrd user to the root user on XenServer
    [root@stor2rrd ~]# su - lpar2rrd
    [lpar2rrd@stor2rrd ~]$ cd .ssh
    [lpar2rrd@stor2rrd .ssh]$ ssh-copy-id -i id_rsa.pub root@xenhost
    * enter root password on XenServer
    [lpar2rrd@stor2rrd .ssh]$ cd ..
    [lpar2rrd@stor2rrd ~]$ cd lpar2rrd/
    [lpar2rrd@stor2rrd lpar2rrd]$ ./bin/sshtest.sh xenhost DOMAIN\\\\lpar2rrd /home/lpar2rrd/.ssh/id_rsa
    {"success":1,"error":"User DOMAIN\\\\lpar2rrd@xenhost has successfully authenticated.","log":""}
    [lpar2rrd@stor2rrd ~]$ ssh -i /home/lpar2rrd/.ssh/id_rsa DOMAIN\\lpar2rrd@xenhost
    [root@xenhost ~]# 

    4. Add XenServer in Lpar2RRD, using the user name DOMAIN\lpar2rrd, its password and the SSH key /home/lpar2rrd/.ssh/id_rsa

    But I use super user rights, and I can not find how to avoid it.
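
    The guide above ends with a monitoring subject holding pool-admin, which, as the earlier post shows, maps the AD user to a root shell over SSH. The following is an added example, not part of this thread or of LPAR2RRD: it parses `xe subject-list` output in the layout shown above and flags any user (non-group) subject whose role goes beyond read-only. The sample records are constructed from the thread's layout plus one hypothetical second subject.

```python
"""Audit `xe subject-list` output for over-privileged monitoring subjects.
Added example, not LPAR2RRD/XenServer code; sample records are constructed."""
import re

# Constructed sample in the layout `xe subject-list` prints (fields trimmed).
SAMPLE = """\
uuid ( RO)                  : 9884ac6b-f44d-0bc7-0527-82e2d85bfb6b
    subject-identifier ( RO): S-1-5-21-1202660629-776561741-725345543-26871
          other-config (MRO): subject-name: DOMEN\\lpar2rrd; subject-upn: lpar2rrd@DOMEN.SRV; subject-is-group: false
                 roles (SRO): pool-admin

uuid ( RO)                  : 00000000-0000-0000-0000-000000000001
          other-config (MRO): subject-name: DOMEN\\monitor-ro; subject-is-group: false
                 roles (SRO): read-only
"""

# "<key> ( RO):" / "(MRO):" / "(SRO):" header, value after the colon.
FIELD = re.compile(r"^\s*([\w-]+)\s+\(\s*[A-Z]+\)\s*:\s*(.*)$")

def parse_subjects(text):
    """Return one dict per blank-line-separated record, other-config flattened."""
    subjects, cur = [], {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:                      # blank or "..." line ends a record
            if cur:
                subjects.append(cur)
                cur = {}
            continue
        key, value = m.group(1), m.group(2).strip()
        if key == "other-config":      # "k: v; k: v" pairs
            pairs = (p.split(": ", 1) for p in value.split("; ") if ": " in p)
            cur.update({k.strip(): v.strip() for k, v in pairs})
        elif key == "roles":           # empty when no role is assigned yet
            cur["roles"] = [r.strip() for r in value.split(",") if r.strip()]
        else:
            cur[key] = value
    if cur:
        subjects.append(cur)
    return subjects

def over_privileged(subjects, allowed=("read-only",)):
    """subject-name of every user (non-group) subject with a role outside `allowed`."""
    return [s.get("subject-name", s.get("uuid", "?")) for s in subjects
            if s.get("subject-is-group", "false").lower() == "false"
            and any(r not in allowed for r in s.get("roles", []))]

if __name__ == "__main__":
    for name in over_privileged(parse_subjects(SAMPLE)):
        print("over-privileged monitoring subject:", name)
```

    Feed it the real `xe subject-list` output instead of SAMPLE to check a pool after setting up monitoring accounts.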

  • Hi Alex,

    We have no simple solution for that either.
    The solution would be avoiding SSH access; it could potentially be possible, as we recently discovered.
    However, it is not easy; it would require redesigning the data gathering (using a different API, which brings some other problems...).

    So no solution here for now from us :(


