How to set up host connectivity? XenServer, RBAC & AD
I cannot get monitoring of a XenServer host working. Please help me.
XenServer 7.1.0 (RBAC & AD)
Lpar2RRD 6.02-24
It is my first XenServer host to add to Lpar2RRD.
1) I created an "lpar2rrd" user in AD, added it to the Xen host and set its rights to Read-Only (RBAC & AD).
In this case I cannot connect by SSH.
2) I created a local user "lpar2rrd" on the Xen host, and I can connect to the host by SSH. But this user does not appear in the XenServer Users list and I cannot assign the Read-Only role to it.
3) I added a config for the Xen host in the Lpar2RRD web UI for user "lpar2rrd"; test: HTTPS Err, HTTP OK, SSH (from the Lpar2RRD host) OK.
In the logs I see errors.
4) I changed the config for the Xen host in the Lpar2RRD web UI to user "root"; test: HTTP Error, SSH (from the Lpar2RRD host as the lpar2rrd user) OK.
In the logs there are no errors, but there is no info about the Xen host in the web GUI.
Please explain in more detail what I need to do if my XenServer uses RBAC & AD.
Comments
-
Hi Alex,
LPAR2RRD requires a user account on your XenServer host that will allow running XenServer API queries such as xe host-list over SSH. By default, only root is allowed to access the XenServer API from the command line (xe command); other user accounts do not have this capability. In order to add it to any user account, you have to assign the account an RBAC role (documentation at Citrix' website); Read-Only should suffice for reading configuration and performance data. The steps are explained in the official documentation.
Once you have a user account on your XenServer host, and it can run commands such as the aforementioned xe host-list and view their output, you can follow the rest of the LPAR2RRD installation instructions (XenServer/Citrix tab), i.e., exchange SSH keys for your XenServer user account, test the connection, and make sure that there is a scheduled cron job for load_xenserver.sh. If the SSH authorization part of the connection test fails, you can run it from the command line; the command will be listed in red in the host connection test dialog window.
Once the XenServer host connection is set up correctly, it might take a while (several minutes, up to an hour, if you don't run the scripts manually) before XenServer data appear in the LPAR2RRD menu, because load_xenserver.sh has to fetch the data and then load.sh includes it in the menu. -
Yes, as you say.
If RBAC is used, only the root user is allowed to access the XenServer API.
If AD is used, any other users come only from the external directory service (AD).
So, if I create the user lpar2rrd in my AD, add it in RBAC and assign the Read-Only role, this is OK.
But for this user (lpar2rrd from AD) it is not possible to manage RSA keys for SSH!
This is my question: how to make the settings if Xen uses RBAC & AD.
P.S. At this moment I have found how to work with the local root user (XenServer), but it is very insecure!!!
For the root user the HTTP and HTTPS checks do not work, but by SSH I receive info. -
LPAR2RRD requires the following user-account credentials to fetch data from a XenServer host:
- user name
- password (to fetch performance data over HTTP(S))
- SSH key (to fetch configuration data over SSH)
Depending on your LPAR2RRD environment (whether it runs in an appliance, or not), the authorization checks (API and SSH) in the web UI may fail if it does not have rights to access the corresponding certificates/keys; however, the load_xenserver.sh script may fetch data just fine. If the API authorization check fails with error 403 or similar (as opposed to error 500), the user name or password is incorrect.
Performance data can be fetched (over HTTP(S)) by an ordinary user, whereas access to configuration data relies on xe query commands. To reiterate, only root can do so by default. If RBAC is available (it is not in XenServer Free edition), other users can be assigned such rights; RBAC relies on Active Directory. If I understand it correctly, you have
- set up Active Directory and joined the domain with your XenServer host;
- created a new user in the Active Directory;
- added the new user as a subject on the XenServer host;
- assigned the new subject the Read-Only RBAC role on the XenServer host.
Is that correct?
- Can you log in as the new subject and get output from xe queries in the command line, such as the xe host-list command?
- Can you log in as the new subject over SSH with password-based authentication?
-
Hi, David.
1) I created the AD user "lpar2rrd":
PS C:\Users\User.Domen> Get-ADUser lpar2rrd -properties memberof
DistinguishedName : CN=lpar2rrd,OU=TestHiddenOU,DC=domen,DC=srv
Enabled : True
GivenName : lpar2rrd
MemberOf : {}
Name : lpar2rrd
ObjectClass : user
...
UserPrincipalName : lpar2rrd@domen.srv
2) I connected to XenServer by CLI, using the info from https://docs.citrix.com/en-us/citrix-hypervisor/users/rbac-cli.html
[root@dl580-s1-l1 ~]# ls -l /home
total 0
[root@dl580-s1-l1 ~]# xe role-list
...
uuid ( RO) : 7233b8e3-eacb-d7da-2c95-f2e581cdbf4e
name ( RO): read-only
description ( RO): The Read-Only role can log in with basic read-only access
...
[root@dl580-s1-l1 /]# xe subject-add subject-name=dl580-s1-l1\lpar2rrd
Subject cannot be resolved by the external directory service.
[root@dl580-s1-l1 /]# xe subject-add subject-name=lpar2rrd
9884ac6b-f44d-0bc7-0527-82e2d85bfb6b
[root@dl580-s1-l1 /]# ls -l /home
total 0
[root@dl580-s1-l1 /]# xe subject-list
...
uuid ( RO) : 9884ac6b-f44d-0bc7-0527-82e2d85bfb6b
subject-identifier ( RO): S-1-5-21-1202660629-776561741-725345543-26871
other-config (MRO): subject-name: DOMEN\lpar2rrd; subject-upn: lpar2rrd@DOMEN.SRV; subject-uid: 293628151; subject-gid: 293601793; subject-sid: S-1-5-21-1202660629-776561741-725345543-26871; subject-gecos: lpar2rrd; subject-displayname: lpar2rrd; subject-is-group: false; subject-account-disabled: FALSE; subject-account-expired: FALSE; subject-account-locked: FALSE; subject-password-expired: FALSE
roles (SRO):
[root@dl580-s1-l1 /]# xe subject-role-add uuid=9884ac6b-f44d-0bc7-0527-82e2d85bfb6b role-name=read-only
[root@dl580-s1-l1 /]# xe subject-list
...
uuid ( RO) : 9884ac6b-f44d-0bc7-0527-82e2d85bfb6b
subject-identifier ( RO): S-1-5-21-1202660629-776561741-725345543-26871
other-config (MRO): subject-name: DOMEN\lpar2rrd; subject-upn: lpar2rrd@DOMEN.SRV; subject-uid: 293628151; subject-gid: 293601793; subject-sid: S-1-5-21-1202660629-776561741-725345543-26871; subject-gecos: lpar2rrd; subject-displayname: lpar2rrd; subject-is-group: false; subject-account-disabled: FALSE; subject-account-expired: FALSE; subject-account-locked: FALSE; subject-password-expired: FALSE
roles (SRO): read-only
[root@dl580-s1-l1 /]# ls -l /home
total 0
3) OK, if I set (in the Lpar2RRD web GUI) USERNAME to lpar2rrd, check HTTP and enter his password, with Test I get OK.
4) But the SSH key cannot be applied, because the /home/lpar2rrd/.ssh directory does not exist! For SSH this user does not exist.
If I try to connect from Lpar2RRD by SSH to the XenServer host (I use the password of the AD user):
[lpar2rrd@stor2rrd ~]$ ssh lpar2rrd@dl580-s1-l1
Password:
Password:
Password:
lpar2rrd@dl580-s1-l1's password:
Received disconnect from 10.100.9.118 port 22:2: Too many authentication failures for lpar2rrd
Authentication failed.
So, if Xen uses RBAC & AD I can create the user and add the Read-Only role, but this does not create the user structures on the Xen host needed for working with SSH keys. -
Thank you for the clarification, Alex.
Can you log in as the new user lpar2rrd at all? I mean in the local console or with su - lpar2rrd, when you are already logged in (probably as root). -
David, you want me to log the user lpar2rrd into the root session on the Xen host?
Go to XenServer from Lpar2RRD by SSH keys for the root user:
[root@stor2rrd ~]# ssh dl580-s1-l1
Last login: Thu Jul 18 14:37:43 2019 from stor2rrd.domen.srv
Try to switch to the lpar2rrd user from AD, Linux-style:
[root@dl580-s1-l1 ~]# su - lpar2rrd
su: user lpar2rrd does not exist
Try to connect by SSH:
[root@dl580-s1-l1 ~]# ssh lpar2rrd@dl580-s1-l1
The authenticity of host 'dl580-s1-l1 (127.0.0.1)' can't be established.
ECDSA key fingerprint is eb:0c:5f:3b:37:39:d8:14:f2:87:34:23:83:c4:79:f8.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'dl580-s1-l1' (ECDSA) to the list of known hosts.
Password:
Password:
Password:
lpar2rrd@dl580-s1-l1's password:
Permission denied, please try again.
{Ctrl+C}
Add the Pool-Admin role by RBAC to the AD user lpar2rrd:
[root@dl580-s1-l1 ~]# xe subject-role-add uuid=9884ac6b-f44d-0bc7-0527-82e2d85bfb6b role-name=pool-admin
Try to connect by SSH again:
[root@dl580-s1-l1 ~]# ssh lpar2rrd@dl580-s1-l1
Password:
Password:
Password:
lpar2rrd@dl580-s1-l1's password:
Permission denied, please try again.
{Ctrl+C} -
It appears that the local user corresponding to the subject does not exist.
I see that you have tried to change the subject role to Pool-Admin, but apparently without any effect. Did you remove the previous role beforehand, as the "To change the RBAC role of a subject" documentation section suggests?
-
I did as you asked. No result.
[root@dl580-s1-l1 etc]# xe subject-list
...
uuid ( RO) : 9884ac6b-f44d-0bc7-0527-82e2d85bfb6b
subject-identifier ( RO): S-1-5-21-1202660629-776561741-725345543-26871
other-config (MRO): subject-name: DOMAIN\lpar2rrd; subject-upn: lpar2rrd@DOMAIN.SRV; subject-uid: 293628151; subject-gid: 293601793; subject-sid: S-1-5-21-1202660629-776561741-725345543-26871; subject-gecos: lpar2rrd; subject-displayname: lpar2rrd; subject-is-group: false; subject-account-disabled: FALSE; subject-account-expired: FALSE; subject-account-locked: FALSE; subject-password-expired: FALSE
roles (SRO): pool-admin
[root@dl580-s1-l1 etc]# ssh lpar2rrd@dl580-s1-l1
Password:
Password:
Password:
lpar2rrd@dl580-s1-l1's password:
Permission denied, please try again.
lpar2rrd@dl580-s1-l1's password:
{Ctrl+C}
[root@dl580-s1-l1 etc]# su - lpar2rrd
su: user lpar2rrd does not exist
-
Hi, David.
I have some info.
Command to log in by SSH with an AD user:
# ssh DOMAIN\\username@hostname
If the "pool-admin" role is set in RBAC, the following line is added (automatically) to the SSH config file /etc/pam.d/sshd on XenServer:
account sufficient pam_succeed_if.so user = DOMAIN\username
and then login by SSH goes to the !!! root session:
[lpar2rrd@stor2rrd ~]$ ssh DOMEN\\lpar2rrd@dl580-s1-l1
Password:
Last login: Fri Jul 19 10:02:05 2019 from stor2rrd.bank.srv
[root@dl580-s1-l1 ~]#
Other roles do not make this change; I tested it.
P.S. I can log on as the AD user with the SSH key of the root user, e.g.:
[lpar2rrd@stor2rrd ~]$ ssh -i /home/lpar2rrd/.ssh/root/id_rsa DOMEN\\lpar2rrd@dl580-s1-l1
Last login: Fri Jul 19 10:12:57 2019 from stor2rrd.bank.srv
[root@dl580-s1-l1 ~]#
I hope this helps you.
Alex -
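The pam_succeed_if line quoted in the post above is the security-relevant detail of this thread: on the poster's host it turns an AD account's SSH login into a root shell, and it lives in the PAM stack rather than in /etc/passwd or any authorized_keys file. The following is an added example, not LPAR2RRD code and not something the poster ran, that lists every account granted that way so such entries can be audited. The PAM stack it parses is constructed inline for the example (the pam_succeed_if lines follow the form quoted in the thread; the remaining lines are assumed defaults, not copied from a real host); on a real XenServer you would feed it /etc/pam.d/sshd instead.

```shell
#!/bin/sh
# Added example (not LPAR2RRD code, not from the forum thread): list the
# accounts that an sshd PAM stack lets through via pam_succeed_if.
# Per the thread, XenServer 7.1 appended such a line when an AD subject got
# the pool-admin RBAC role, after which that user's SSH login landed in a
# root shell.  Every name reported here is therefore an SSH-to-root path
# that a review of /etc/passwd or ~/.ssh/authorized_keys alone would miss.

# Sample PAM stack, constructed for this example.  The pam_succeed_if lines
# mirror the thread; the other lines are assumed CentOS-style defaults.
PAM_SSHD_SAMPLE='#%PAM-1.0
auth       required     pam_sepermit.so
auth       include      password-auth
account    sufficient   pam_succeed_if.so user = DOMEN\lpar2rrd
account    sufficient   pam_succeed_if.so user = DOMEN\ops-admin
account    required     pam_nologin.so
account    include      password-auth
session    include      password-auth'

# Read a PAM config on stdin; print one user name per line for every
# "account ... pam_succeed_if.so ... user = NAME" entry.
# Real use:  pam_succeed_if_users < /etc/pam.d/sshd
pam_succeed_if_users() {
    awk '$1 == "account" && $3 == "pam_succeed_if.so" {
             for (i = 4; i <= NF; i++)
                 if ($i == "user" && $(i + 1) == "=") print $(i + 2)
         }'
}

# Exit status 0 if $1 (DOMAIN\user form, single backslash, quote it) is
# granted by the sample stack, 1 otherwise.  Fixed-string whole-line match
# (-F -x) so the backslash is not read as a regex escape.
is_pam_granted() {
    printf '%s\n' "$PAM_SSHD_SAMPLE" | pam_succeed_if_users | grep -Fqx -- "$1"
}

# Number of pam_succeed_if grants in the sample stack.
pam_grant_count() {
    printf '%s\n' "$PAM_SSHD_SAMPLE" | pam_succeed_if_users | wc -l | tr -d ' '
}

# Stand-alone run: print the grants found in the sample.
printf '%s\n' "$PAM_SSHD_SAMPLE" | pam_succeed_if_users
```

Run it against the sample and it prints DOMEN\lpar2rrd and DOMEN\ops-admin; pointed at a real /etc/pam.d/sshd, any name it prints is an account that reaches dom0 without a matching local user, which is worth cross-checking against the output of xe subject-list.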
OK, if I add the username in Lpar2RRD as "DOMAIN\username", I need to make changes in ./bin/xen-xapi2json.pl
FROM:
if ( $hosts{$host}{auth_ssh} ) {
    my $ssh_key = $hosts{$host}{ssh_key_id};
    ssh2json( $hostname, $username, $ssh_key );
}
TO:
if ( $hosts{$host}{auth_ssh} ) {
    my $ssh_key = $hosts{$host}{ssh_key_id};
    ##A##ssh2json( $hostname, $username, $ssh_key );
    my $ssh_username = $hosts{$host}{username};
    $ssh_username =~ s/\\/\\\\/g;
    ssh2json( $hostname, $ssh_username, $ssh_key );
    ##
}
-
OK. A small guide to using an AD user if you run XenServer with RBAC & AD.
1. Make the changes in the file /bin/xen-xapi2json.pl (see above)
2. Create the AD user lpar2rrd, add him to XenServer, and add him the role "pool-admin"
3. Exchange the SSH key of the lpar2rrd user with the root user on XenServer:
[root@stor2rrd ~]# su - lpar2rrd
[lpar2rrd@stor2rrd ~]$ cd .ssh
[lpar2rrd@stor2rrd .ssh]$ ssh-copy-id -i id_rsa.pub root@xenhost
* enter the root password of XenServer
[lpar2rrd@stor2rrd .ssh]$ cd ..
[lpar2rrd@stor2rrd ~]$ cd lpar2rrd/
[lpar2rrd@stor2rrd lpar2rrd]$ ./bin/sshtest.sh xenhost DOMAIN\\\\lpar2rrd /home/lpar2rrd/.ssh/id_rsa
{"success":1,"error":"User DOMAIN\\\\lpar2rrd@xenhost has successfully authenticated.","log":""}
[lpar2rrd@stor2rrd ~]$ ssh -i /home/lpar2rrd/.ssh/id_rsa DOMAIN\\lpar2rrd@xenhost
[root@xenhost ~]#
4. Add XenServer in Lpar2RRD, using the user name DOMAIN\lpar2rrd, his password and the SSH key /home/lpar2rrd/.ssh/id_rsa
But I am using superuser rights, and I cannot find how to avoid that. -
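Two points in the guide above are easy to get wrong: the DOMAIN\user name has to be escaped exactly once for the shell layer that hands it to ssh (which is what the Perl patch and the quadruple backslash on the sshtest.sh line are about), and the account's RBAC role decides whether that SSH session is a read-only login or, per the thread, a root shell. The following is an added example, not LPAR2RRD code and not from the thread, that does both checks offline: it applies the same backslash doubling as the Perl patch, and it parses xe subject-list output to report a subject's roles. The subject-list text is constructed for the example (the first record reuses the UUID and SID the poster showed; the second record, its UUID and SID are invented); on a real host you would pipe xe subject-list into subject_roles instead.

```shell
#!/bin/sh
# Added example (not LPAR2RRD code, not from the forum thread).
#  1. escape_backslashes: the transformation from the poster's Perl patch
#     (s/\\/\\\\/g), so a DOMAIN\user name survives one extra round of
#     shell parsing when it is passed to ssh inside a command string.
#  2. subject_roles: parse "xe subject-list" output and print the RBAC
#     roles of one subject, to confirm whether an account is read-only or
#     pool-admin (the latter, per the thread, makes its SSH login a root
#     shell on the XenServer host).

# Double every backslash in $1, matching the Perl patch from the thread.
escape_backslashes() {
    printf '%s\n' "$1" | sed 's/\\/\\\\/g'
}

# Read "xe subject-list" output on stdin; print the roles of the subject
# whose subject-name is $1 (e.g. DOMEN\lpar2rrd).  The name goes through
# the environment, not "awk -v", because -v would treat the backslash as
# the start of an escape sequence.  Records are blank-line separated.
subject_roles() {
    want="subject-name: $1;" awk '
        BEGIN { RS = ""; FS = "\n" }
        {
            hit = 0; roles = ""
            for (i = 1; i <= NF; i++) {
                if (index($i, ENVIRON["want"]) > 0) hit = 1
                if (index($i, "roles (SRO):") > 0) {
                    roles = $i
                    sub(/^.*roles \(SRO\): */, "", roles)
                }
            }
            if (hit) print roles
        }'
}

# Constructed "xe subject-list" output.  First record: UUID/SID from the
# thread; second record: invented UUID and SID for a pool-admin subject.
XE_SUBJECT_LIST_SAMPLE='uuid ( RO)                : 9884ac6b-f44d-0bc7-0527-82e2d85bfb6b
    subject-identifier ( RO): S-1-5-21-1202660629-776561741-725345543-26871
          other-config (MRO): subject-name: DOMEN\lpar2rrd; subject-upn: lpar2rrd@DOMEN.SRV; subject-is-group: false
                 roles (SRO): read-only


uuid ( RO)                : 00000000-0000-0000-0000-000000000002
    subject-identifier ( RO): S-1-5-21-0-0-0-1002
          other-config (MRO): subject-name: DOMEN\ops-admin; subject-upn: ops-admin@DOMEN.SRV; subject-is-group: false
                 roles (SRO): pool-admin'

# Wrapper over the sample.  On a real host use:
#   xe subject-list | subject_roles 'DOMEN\lpar2rrd'
sample_subject_roles() {
    printf '%s\n' "$XE_SUBJECT_LIST_SAMPLE" | subject_roles "$1"
}

# Exit 0 if the subject holds pool-admin (SSH for it is effectively root
# per the thread), 1 otherwise.
sample_is_pool_admin() {
    case " $(sample_subject_roles "$1") " in
        *" pool-admin "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Stand-alone run: show the escaped ssh user name and the roles.
for s in 'DOMEN\lpar2rrd' 'DOMEN\ops-admin'; do
    printf '%s -> ssh user %s, roles: %s\n' \
        "$s" "$(escape_backslashes "$s")" "$(sample_subject_roles "$s")"
done
```

The escaping is only needed because the name is interpolated into a shell command string; a script that passes the user name to ssh as a single quoted argument (as sshtest.sh is called above) needs one fewer level of doubling, which is why the thread shows two backslashes on the ssh line and four on the sshtest.sh line.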
Hi Alex, we have no simple solution for that either. The solution would be avoiding SSH access; it could potentially be possible, as we recently discovered. However, it is not easy; it would require a redesign of the data gathering (using a different API, which brings some other problems...). So no solution here for now from us.