Creating and managing local user accounts on vCenter Server Appliance

A couple of days back someone asked me how to create a local user on the vCenter Server Appliance, so I looked into how local users work on the vCenter Server Appliance. It is pretty simple:

Steps:

  1. Enable SSH on your vCenter Server Appliance.
  2. Log in to your vCenter Server Appliance using an SSH client.
  3. Create a local user; here is the command:
    useradd vcadmin

    Important: Do not use the useradd.local command.

  4. Assign a password to the newly created user:
    passwd vcadmin
  5. Using the vSphere Client, log in to your vCenter Server Appliance as root.
  6. Select the object on which you want to assign permissions for this user, go to the Permissions tab for that object, and add a permission for the user.
  7. That's it.
  8. Test the user login and you are done.
  9. If you need a root-equivalent user, i.e. a vCenter administrator, assign the permission at the top of the inventory, on vc-inventory-root (the Datacenters folder), so that it propagates to every object below it.

Note: the vCenter Server Appliance uses PAM for authenticating users, and its PAM configuration enforces a failed-login lockout (pam_tally). Once a user has 3 consecutive failed logins, the account is locked.

You can check whether the user account is locked or not by running the following command on the vCenter Server Appliance over SSH login:

pam_tally  --user vcadmin

It will echo something like the following.

User vcadmin    (1005)  has 0

As long as the counter is 0 (zero), everything is good; once it has reached 3 (the default limit), the account is locked. To unlock the account, run the following command:

pam_tally  --user <username> --reset

If it is an AD account, unlock it using the following command:

pam_tally  --user username@domainname --reset

BTW, if you need to change the default number of allowed failed logins, say from 3 to 5, edit the deny= option on the pam_tally line in the following file and update it appropriately:

/etc/pam.d/common-auth
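To tie the steps above together, here is an added helper script (not part of the original post) for the four recurring tasks: creating a local user, checking its pam_tally lock state, unlocking it, and listing the accounts created this way. It assumes it is run as root over SSH on the appliance, that pam_tally prints the "User name (uid) has N" line shown above, and that the lockout limit is the deny= value in /etc/pam.d/common-auth (falling back to 3 when it cannot be read). The list subcommand uses the /etc/passwd filter the author gives in the comments (rvc_chroot entries, minus vc-anon); the sample pam_tally line and passwd entries embedded in the script are constructed for the demo subcommand and the shell path in them is an assumption.

```shell
#!/bin/sh
# Added example, not from the original post. Usage on the VCSA (as root):
#   sh vcsa-localuser.sh create|status|unlock|list|demo [username]

PAM_CONF=${PAM_CONF:-/etc/pam.d/common-auth}   # assumption: pam_tally lives here

# Constructed samples in the formats shown in the post (shell path assumed).
SAMPLE_TALLY='User vcadmin    (1005)  has 4'
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
vc-anon:x:1001:100::/home/vc-anon:/opt/vmware/bin/rvc_chroot
vcadmin:x:1005:100::/home/vcadmin:/opt/vmware/bin/rvc_chroot'

# Failure counter from a pam_tally line such as "User vcadmin    (1005)  has 0".
tally_count() {
    printf '%s\n' "$1" | awk '{print $NF}'
}

# deny= value from the pam_tally line of a PAM config read on stdin;
# prints nothing when no pam_tally line carries deny=.
deny_limit() {
    sed -n 's/.*pam_tally\.so.*deny=\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Exit 0 when the counter has reached the limit (default 3), else 1.
is_locked() {
    [ "$1" -ge "${2:-3}" ]
}

# Local accounts from passwd-format input on stdin, with the author's filter.
list_local_users() {
    awk -F: '$0 ~ /rvc_chroot/ && $0 !~ /vc-anon/ {print $1}'
}

# Report the lock state of one account; exit 2 when it is locked.
status_of() {
    line=$(pam_tally --user "$1") || return 1
    count=$(tally_count "$line")
    limit=3
    if [ -r "$PAM_CONF" ]; then
        found=$(deny_limit <"$PAM_CONF")
        [ -n "$found" ] && limit=$found
    fi
    if is_locked "$count" "$limit"; then
        echo "$1: $count failed logins, LOCKED (limit $limit); unlock with: pam_tally --user $1 --reset"
        return 2
    fi
    echo "$1: $count failed logins, not locked (limit $limit)"
}

case "$1" in
    create) useradd "$2" && passwd "$2" ;;          # steps 3 and 4: plain useradd, then passwd
    status) status_of "$2" ;;
    unlock) pam_tally --user "$2" --reset ;;
    list)   list_local_users </etc/passwd ;;
    demo)   # offline run on the constructed samples, no root needed
            count=$(tally_count "$SAMPLE_TALLY")
            if is_locked "$count"; then echo "sample: $count failures, locked"; fi
            printf '%s\n' "$SAMPLE_PASSWD" | list_local_users ;;
    "")     ;;                                       # no arguments: only define the functions
    *)      echo "usage: $0 create|status|unlock|list|demo [username]" >&2; exit 64 ;;
esac
```

The status subcommand returns 2 for a locked account so it can be used from other scripts; the create subcommand deliberately keeps the interactive passwd prompt rather than taking the password on the command line, where it would land in the shell history.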

Although I have not tested this, I believe one should be able to add local groups in a similar way.


13 thoughts on “Creating and managing local user accounts on vCenter Server Appliance”

  1. Pingback: VMware vCenter Local Users | Random Items

  2. I can create a user in this way but I cannot delete or view the user. Once I create the user and set the passwd, if I run userdel -r , the reply is userdel: Unknown user . Also, if I run the “users” command, I do not see the user. However, when I want to add a user within vCenter, I can add permission, hit add, type the username and hit “check names.” This works and I can add the user. However, I cannot search for the user by name, or see them in the list.

    This method of creating local users with vCenter Appliance works but is definitely not ideal. For example, if the user was to leave the company, how can I remove them? Also, how can I view a list of all my users (especially the ones created / included with this method of creation)?

    • Well, I just checked this out and yes, you are correct that the “users” command does not tell you which users have been added. Now, though the base OS is SuSE Linux, it is not a standard SuSE Linux distribution. Hence the standard Linux/Unix tools don't always work as expected. Hence improvise by using bash tools; for example, to list all the available users:

      grep rvc_chroot /etc/passwd | grep -v vc-anon

      To delete a user, “userdel” works as expected. For example, to delete a user along with his home directory:

      userdel -r localuser

      And I do agree that this might not be the most ideal way of managing user accounts. However, sometimes you may not want an AD to manage the users; in such cases creating and managing local users in this way works well.

  3. Hi Shakhar,
    I have created the user on the local VCSA box.
    How can the user change the password of their account?
    The web UI change password is disabled for users.
