I recently received a question about whether it was possible to configure Active Directory integration with vMA. Out of the box, this is not a feature that is available by default but can be set up. There are many articles online that provide instructions on configuring AD integration on UNIX/Linux host but they may not always be as straight forward to implement. 

While pondering about this question, I remember reading an article about the OEM partnership between Likewise and VMware, in which Likewise's authentication software will be integrated into future releases of the vSphere platform. There has also been rumors that the Likewise software will be appearing in the next release of vSphere which may provide AD integration out of the box. 

Likewise has an open source product called "Open" which integrates with UNIX, Linux and Mac systems to Microsoft Active Directory, allowing users to authenticate with their Windows domain credentials. I thought it would be interesting to see if I could get "Open" running on VMware vMA and surely it was pretty straight forward. 

1. You will need to register to download the latest version of the Likewise software which can be found here:
Note: Make sure you select the 64bit version and the non-GUI version of "Open".

2. You will now upload the installer LikewiseIdentityServiceOpen- to your vMA host using either UNIX/Linux scp or WinSCP if you are on a Windows systems.

3. Set the installer to be an executable by running the following command:

[[email protected] ~]$ chmod +x LikewiseIdentityServiceOpen-

4. Now we will begin the installation, you will need to use sudo (accept all defaults):

[[email protected] ~]$ sudo ./LikewiseIdentityServiceOpen-

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.

Welcome to the Likewise Identity Service [Open] Setup Wizard.

Please read the following License Agreement. You must accept the terms of this
agreement before continuing with the installation.

Press [Enter] to continue :
Likewise Open is provided under the terms of the GNU General
Public License (GPL version 2) and the GNU Library General
Public License (LGPL version 2.1). The additional components
listed below are covered under separate license agreements:

Samba 3.0 Client libraries and tools - GPLv2
MIT Kerberos - MIT Kerberos 5 and other licenses
OpenLDAP - OpenLDAP Public License
Novell DCE-RPC - BSD
libuuid from e2fsprogs - BSD
libiconv - LGPLv2

For more details and for the full text for each of these
licenses, read the LICENSES and COPYING files included with
this software.

Press [Enter] to continue :

Do you accept this license? [y/n]: y

32-bit Compatbility Libraries

Should the 32-bit compatibility libraries be installed? These are only needed if 32-bit programs will be accessing the Likewise authentication code. If you do not know the answer, just leave it as "Auto".

[1] Auto
[2] Yes
[3] No
Please choose an option [1] :

Setup is now ready to begin installing Likewise Identity Service [Open] on your computer.

Do you want to continue? [Y/n]: y

Please wait while Setup installs Likewise Identity Service [Open] on your computer.

0% ______________ 50% ______________ 100%
######################################Info: Likewise

To join an Active Directory domain using a command-line interface, run:


Press [Enter] to continue :
5. Once the setup has finished, you will want to edit the lsassd.conf configuration file. The two changes that you will be making are:

  • Allow a user to login to vMA without having to specify the username and the full domain (e.g. [email protected]@vmahost)
  • Changing the default login shell from /bin/sh to /bin/bash

Start by editing /etc/likewise/lsassd.conf

  • uncomment "assume-default-domain = yes"
  • change "login-shell-template = /bin/sh" to "login-shell-template = /bin/bash"

[[email protected] ~]$ sudo vi /etc/likewise/lsassd.conf
Note: If you are using a newer version of "Open" where lsassd.conf no longer exists, please take a look at the "Open" documentation on updating the configurations listed above - http://www.likewise.com/resources/documentation_library/manuals/open/likewise-open-guide.html

6. Before we join the vMA host to the Active Directory server, ensure that DNS is properly configured and that both forward and reserve lookups are correct on the vMA host.

[[email protected] ~]$ host kate
kate.primp-industries.com has address

[[email protected] ~]$ host domain name pointer kate.primp-industries.com.
7. We will now join the vMA host to an AD server. The syntax will be "domainjoin-cli join [domain] [username]"

[[email protected] ~]$ sudo domainjoin-cli join primp-industries.com Administrator

Joining to AD Domain: primp-industries.com
With Computer DNS Name: kate.primp-industries.com

[email protected]'s password:
Warning: System restart required
Your system has been configured to authenticate to Active Directory for the first time. It is recommended that you restart your system to ensure that all
applications recognize the new settings.

Warning: Unknown pam module
The likewise PAM module cannot be configured for the wbem service. This services uses the '$ISA/pam_unix.so' module, which is not in this program's list of
known modules. Please email Likewise technical support and include a copy of /etc/pam.conf or /etc/pam.d.

Warning: A resumable error occurred while processing a module
Even though the configuration of 'pam' was executed, the configuration did not fully complete. Please contact Likewise support.

Note: Do not worry about the warning message, it is normal and you do not need to restart the system for the changes to take effect.

If you have any issues trying to join a domain, you can enable logging which can be helpful for troubleshooting. To do so, you will specify two additional parameters which will denote the log level and where to output the log, whether that is to the console or to a file

[[email protected] ~]$ sudo domainjoin-cli --loglevel verbose --logfile joindomain.log join primp-industries.com administrator
Joining to AD Domain: primp-industries.com
With Computer DNS Name: kate.primp-industries.com

[email protected]'s password:
Warning: Unknown pam module
The likewise PAM module cannot be configured for the wbem service. This services uses the '$ISA/pam_unix.so' module, which is not in this program's list of
known modules. Please email Likewise technical support and include a copy of /etc/pam.conf or /etc/pam.d.

Warning: A resumable error occurred while processing a module
Even though the configuration of 'pam' was executed, the configuration did not fully complete. Please contact Likewise support.

From the above example, you should have a new log file created called joindomain.log

8. To verify that you have successfully joined the domain, you can run the following command to query:

[[email protected] ~]$ sudo domainjoin-cli query

Name = kate
Distinguished Name = CN=KATE,CN=Computers,DC=primp-industries,DC=com
9. Before you try to login with a user in the domain, you need to reload the configuration changes that were made earlier. To do so, you will execute the following:

[[email protected] ~]$ sudo /opt/likewise/bin/lw-refresh-configuration

Configuration successfully loaded from disk.
10. Now, we will test a login using an account on the AD server:

[[email protected] ~]$ ssh [email protected]
Your password will expire today

Welcome to vMA
run 'vma-help' or see http://www.vmware.com/go/vma4 for more details.

[[email protected] ~]$ pwd
We can also verify this user on the AD Server by running the following query:

Default level 0 info

[[email protected] ~]$ /opt/likewise/bin/lw-find-user-by-name primp

User info (Level-0):
Name: primp
SID: S-1-5-21-503341760-968948550-2164105906-1105
Uid: 1058014289
Gid: 1058013696
Gecos: primp primp
Shell: /bin/bash
Home dir: /home/local/PRIMP-IND/primp
Logon restriction: NO
level 2 info

[[email protected] ~]$ /opt/likewise/bin/lw-find-user-by-name primp --level 2

User info (Level-2):
Name: primp
SID: S-1-5-21-503341760-968948550-2164105906-1105
UPN: [email protected]
Generated UPN: NO
DN: CN=primp primp,CN=Users,DC=primp-industries,DC=com
Uid: 1058014289
Gid: 1058013696
Gecos: primp primp
Shell: /bin/bash
Home dir: /home/local/PRIMP-IND/primp
LMHash length: 0
NTHash length: 0
Local User: NO
Account disabled (or locked): FALSE
Account expired: FALSE
Password never expires: TRUE
Password expired: FALSE
Prompt for password change: YES
User can change password: YES
Days till password expires: 0
Logon restriction: NO
To unjoin and leave the domain, you will use the following:

To preview the files that will require changes for leaving a domain use

[[email protected] ~]$ sudo domainjoin-cli leave --advanced --preview

[F] DDNS - Configure Dynamic DNS Entry for this host
[X] [S] ssh - configure ssh and sshd
[X] [N] pam - configure pam.d/pam.conf
[F] nsswitch - enable/disable Likewise nsswitch module
[X] [N] krb5 - configure krb5.conf
[X] [N] stop - stop daemons
[X] [N] leave - disable machine account
[F] keytab - initialize kerberos keytab

Key to flags
[F]ully configured - the system is already configured for this step
[S]ufficiently configured - the system meets the minimum configuration
requirements for this step
[N]ecessary - this step must be run or manually performed.

[X] - this step is enabled and will make changes
[ ] - this step is disabled and will not make changes
To confirm and leave the domain, use

[[email protected] ~]$ sudo domainjoin-cli leave


All Likewise utilities are installed under /opt/likewise/bin and for more information on these utilities and how to use them, check out the Likewise documentation here.

The instructions above can also be used to setup "open" on classic ESX w/Service Console, ESXi will not work however.

10 thoughts on “How to configure Likewise "Open" AD intergration on vMA

  1. Yes, I actually tried this on ESX 4.0 Update 2 and it works exactly the same without any issues. This however, will not work on ESXi and the unsupported Busybox console.

    I’ll update the post tonight to also mention this will work on classic ESX using the exact same instructions.


  2. Hi – with the latest version of open, the lsassd.cfg file is no longer present. so configuration changes have to be done in the registry using lwregshell command.

    Pl see my notes below (excuse the verbosity – i am copy-pasting from my shell).

    Run the following command to list values against ‘HKEY_THIS_MACHINE\Services\lsass\Parameters\Providers\ActiveDirectory’ key in registry –

    [[email protected] ~]# /opt/likewise/bin/lwregshell ls ‘[HKEY_THIS_MACHINE\Services\lsass\Parameters\Providers\ActiveDirectory]’

    “AssumeDefaultDomain” REG_DWORD 0x00000000 (0)
    “CacheEntryExpiry” REG_DWORD 0x00003840 (14400)
    “CachePurgeTimeout” REG_DWORD 0x00278d00 (2592000)
    “CacheType” REG_SZ “memory”
    “CreateHomeDir” REG_DWORD 0x00000001 (1)
    “CreateK5Login” REG_DWORD 0x00000001 (1)
    “DomainManagerCheckDomainOnlineInterval” REG_DWORD 0x0000012c (300)
    “DomainManagerUnknownDomainCacheTimeout” REG_DWORD 0x00000e10 (3600)
    “DomainSeparator” REG_SZ “\\”
    “HomeDirPrefix” REG_SZ “/home”
    “HomeDirTemplate” REG_SZ “%H/local/%D/%U”
    “HomeDirUmask” REG_SZ “022”
    “Id” REG_SZ “lsa-activedirectory-provider”
    “LdapSignAndSeal” REG_DWORD 0x00000000 (0)
    “LoginShellTemplate” REG_SZ “/bin/bash”
    “LogNetworkConnectionEvents” REG_DWORD 0x00000001 (1)
    “MachinePasswordLifespan” REG_DWORD 0x00278d00 (2592000)

    To change a particular key, say AssumeDefaultDomain, run the following command –

    [[email protected] ~]# /opt/likewise/bin/lwregshell set_value ‘[HKEY_THIS_MACHINE\Services\lsass\Parameters\Providers\ActiveDirectory]’ AssumeDefaultDomain 1

    To set LoginShellTemplate to /bin/bash run –
    [[email protected] ~]# /opt/likewise/bin/lwregshell set_value ‘[HKEY_THIS_MACHINE\Services\lsass\Parameters\Providers\ActiveDirectory]’ LoginShellTemplate /bin/bash

    To refresh the lsass daemon with new config settings, run –
    /opt/likewise/bin/lwsm refresh lsass

    To list the values at any time you can use the first command.

  3. Hi William – you are welcome. The question i have in my mind is – after ‘open’ is installed, will we be able to do password-less operation using AD authentication. i have the setup requisite for this – vCenter, ESXi hosts and vMA 4.0 all attached now to same domain.

  4. @RamD

    No you will not be able to, vi-fastpass has to also be updated to suppport adauth, which is what happened with vMA 4.1. The above just demonstrates how to get vMA joined to AD using “open” which is exactly how vMA 4.1 is setup. Unless there’s a reason to stay on vMA 4.0, recommendation is to go to vMA 4.1 even if you only have ESX(i) 3.5 or 4.0 hosts

  5. Hi William thanks for your response. While on vMA 4.0 any best practices to follow in order to prevent misuse of passwords stored in credential store. if a user logs in as vi-admin then anyhow he/she has access to the credential store where passwords are stored in plain text, in obfuscated form. so it is easy to crack these. any ideas on how to prevent this?

    One thought is – all users of vMA always login with their directory logins (not using vi-admin). then anyhow each has a diffrent credential store for their ESX/ESXi/vCenter access which hopefully has correct file permissions set. the vi-admin user is locked down, much like the default root user.

    What where you following till you moved to 4.10?

    PS: A blog on this would help… 🙂

  6. @RamD,

    Here is a blog post motivated by our conversation – http://www.virtuallyghetto.com/2010/08/why-you-should-upgrade-from-vma-40-to.html

    Hopefully it’ll clear up some questions.

    Regarding your suggestion, it would not work since the activation of vi-fastpass is only allowed for the vi-admin user. You will get an error that the user context is incorrect. Also if you take a look at the post above, you’ll see that vMA 4.1 does fix the known plain text issue but one can still access the credential store and retrieve the username and password. This can be done on both vMA 4.0 and 4.1. There is a recommendation on how to really protect the credential store which is outlined in the article.

    Hopefully this helps

    Thanks for the comments

  7. I was facing problems joining the VMware appliance to Active directory. There is a trust between my production domain and another lab domain. One of the domain controllers
    that was in the trusted (lab) domain was out of time sync. This prevented my machine from being joined correctly to the Active directory.
    Likewise 5.3 wasn’t able to handle that, with 6.1 it worked. After the clocks were synchonized everything started to work.
    I don’t want others to run into it. I guess there is an option to diable all trusts, but VMvare is obviously not using that in their UI.

    Conditions: VMvare Vcenter appliance 5.0 based on SuSE Linux
    Active directory windows 2008 R2 server with the forest& domain level 2008 R2
    /opt/likewise/bin/lw-get-status was only showing local authentication

    also tried to investigate the missing AD DNS entry _kerberos-master._udp.. Obviously this entry doesn’t have to be there.

    Joining Active Directory using the command line /opt/likewise/bin/domainjoin-cli seems to be working itself. But it doesn’t enable some features
    in vmware interface, so I encourage people to use that for troubleshooting, but once they’ve fixed their problems, go back to the apliance web interface
    and do it there.

    good luck

Thanks for the comment!