Citrix Systems 6 Server User Manual


 
8
Note:
XenServer uses Likewise (Likewise uses Kerberos) to authenticate the AD user in the AD server,
and to encrypt communications with the AD server.
How does XenServer manage the machine account password for AD integration?
Similarly to Windows client machines, Likewise automatically updates the machine account password, renewing
it once every 30 days, or as specified in the machine account password renewal policy in the AD server. For more
information, refer to http://support.microsoft.com/kb/154501.
Enabling external authentication on a pool
External authentication using Active Directory can be configured using either XenCenter or the CLI using the
command below.
xe pool-enable-external-auth auth-type=AD \
service-name=<full-qualified-domain> \
config:user=<username> \
config:pass=<password>
The user specified needs to have Add/remove computer objects or workstations privileges,
which is the default for domain administrators.
Note:
If you are not using DHCP on the network used by Active Directory and your XenServer hosts,
use you can use these two approaches to setup your DNS:
1. Set up your domain DNS suffix search order for resolving non-FQDNs:
xe pif-param-set uuid=<pif-uuid_in_the_dns_subnetwork> \
“other-config:domain=suffix1.com suffix2.com suffix3.com”
2. Configure the DNS server to use on your XenServer hosts:
xe pif-reconfigure-ip mode=static dns=<dnshost>
3. Manually set the primary management interface to use a PIF that is on the same network
as your DNS server:
xe host-management-reconfigure pif-uuid=<pif_in_the_dns_subnetwork>
Note:
External authentication is a per-host property. However, Citrix advises that you enable and
disable this on a per-pool basis – in this case XenServer will deal with any failures that occur
when enabling authentication on a particular host and perform any roll-back of changes that
may be required, ensuring that a consistent configuration is used across the pool. Use the
host-param-list command to inspect properties of a host and to determine the status of
external authentication by checking the values of the relevant fields.
Disabling external authentication
Use XenCenter to disable Active Directory authentication, or the following xe command:
xe pool-disable-external-auth
User Authentication
To allow a user access to your XenServer host, you must add a subject for that user or a group that they are in.
(Transitive group memberships are also checked in the normal way, for example: adding a subject for group A,
where group A contains group B and user 1 is a member of group B would permit access to user 1.) If