
1. Configure the DNS server to use on your XenServer hosts:
xe
2. Manually set the management interface to use a PIF that is on the same network as your DNS server: xe
Note:
External authentication is a
Disabling external authentication
• Use XenCenter to disable Active Directory authentication, or the following xe command: xe
User authentication
To allow a user access to your XenServer host, you must add a subject for that user or for a group that they are in. (Transitive group memberships are also checked in the normal way; for example, adding a subject for group A, where group A contains group B and user 1 is a member of group B, would permit access to user 1.) If you wish to manage user permissions in Active Directory, you could create a single group to which you then add users and from which you remove them; alternatively, you can add and remove individual users from XenServer, or use a combination of users and groups as appropriate for your authentication requirements. The subject list can be managed from XenCenter or using the CLI as described below.
When authenticating a user, the credentials are first checked against the local root account, allowing you to recover a system whose AD server has failed. If the credentials (i.e. username then password) do not match/authenticate, then an authentication request is made to the AD server. If this is successful, the user's information is retrieved and validated against the local subject list; otherwise access is denied. Validation against the subject list succeeds if the user, or a group in the transitive group membership of the user, is in the subject list.
Note:
When using Active Directory groups to grant access for Pool Administrator users who will require host ssh access, the number of users in the Active Directory group must not exceed 500.
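The check order described in this section (local root account, then AD, then the subject list with transitive group membership) is modelled below in Python. This is an added example, not XenServer code; the function names, group data and passwords are constructed for illustration, and AD is stood in for by a dictionary.

```python
import hmac

def same(a, b):
    """Constant-time string comparison."""
    return hmac.compare_digest(a.encode(), b.encode())

def transitive_groups(principal, member_of):
    """Every group reachable from principal through nested membership."""
    seen, stack = set(), list(member_of.get(principal, ()))
    while stack:
        group = stack.pop()
        if group not in seen:  # tolerate circular nesting
            seen.add(group)
            stack.extend(member_of.get(group, ()))
    return seen

def granting_subjects(user, member_of, subjects):
    """Subject-list entries that give user access, directly or via a group."""
    return ({user} | transitive_groups(user, member_of)) & set(subjects)

def authorize(user, password, root_password, ad_passwords, member_of, subjects):
    """Return (allowed, reason), checking in the order the text describes."""
    # 1. Local root account first, so the host is recoverable without AD.
    if user == "root" and same(password, root_password):
        return True, "local root"
    # 2. Otherwise ask AD (modelled here as a dict of constructed passwords).
    if user not in ad_passwords or not same(password, ad_passwords[user]):
        return False, "AD authentication failed"
    # 3. AD success alone is not enough: the user or one of their
    #    transitive groups must be in the subject list.
    if granting_subjects(user, member_of, subjects):
        return True, "subject list"
    return False, "not in subject list"

# Constructed sample data: group A contains group B, user1 is in group B.
MEMBER_OF = {"user1": ["groupB"], "groupB": ["groupA"], "user2": ["groupC"]}
AD_PASSWORDS = {"user1": "pw-one", "user2": "pw-two"}
SUBJECTS = {"groupA", "user1"}

if __name__ == "__main__":
    print(authorize("user1", "pw-one", "root-pw", AD_PASSWORDS, MEMBER_OF, SUBJECTS))
    print(authorize("user2", "pw-two", "root-pw", AD_PASSWORDS, MEMBER_OF, SUBJECTS))
    # Both entries must be removed before user1 actually loses access.
    print(sorted(granting_subjects("user1", MEMBER_OF, SUBJECTS)))
```

`granting_subjects` is the check to run before revoking access: a user who is listed individually and also covered by a group keeps access until every returned entry is removed.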
Allowing a user access to XenServer using the CLI
• To add an AD subject to XenServer:
xe
The entity name should be the name of the user or group to which you want to grant access. You may optionally include the domain of the entity (for example, '<xendt\user1>' as opposed to '<user1>') although the behavior will be the same unless disambiguation is required.
Removing access for a user using the CLI
1. Identify the subject identifier for the subject whose access you wish to revoke. This would be the user or the group containing the user (removing a group would remove access to all users in that group, providing they are not also specified in the subject list). You can do this using the subject list command: