Manage users 编辑
Defining users, groups, roles and permissions allows you to control who has access to your Citrix Hypervisor servers and pools and what actions they can perform.
When you first install Citrix Hypervisor, a user account is added to Citrix Hypervisor automatically. This account is the local super user (LSU), or root, which Citrix Hypervisor authenticates locally.
The LSU, or root, is a special user account intended for system administration and has all permissions. In Citrix Hypervisor, the LSU is the default account at installation. Citrix Hypervisor authenticates the LSU account. LSU does not require any external authentication service. If an external authentication service fails, the LSU can still log in and manage the system. The LSU can always access the Citrix Hypervisor physical server through SSH.
You can create more users by adding the Active Directory accounts through either Citrix Hypervisor Center’s Users tab or the xe CLI. If your environment does not use Active Directory, you are limited to the LSU account.
Note:
When you create users, Citrix Hypervisor does not assign newly created user accounts RBAC roles automatically. Therefore, these accounts do not have any access to the Citrix Hypervisor pool until you assign them a role.
These permissions are granted through roles, as discussed in the Authenticating users with Active Directory (AD) section.
Authenticate users with Active Directory (AD)
If you want to have multiple user accounts on a server or a pool, you must use Active Directory user accounts for authentication. AD accounts let Citrix Hypervisor users log on to a pool using their Windows domain credentials.
Note:
You can enable LDAP channel binding and LDAP signing on your AD domain controllers. For more information, see Microsoft Security Advisory.
You can configure varying levels of access for specific users by enabling Active Directory authentication, adding user accounts, and assign roles to those accounts.
Active Directory users can use the xe CLI (passing appropriate -u and -pw arguments) and also connect to the host using Citrix Hypervisor Center. Authentication is done on a per-resource pool basis.
Subjects control access to user accounts. A subject in Citrix Hypervisor maps to an entity on your directory server (either a user or a group). When you enable external authentication, Citrix Hypervisor checks the credentials used to create a session against the local root credentials and then against the subject list. To permit access, create a subject entry for the person or group you want to grant access to. You can use Citrix Hypervisor Center or the xe CLI to create a subject entry.
If you are familiar with Citrix Hypervisor Center, note that the Citrix Hypervisor CLI uses slightly different terminology to refer to Active Directory and user account features: Citrix Hypervisor Center Term Citrix Hypervisor CLI Term Users Subjects Add users Add subjects
Even though Citrix Hypervisor is Linux-based, Citrix Hypervisor lets you use Active Directory accounts for Citrix Hypervisor user accounts. To do so, it passes Active Directory credentials to the Active Directory domain controller.
When you add Active Directory to Citrix Hypervisor, Active Directory users and groups become Citrix Hypervisor subjects. The subjects are referred to as users in Citrix Hypervisor Center. Users/groups are authenticated by using Active Directory on logon when you register a subject with Citrix Hypervisor. Users and groups do not need to qualify their user name by using a domain name.
To qualify a user name, you must type the user name in Down-Level log on Name format, for example, mydomain\myuser.
Note:
By default, if you did not qualify the user name, Citrix Hypervisor Center attempts to log in users to AD authentication servers using the domain to which it is joined. The exception to this is the LSU account, which Citrix Hypervisor Center always authenticates locally (that is, on the Citrix Hypervisor) first.
The external authentication process works as follows:
The credentials supplied when connecting to a server are passed to the Active Directory domain controller for authentication.
The domain controller checks the credentials. If they are invalid, the authentication fails immediately.
If the credentials are valid, the Active Directory controller is queried to get the subject identifier and group membership associated with the credentials.
If the subject identifier matches the one stored in the Citrix Hypervisor, authentication succeeds.
When you join a domain, you enable Active Directory authentication for the pool. However, when a pool joins a domain, only users in that domain (or a domain with which it has trust relationships) can connect to the pool.
Note:
Manually updating the DNS configuration of a DHCP-configured network PIF is unsupported and can cause AD integration, and therefore user authentication, to fail or stop working.
Configure Active Directory authentication
Citrix Hypervisor supports use of Active Directory servers using Windows 2008 or later.
To authenticate Active Directory for Citrix Hypervisor servers, you must use the same DNS server for both the Active Directory server (configured to allow interoperability) and the Citrix Hypervisor server. In some configurations, the active directory server can provide the DNS itself. This can be achieved either using DHCP to provide the IP address and a list of DNS servers to the Citrix Hypervisor server. Alternatively, you can set the values in the PIF objects or use the installer when a manual static configuration is used.
We recommend enabling DHCP to assign host names. Do not assign the hostnames localhost or linux to hosts.
Warning:
Citrix Hypervisor server names must be unique throughout the Citrix Hypervisor deployment.
Note the following:
Citrix Hypervisor labels its AD entry on the AD database using its hostname. If two Citrix Hypervisor servers with the same hostname are joined to the same AD domain, the second Citrix Hypervisor overwrites the AD entry of the first Citrix Hypervisor. The overwriting occurs regardless of whether the hosts belong to the same or different pools. This can cause the AD authentication on the first Citrix Hypervisor to stop working.
You can use the same host name in two Citrix Hypervisor servers, as long as they join different AD domains.
The Citrix Hypervisor servers can be in different time-zones, because it is the UTC time that is compared. To ensure that synchronization is correct, you can use the same NTP servers for your Citrix Hypervisor pool and the Active Directory server.
Mixed-authentication pools are not supported. You cannot have a pool where some servers in the pool are configured to use Active Directory and some are not).
The Citrix Hypervisor Active Directory integration uses the Kerberos protocol to communicate with the Active Directory servers. Therefore, Citrix Hypervisor does not support communicating with Active Directory servers that do not use Kerberos.
For external authentication using Active Directory to be successful, clocks on your Citrix Hypervisor servers must be synchronized with the clocks on your Active Directory server. When Citrix Hypervisor joins the Active Directory domain, the synchronization is checked and authentication fails if there is too much skew between the servers.
Warning:
Host names must consist solely of no more than 63 alphanumeric characters, and must not be purely numeric.
When you add a server to a pool after enabling Active Directory authentication, you are prompted to configure Active Directory on the server joining the pool. When prompted for credentials on the joining server, type Active Directory credentials with sufficient privileges to add servers to that domain.
Active Directory integration
Ensure that the following firewall ports are open for outbound traffic in order for Citrix Hypervisor to access the domain controllers.
| Port | Protocol | Use |
|---|---|---|
| 53 | UDP/TCP | DNS |
| 88 | UDP/TCP | Kerberos 5 |
| 123 | UDP | NTP |
| 137 | UDP | NetBIOS Name Service |
| 139 | TCP | NetBIOS Session (SMB) |
| 389 | UDP/TCP | LDAP |
| 445 | TCP | SMB over TCP |
| 464 | UDP/TCP | Machine password changes |
| 636 | UDP/TCP | LDAP over SSL |
| 3268 | TCP | Global Catalog Search |
For more information, see Communication Ports Used by Citrix Technologies.
Note:
To view the firewall rules on a Linux computer using iptables, run the following command:
iptables -nL.
Winbind
Citrix Hypervisor uses Winbind for authenticating Active Directory (AD) users with the AD server and to encrypt communications with the AD server.
Winbind does not support the following scenarios:
- Space at the beginning or end of a domain user or domain group name.
- Domain user names that contain 64 characters or more.
- Domain user names that include any of the special characters +<>"=/%@:,;\\\`
- Domain group names that include any of the special characters ,;\\\`
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论