
Authenticating Users and Running Virtual Machines on a GSX Server for Linux Host
GSX Server for Linux uses Pluggable Authentication Modules (PAM) for user authentication in the VMware Virtual Machine Console and the VMware Management Interface. The default installation of GSX Server uses standard Linux /etc/passwd authentication, but can be configured to use LDAP, NIS, Kerberos or another distributed authentication mechanism.
Every time you connect to the GSX Server host with the VMware Virtual Machine Console or VMware Management Interface, the inetd or xinetd process runs an instance of the VMware authentication daemon (vmware-authd). The vmware-authd process requests a username and password, then hands them off to PAM, which performs the authentication.
Once you are authenticated, the console starts or the management interface's Status Monitor page appears. What you can now do with the virtual machines is based on your permissions. See Understanding Permissions and Virtual Machines.
The vmware-authd process starts a virtual machine process as the owner of the configuration file, not as the user connecting to the virtual machine. However, the user is still restricted by his or her permissions on the configuration file.
Note: Even if you have full permissions on a configuration file, if you lack execute permission on the directory in which the configuration file resides, or on any of its parent directories, you cannot connect to the virtual machine with a VMware Virtual Machine Console or a VMware Scripting API. Furthermore, you cannot see the virtual machine in the VMware Management Interface or in the VMware Virtual Machine Console, and you cannot delete any files in the virtual machine's directory.
Note: Virtual machines and their resources (such as virtual disks, physical disks, devices and snapshot files) should be located in areas accessible to their users.
If a vmware process is not running for this configuration file, vmware-authd checks whether this virtual machine is in the inventory. If it is, vmware-authd switches to the identity of the configuration file's owner (which is not necessarily the user who is currently authenticated) and starts the console with this configuration file as an argument (for example, vmware /<path_to_config>/<configfile>.vmx).
The vmware-authd process exits as soon as a connection is established to a vmware process and at least one user has connected. Each vmware process shuts down automatically after the last user disconnects.
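The access rule in the notes above (execute permission on every parent directory, then read permission on the .vmx to connect and write permission to change it) can be checked outside the product. This is an added example, not VMware code: SAMPLE_TREE is a constructed tree whose .vmx carries the GSX default owner/group/other bits of 7/5/4, and stat_tree (assumed POSIX host) builds the same structure from a real path.

```python
import os
import stat
from pathlib import PurePosixPath

# Constructed sample tree: path -> (permission bits, owner uid, group gid).
# The .vmx carries the GSX defaults (owner 7, group 5, other 4); /vms
# deliberately denies execute permission to "other" users.
SAMPLE_TREE = {
    "/": (0o755, 0, 0),
    "/vms": (0o750, 0, 100),
    "/vms/web": (0o755, 1000, 100),
    "/vms/web/web.vmx": (0o754, 1000, 100),
}

def rwx_for(entry, uid, gids):
    """Return the rwx triple (0-7) that a user with uid/gids gets on one entry."""
    mode, owner, group = entry
    if uid == owner:
        return (mode >> 6) & 7
    if group in gids:
        return (mode >> 3) & 7
    return mode & 7

def vmx_access(path, uid, gids, tree=SAMPLE_TREE):
    """Apply the rule from the notes: execute on every parent directory, then
    read on the .vmx to connect and write on it to change the configuration.
    Returns (can_connect, can_modify, reason)."""
    p = PurePosixPath(path)
    for parent in reversed(p.parents):  # "/" first, down to the vmx's directory
        if (rwx_for(tree[str(parent)], uid, gids) & 1) == 0:
            return False, False, f"no execute permission on {parent}"
    bits = rwx_for(tree[str(p)], uid, gids)
    if (bits & 4) == 0:
        return False, False, f"no read permission on {path}"
    return True, bool(bits & 2), "ok"

def stat_tree(path):
    """Build the same dictionary from a real filesystem so vmx_access can be
    run against an actual configuration file (assumes a POSIX host)."""
    p = PurePosixPath(path)
    tree = {}
    for q in list(reversed(p.parents)) + [p]:
        st = os.stat(str(q))
        tree[str(q)] = (stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid)
    return tree

if __name__ == "__main__":
    # gids must include the user's primary and supplementary groups.
    for who, uid, gids in (("owner", 1000, {100}), ("group member", 1001, {100}),
                           ("other", 2000, {2000})):
        print(who, vmx_access("/vms/web/web.vmx", uid, gids))
```

The "other" user has read permission (4) on the .vmx yet is refused at /vms, which is exactly the situation the directory-execute note describes.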
Default Permissions
When you create a virtual machine with GSX Server on a Linux host, its configuration file is assigned the following default permissions, based on the user accessing it:
  • Read, execute and write (7) — for the user who created the configuration file (the owner)
  • Read and execute (5) — for the primary group to which the owner belongs
  • Read (4) — for users other than the owner or a member of the owner's group
When you first install the GSX Server software and run the configuration program vmware-config.pl, you can set these permissions for any existing virtual machine configuration files. If you plan to use with GSX Server a virtual machine and configuration file you created in other VMware products, you must open the configuration file (choose File > Open Virtual Machine) in order to connect to the virtual machine from the VMware Virtual Machine Console or the VMware Management Interface, then set the default permissions as above.
Creating Virtual Machines on NFS Shares
If the virtual machine is located on an NFS share, make sure the root user has access to the location of the virtual machine files. Otherwise, you may encounter problems configuring the virtual machine.
If you create a virtual machine on an NFS share to which the root user has no access, certain operations do not work when the virtual machine is not running. For example, you cannot revert to a snapshot, add or remove devices to or from the virtual machine, or otherwise change the virtual machine's configuration.