Professional Documents
Culture Documents
Citrix Hypervisor Manage Users
Citrix Hypervisor Manage Users
Citrix Hypervisor Manage Users
Manage users
Defining users, groups, roles and permissions allows you to control who has access to
your Citrix Hypervisor servers and pools and what actions they can perform.
When you first install Citrix Hypervisor, a user account is added to Citrix Hypervisor
automatically. This account is the local super user (LSU), or root, which Citrix
Hypervisor authenticates locally.
The LSU, or root, is a special user account intended for system administration and has
all permissions. In Citrix Hypervisor, the LSU is the default account at installation.
Citrix Hypervisor authenticates the LSU account. LSU does not require any external
authentication service. If an external authentication service fails, the LSU can still log in
and manage the system. The LSU can always access the Citrix Hypervisor physical
server through SSH.
You can create more users by adding the Active Directory accounts through either
XenCenter’s Users tab or the xe CLI. If your environment does not use Active
Directory, you are limited to the LSU account.
Note:
When you create users, Citrix Hypervisor does not assign newly created user accounts
RBAC roles automatically. Therefore, these accounts do not have any access to the
Citrix Hypervisor pool until you assign them a role.
These permissions are granted through roles, as discussed in the Authenticating users
with Active Directory (AD) section.
If you want to have multiple user accounts on a server or a pool, you must use Active
Directory user accounts for authentication. AD accounts let Citrix Hypervisor users log
on to a pool using their Windows domain credentials.
You can configure varying levels of access for specific users by enabling Active
Directory authentication, adding user accounts, and assign roles to those accounts.
Active Directory users can use the xe CLI (passing appropriate -u and -pw arguments)
and also connect to the host using XenCenter. Authentication is done on a per-resource
pool basis.
Even though Citrix Hypervisor is Linux-based, Citrix Hypervisor lets you use Active
Directory accounts for Citrix Hypervisor user accounts. To do so, it passes Active
Directory credentials to the Active Directory domain controller.
When you add Active Directory to Citrix Hypervisor, Active Directory users and groups
become Citrix Hypervisor subjects. The subjects are referred to as users in XenCenter.
Users/groups are authenticated by using Active Directory on logon when you register a
subject with Citrix Hypervisor. Users and groups do not need to qualify their user name
by using a domain name.
To qualify a user name, you must type the user name in Down-Level log on Name
format, for example, mydomain\myuser.
Note:
By default, if you did not qualify the user name, XenCenter attempts to log in users to
AD authentication servers using the domain to which it is joined. The exception to this
is the LSU account, which XenCenter always authenticates locally (that is, on the Citrix
Hypervisor) first.
1. The credentials supplied when connecting to a server are passed to the Active
Directory domain controller for authentication.
2. The domain controller checks the credentials. If they are invalid, the
authentication fails immediately.
3. If the credentials are valid, the Active Directory controller is queried to get the
subject identifier and group membership associated with the credentials.
4. If the subject identifier matches the one stored in the Citrix Hypervisor,
authentication succeeds.
When you join a domain, you enable Active Directory authentication for the pool.
However, when a pool joins a domain, only users in that domain (or a domain with
which it has trust relationships) can connect to the pool.
Note:
To authenticate Active Directory for Citrix Hypervisor servers, you must use the same
DNS server for both the Active Directory server (configured to allow for
interoperability) and the Citrix Hypervisor server. In some configurations, the active
directory server can provide the DNS itself. This can be achieved either using DHCP to
provide the IP address and a list of DNS servers to the Citrix Hypervisor server.
Alternatively, you can set the values in the PIF objects or use the installer when a
manual static configuration is used.
We recommend enabling DHCP to assign host names. Do not assign the hostnames
localhost or linux to hosts.
Warning:
Citrix Hypervisor server names must be unique throughout the Citrix Hypervisor
deployment.
Citrix Hypervisor labels its AD entry on the AD database using its hostname. If
two Citrix Hypervisor servers with the same hostname are joined to the same
AD domain, the second Citrix Hypervisor overwrites the AD entry of the first
Citrix Hypervisor. The overwriting occurs regardless of whether the hosts
belong to the same or different pools. This can cause the AD authentication on
the first Citrix Hypervisor to stop working.
You can use the same host name in two Citrix Hypervisor servers, as long as
they join different AD domains.
Host names must consist solely of no more than 63 alphanumeric characters, and must
not be purely numeric.
When you add a server to a pool after enabling Active Directory authentication, you are
prompted to configure Active Directory on the server joining the pool. When prompted
for credentials on the joining server, type Active Directory credentials with sufficient
privileges to add servers to that domain.
Ensure that the following firewall ports are open for outbound traffic in order for Citrix
Hypervisor to access the domain controllers.
Notes:
To view the firewall rules on a Linux computer using iptables, run the
following command: iptables - nL.
Citrix Hypervisor uses PowerBroker Identity Services (PBIS) to
authenticate the AD user in the AD server, and to encrypt
communications with the AD server.
How does Citrix Hypervisor manage the machine account password for
AD integration?
Similarly to Windows client machines, PBIS automatically updates the machine account
password. PBIS renews the password every 30 days, or as specified in the machine
account password renewal policy in the AD server.
copy
xe pool-enable-external-auth auth-type=AD \
service-name=full-qualified-domain \
config:user=username \
config:pass=password
If you are not using DHCP on the network used by Active Directory and your Citrix
Hypervisor servers, use the following approaches to set up your DNS:
1. Set up your domain DNS suffix search order for resolving non-FQDN entries:
copy
xe pif-param-set uuid=pif_uuid_in_the_dns_subnetwork \
"other-config:domain=suffix1.com suffix2.com suffix3.com"
copy
xe pif-reconfigure-ip mode=static dns=dnshost ip=ip \
gateway=gateway netmask=netmask uuid=uuid
3. Manually set the management interface to use a PIF that is on the same network
as your DNS server:
copy
xe host-management-reconfigure pif-
uuid=pif_in_the_dns_subnetwork
Note:
copy
xe pool-disable-external-auth
User authentication
To allow a user access to your Citrix Hypervisor server, you must add a subject for that
user or a group that they are in. (Transitive group memberships are also checked in the
normal way. For example, adding a subject for group A, where group A contains group B
and user 1 is a member of group B would permit access to user 1.) If you want to
manage user permissions in Active Directory, you can create a single group that you
then add and delete users to/from. Alternatively, you can add and delete individual users
from Citrix Hypervisor, or a combination of users and groups as appropriate for your
authentication requirements. You can manage the subject list from XenCenter or using
the CLI as described in the following section.
When authenticating a user, the credentials are first checked against the local root
account, allowing you to recover a system whose AD server has failed. If the credentials
(user name and password) do not match, then an authentication request is made to the
AD server. If the authentication is successful, the user’s information is retrieved and
validated against the local subject list. Access is denied if the authentication fails.
Validation against the subject list succeeds if the user or a group in the transitive group
membership of the user is in the subject list.
Note:
When using Active Directory groups to grant access for Pool Administrator users who
require host ssh access, the number of users in the Active Directory group must not
exceed 500.
copy
xe subject-add subject-name=entity_name
The entity_name is the name of the user or group to which you want to grant access.
You can include the domain of the entity (for example, ‘xendt\user1’ as opposed to
‘user1’) although the behavior is the same unless disambiguation is required.
Find the user’s subject identifier. The identifier is the user or the group containing the
user. Removing a group removes access to all users in that group, provided they are not
also specified in the subject list. Use the subject list command to find the user’s
subject identifier. :
copy
xe subject-list
To apply a filter to the list, for example to find the subject identifier for a user user1 in
the testad domain, use the following command:
copy
xe subject-list other-config:subject-name='testad\user1'
Remove the user using the subject-remove command, passing in the subject identifier
you learned in the previous step:
copy
xe subject-remove subject-uuid=subject_uuid
You can end any current session this user has already authenticated. For more
information, see Terminating all authenticated sessions using xe and Terminating
individual user sessions using xe in the following section. If you do not end sessions,
users with revoked permissions may continue to access the system until they log out.
Run the following command to identify the list of users and groups with permission to
access your Citrix Hypervisor server or pool:
copy
xe subject-list
When a user is authenticated, they can access the server until they end their session, or
another user ends their session. Removing a user from the subject list, or removing them
from a group that is in the subject list does not automatically revoke any already-
authenticated sessions that the user has. Users can continue to access the pool using
XenCenter or other API sessions that they have already created. XenCenter and the CLI
provide facilities to end individual sessions, or all active sessions forcefully. See the
XenCenter help for information on procedures using XenCenter, or the following
section for procedures using the CLI.
Run the following CLI command to end all authenticated sessions using xe:
copy
xe session-subject-identifier-logout-all
1. Determine the subject identifier whose session you want to log out. Use either
the session-subject-identifier-list or subject-list xe commands to
find the subject identifier. The first command shows users who have sessions.
The second command shows all users but can be filtered. For example, by using
a command like xe subject-list other-config:subject-
name=xendt\\user1. You may need a double-backslash as shown depending on
your shell).
2. Use the session-subject-logout command, passing the subject identifier you
have determined in the previous step as a parameter, for example:
copy
xe session-subject-identifier-logout subject-
identifier=subject_id
Leave an AD domain
Warning:
When you leave the domain (that is, disable Active Directory authentication and
disconnect a pool or server from its domain), any users who authenticated to the pool or
server with Active Directory credentials are disconnected.
Use XenCenter to leave an AD domain. See the XenCenter help for more information.
Alternately run the pool-disable-external-auth command, specifying the pool uuid
if necessary.