We have two AD domains in separate forests, with a two-way trust between the forests. Users from domain A can log in to machines on domain B and vice versa. Domain Local security groups allow users from domain B to exist in a group along with domain A users in domain A.
In our previous vSphere 4.1U2 installation (and in prior releases), we were able to use these domain local groups to have one set of permissions throughout our cluster. Assigning a role to one of these groups would extend the permissions to all members of the group, regardless of domain.
With 5.1, the same permissions we had no longer work the same way. Users from domain A in the group get the permissions they expect, but users from domain B are ignored completely. Users who used to be able to log in to the vSphere client cannot even log in anymore. These users can log in to the web client, but do not have permissions to interact with any VM objects.
We worked around the problem by creating a separate set of groups in domain B, adding the domain B users to those groups and then adding permissions for those groups throughout our cluster. This took a long time, and now when we need to add permissions for a particular user, we may have to do so in two different places. Additionally, since naming schemes are not identical between domains A and B, we have to remember that this group in domain A has a differently-named counterpart in domain B. It's a step backwards in functionality.
I filed a support ticket about this but I was not able to effectively communicate the problem to the support representative. The answer I received was basically that users have to be given permissions in order to receive them, which was not helpful at all.
Has anyone else run into this issue? Did we just miss something obvious? Was there a better workaround than our copy-everything solution?
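A PowerCLI script, added here as an example and not part of the original post, that automates the copy-everything workaround described above: the domain A to domain B group mapping lives in one table, and each domain A group's vCenter permissions are mirrored onto its counterpart, skipping any that already exist. The group names and the existing Connect-VIServer session are assumptions.

```powershell
# Added example (not from the original post): mirror every vCenter permission
# held by a domain A group onto its differently-named domain B counterpart.
# Assumes VMware PowerCLI is loaded and Connect-VIServer has already been run.
# The group names below are placeholders for the real naming schemes.
$GroupMap = @{
    'DOMAINA\vSphere-Operators' = 'DOMAINB\VI_Operators'
    'DOMAINA\vSphere-ReadOnly'  = 'DOMAINB\VI_ReadOnly'
}

$created = 0
foreach ($perm in Get-VIPermission) {
    $counterpart = $GroupMap[$perm.Principal]
    if (-not $counterpart) { continue }   # not one of the mapped domain A groups

    # Skip if the domain B group already holds this role on this object,
    # so the script can be re-run safely whenever a permission is added.
    $existing = Get-VIPermission -Entity $perm.Entity -Principal $counterpart -ErrorAction SilentlyContinue |
        Where-Object { $_.Role -eq $perm.Role -and $_.Entity.Id -eq $perm.Entity.Id }
    if ($existing) { continue }

    New-VIPermission -Entity $perm.Entity -Principal $counterpart `
        -Role $perm.Role -Propagate $perm.Propagate | Out-Null
    $created++
    Write-Host "Mirrored role '$($perm.Role)' on '$($perm.Entity.Name)' to $counterpart"
}
Write-Host "Created $created new permission(s)"
```

Running it after each change to a domain A group's permissions keeps the two sets in step without having to remember the counterpart names by hand.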