P4thos
Enthusiast

VMware 5.5 - A user can't browse datastores anymore

Hello,

Since last Friday, we have been encountering strange behavior: our backup team has reported that they are no longer able to back up VMs because of some missing permissions.

This is strange, as everything was working fine.

We had a look on the vCenter side and, using the web client, tried to browse datastores: nothing appears (no files are listed).

We had a look at the user permissions, and the user is in the administrator group with all the access.

We have asked our backup team to test with another user who is also part of the administrator group, and everything is working. We can browse the datastore using the vSphere Web Client.

We have changed the permission of the user from administrator to read-only and moved it back to the administrator group: same issue.

vCenter (Windows) has been completely rebooted.

No updates (VMware or Windows) have been applied.

Has someone already encountered the same issue?

Any clue where to look?

The infrastructure is running vSphere 5.5 and vCenter 5.5 (unfortunately it can't be upgraded to v6 for the moment).

Thanks in advance for your help and advice.

9 Replies
Shard201110141
VMware Employee

Can you connect to one of the hosts directly (taking vCenter out of the equation)? What do you see?

Have you tried cloning/copying the account and reviewing the datastores from the new account?

Can you view the datastore from the admin account?

The only thing I can think of is a database issue.

P4thos
Enthusiast

Yes, if I connect directly to the host (via vSphere Client and using the root account) I can browse the datastore.

The account is an account from AD. I can't clone it. But I have used another account from that AD, given the administrator role to that new account, and everything is OK.

If I use the administrator account or an account which has the right to browse datastores, it works.

I have tried cloning the administrator role and assigning the problematic user to that new role. Same issue :(

Maybe you're right, there is something wrong in the DB related to that user.

Shard201110141
VMware Employee

Yeah, that's a tough one. Maybe a brand new user account, as that would write a new entry into the DB?

P4thos
Enthusiast

Creating a new user on the local domain, everything is working.

I'm not managing the AD; I need to ask the team managing it to create a new user and see if the problem persists with the new user. I'll keep this post up to date once I have news.

The issue is not blocking us, as we use a workaround, which is to use another user from the AD. But I would like to understand what happened and if there is a solution to solve it.

The user we use has a particular name that has been declared in some ISO documentation. If the ISO documentation needs to be modified by adding a new user, this is not a problem, but I would avoid some administrative work if the problem can be understood and solved technically.

By the way, thanks for helping ;)

a_p_
Leadership

That's an interesting one.

When you talk about the "administrator group", what exactly are you referring to? Is it the local Windows Administrators group, or is it an administrator group that is being used to configure permissions in the vCenter Server inventory?

Are the current user account and the one that works members of the same domain groups?

André

P4thos
Enthusiast

Hi André,

By "administrator group" I mean the one being used to configure permissions in the vCenter Server inventory.

Yes, both users are coming from the same domain group.

Thanks for helping.

a_p_
Leadership

Just to be sure I understand this correctly:

  • the vCenter Server is joined to the AD domain
  • the AD domain has been added to vCenter as an Identity Source
  • the user is a member of a global AD domain group
  • the global AD group has permissions in the inventory with "All permissions" ("Administrator" role), and "Propagate to children" is enabled

André

P4thos
Enthusiast

Hi André,

This is exactly that!

We have made some tests and we found the problem.

I'll explain what we did:

The problematic user has been cloned in the AD directory. I gave him administrator access on vSphere => same issue. Can't browse datastores.

We have changed the name of the cloned user => same issue.

We have moved that user to another OU in AD => same issue.

The problem user was part of several groups (member of) on the AD side. We removed some groups and magically everything was working!

One by one, we put back the groups until the problem reappeared. We have identified the problematic group.

It seems that if the user is a member of a particular group (in that case, the group is VPN_Access), the user is not able to browse datastores.

I don't understand what could cause that conflict! We will have a look at the VPN_Access group to see if something has changed.

a_p_
Leadership

The only thing that I can think of is that the VPN_Access group is also being used somewhere within the vCenter Server's permissions!? And this group has restricted permissions on some objects.

André

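One way to check the hypothesis in the last reply, as an added PowerCLI example that is not part of the thread: list every inventory permission whose principal is the VPN_Access group and whether the assigned role carries the Datastore.Browse privilege. The vCenter hostname is a placeholder; PowerCLI is assumed to be installed.

```powershell
# Added example, not from the thread. Audits where an AD group holds vCenter
# permissions and whether each assigned role includes Datastore.Browse.
param(
    [string]$VCenter   = 'vcenter.example.local',  # placeholder, replace with yours
    [string]$Principal = 'VPN_Access'              # group named in the thread
)

Connect-VIServer -Server $VCenter | Out-Null

# Match both DOMAIN\VPN_Access and VPN_Access@domain principal formats.
$perms = Get-VIPermission | Where-Object {
    $_.Principal -like "*\$Principal" -or $_.Principal -like "$Principal@*"
}

if (-not $perms) {
    Write-Host "No inventory permissions reference $Principal"
}

foreach ($p in $perms) {
    # Resolve the role name on the permission to its privilege list.
    $privs     = Get-VIPrivilege -Role (Get-VIRole -Name $p.Role)
    $canBrowse = [bool]($privs | Where-Object { $_.Id -eq 'Datastore.Browse' })

    [pscustomobject]@{
        Entity          = $p.Entity.Name
        EntityId        = $p.Entity.Id
        Role            = $p.Role
        Propagate       = $p.Propagate
        IsGroup         = $p.IsGroup
        DatastoreBrowse = $canBrowse
    }
}

Disconnect-VIServer -Server $VCenter -Confirm:$false
```

A row on a datastore, datastore folder or datacenter with DatastoreBrowse set to False is the restricted permission the reply is asking about; re-run with the other group names from the user's membership list to compare.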