VMware Cloud Community
VirtualChadd
Contributor

AD authentication problems - big tokens

Hello,

I've been struggling with this issue for a bit, and wanted to see if anyone has encountered this. We have a few ESXi 6.0 boxes that we want to join to our domain so we can leverage our existing security groups and user accounts. Adding the servers to AD went fine, but I can't authenticate with domain credentials. I can search the domain for users and groups and add permissions for them, but if I attempt to log into a server with domain credentials I get "wrong user name or password" errors.

The following messages appear in syslog. I'm assuming I need to change the max packet size, and I believe that is located in /etc/likewise/openldap/ldap.conf, but I get write errors when editing the file. Right now I'm looking at creating a VIB file to overwrite ldap.conf, but I'm hoping there is an easier way.

Any ideas/help would be life saving. Thanks!

2016-04-11T23:07:45Z lwsmd: [netlogon] Looking for a DC in domain 'EN.AD.FAKEDOMAIN.COM', site '<null>' with flags 0

2016-04-11T23:07:47Z lwsmd: [netlogon] Determining the current time for domain 'EN.AD.FAKEDOMAIN.COM'

2016-04-11T23:07:47Z lwsmd: [netlogon] Looking for a DC in domain 'EN.AD.FAKEDOMAIN.COM', site '<null>' with flags 10

2016-04-11T23:07:49Z lwsmd: [lsass] Delayed backup scheduled

2016-04-11T23:07:49Z lwsmd: encoded packet size too big (6212 > 4096)

2016-04-11T23:07:49Z lwsmd: [netlogon] Looking for a DC in domain 'EN.AD.FAKEDOMAIN.COM', site '<null>' with flags 0

2016-04-11T23:07:49Z lwsmd: [lsass] Clearing ldap DC connection list for domain 'EN.AD.FAKEDOMAIN.COM' due to a network error.

2016-04-11T23:07:49Z lwsmd: encoded packet size too big (6212 > 4096)

2016-04-11T23:07:49Z lwsmd: [lsass] Error code 40286 occurred during attempt 1 of a ldap search. Retrying.

2016-04-11T23:07:49Z lwsmd: [lsass] Clearing ldap DC connection list for domain 'EN.AD.FAKEDOMAIN.COM' due to a network error.

2016-04-11T23:07:49Z lwsmd: encoded packet size too big (6212 > 4096)

2016-04-11T23:07:49Z lwsmd: [lsass] Clearing ldap DC connection list for domain 'EN.AD.FAKEDOMAIN.COM' due to a network error.

2016-04-11T23:07:49Z lwsmd: encoded packet size too big (6212 > 4096)

2016-04-11T23:07:49Z lwsmd: [lsass] Failed to group memberships of SID=S-1-5-21-2818305011-3454714370-2203712527-25848. [error code:40286]

2016-04-11T23:07:49Z lwsmd: [lsass] Failed to authenticate user (name = 'EN\fakeuser') -> error = 40286, symbol = LW_ERROR_LDAP_SERVER_DOWN, client pid = 34128

5 Replies
Techie01
Hot Shot

Are you seeing this issue in 6.0 Update 1 or 6.0 Update 2? Can you share the 'vmware -lv' output?

wraydroth
Contributor

Hello,

Having the same issue - syslog is also saying that the token size is too big.

Syslog output (I replaced domain name):

2016-05-04T11:49:10Z lwsmd: [lsass] Error code 40286 occurred during attempt 0 of a ldap search. Retrying.

2016-05-04T11:49:10Z lwsmd: [netlogon] Looking for a DC in domain 'DOMAIN', site '<null>' with flags 0

2016-05-04T11:49:10Z lwsmd: [lsass] Clearing ldap DC connection list for domain 'DOMAIN' due to a network error.

2016-05-04T11:49:10Z lwsmd: encoded packet size too big (7142 > 4096)

2016-05-04T11:49:10Z lwsmd: [lsass] Error code 40286 occurred during attempt 1 of a ldap search. Retrying.

2016-05-04T11:49:10Z lwsmd: [netlogon] Looking for a DC in domain 'DOMAIN', site '<null>' with flags 0

2016-05-04T11:49:10Z lwsmd: [lsass] Clearing ldap DC connection list for domain 'DOMAIN' due to a network error.

2016-05-04T11:49:10Z lwsmd: encoded packet size too big (7142 > 4096)

2016-05-04T11:49:10Z lwsmd: [lsass] Error code 40286 occurred during attempt 2 of a ldap search. Retrying.

2016-05-04T11:49:10Z lwsmd: [netlogon] Looking for a DC in domain 'DOMAIN', site '<null>' with flags 0

2016-05-04T11:49:10Z lwsmd: [lsass] Clearing ldap DC connection list for domain 'DOMAIN' due to a network error.

2016-05-04T11:49:10Z lwsmd: encoded packet size too big (7142 > 4096)

Output from vmware -lv:

VMware ESXi 6.0.0 build-3620759

VMware ESXi 6.0.0 Update 2

Did you have any luck changing the max token size at /etc/likewise/openldap/ldap.conf? Because, as you said, it's a read-only file and I didn't find a way to change it.

Or did you find any other solution?

Thanks,

WellesleySysAdm
Contributor

I am experiencing a similar problem with ESXi 6.0.0 Update 2 (build 3825889) with regard to authentication problems, and I have similar errors for large token sizes. I was able to change the contents of the ldap.conf file by:

- rename the file ($ mv ldap.conf oldldap.conf)

- create a new ldap.conf file with new information ($ sed -e 's/4096/8192/' oldldap.conf > ldap.conf)

- delete the previous ldap.conf file ($ rm oldldap.conf).

However, this does not appear to have alleviated my problems. If you try this method to change the file, could you respond as to whether it provides any relief for the authentication issues?

WellesleySysAdm
Contributor

I was able to replace the 'ldap.conf' file (rather than modify it), but it was overwritten with the original value on restart.

lhuk
Contributor

I too was experiencing similar problems. This bug is now covered in KB2145400:

VMware KB: Actions performed against Active Directory may fail after upgrading to ESXi 6.0 Update 2

However the information in this thread also helped because in my case:

lwsmd: encoded packet size too big (25574 > 4096)

Setting the buffer to a sufficiently large size does the trick. This memory limit issue has plagued ESXi for several versions now when used with large AD structures. The trouble is that it seems it is no longer trivial to increase the tiny default memory reservation. Good job this is not an enterprise product... ;)

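Before changing any buffer size, it helps to know the largest token lwsmd actually tried to encode, since the number in the "encoded packet size too big (N > 4096)" line is the size that the buffer must accommodate (6212, 7142 and 25574 in the posts above). The following POSIX sh script is an added example, not code from the thread or from VMware: it scans syslog text for those lines, reports the largest encoded packet size and the limit lwsmd enforced, and computes the smallest power-of-two buffer that would fit. The log lines embedded in it are constructed from the shapes quoted in this thread; the functions only parse the message format, they do not change any setting.

```shell
#!/bin/sh
# Added example: triage "encoded packet size too big" errors from lwsmd.
# Works in busybox ash (the ESXi shell) as well as bash/dash.

# Constructed sample, modelled on the lines quoted in this thread.
SAMPLE_LOG='2016-04-11T23:07:49Z lwsmd: [lsass] Delayed backup scheduled
2016-04-11T23:07:49Z lwsmd: encoded packet size too big (6212 > 4096)
2016-05-04T11:49:10Z lwsmd: encoded packet size too big (7142 > 4096)
2016-05-04T11:49:10Z lwsmd: [lsass] Error code 40286 occurred during attempt 1 of a ldap search. Retrying.
2016-06-01T09:00:00Z lwsmd: encoded packet size too big (25574 > 4096)'

# largest_token LOGTEXT -> largest N seen in "too big (N > LIMIT)", 0 if none.
largest_token() {
    printf '%s\n' "$1" | awk '
        /encoded packet size too big \(/ {
            n = $0
            sub(/.*too big \(/, "", n)   # drop everything up to "("
            sub(/ >.*/, "", n)           # keep only N
            if (n + 0 > max) max = n + 0
        }
        END { print max + 0 }'
}

# enforced_limit LOGTEXT -> the LIMIT lwsmd applied (first match), 0 if none.
enforced_limit() {
    printf '%s\n' "$1" | awk '
        /encoded packet size too big \(/ {
            l = $0
            sub(/.*> /, "", l)           # drop everything up to "> "
            sub(/\).*/, "", l)           # keep only LIMIT
            print l + 0; found = 1; exit
        }
        END { if (!found) print 0 }'
}

# buffer_for N -> smallest power of two (starting at 4096) that is >= N.
# Group memberships grow over time, so treat this as a floor, not a target.
buffer_for() {
    size=4096
    while [ "$size" -lt "$1" ]; do
        size=$((size * 2))
    done
    echo "$size"
}

# report LOGTEXT -> human-readable summary on stdout.
report() {
    max=$(largest_token "$1")
    lim=$(enforced_limit "$1")
    if [ "$max" -eq 0 ]; then
        echo "no oversized-token errors found"
        return 0
    fi
    echo "largest encoded packet: $max bytes (lwsmd limit: $lim)"
    echo "smallest power-of-two buffer that fits: $(buffer_for "$max") bytes"
    return 0
}

report "$SAMPLE_LOG"
```

On a live host the same functions can be fed the real log, for example `report "$(grep 'lwsmd' /var/log/syslog.log)"`. The largest value reported is driven by the user with the most (nested) group memberships who has tried to log in so far, so a buffer that barely fits today's maximum will fail again for the next user who gets added to a few more groups.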