VMware Cloud Community
Roger1001
Contributor

Adding ESXi node to vSphere

I have deployed some new test systems using the latest ESXi (7.03c) and vSphere (client reports 7.0.3.00600) and they are all set up with the shipped eval licenses.

The vSphere web client can import the ESXi node with no problem if I use the default root account on the ESXi node, but if I create another admin account on the ESXi node the import process fails with a pop-up box right at the end of the process:

  • Task name: Add standalone host
  • Target: Datacenter
  • Status: Cannot complete login due to an incorrect user name or password.

The same info gets added to the Recent task list.

This new account allows the import process to connect and access details such as license details and the VM list, so it is a working account, and at the ESXi CLI 'esxcli system permission list' the account is shown as Admin with full access rights.

Has anyone got any hints on what to do next?

8 Replies
crmercado
Enthusiast

The error it reports is a user and password problem. Can you verify the SSH or UI connection to the host with that new user?

Roger1001
Contributor

The new account correctly ends up with admin/root access to the ESXi console and SSH sessions. As I noted, esxcli shows that it has exactly the same permissions as the root account.

continuum
Immortal

> The vSphere web client can import the ESXi node with no problem if I use the default root account on the ESXi node,

If you already added the host to vCenter, why do it again?
Can't you claim: Mission accomplished and call it a day?

________________________________________________
Do you need support with a VMFS recovery problem ? - send a message via skype "sanbarrow"
I do not support Workstation 16 at this time ...

Kinnison
Expert

Hi,

May help to take a look at this article titled: Adding ESXi 7 to vCenter Server with non-root user (79905), https://kb.vmware.com/s/article/79905

Maybe I'm wrong (it happens), I think the reason for the request from the OP is to avoid using the default ROOT account for certain activities unless absolutely necessary.

Regards,
Ferdinando

Roger1001
Contributor

> If you already added the host to vCenter, why do it again?
> Can't you claim: Mission accomplished and call it a day?

Because when you are renting a hosted server that only has services on a public IP address, the use of root as an account is not that helpful. Add in the need to support a number of home workers who are all working from home with changing IP addresses, and it all gets rather complicated.

All in all, it would help if VMware would consider environments beyond the nice old days of dedicated data centres behind layers of dedicated firewalls and security gateways.

Even in a nice safe dedicated environment, rather a lot of businesses now have a firm IT security policy that is 'DO NOT USE ROOT', so this limitation is a problem.

Roger1001
Contributor

> May help to take a look at this article titled: Adding ESXi 7 to vCenter Server with non-root user (79905), https://kb.vmware.com/s/article/79905

Thanks, that script looks complicated enough to be the right answer in a VMware world, so I'll give it a try tomorrow and let you know the outcome.

Kinnison
Expert

Hi,

IMHO, a good approach shared by many people is to not use accounts with privileges beyond what is necessary, and to use as little as possible (i.e. do without them as much as you can) any kind of default "administrative account". With certain login credentials, the less they circulate the better, and from my point of view it is a principle that is as valid today as it was a few decades ago.

It is the method I used in the context of my computer lab when I implemented vSphere 7.0GA.


Regards,
Ferdinando

Roger1001
Contributor

> May help to take a look at this article titled: Adding ESXi 7 to vCenter Server with non-root user (79905), https://kb.vmware.com/s/article/79905

Yes, this script does seem to solve the problem. While it is not clear from the text shown in the script, it promotes an already defined user to one that vSphere can use to manage its session to an ESXi server.

The outcome of this is:

- bad - there is a hidden permission that does not show up in the ESXi GUI that grants a defined account the right to be used as a means for vSphere to connect to the ESXi node.

- good - all the other visible permissions/roles that can be seen from the ESXi GUI are honoured, so an account with just read-only access cannot be used to link vSphere to ESXi.
