Solved: Re: ESXi 4.1 gss_acquire_cred failed on login - Page 2

TBKDan · ‎09-01-2010

I have an ESXi 4.1 with the free license installed on a Dell Poweredge 1950. I joined it to our Active Directory domain and everything was working great until yesterday. Whenever anybody tries to login with "Use Windows Session Credentials" it fails with a simple dialog to the client stating "gss_acquire_cred failed" and "Ok". If I manually type in DOMAIN\username and the password, it logs in just fine. This is happening on both XP and Win7 clients. I originally thought it was an isolated client issue until I started getting it as well - I then saw the errors in the hostd.log on the server. I've tried rebooting the server with no effect. Any ideas?

~~2010-09-01 14:46:03.179 3B340B90 verbose 'HTTP server'~~ Sent response for HEAD /client/clients.xml (from /usr/lib/vmware/hostd/docroot)

~~2010-09-01 14:46:03.259 3B340B90~~ error 'GSSAPI' opID=ED424956-00000003 gss_acquire_cred failed: (0x000d0000, 0x96c73aa9)

~~2010-09-01 14:46:03.259 3B340B90 info 'App' opID=ED424956-00000003~~ AdapterServer caught exception: 3b6074b0

~~2010-09-01 14:46:03.259 3B340B90 info 'Vmomi' opID=ED424956-00000003~~ Activation : Invoke done on ~~vim.SessionManager:ha-sessionmgr~~

~~2010-09-01 14:46:03.259 3B340B90 verbose 'Vmomi' opID=ED424956-00000003~~ Arg base64Token:

~~-snip~~-

~~2010-09-01 14:46:03.260 3B340B90 verbose 'Vmomi' opID=ED424956-00000003~~ Arg locale:

"en_US"

~~2010-09-01 14:46:03.260 3B340B90 info 'Vmomi' opID=ED424956-00000003~~ Throw vmodl.fault.SystemError

~~2010-09-01 14:46:03.260 3B340B90 info 'Vmomi' opID=ED424956-00000003~~ Result:

(vmodl.fault.SystemError) {

dynamicType = <unset>,

faultCause = (vmodl.MethodFault) null,

{color:#ff0000}reason = "gss_acquire_cred failed",

msg = "",

}

mkennetha · ‎01-10-2011

I finally fixed this on my rig. The /etc/krb5-affinity.conf had references to a secondary domain controller that is no longer running. After deleting that entry and restarting lsassd, everything works!

TBKDan · ‎01-10-2011

I don't have a krb5-affinity.conf in my /etc... I do have it in /etc/likewise though. The entry for kdc was correct. I tried changing it to a different domain controller's IP and then restarted lsassd... no dice Same error for me. Glad that worked for you....

mkennetha · ‎01-10-2011

... oh, yeah that was the /etc/likewise/krb5-affinity.conf file on my machine too. Sorry that didn't work for you...

I'm curious to see if my setup stays fixed....

Nigel3 · ‎01-17-2011

I am fairly new to ESXi, how did you access /etc/likewise/krb5-affinity.conf, I have tried the vSphere CLI (vifs.pl) without much luck.

arkaifish · ‎02-03-2011

hmm.. I got the same problem too... any other solutions?

Error message only appears when "Use Windows Session Credentials" is selected!!! It log on ok if manually typed in domain\username and passsword.

I got nothing in /etc/likewise/krb5-affinity.conf files. :smileyconfused: We had two ESXi 4.1 servers and both getting the same error message. It was working fine for couple months.

Thanks!

arkaifish · ‎02-04-2011

PROBLEM SOLVED!!!!!!!!! :smileylaugh:

We installed the latest VMware ESXi 4.1 Patch and fixed the problem!!!!!

http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=102702...

Nigel3 · ‎02-09-2011

Installed the patch without any luck here.

I also managed to work out how to view the /etc/likewise/krb5-affinity.conf file and all of the entries are valid.

The error I am getting is:

"Cannot complete login due to an incorrect user name or password."

I can still get in if I manually put in the username and password, anyone have any other ideas?

pmatthaei · ‎02-17-2011

I have got the same on one ESXi 4.1 server (and we have got two equal ones).

Both are up-to-date with the newest patches installed.

PGITDept · ‎03-03-2011

Another one to add to the list of people suffering this issue.

We currently have 2 ESXi 4.1 U1 hosts. One allows us to put the tick in the box to pass through user details, the other is failing with gss_aquire_cred failed: when attempting to open the vSphere client. I have spent the last two days comparing pretty much every file via SSH between the two hosts. I have uninstalled and reinstalled the vSphere client on the workstation. I can SSH in using a Windows AD account so I know that the authentication is working correctly. I can add accounts under the permissions tab and browse the list of users and computers. I can also run kinit from an SSH session and successfully authenticate with the domain.

I am loathed to reinstall ESXi on the host, I have gone through google and this is the only thread out there. I have gone through all articles I can find with regards to the gss_aquire_cred failing.

To sum up:

vSphere Client

Login via root works

Login via DOMAIN\Username and password works

Login using Use Windows session credentials fails

SSH

Login via root works

Login via username@DOMAIN.TLD works

So, has anyone managed to successfully resolve this at all?

Many thanks

Mark

pmatthaei · ‎03-03-2011

I also did the same (compare the files, restarted services, checked the system time etc) and didn't found any difference.

Then I also notified, that checking for updates with the update manager also failed.

The fix was... restarting the whole ESX host, didn't appear again..

PGITDept · ‎03-03-2011

Restart or Re-Install pmatthaei?

pmatthaei · ‎03-03-2011

Restart.

PGITDept · ‎03-03-2011

OK I have managed to resolve this without a reboot or reinstall

It was pmatthaei's post about the updates that put me in the right line. I tried an update and it returned error 10. Googling it I found a post from ThomasMc and he had problems with the /var/tmp/cache folder. I checked the var/tmp and it was missing although the link was there. So in my case the fix was to

cd /scratch

mkdir var

cd var

mkdir tmp

After that it worked a treat. I did run the find command to find missing/invalid links but for some reason this one didn't turn up. As soon as these were created I was able to scan for updates but more importantly Log in using the Windows Session credentials as we were after

Result!

Nigel3 · ‎03-03-2011

Have tried all of these suggestions without any luck, anyone have any other ideas?

TBKDan · ‎03-04-2011

My host already had the /var/tmp folder, but was missing the cache folder within there. I added it but still no difference. I did notice, however, that SSH logins using username@domain.tld does, in fact, work, even though the vSphere client throws the gss_acquire_cred failed message. Interesting....

PGITDept · ‎03-04-2011

OK from an SSH session do the following:

cd /

find . -type l | (while read FN ; do test -e "$FN" || ls -ld "$FN"; done)

If that returns any links that are missing, make sure you create all the relevant directories that will be on the right

That's all that was missing for me

TBKDan · ‎03-04-2011

I ran the snippet and found one missing link for the upgrades folder. I created the folder but I'm still getting the error

VMWareUser2011 · ‎03-08-2011

I had the same problem on my ESXi 4.1 Update 1 server managed by a vCenter server.

I resolved this problem by doing this steps:

1) Remove the ESXi server from the domain

2) Delete the computer account from AD

3) Remove the ESXi server from the vCenter server

4) Reboot the ESXi server

5) Add the ESXi server to the domain

6) Add the ESXi server to the vCenter server

Now I have no probelms connecting to the ESXi server directly with the vSphere Client with the pass through authentication method.

PS: I'm not sure if it necessary to reboot the ESXi server.

Nigel3 · ‎03-08-2011

Tried the siggestion VMWareUser2011 without any luck (although my host is a standalone and and not connected to a vCenter server, I just removed it from the domain and added it back after rebooting).

hpn99 · ‎03-09-2011

An interesting discussion is going on here now. I tried most suggestions but nothing worked on my system.

The only thing I didn't tried was to install the latest update. It seams that this also doesn't solve all variants of the problem, and with my luck ....

But I also have some more problems: My standalone ESXi's loose their recource pool configurations on a reebot. But every time the behaviour is different. sometimes it looses all resource pools, sometimes it looses only a part of the resource pools, sometimes the VM's are moved to diffrent resource pools. Yes I now it's unbelievable but that really happens.

I'm realy disappointed by the 4.1 version of the ESXi.

I also use ESX 4.0U2 with vCenter and no problems. And originaly I wanted to upgrade the 4.0U2 Systems to 4.1. But with this problems that I have with my 4.1’s, I won't do it until VMWare releases a stable 4.1.

All

ESXi 4.1 gss_acquire_cred failed on login