VMware Cloud Community
waxcab
Contributor

ESXi 6.5 cannot login with new local user

I have a single host that is managed by vCenter 6.5, and there is a read-only AD user defined in the vCenter global permissions. The other 6.5 ESXis have a local user and I'm able to connect to them.

The problem is that I cannot connect with ssh or web ui "Cannot complete login due to an incorrect user name or password."; "A user attempted to log in with an unknown or invalid username".

I've tried re-adding user in vCenter, creating local one on host via web ui and powercli, still no luck.

I have to note that the vCenter-defined user's password doesn't meet ESXi 6.5 complexity. I also tried setting "Security.PasswordQualityControl" to "retry=3 min=disabled,disabled,disabled,disabled,disabled" (it was default) and got "a general system error occurred: Sorry, you've mistyped the password that was generated for you." while trying to create a local user on the host.

So how do I create a read-only user for monitoring?

1 Solution

Accepted Solutions
KabirAli82
Expert

Is the user listed when doing:

cat /etc/security/access.conf


Was I helpful? Give a kudo for appreciation!
Braindumping @ http://kablog.nl/
Tweeting @ https://twitter.com/_Kabir_Ali_


17 Replies
rahul_vlp
Enthusiast

waxcab Asking the question in the right community will help you get a quicker answer.

Try posting the question under the VMware vSphere™ Forum.

KabirAli82
Expert

Are you sure you created the user correctly?

Log on to an ESXi host -> Manage -> Security & users -> Users -> Add user -> complete "Add a user"

When completed:

Host -> Actions -> Permissions -> Add user -> enter newly created user name -> select read-only from the right drop down menu -> optional: propagate to all children


Was I helpful? Give a kudo for appreciation!
Braindumping @ http://kablog.nl/
Tweeting @ https://twitter.com/_Kabir_Ali_
vMarkusK1985
Expert

Which user have you used to add the Host to vCenter? Does this Account work via SSH and Host Client?

https://mycloudrevolution.com | https://twitter.com/vMarkus_K | https://github.com/vMarkusK
waxcab
Contributor

I'm sure, I made exactly these steps as root, which can log in via ssh.

vMarkusK1985
Expert

Try the following procedure:

  1. Set "Security.PasswordQualityControl" -> "retry=3 min=disabled,disabled,disabled,7,7" (Example: ESXi Passwords and Account Lockout)
  2. Make sure Lockdown mode is not enabled
  3. Reset the password of the new user via SSH (passwd <your user>) as root
  4. Try login via SSH with the new user
https://mycloudrevolution.com | https://twitter.com/vMarkus_K | https://github.com/vMarkusK
waxcab
Contributor

Security.PasswordQualityControl is already set to retry=3 min=disabled,disabled,disabled,7,7

Lockdown mode disabled on host

I can see my user in host's permission as read-only

I set a new password for my user, but still can't log in with either ssh or web ui

KabirAli82
Expert

Open an SSH session as root and fire up this command:

tail -f /var/log/auth.log

Open a new SSH session and try to log in with the other user. What is the error shown in the first screen (the one with the tail command)?


Was I helpful? Give a kudo for appreciation!
Braindumping @ http://kablog.nl/
Tweeting @ https://twitter.com/_Kabir_Ali_
vMarkusK1985
Expert

The account may be locked:

pam_tally2 --user root

https://mycloudrevolution.com | https://twitter.com/vMarkus_K | https://github.com/vMarkusK
waxcab
Contributor

[root@srv-hyp-4:~] tail -f /var/log/auth.log
2019-12-01T05:06:27Z sshd[1141668]: /etc/ssh/sshd_config line 21: Unsupported option PrintLastLog
2019-12-01T05:06:27Z sshd[1141668]: Connection from 172.29.129.136 port 25097
2019-12-01T05:06:31Z sshd[1141670]: pam_access(sshd:auth): access denied for user `esximon' from `172.29.129.136'
2019-12-01T05:06:36Z sshd[1141670]: [module:pam_lsass]pam_sm_authenticate: failed [error code:40017]
2019-12-01T05:06:37Z sshd[1141668]: error: PAM: Permission denied for esximon from 172.29.129.136
2019-12-01T05:06:37Z sshd[1141672]: pam_tally2(sshd:auth): user esximon (1000) tally 143, deny 5
2019-12-01T05:06:37Z sshd[1141672]: pam_access(sshd:auth): access denied for user `esximon' from `172.29.129.136'

[root@srv-hyp-4:~] pam_tally2 --user esximon
Login           Failures Latest failure     From
esximon           145    12/01/19 05:08:03  172.29.129.136

Web ui: "Remote access for ESXi local user account 'esximon' has been locked for 900 seconds after 145 failed login attempts."

I didn't disable zabbix monitoring for host, but changed username that it uses to "esximontest" so there are logs:

Cannot login esximontest@172.29.129.250

But there are no similar logs for "esximon" that I created on the host, so I don't know how it could reach 150 failed login attempts.

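The auth.log excerpt above carries two separate signals that are easy to conflate: pam_access denials (a rule in /etc/security/access.conf rejected the user before any password check) and the pam_tally2 counter (tally 143 against deny 5, i.e. the account is also locked). As an added triage example, not code from the thread, the script below parses the message formats shown in the post and reports both per user. The sample log lines are copied from the post; the function names, the regular expressions and the `diagnose` wording are my own.

```python
"""Triage helper for ESXi 6.5 sshd/PAM lines in /var/log/auth.log.

Added example, not code from the thread. It recognises only the two message
formats quoted on the page (pam_access denials and pam_tally2 counters);
anything else is ignored.
"""
import re
from collections import defaultdict

# Sample input: the lines quoted in the thread (not a live capture).
SAMPLE_AUTH_LOG = """\
2019-12-01T05:06:27Z sshd[1141668]: /etc/ssh/sshd_config line 21: Unsupported option PrintLastLog
2019-12-01T05:06:27Z sshd[1141668]: Connection from 172.29.129.136 port 25097
2019-12-01T05:06:31Z sshd[1141670]: pam_access(sshd:auth): access denied for user `esximon' from `172.29.129.136'
2019-12-01T05:06:36Z sshd[1141670]: [module:pam_lsass]pam_sm_authenticate: failed [error code:40017]
2019-12-01T05:06:37Z sshd[1141668]: error: PAM: Permission denied for esximon from 172.29.129.136
2019-12-01T05:06:37Z sshd[1141672]: pam_tally2(sshd:auth): user esximon (1000) tally 143, deny 5
2019-12-01T05:06:37Z sshd[1141672]: pam_access(sshd:auth): access denied for user `esximon' from `172.29.129.136'
"""

# "<timestamp> <process>[<pid>]: <message>"
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<proc>\w+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# pam_access(sshd:auth): access denied for user `NAME' from `ORIGIN'
ACCESS_RE = re.compile(
    r"pam_access\((?P<svc>[^:]+):auth\): access denied for user "
    r"`(?P<user>[^']+)' from `(?P<src>[^']+)'"
)
# pam_tally2(sshd:auth): user NAME (UID) tally N, deny M
TALLY_RE = re.compile(
    r"pam_tally2\((?P<svc>[^:]+):auth\): user (?P<user>\S+) \(\d+\) "
    r"tally (?P<tally>\d+), deny (?P<deny>\d+)"
)


def _new_record():
    return {"access_denied": 0, "sources": set(), "tally": None,
            "deny": None, "last_seen": None}


def triage(log_text):
    """Return {user: record} summarising pam_access denials and pam_tally2 state."""
    users = defaultdict(_new_record)
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        msg, ts = m.group("msg"), m.group("ts")
        a = ACCESS_RE.search(msg)
        if a:
            rec = users[a.group("user")]
            rec["access_denied"] += 1
            rec["sources"].add(a.group("src"))
            rec["last_seen"] = ts
            continue
        t = TALLY_RE.search(msg)
        if t:
            rec = users[t.group("user")]
            # pam_tally2 logs the running counter; keep the latest value seen.
            rec["tally"] = int(t.group("tally"))
            rec["deny"] = int(t.group("deny"))
            rec["last_seen"] = ts
    return dict(users)


def diagnose(rec):
    """Map a record to the checks a host admin should run, most fundamental first."""
    findings = []
    if rec["access_denied"]:
        # A pam_access denial happens before the password is ever checked, so
        # resetting the tally or the password alone will not clear it.
        findings.append("pam_access denied: check the user's rule in /etc/security/access.conf")
    if rec["tally"] is not None and rec["deny"] is not None and rec["tally"] >= rec["deny"]:
        findings.append(
            f"locked by pam_tally2 (tally {rec['tally']} >= deny {rec['deny']}): "
            f"pam_tally2 --user <user> --reset"
        )
    return findings


if __name__ == "__main__":
    for user, rec in triage(SAMPLE_AUTH_LOG).items():
        print(user, rec["access_denied"], "denials from", sorted(rec["sources"]))
        for line in diagnose(rec):
            print("  -", line)
```

Run against the sample, `esximon` shows two pam_access denials from 172.29.129.136 and a tally of 143 against a deny threshold of 5; `diagnose` lists the access.conf check first because, as the thread later shows, the tally reset on its own does not restore the login.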
vMarkusK1985
Expert

Please try to unlock your account and try again:

pam_tally2 --user esximon --reset

https://mycloudrevolution.com | https://twitter.com/vMarkus_K | https://github.com/vMarkusK
KabirAli82
Expert

Is the user listed when doing:

cat /etc/security/access.conf


Was I helpful? Give a kudo for appreciation!
Braindumping @ http://kablog.nl/
Tweeting @ https://twitter.com/_Kabir_Ali_
waxcab
Contributor

pam_tally2 --user esximon --reset won't help, still can't log in

cat /etc/security/access.conf
+:dcui:ALL
+:root:ALL
+:vpxuser:ALL
+:vslauser:ALL
-:esximon:ALL
-:ALL:ALL

I guess the clue is in the minus?

waxcab
Contributor

So I just edited cat /etc/security/access.conf to

+:dcui:ALL
+:root:ALL
+:vpxuser:ALL
+:vslauser:ALL
+:esximon:ALL
-:ALL:ALL

and now esximon is able to login. I think the problem is solved but I still have some questions about the access.conf and its rules.

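The two access.conf listings above (the `-:esximon:ALL` that blocked the login and the `+:esximon:ALL` that fixed it) are a compact illustration of pam_access's first-match evaluation: rules are read top to bottom, the first line whose user and origin fields both match decides, and the trailing `-:ALL:ALL` only applies to users no earlier line mentioned. The evaluator below is an added example, not code from the thread or from pam_access itself; it implements only the subset of the format used on the page (`permission:users:origins` with `ALL`, `LOCAL`, exact or trailing-dot prefix origins, and space-separated user names; netgroups, `EXCEPT` and `@host` are left out). `first_match`, `is_allowed` and `grant_all_origins` are my names, and `grant_all_origins` reproduces the edit made in the post.

```python
"""Minimal first-match evaluator for /etc/security/access.conf rules.

Added example, not the thread's or pam_access's own code. Supported subset:
  permission ':' users ':' origins
  permission  = '+' (allow) or '-' (deny)
  users       = space-separated user names, or ALL
  origins     = ALL, LOCAL (origin contains no '.'), an exact string, or a
                prefix ending in '.' such as 172.29.
Not implemented: netgroups, group names in parentheses, EXCEPT, @host.
"""

# The listing quoted in the thread before the fix (sample input).
ORIGINAL_CONF = """\
+:dcui:ALL
+:root:ALL
+:vpxuser:ALL
+:vslauser:ALL
-:esximon:ALL
-:ALL:ALL
"""


def parse_rules(conf_text):
    """Yield (line_number, allow, user_tokens, origin_tokens); comments and blanks skipped."""
    rules = []
    for lineno, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(":", 2)
        if len(parts) != 3 or parts[0] not in ("+", "-"):
            raise ValueError(f"line {lineno}: malformed rule {raw!r}")
        perm, users, origins = parts
        rules.append((lineno, perm == "+", users.split(), origins.split()))
    return rules


def _user_matches(tokens, user):
    return any(tok == "ALL" or tok == user for tok in tokens)


def _origin_matches(tokens, origin):
    for tok in tokens:
        if tok == "ALL":
            return True
        if tok == "LOCAL":
            if "." not in origin:
                return True
        elif origin == tok or (tok.endswith(".") and origin.startswith(tok)):
            return True
    return False


def first_match(conf_text, user, origin):
    """Return (line_number, allow) of the first rule matching user and origin, or None."""
    for lineno, allow, users, origins in parse_rules(conf_text):
        if _user_matches(users, user) and _origin_matches(origins, origin):
            return lineno, allow
    return None


def is_allowed(conf_text, user, origin):
    m = first_match(conf_text, user, origin)
    # pam_access grants access when no rule matches at all (access.conf(5)).
    return True if m is None else m[1]


def grant_all_origins(conf_text, user):
    """Return a copy of conf_text that permits `user` from any origin.

    Mirrors the edit made in the thread: an explicit '-:user:' rule is turned
    into '+'. If the user has no explicit rule, a '+:user:ALL' line is inserted
    ahead of the first rule that would otherwise match it (usually -:ALL:ALL),
    so the catch-all deny stays last.
    """
    lines = conf_text.splitlines()
    for i, line in enumerate(lines):
        if line.startswith(f"-:{user}:"):
            lines[i] = "+" + line[1:]
            break
    else:
        hit = first_match(conf_text, user, "ALL")
        idx = len(lines) if hit is None else hit[0] - 1
        lines.insert(idx, f"+:{user}:ALL")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for conf in (ORIGINAL_CONF, grant_all_origins(ORIGINAL_CONF, "esximon")):
        print("esximon from 172.29.129.136 ->", first_match(conf, "esximon", "172.29.129.136"))
```

With the original listing, `esximon` is decided by line 5 (deny) and never reaches the password check, which is why resetting pam_tally2 and the password did not help; after `grant_all_origins` the same line allows, while a user with no rule of its own still falls through to the final `-:ALL:ALL`.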
KabirAli82
Expert

Good to read you fixed it, here is some reading on how access.conf works:

https://linux.die.net/man/5/access.conf


Was I helpful? Give a kudo for appreciation!
Braindumping @ http://kablog.nl/
Tweeting @ https://twitter.com/_Kabir_Ali_
vMarkusK1985
Expert

Is this change persistent on ESXi?

https://mycloudrevolution.com | https://twitter.com/vMarkus_K | https://github.com/vMarkusK
KabirAli82
Expert

I believe so. As long as the ESXi host is not AD joined there should be no reason for the file to change.


Was I helpful? Give a kudo for appreciation!
Braindumping @ http://kablog.nl/
Tweeting @ https://twitter.com/_Kabir_Ali_
Paulo974
Contributor

Hi,

I had the same problem as initially described here. I also changed /etc/security/access.conf but there is this line present at the very top:

# This file is autogenerated and must not be edited.

Therefore, my changes are always wiped out. How can I make this persistent? Which service/process is changing this file?

Thanks.
