I have a single host that is managed by vCenter 6.5, and in vCenter there is a read-only AD user defined in global permissions. The other 6.5 ESXi hosts have a local user and I'm able to connect to them.
The problem is that I cannot connect with SSH or the web UI: "Cannot complete login due to an incorrect user name or password."; "A user attempted to log in with an unknown or invalid username".
I've tried re-adding the user in vCenter and creating a local one on the host via the web UI and PowerCLI, still no luck.
I have to note that the vCenter-defined user's password doesn't meet the ESXi 6.5 complexity rules. I also tried setting "Security.PasswordQualityControl" to "retry=3 min=disabled,disabled,disabled,disabled,disabled" (it was the default) and got "a general system error occurred: Sorry, you've mistyped the password that was generated for you." while trying to create a local user on the host.
So how do I create a read-only user for monitoring?
Is the user listed when doing:
Are you sure you created the user correctly?
Log on to an ESXi host -> Manage -> Security & users -> Users -> Add user -> complete "Add a user"
Host -> Actions -> Permissions -> Add user -> enter newly created user name -> select read-only from the right drop down menu -> optional: propagate to all children
Which user did you use to add the host to vCenter? Does this account work via SSH and the Host Client?
Try the following procedure:
Security.PasswordQualityControl is already set to retry=3 min=disabled,disabled,disabled,7,7
Lockdown mode is disabled on the host
I can see my user in the host's permissions as read-only
I set a new password for my user, but I still can't log in with either SSH or the web UI
Open an SSH session as root and fire up this command:
tail -f /var/log/auth.log
Open a new SSH session and try to log in with the other user. What is the error shown on the first screen (the one with the tail command)?
[root@srv-hyp-4:~] tail -f /var/log/auth.log
2019-12-01T05:06:27Z sshd: /etc/ssh/sshd_config line 21: Unsupported option PrintLastLog
2019-12-01T05:06:27Z sshd: Connection from 172.29.129.136 port 25097
2019-12-01T05:06:31Z sshd: pam_access(sshd:auth): access denied for user `esximon' from `172.29.129.136'
2019-12-01T05:06:36Z sshd: [module:pam_lsass]pam_sm_authenticate: failed [error code:40017]
2019-12-01T05:06:37Z sshd: error: PAM: Permission denied for esximon from 172.29.129.136
2019-12-01T05:06:37Z sshd: pam_tally2(sshd:auth): user esximon (1000) tally 143, deny 5
2019-12-01T05:06:37Z sshd: pam_access(sshd:auth): access denied for user `esximon' from `172.29.129.136'
[root@srv-hyp-4:~] pam_tally2 --user esximon
Login Failures Latest failure From
esximon 145 12/01/19 05:08:03 172.29.129.136
Web ui: "Remote access for ESXi local user account 'esximon' has been locked for 900 seconds after 145 failed login attempts."
I didn't disable Zabbix monitoring for the host, but I changed the username that it uses to "esximontest", so there are logs:
But there are no similar logs for "esximon", which I created on the host, so I don't know how it could reach 150 failed login attempts.
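As an added example (not from the thread, and not a VMware tool), here is a small Python triage script that runs over the auth.log lines quoted above and tells apart the two failure modes visible in them: a pam_access rejection, which comes from an /etc/security/access.conf rule and fires before the password is checked, and a pam_tally2 lockout, which is only a running count of failures. The log lines are copied from the post; the function and field names (triage, first_failure, verdict) are mine.

```python
import re
from collections import defaultdict

# The auth.log lines quoted earlier in this thread (copied, not constructed).
SAMPLE_LOG = """\
2019-12-01T05:06:27Z sshd: /etc/ssh/sshd_config line 21: Unsupported option PrintLastLog
2019-12-01T05:06:27Z sshd: Connection from 172.29.129.136 port 25097
2019-12-01T05:06:31Z sshd: pam_access(sshd:auth): access denied for user `esximon' from `172.29.129.136'
2019-12-01T05:06:36Z sshd: [module:pam_lsass]pam_sm_authenticate: failed [error code:40017]
2019-12-01T05:06:37Z sshd: error: PAM: Permission denied for esximon from 172.29.129.136
2019-12-01T05:06:37Z sshd: pam_tally2(sshd:auth): user esximon (1000) tally 143, deny 5
2019-12-01T05:06:37Z sshd: pam_access(sshd:auth): access denied for user `esximon' from `172.29.129.136'
"""

# pam_access logs this when an /etc/security/access.conf rule rejects the user/origin pair.
ACCESS_DENIED = re.compile(
    r"^(?P<ts>\S+) sshd: pam_access\(sshd:auth\): access denied for user "
    r"`(?P<user>[^']+)' from `(?P<src>[^']+)'")
# pam_tally2 logs the running failure count and the configured lockout threshold.
TALLY = re.compile(
    r"^(?P<ts>\S+) sshd: pam_tally2\(sshd:auth\): user (?P<user>\S+) \(\d+\) "
    r"tally (?P<tally>\d+), deny (?P<deny>\d+)")


def triage(log_text):
    """Summarise PAM failures per user and name the module that rejected the login first."""
    users = defaultdict(lambda: {
        "access_denied": 0, "sources": set(), "tally": None, "deny": None, "first_failure": None})
    for line in log_text.splitlines():
        m = ACCESS_DENIED.match(line)
        if m:
            u = users[m["user"]]
            u["access_denied"] += 1
            u["sources"].add(m["src"])
            u["first_failure"] = u["first_failure"] or "pam_access"
            continue
        m = TALLY.match(line)
        if m:
            u = users[m["user"]]
            u["tally"], u["deny"] = int(m["tally"]), int(m["deny"])
            u["first_failure"] = u["first_failure"] or "pam_tally2"
    for u in users.values():
        u["locked"] = u["tally"] is not None and u["tally"] >= u["deny"]
        if u["access_denied"]:
            # access.conf rejects the user before the password is checked, so every attempt
            # fails and increments the tally; resetting the tally alone cannot fix this.
            u["verdict"] = "rejected by access.conf (pam_access); fix the rule, then reset the tally"
        elif u["locked"]:
            u["verdict"] = "locked by pam_tally2; run pam_tally2 --user <name> --reset"
        else:
            u["verdict"] = "no pam_access/pam_tally2 failure recorded"
    return dict(users)


if __name__ == "__main__":
    for name, info in triage(SAMPLE_LOG).items():
        print(name, info["verdict"], "tally", info["tally"], "from", sorted(info["sources"]))
```

Run it against a live capture with `tail -n 200 /var/log/auth.log | python3 triage.py` (after reading stdin instead of SAMPLE_LOG); the point is that "first_failure" is pam_access here, so the lockout message in the web UI is a symptom, not the cause.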
Please try to unlock your account and try again:
pam_tally2 --user esximon --reset
pam_tally2 --user esximon --reset won't help, I still can't log in
I guess the clue is in the minus?
So I just edited /etc/security/access.conf to
and now esximon is able to log in. I think the problem is solved, but I still have some questions about access.conf and its rules.
Good to read you fixed it; here is some reading on how access.conf works:
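To make the access.conf rules concrete, here is an added example (mine, not from the thread or from VMware): a Python evaluator that applies pam_access semantics to a user/origin pair. Each line is `permission : users : origins`, the first matching line wins, `+` permits and `-` denies, `ALL` is a wildcard, `EXCEPT` carves items out of a list, and if no line matches the login is permitted. The sample file content is constructed and its shape (explicit `+` lines followed by a catch-all `- : ALL : ALL`) is my assumption about what a locked-down host's file looks like, not a copy of an ESXi file; group syntax (`(wheel)`, `@wheel`) is deliberately not handled. The helper `permit_user` shows why appending a permit line at the end of the file does nothing and it has to go ahead of the deny-all line.

```python
import ipaddress

# Constructed sample in the assumed shape of a locked-down host's /etc/security/access.conf.
SAMPLE_ACCESS_CONF = """\
# permission : users : origins   (first match wins; no match means permit)
+ : root : ALL
+ : vpxuser : ALL
- : ALL : ALL
"""


def parse_access_conf(text):
    """Return a list of (permission, users, origins) tuples, comments and blank lines dropped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = [p.strip() for p in line.split(":")]
        if len(parts) < 3 or parts[0] not in ("+", "-"):
            raise ValueError(f"malformed access.conf line: {raw!r}")
        # IPv6 origins contain ':' themselves, so re-join everything after the second field.
        rules.append((parts[0], parts[1], ":".join(parts[2:])))
    return rules


def _list_matches(field, value, item_matches):
    """Match a space-separated pam_access list, honouring ALL and 'list EXCEPT list'."""
    if " EXCEPT " in f" {field} ":
        head, tail = field.split("EXCEPT", 1)
        return (_list_matches(head.strip(), value, item_matches)
                and not _list_matches(tail.strip(), value, item_matches))
    return any(item == "ALL" or item_matches(item, value) for item in field.split())


def _user_item(item, user):
    return item == user  # exact user names only; group syntax is not modelled here


def _origin_item(item, origin):
    if item == origin:
        return True
    if "/" in item:  # CIDR network, e.g. 172.29.0.0/16
        try:
            return ipaddress.ip_address(origin) in ipaddress.ip_network(item, strict=False)
        except ValueError:
            return False
    return item.endswith(".") and origin.startswith(item)  # dotted prefix such as "172.29."


def evaluate(rules, user, origin):
    """Return (permitted, matching_rule). First matching rule wins; no match permits."""
    for rule in rules:
        perm, users, origins = rule
        if _list_matches(users, user, _user_item) and _list_matches(origins, origin, _origin_item):
            return perm == "+", rule
    return True, None


def permit_user(text, user):
    """Insert '+ : user : ALL' ahead of the first catch-all deny so it is reached at all."""
    lines = text.splitlines()
    for i, raw in enumerate(lines):
        if raw.split("#", 1)[0].replace(" ", "") == "-:ALL:ALL":
            lines.insert(i, f"+ : {user} : ALL")
            break
    else:
        lines.append(f"+ : {user} : ALL")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    before = parse_access_conf(SAMPLE_ACCESS_CONF)
    after = parse_access_conf(permit_user(SAMPLE_ACCESS_CONF, "esximon"))
    print("before:", evaluate(before, "esximon", "172.29.129.136"))
    print("after: ", evaluate(after, "esximon", "172.29.129.136"))
```

A useful check after editing the real file is to run evaluate() over the monitoring user and source address you expect, then confirm with a fresh SSH attempt while tailing auth.log: the pam_access line should disappear before you bother resetting the pam_tally2 counter.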
I believe so. As long as the ESXi host is not AD joined there should be no reason for the file to change.