VMware Cloud Community
ricardomarques
Contributor

ESXi 5.5 - authentication problem

Hi

Today one user complained that he cannot log in with domain credentials to an ESXi 5.5 host.

I have tried to connect with my domain\username and password to the ESXi 5.5 host (we don't have vCenter), but it failed with this message: "cannot complete the login due to an incorrect username or password". I know my password is correct because when I choose the option "Use Windows session credentials" I can connect successfully. I don't know how long we have had this problem because I use a local user to connect to the ESXi host.

In the hostd.log I have this:

2015-04-07T11:54:21.673Z [35940B70 verbose 'Hostsvc.ResourcePool ha-root-pool'] Root pool capacity changed from 40658MHz/156256MB to 40658MHz/156255MB

2015-04-07T11:54:34.949Z [34F40B70 verbose 'Solo.HttpSvc.HTTPService'] HTTP Response: Auto-completing at 425/425 bytes

2015-04-07T11:54:34.949Z [34F40B70 verbose 'HTTP server'] Sent response for HEAD /client/clients.xml (from /usr/lib/vmware/hostd/docroot/)

2015-04-07T11:54:35.856Z [35940B70 verbose 'Cimsvc'] Ticket issued for CIMOM version 1.0, user root

2015-04-07T11:54:37.089Z [36D40B70 verbose 'Default' opID=C3C88A36-00000001] AdapterServer: target='vim.ServiceInstance:ServiceInstance', method='retrieveContent'

2015-04-07T11:54:37.161Z [36D40B70 verbose 'Default' opID=C3C88A36-00000002] AdapterServer: target='vim.ServiceInstance:ServiceInstance', method='retrieveInternalContent'

2015-04-07T11:54:37.460Z [36D40B70 verbose 'Default' opID=C3C88A36-00000003] AdapterServer: target='vim.SessionManager:ha-sessionmgr', method='login'

pam_per_user: create_subrequest_handle(): doing map lookup for user "domain\username"

pam_per_user: create_subrequest_handle(): creating new subrequest (user="domain\username", service="system-auth-generic")

pam_per_user: create_subrequest_handle(): doing map lookup for user "domain\username"

[module:pam_lsass]pam_sm_acct_mgmt failed [login:<null>][error code:40024]

Rejected password for user domain\username from ip_address

2015-04-07T11:54:37.494Z [36D40B70 info 'Vimsvc.ha-eventmgr' opID=C3C88A36-00000003] Event 7536 : Cannot login domain\username@ip_address

2015-04-07T11:54:39.136Z [FFFF6920 info 'Snmpsvc'] UpdateStats: report cimom converter stats started

2015-04-07T11:54:39.137Z [FFFF6920 info 'Snmpsvc'] DumpStats: cimom stats file /tmp/.cvtcimsnmp.xml generated, size 301 bytes.

2015-04-07T11:54:39.137Z [FFFF6920 info 'Snmpsvc'] PublishReport: file /tmp/.cvtcimsnmp.xml published as /tmp/cvtcimsnmp.xml

2015-04-07T11:54:39.137Z [FFFF6920 info 'Snmpsvc'] DumpStats: cimom stats file published

2015-04-07T11:54:39.137Z [FFFF6920 info 'Snmpsvc'] NotifyAgent: write(106, /var/run/snmp.ctl, N) 1 bytes to snmpd

2015-04-07T11:54:39.137Z [FFFF6920 info 'Snmpsvc'] UpdateStats: report cimom converter stats completed

2015-04-07T11:54:40.167Z [FFFF6920 verbose 'Hostsvc.DvsManager'] PersistAllDvsInfo called

2015-04-07T11:54:41.497Z [36D40B70 info 'Solo.Vmomi'] Activation [N5Vmomi10ActivationE:0x1f51ebb0] : Invoke done [login] on [vim.SessionManager:ha-sessionmgr]

2015-04-07T11:54:41.497Z [36D40B70 verbose 'Solo.Vmomi'] Arg userName:

--> "domain\username"

2015-04-07T11:54:41.497Z [36D40B70 verbose 'Solo.Vmomi'] Arg password:

--> (not shown)

-->

2015-04-07T11:54:41.497Z [36D40B70 verbose 'Solo.Vmomi'] Arg locale:

--> "en_US"

2015-04-07T11:54:41.497Z [36D40B70 info 'Solo.Vmomi'] Throw vim.fault.InvalidLogin

2015-04-07T11:54:41.497Z [36D40B70 info 'Solo.Vmomi'] Result:

--> (vim.fault.InvalidLogin) {

-->    dynamicType = <unset>,

-->    faultCause = (vmodl.MethodFault) null,

-->    msg = "",

--> }

Regards.

Ricardo Marques

7 Replies
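The hostd.log excerpt in the question can be triaged mechanically. The following is an added example, not part of the original thread and not VMware tooling: it pairs each "Cannot login" event with the untimestamped PAM lines that precede it and reports which PAM module and stage failed. The names `failed_logins`, `summarize` and `STAGE` are hypothetical, and the line layout is assumed from the posted excerpt only.

```python
import re
from collections import Counter

# Lines copied from the hostd.log excerpt in the post, wrap breaks rejoined.
SAMPLE = r"""
2015-04-07T11:54:37.460Z [36D40B70 verbose 'Default' opID=C3C88A36-00000003] AdapterServer: target='vim.SessionManager:ha-sessionmgr', method='login'
pam_per_user: create_subrequest_handle(): creating new subrequest (user="domain\username", service="system-auth-generic")
[module:pam_lsass]pam_sm_acct_mgmt failed [login:<null>][error code:40024]
Rejected password for user domain\username from ip_address
2015-04-07T11:54:37.494Z [36D40B70 info 'Vimsvc.ha-eventmgr' opID=C3C88A36-00000003] Event 7536 : Cannot login domain\username@ip_address
2015-04-07T11:54:39.136Z [FFFF6920 info 'Snmpsvc'] UpdateStats: report cimom converter stats started
"""

# Standard PAM module entry points -> the stage of the PAM stack that failed.
STAGE = {
    "pam_sm_authenticate": "authentication",
    "pam_sm_acct_mgmt": "account management",
    "pam_sm_open_session": "session",
    "pam_sm_chauthtok": "password change",
}
PAM_FAIL = re.compile(r"^\[module:(?P<module>\w+)\](?P<hook>pam_sm_\w+) failed .*\[error code:(?P<code>\d+)\]")
REJECTED = re.compile(r"^Rejected password for user (?P<user>\S+) from (?P<src>\S+)")
# Greedy user group keeps UPN logins (user@domain@source) intact.
EVENT = re.compile(r"^(?P<ts>\S+Z) \[\w+ \w+ '[^']+'(?: opID=(?P<opid>[^\]\s]+))?\] "
                   r"Event \d+ : Cannot login (?P<user>.+)@(?P<src>\S+)$")

def failed_logins(log_text):
    """Return one record per 'Cannot login' event, with the PAM failure before it."""
    records, pam, rejected = [], None, None
    for line in log_text.splitlines():
        line = line.strip()
        if m := PAM_FAIL.match(line):
            pam = m.groupdict()
        elif m := REJECTED.match(line):
            rejected = m.groupdict()
        elif m := EVENT.match(line):
            rec = m.groupdict()
            # PAM lines carry no timestamp or opID; trust them only if the user matches.
            same = rejected is not None and rejected["user"] == rec["user"]
            rec["pam_module"] = pam["module"] if pam and same else None
            rec["pam_stage"] = STAGE.get(pam["hook"], pam["hook"]) if pam and same else None
            rec["pam_error"] = int(pam["code"]) if pam and same else None
            records.append(rec)
            pam = rejected = None
    return records

def summarize(records):
    """Count failures per (user, source, stage, error) to spot repeats."""
    return Counter((r["user"], r["src"], r["pam_stage"], r["pam_error"]) for r in records)

if __name__ == "__main__":
    for key, n in summarize(failed_logins(SAMPLE)).items():
        print(n, key)
```

On the posted excerpt this reports a single failure from `pam_lsass` in the account management hook with error code 40024; the code's meaning is not interpreted here.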
BenLiebowitz
Expert

If you go to Configuration - Authentication Services, is the host still connected to the domain? Have you verified the computer account still exists in AD?

Ben Liebowitz, VCP vExpert 2015, 2016, & 2017 If you found my post helpful, please mark it as helpful or answered to award points.
ricardomarques
Contributor

Hi

The computer account exists and the host is still connected to the domain, because if I choose to connect with my Windows credentials I can connect. The problem is: we have 2 accounts per user, one for the Windows desktop and another to connect to ESXi hosts.

I don't know if the problem was this patch, KB3002657. I installed it in the last week of March but I did not test whether I could connect to ESXi with domain credentials.

Regards.

Ricardo Marques

BenLiebowitz
Expert

So you can connect with your domain credentials but the user cannot?  Did you verify that the user has rights?

ricardomarques
Contributor

Hi

If I choose the option to connect with Windows session credentials I can connect, but if I choose to manually enter the username and password it fails (I have tried with the same user that I'm logged in with on my Windows desktop).

Regards.

Ricardo Marques

BenLiebowitz
Expert

If you're connecting with domain authentication, you need to pass the credentials in the DOMAIN\username or username@domain.com format.

ricardomarques
Contributor

Hi

After running services.sh restart, I can now log in with both accounts.

Regards.

Ricardo Marques

BenLiebowitz
Expert

Heh, it's funny what restarting the management agents will fix. 

Glad you got it working!
