Hi
Today one user complains that he can not login with domain credentials in Esxi 5.5 Host.
i have try to connect with my domain\username and password to esxi 5.5 host (we dont have vcenter) but failed with this message:cannot complete the login due an incorrect username or password. I know my password is correct because when i choose the option use Windows Session credentials i can connect with success. I dont know how long we have this problem because i use local user to connect to Esxi Host.
In the hostd.log i have this:
2015-04-07T11:54:21.673Z [35940B70 verbose 'Hostsvc.ResourcePool ha-root-pool'] Root pool capacity changed from 40658MHz/156256 MB to 40658MHz/156255MB
2015-04-07T11:54:34.949Z [34F40B70 verbose 'Solo.HttpSvc.HTTPService'] HTTP Response: Auto-completing at 425/425 bytes
2015-04-07T11:54:34.949Z [34F40B70 verbose 'HTTP server'] Sent response for HEAD /client/clients.xml (from /usr/lib/vmware/host d/docroot/)
2015-04-07T11:54:35.856Z [35940B70 verbose 'Cimsvc'] Ticket issued for CIMOM version 1.0, user root
2015-04-07T11:54:37.089Z [36D40B70 verbose 'Default' opID=C3C88A36-00000001] AdapterServer: target='vim.ServiceInstance:Service Instance', method='retrieveContent'
2015-04-07T11:54:37.161Z [36D40B70 verbose 'Default' opID=C3C88A36-00000002] AdapterServer: target='vim.ServiceInstance:Service Instance', method='retrieveInternalContent'
2015-04-07T11:54:37.460Z [36D40B70 verbose 'Default' opID=C3C88A36-00000003] AdapterServer: target='vim.SessionManager:ha-sessi onmgr', method='login'
pam_per_user: create_subrequest_handle(): doing map lookup for user "domain\username"
pam_per_user: create_subrequest_handle(): creating new subrequest (user="domain\username", service="system-auth-generic")
pam_per_user: create_subrequest_handle(): doing map lookup for user "domain\username"
[module:pam_lsass]pam_sm_acct_mgmt failed [login:<null>][error code:40024]
Rejected password for user domain\username from ip_address
2015-04-07T11:54:37.494Z [36D40B70 info 'Vimsvc.ha-eventmgr' opID=C3C88A36-00000003] Event 7536 : Cannot login domain\username@ ip_address
2015-04-07T11:54:39.136Z [FFFF6920 info 'Snmpsvc'] UpdateStats: report cimom converter stats started
2015-04-07T11:54:39.137Z [FFFF6920 info 'Snmpsvc'] DumpStats: cimom stats file /tmp/.cvtcimsnmp.xml generated, size 301 bytes.
2015-04-07T11:54:39.137Z [FFFF6920 info 'Snmpsvc'] PublishReport: file /tmp/.cvtcimsnmp.xml published as /tmp/cvtcimsnmp.xml
2015-04-07T11:54:39.137Z [FFFF6920 info 'Snmpsvc'] DumpStats: cimom stats file published
2015-04-07T11:54:39.137Z [FFFF6920 info 'Snmpsvc'] NotifyAgent: write(106, /var/run/snmp.ctl, N) 1 bytes to snmpd
2015-04-07T11:54:39.137Z [FFFF6920 info 'Snmpsvc'] UpdateStats: report cimom converter stats completed
2015-04-07T11:54:40.167Z [FFFF6920 verbose 'Hostsvc.DvsManager'] PersistAllDvsInfo called
2015-04-07T11:54:41.497Z [36D40B70 info 'Solo.Vmomi'] Activation [N5Vmomi10ActivationE:0x1f51ebb0] : Invoke done [login] on [vi m.SessionManager:ha-sessionmgr]
2015-04-07T11:54:41.497Z [36D40B70 verbose 'Solo.Vmomi'] Arg userName:
--> "domain\username"
2015-04-07T11:54:41.497Z [36D40B70 verbose 'Solo.Vmomi'] Arg password:
--> (not shown)
-->
2015-04-07T11:54:41.497Z [36D40B70 verbose 'Solo.Vmomi'] Arg locale:
--> "en_US"
2015-04-07T11:54:41.497Z [36D40B70 info 'Solo.Vmomi'] Throw vim.fault.InvalidLogin
2015-04-07T11:54:41.497Z [36D40B70 info 'Solo.Vmomi'] Result:
--> (vim.fault.InvalidLogin) {
--> dynamicType = <unset>,
--> faultCause = (vmodl.MethodFault) null,
--> msg = "",
--> }
Regards.
Ricardo Marques
If you go to configuration - Authentication Services, the host is still connected to the domain? Have you verified the computer account still exists in AD?
Hi
The computer account exist and the host still connected to the domain. Because if i choose connect with my windows credentials i can connect, the problem is: we have 2 accounts by user one to windows desktop and another to connect to esxi hosts.
I dont know if the problem was this patch KB3002657. I installed in last week of march but i did not test if i can connect to ESXi with domain credentials.
Regards.
Ricardo Marques
So you can connect with your domain credentials but the user cannot? Did you verify that the user has rights?
If you're connecting with domain authentication, you need to pass the credentials in the DOMAIN\username or username@domain.com format.
HI
After run services.sh restart now i can login with both accounts.
Regards.
Ricardo Marques
Heh, it's funny what restarting the management agents will fix.
Glad you got it working!