VMware Cloud Community
ChainBridge
Contributor

VCVA locked accounts

I created a couple of local users on my vCenter Virtual Appliance and assigned them to a group that has permission to log into the vSphere client.  When I finished configuring everything, I tested them and they worked fine.  Now, when I try to use them, the login fails.  I SSHed into the Linux appliance and tried to unlock them, but the accounts aren't locked.  If I use the command:

passwd -S <username>

It gives me:

<username> PS 10/28/2011 1 90 7 -1

Can anyone tell me how to fix this account so that it has access to vCenter again?

Thank you.

ChainBridge
Contributor

I've done some more troubleshooting, but nothing yet.  I tried using the "passwd -u" and "usermod -U" commands, but they seem to do the same thing.  The account doesn't appear to be locked at the password level.  Both commands result in "Cannot unlock the password for <username>!".  When I check the /etc/shadow file, there is no exclamation mark preceding the entry for that account.  If I lock the account with the "passwd -l" command, then it does show that it is locked and will allow me to unlock it.  This leads me to believe the lock is not on the password, but on some other level; maybe on the account itself.

As a test I created a new user with the exact same method. I assigned it to the same groups.  Everything works perfectly.

Any assistance would be greatly appreciated.

satya1
Hot Shot

ChainBridge wrote:

I've done some more troubleshooting, but nothing yet.  I tried using the "passwd -u" and "usermod -U" commands, but they seem to do the same thing.  The account doesn't appear to be locked at the password level.  Both commands result in "Cannot unlock the password for <username>!".  When I check the /etc/shadow file, there is no exclamation mark preceding the entry for that account.  If I lock the account with the "passwd -l" command, then it does show that it is locked and will allow me to unlock it.  This leads me to believe the lock is not on the password, but on some other level; maybe on the account itself.

As a test I created a new user with the exact same method. I assigned it to the same groups.  Everything works perfectly.

Any assistance would be greatly appreciated.

Hi, it's not behaving properly: while you are using the -i option it's popping "nothing is locked", sometimes it pops "locked".

Can you create a new user and not add that user to any group, then check? If you are able to, then there may be some problem in the grouping.

Yours,

Satya

ChainBridge
Contributor

I had already created another account and there were no issues with it.  So, I just deleted the existing accounts that were giving me problems and then recreated them with the same credentials.  So far, so good.  I would, however like to know a way to simply unlock the accounts in case this happens again.  I'm sure it's a simple command, but I looked all over and couldn't find anything that worked.

ChainBridge
Contributor

This problem has reared its ugly head again, but this time it's worse.  I have my VCVA set up to use Active Directory for authentication.  Somehow my AD account is locked up in VCVA.  It is not locked in AD; I checked the account in Users and Computers and I can use it to log onto other machines on the domain.  However, whenever I try to log into vCenter through the vSphere client it tells me "cannot complete login due to incorrect username or password".  I can log into vSphere using another domain admin account and a local account that I set up as a backdoor, but the domain admin account that I usually use comes back with the error.  If I try to use PuTTY to SSH directly into the VCVA using my domain admin account, I get an error in a pop-up box that says:

Server sent disconnect message type 2 (protocol error): "Too many authentication failures for username@domain"

In the PuTTY terminal window it says:

login as: username@domain
VMware vCenter Server Appliance 5.0.0.3324 Build 472350
Access denied
Using keyboard-interactive authentication.
Accounted locked due to 2388 failed login

Please see the attached screenshot:

vcva_auth_error.png
I'm not sure what to do.  When this happened with my local accounts, I just deleted them and recreated them and everything worked again.  I can't do that this time because the account does not reside on the local machine.  If I run:

passwd -S -a

the domain admin accounts are obviously not listed.  I'm not even sure how these Active Directory accounts can be locked if they don't reside on the VCVA.  Could this be a problem with SSH?  I would greatly appreciate any assistance.

ChainBridge
Contributor

I placed a case with VMware support and they helped me sort this out.  From a command line (directly in the machine's console interface or through SSH) enter the following command.

For a local account:

/sbin/pam_tally --user <user> --reset

For an Active Directory account:

/sbin/pam_tally --user <user@domain> --reset

I hope this helps someone else out.

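Added example, not part of the thread and not VMware's tooling: a small shell check that separates the two lock sources the thread ran into, a password lock reported by `passwd -S` versus a failed-login counter kept by `pam_tally`. The sample lines are constructed, the `DENY` threshold is an assumed value, and the `pam_tally` display format `User <name> (<uid>) has <n>` is an assumption.

```shell
#!/bin/sh
# Added example. Sample lines are constructed; DENY is an assumed pam_tally
# "deny=" threshold, so check the appliance's PAM configuration for the real one.
DENY=${DENY:-3}

# classify_lock <passwd -S line> <pam_tally line> -> prints the lock source
classify_lock() {
    status=$(printf '%s\n' "$1" | awk '{print $2}')   # PS, L/LK, NP, or empty
    count=$(printf '%s\n' "$2" | awk '{print $NF}')   # last field = failure count
    case "$count" in ''|*[!0-9]*) count=0 ;; esac     # missing or garbled -> 0
    case "$status" in
        L|LK) echo "password-locked"; return ;;       # the '!' in /etc/shadow
    esac
    if [ "$count" -ge "$DENY" ]; then
        echo "tally-locked"                           # failed-login counter
    else
        echo "not-locked"
    fi
}

# Live check on the appliance (run as root); both commands appear in the thread.
check_user() {
    p=$(passwd -S "$1" 2>/dev/null || true)           # empty for AD accounts
    t=$(/sbin/pam_tally --user "$1" 2>/dev/null || true)
    classify_lock "$p" "$t"
}

# Constructed samples mirroring the situations described in the thread.
LOCAL_OK='alice PS 10/28/2011 1 90 7 -1'
LOCAL_PWLOCK='bob LK 10/28/2011 1 90 7 -1'
TALLY_ZERO='User alice (1001) has 0'
TALLY_HIGH='User alice@example.local (10500) has 2388'

classify_lock "$LOCAL_OK" "$TALLY_ZERO"       # not-locked
classify_lock "$LOCAL_PWLOCK" "$TALLY_ZERO"   # password-locked
classify_lock "$LOCAL_OK" "$TALLY_HIGH"       # tally-locked
classify_lock "" "$TALLY_HIGH"                # tally-locked (no passwd entry)
```

A counter as high as the 2388 shown in the thread means something kept retrying that account, so identify the source of the failed logins in the authentication log before resetting the tally.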