VMware Global Community
argaar
Contributor

Esx 5.1 Domain User Lookup

Hi all, I have a strange behaviour in one of our VMware hypervisors.
We run a centralised ("master") domain (Active Directory, Windows 2003 domain), let's call it "domain.tld", and several subdomains (children of it, let's say "child").
ESX is joined with the child domain controller and it works OK (you can, for example, log in with AD credentials such as "user1@child.domain.tld"). The strange behaviour occurs during the login process made by a user that we set in some scripts, useful for monitoring all ESX in place.
In fact, if I look up the ESX log I can see that, in every login event, the username is written in the form "DOMAIN\user1". When I perform a login attempt with that specific username (used by Nagios), VMware tries to look up the user in the CHILD domain, even if the user belongs to the parent one. Below is the extraction from the event log.


NOTE that "user.name@domain.tld" is an account on the parent AD domain, but for some reason VMware tries to look up the UPN/samAccountName in the CHILD domain, and of course it'll fail 'cause that user does not exist there.

2018-05-25T10:18:15.606Z [3F0C2B70 verbose 'SoapAdapter'] Unrecognized version URI "urn:vim25/test"; using default handler for "urn:vim25/5.5"

2018-05-25T10:18:15.643Z [FFC4EB70 verbose 'SoapAdapter'] Unrecognized version URI "urn:vim25/test"; using default handler for "urn:vim25/5.5"

pam_per_user: create_subrequest_handle(): doing map lookup for user "user.name@domain.tld"

pam_per_user: create_subrequest_handle(): creating new subrequest (user="user.name@domain.tld", service="system-auth-generic")

pam_unix(system-auth-generic:auth): check pass; user unknown

pam_unix(system-auth-generic:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=

pam_per_user: create_subrequest_handle(): doing map lookup for user "CHILD\user.name@domain.tld"

pam_per_user: create_subrequest_handle(): creating new subrequest (user="CHILD\user.name@domain.tld", service="system-auth-generic")

pam_unix(system-auth-generic:auth): check pass; user unknown

pam_unix(system-auth-generic:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=

Rejected password for user user.name@domain.tld from 10.11.12.13

2018-05-25T10:18:20.007Z [FFC4EB70 info 'Vimsvc.ha-eventmgr' opID=hostd-9970] Event 1068 : Cannot login user.name@domain.tld@10.11.12.13

2018-05-25T10:18:23.009Z [3F7A1B70 info 'Solo.Vmomi'] Activation [N5Vmomi10ActivationE:0x3f9043c0] : Invoke done [login] on [vim.SessionManager:ha-sessionmgr]

2018-05-25T10:18:23.009Z [3F7A1B70 verbose 'Solo.Vmomi'] Arg userName:

--> "user.name@domain.tld"

2018-05-25T10:18:23.009Z [3F7A1B70 verbose 'Solo.Vmomi'] Arg password:

--> (not shown)

-->

2018-05-25T10:18:23.009Z [3F7A1B70 verbose 'Solo.Vmomi'] Arg locale:

--> (null)

2018-05-25T10:18:23.009Z [3F7A1B70 info 'Solo.Vmomi'] Throw vim.fault.InvalidLogin

2018-05-25T10:18:23.009Z [3F7A1B70 info 'Solo.Vmomi'] Result:

--> (vim.fault.InvalidLogin) {

-->    dynamicType = <unset>,

-->    faultCause = (vmodl.MethodFault) null,

-->    msg = "",

--> }
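
The lookup sequence in the log above can be summarised with a short script. This is an added example, not part of the original post: the function names are hypothetical, the sample is a shortened constructed copy of the posted excerpt, and the mismatch check assumes the NetBIOS domain name equals the first DNS label of the UPN suffix.

```python
import re

# Constructed sample: a shortened copy of the log excerpt from the post above.
SAMPLE_LOG = r'''
pam_per_user: create_subrequest_handle(): doing map lookup for user "user.name@domain.tld"
pam_unix(system-auth-generic:auth): check pass; user unknown
pam_per_user: create_subrequest_handle(): doing map lookup for user "CHILD\user.name@domain.tld"
pam_unix(system-auth-generic:auth): check pass; user unknown
Rejected password for user user.name@domain.tld from 10.11.12.13
'''

LOOKUP = re.compile(r'pam_per_user: .*doing map lookup for user "([^"]+)"')
REJECT = re.compile(r'Rejected password for user (\S+) from (\S+)')
UNKNOWN = 'check pass; user unknown'

def split_name(name):
    """Split a login name into (down-level prefix, account, UPN suffix)."""
    prefix, _, rest = name.rpartition('\\')
    account, _, suffix = rest.partition('@')
    return prefix, account, suffix

def prefix_mismatch(name):
    """True when a down-level prefix sits in front of a UPN whose suffix
    names a different domain, e.g. CHILD\\user@domain.tld."""
    # Assumption: NetBIOS domain name == first DNS label of the UPN suffix.
    prefix, _, suffix = split_name(name)
    if not prefix or not suffix:
        return False
    return prefix.lower() != suffix.split('.')[0].lower()

def summarize(log_text):
    """Group PAM lookups under the rejected login that ended them."""
    attempts, lookups = [], []
    for line in log_text.splitlines():
        m = LOOKUP.search(line)
        if m:
            lookups.append({'name': m.group(1), 'unknown': False,
                            'mismatch': prefix_mismatch(m.group(1))})
        elif UNKNOWN in line and lookups:
            lookups[-1]['unknown'] = True
        elif (m := REJECT.search(line)):
            attempts.append({'user': m.group(1), 'source': m.group(2),
                             'lookups': lookups})
            lookups = []
    return attempts

if __name__ == '__main__':
    for attempt in summarize(SAMPLE_LOG):
        print(attempt)
```

Run over a full hostd log, each rejected login lists the name forms PAM tried, which makes a child-domain prefix prepended to a parent-domain UPN easy to spot per user and per source address.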

Devi94
Hot Shot

When you try to add user permissions, what is the domain you are seeing? Can you share a screenshot of the user permissions for this ESXi?

argaar
Contributor

It's a "Read Only" user and when I add it to VMware it can correctly look up the user in the parent AD domain, either if I input the username and click on "Check" or if I select my parent domain in the domains dropdown and scroll the entire users list.

Perhaps if I try to log in using the form "Domain\user.name" everything works OK; the problem happens only if I try to use the form "user.name@domain.tld", which works on all the other ESX that I managed but this one.

Devi94
Hot Shot

I am suspecting some DNS issues. Can you check your DNS settings?

argaar
Contributor

Unfortunately, the DNS servers are OK.
Also, as already said, the problem is user specific. I don't know if ESX caches something about users that I could flush.
