jfmorales
Contributor
Contributor

Copy-VMGuestFile Insufficient Permissions

Hello, I'm trying to use PowerCLI to copy a file to a Linux VM. The VM runs the Vyatta virtual networking appliance, which is built on Debian Linux. The Copy-VMGuestFile cmdlet returns the error "Authentication failure or insufficient permissions in guest operating system." When I try the equivalent command using vmrun, it gives the error "Insufficient permissions in host operating system."

It happens that on Vyatta appliances, the root user is somehow disabled so you can't log on as root. Instead, you log on as the user "vyatta". Thereafter, whenever you need to execute a command that requires root privileges, you must prefix it with "sudo".

Does the Copy-VMGuestFile cmdlet require root privileges for any reason? It seems like it shouldn't, because I'm providing it the vyatta account as the guest user, and the destination for the file copy is /home/vyatta. Seemingly the vyatta user should have sufficient privileges to copy a file to its own home directory.

My workstation is running Windows XP Professional SP3, PowerShell 2.0 Build -1 Revision -1, and VIX Version 1.10.2.15207.

The script is connecting to vCenter 4.0.0, and accessing a VM that runs on an ESXi 4.0.0 host.

The Vyatta virtual appliance is 6.0, built on Debian Linux.

A couple of warnings occur during script execution, prior to the final error. The first warning occurs after connect-viserver:

WARNING: There were one or more problems with the server certificate:
* The X509 chain could not be built up to the root certificate.
* The certificate's CN name does not match the passed value.

Since this is a warning rather than an error, my assumption was that the connect-viserver was successful, and there should be no downstream problems from the warning.

The second warning, after the Copy-VMGuestFile call, is

WARNING: The version of VMware VIX installed on your machine differs from the recommended one (1.10.0) and may cause VIX-related functionality (e.g. in-guest operations) to work improperly. We suggest you install VMware VIX 1.10.0.

The oddity here is that my workstation is running 1.10.2.15207, which is just slightly newer than the level suggested by the warning message. This also seems like a warning that would be safe to ignore.

The Copy-VMGuestFile call is

Copy-VMGuestFile -Source ($PATH_XMLFILES + "\Cloud.xml") -Destination "/home/vyatta/Cloud.xml" -VM $vmobj -LocalToGuest -GuestUser $vyattaUser -GuestPassword $vyattaPW

The full error is

Copy-VMGuestFile : 2/8/2011 11:07:48 AM    Copy-VMGuestFile        While performing operation 'Login in guest OS on VM 'JFM2 VLAN NetAppliance'' the following error occured: 'Authentication failure or insufficient permissions in guest operating system'   
At C:\Program Files\Unisys\SPC-Automation\bin\Config-TenantApp.ps1:138 char:17
+ Copy-VMGuestFile <<<<  -Source ($PATH_XMLFILES + "\Cloud.xml") -Destination "/home/vyatta/Cloud.xml" -VM $vmobj -LocalToGuest -GuestUser $vyattaUser -GuestPassword $vyattaPW
    + CategoryInfo          : OperationStopped: (:) [Copy-VMGuestFile], VimException
    + FullyQualifiedErrorId : Client20_VmGuestServiceImpl_VixWaitForJob_VixError,VMware.VimAutomation.ViCore.Cmdlets.Commands.CopyVMGuestFile

As an alternative, I tried entering a vmrun command of the following form:

vmrun -T vc -h https://myhost.com/sdk -u root -p rootPW -gu vyatta -gp vyattaPW CopyFileFromHostToGuest "[TPA-Targets-1] JFM2 VLAN NetAppliance/JFM2 VLAN NetAppliance.vmx" "C:\Documents and Settings\All Users\Application Data\SPC-Automation\XML\Cloud.xml" "/home/vyatta/Cloud.xml"

This generates the error:

Unable to connect to host.
Error: Insufficient permissions in host operating system

A different error occurs if I specify an incorrect guest password, so it appears that the problem is not an authentication failure, but definitely is a problem with insufficient permissions.

Thanks in advance for any suggestions. Joseph

0 Kudos
4 Replies
LucD
Leadership
Leadership

I assume you are running the latest PowerCLI version 4.1U1 ?

Do a Get-PowerCLIVersion to check.

The installation of PowerCLI normally installs the correct VIX on the client.

Can you try this perhaps on another client ?

That way you would eliminate all potential VIX version problems.

Are there any messages in the VIX logs on the client ?

You should find these in /tmp/vmware-<username>/vix-<pid>.log.


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

jfmorales
Contributor
Contributor

Thanks, LucD. Get-PowerCLIVersion reports PowerCLI 4.1 U1 build 332441. This is on my Windows XP Professional SP3 system.

In case the VIX was a mismatched version, I uninstalled VIX and PowerCLI, rebooted, then reinstalled PowerCLI and allowed it to install VIX itself. This didn't help the problem I was seeing with my script.

When the script runs, the vmware-vixWrapper-username-number.log records a few failed attempts to locate the vix.dll. The final message might indicate that it finally found the dll in the last location that it checked, but note that the path is actually still incorrect because it contains two \\ characters after VMware VIX.

Feb 08 16:46:37.818: app-5232| Log for VixWrapper pid=2856 version=1 build=build-255297 option=Release

Feb 08 16:46:37.818: app-5232| The process is 32-bit.

Feb 08 16:46:37.818: app-5232| Host codepage=windows-1252 encoding=windows-1252

Feb 08 16:46:37.818: app-5232| config points to non-existent implementation library 'C:\Program Files\VMware\VMware VIX\\Workstation-6.5.4\32bit\vix.dll'

Feb 08 16:46:37.818: app-5232| config points to non-existent implementation library 'C:\Program Files\VMware\VMware VIX\\ws_server_esx-4\32bit\vix.dll'

Feb 08 16:46:37.818: app-5232| config points to non-existent implementation library 'C:\Program Files\VMware\VMware VIX\\ws_server_esx-4\32bit\vix.dll'

Feb 08 16:46:37.818: app-5232| config points to non-existent implementation library 'C:\Program Files\VMware\VMware VIX\\ws_server_esx-4\32bit\vix.dll'

Feb 08 16:46:37.818: app-5232| config points to non-existent implementation library 'C:\Program Files\VMware\VMware VIX\\ws_server_esx-4\32bit\vix.dll'

Feb 08 16:46:37.818: app-5232| passed in VIX_SERVICEPROVIDER_DEFAULT, computed hostType as 10

Feb 08 16:46:37.818: app-5232| Loading Vix implementation library C:\Program Files\VMware\VMware VIX\\VSphere-4.1\32bit\vix.dll

The vmare-vix-username-number.log seems to reflect the certificate warnings that I mentioned earlier:

Feb 08 16:46:40.991: app-5232| Log for Vix pid=2856 version=-1 build=build-255297 option=Release

Feb 08 16:46:40.991: app-5232| The process is 32-bit.

Feb 08 16:46:40.991: app-5232| Host codepage=windows-1252 encoding=windows-1252

Feb 08 16:46:40.991: app-5232| Foundry Init: setting up global state (0 threads)

Feb 08 16:46:41.023: app-5232| Vix_InitializeGlobalState: vixLogLevel = 0

Feb 08 16:46:41.023: app-5232| Vix_InitializeGlobalState: vixApiTraceLevel = 0

Feb 08 16:46:41.023: app-5232| Vix_InitializeGlobalState: vixDebugPanicOnVixAssert = 0

Feb 08 16:46:41.023: app-5232| Vix_InitializeGlobalState: vixLogRefcountOnFinalRelease = 0

Feb 08 16:46:41.023: app-5232| Vix_InitializeGlobalState: asyncOpWarningThreshold = 1000000

Feb 08 16:46:41.023: app-5232| Vix_InitializeGlobalState: enableSyncOpSelection = FALSE

Feb 08 16:46:41.023: app-5232| Vix_InitializeGlobalState: enableExternalThreadInterface = TRUE

Feb 08 16:46:41.023: app-5232| LOCALE windows-1252 -> NULL User=409 System=409

Feb 08 16:46:41.023: app-5232| VixHost_ConnectEx: version -1, hostType 1, hostName https://irv-tpa-vcntr.usmv-osd.na.uis.unisys.com/sdk, hostPort 902, options 128

Feb 08 16:46:41.023: app-5232| HOSTINFO 2190069323 @ 3579545Hz -> 0 @ 1000000Hz

Feb 08 16:46:41.023: app-5232| HOSTINFO ((x * 2399728063) >> 33) + -611828967

Feb 08 16:46:41.071: app-4816| WSAEventSelect() on closed socket, ignoring.

Feb 08 16:46:42.943: app-4816| Vix: [4816 vixVIMProxy.c:3412]: VixVIMVmRequestTicketImpl: requesting old-MKS ticket for VM '[TPA-Targets-1] JFM2 VLAN NetAppliance/JFM2 VLAN NetAppliance.vmx'

Feb 08 16:46:43.387: app-6008| SSLSystemVerifyDERCert: Subject mismatch: localhost.localdomain vs 192.59.234.204

Feb 08 16:46:43.387: app-6008| SSLVerifyCertAgainstSystemStore: The remote host certificate has these problems:

Feb 08 16:46:43.387: app-6008|

Feb 08 16:46:43.387: app-6008| * The host name used for the connection does not match the subject name on the host certificate.

Feb 08 16:46:43.387: app-6008|

Feb 08 16:46:43.387: app-6008| * The host certificate chain is not complete.

Feb 08 16:46:43.387: app-6008| SSLVerifyIsEnabled: failed to read registry value. Falling back to default behavior: verification off. LastError = 0

Feb 08 16:46:43.387: app-6008| SSLVerifyCertAgainstSystemStore: Certificate verification is disabled, so connection will proceed despite the error

Feb 08 16:46:43.657: app-6008| SSLSystemVerifyDERCert: Subject mismatch: localhost.localdomain vs 192.59.234.204

Feb 08 16:46:43.689: app-6008| SSLVerifyCertAgainstSystemStore: The remote host certificate has these problems:

Feb 08 16:46:43.689: app-6008|

Feb 08 16:46:43.689: app-6008| * The host name used for the connection does not match the subject name on the host certificate.

Feb 08 16:46:43.689: app-6008|

Feb 08 16:46:43.689: app-6008| * The host certificate chain is not complete.

Feb 08 16:46:43.689: app-6008| SSLVerifyIsEnabled: failed to read registry value. Falling back to default behavior: verification off. LastError = 0

Feb 08 16:46:43.689: app-6008| SSLVerifyCertAgainstSystemStore: Certificate verification is disabled, so connection will proceed despite the error

Feb 08 16:46:43.800: app-4816| Vix: [4816 foundryVMPowerOps.c:3769]: FoundryVMFinishGetNonceFromVMX: Failed to get nonce from VMX, err = 3001.

Feb 08 16:46:44.006: app-4816| VixVM_FinalRelease: Close VM socket.

I tried running my script from a different client, which is a Windows 2008 R2 system. I also uninstalled VIX and PowerCLI there, rebooted, and reinstalled PowerCLI, allowing it to install VIX when prompted. The script reports the same error, and the log files report the same messages that they did on the XP client.

Is it possible that PowerCLI is not installed correctly?  Is there some configuration file where I can enter the correct path to vix.dll?

Thanks, Joseph

0 Kudos
LucD
Leadership
Leadership

I don't think your PowerCLI is installed incorrectly.

The certificate warning can be ignored but perhaps someone from the Dev Team can give some feedback on the error 3001 you see.


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

jfmorales
Contributor
Contributor

I've corrected one error in my command and am now receiving a different error message. I was mistakenly passing an account on the ESX host to the -u and -p parameters. After changing to an account on the vCenter Server, I no longer get the error "Insufficient permissions in host operating system." Instead, I'm getting the error "Invalid user name or password for the guest OS."

However, I've repeatedly verified that the guest usercode and guest password values for the -gu and -gp parameters are correct, by interactively logging in with these values in the Linux VM console.

The vmware-vix-username-number.log file still reports the error

Feb 09 11:42:07.803: app-4256| Vix: [4256 foundryVMPowerOps.c:3769]: FoundryVMFinishGetNonceFromVMX: Failed to get nonce from VMX, err = 3001.

This problem is occurring only for my Vyatta appliances, which are VMs built on Debian Linux.  Using the same vCenter and ESX host, I am able to use the vmrun command to successfully copy a file to a Red Hat VM.

My inference is that something in the security configuration of a Vyatta appliance interferes with VIX, but it's not clear what that could be. Is there anything in the Linux configuration that I could check?

Thanks, Joseph

0 Kudos