VMware Cloud Community
erichzy
Contributor

AD Authentication on ESXi Host not working for all Accounts in same specified Admin AD Group

Hello Folks

I have a problem with our AD Authentication on our ESXi Hosts.

I set up our ESXi Hosts (6U2) and vCenter for AD Authentication.

Adding the Hosts and the vCenter Server to our domain went well and I changed the standard AD Group from ESX Admins to our specified AD Group.

I also pointed to our preferred DC (we have a huge/global AD Infrastructure) because I was not able to login at all in the beginning.

After pointing to our preferred DC I was able to login.

I have several Accounts in this Group and right now I face the problem that some accounts can log in and some can't. (Although I am sure they at least were able to.)

I checked the likewise.log and found this:

INFO:netlogon: Looking for a DC in domain 'mydomain1.com', site '<null>' with flags 0
INFO:lsass: Clearing ldap DC connection list for domain ' mydomain1.com ' due to a network error.
ERROR:lsass: Failed to group memberships of SID=MySID. [error code:40286]
ERROR:lsass: Failed to find memberships for user ' mydomain1.com\MyUser' (error = 40286)
INFO:netlogon: Looking for a DC in domain ' mydomain1.com ', site '<null>' with flags 0
INFO:netlogon: Looking for a DC in domain ' mydomain1.com ', site '<null>' with flags 0
INFO:lsass: Clearing ldap DC connection list for domain ' mydomain1.com ' due to a network error.
INFO:netlogon: Looking for a DC in domain ' mydomain1.com ', site '<null>' with flags 0
ERROR:lsass: Error code 40286 occurred during attempt 0 of a ldap search. Retrying.
INFO:netlogon: Looking for a DC in domain ' mydomain1.com ', site '<null>' with flags 0
INFO:lsass: Clearing ldap DC connection list for domain ' mydomain1.com ' due to a network error.
ERROR:lsass: Error code 40286 occurred during attempt 1 of a ldap search. Retrying.
INFO:netlogon: Looking for a DC in domain ' mydomain1.com ', site '<null>' with flags 0
INFO:lsass: Clearing ldap DC connection list for domain ' mydomain1.com ' due to a network error.
ERROR:lsass: Error code 40286 occurred during attempt 2 of a ldap search. Retrying.
INFO:netlogon: Looking for a DC in domain ' mydomain1.com ', site '<null>' with flags 0
INFO:lsass: Clearing ldap DC connection list for domain ' mydomain1.com ' due to a network error.
ERROR:lsass: Failed to group memberships of SID=mYsid. [error code:40286]
ERROR:lsass: Failed to authenticate user (name = 'MyUser@mydomain1.com ') -> error = 40286, symbol = LW_ERROR_LDAP_SERVER_DOWN, client pid = 8098917

For me, this looks like the LDAP Authentication is not working, but there are other AD Accounts in the same AD-Grp that are able to login.

I rejoined the ESXi-Host to the Domain and found a possible solution that said I should restart lsassd...

I tried to, but this is my result:

[root@esxhost:~] ./etc/init.d/lsassd restart
-sh: ./etc/init.d/lsassd: not found
[root@wesxhost:~] ./etc/init.d/lwoid status
-sh: ./etc/init.d/lwoid: not found

All workarounds for my problem lead me to these services, but my system tells me that they do not exist. 😮

I am deeply desperate about this issue and wonder why some accounts work fine and others won't.

This.is.so.confusing...  

I have the feeling that this is really messed up and can't find similar problems in the VMware community.

Please help me understand the issue and, perhaps, fix it or point me in a new direction...

Thank you so much in advance...

Kind Regards


Sebastian

The Desperate One...
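The likewise.log excerpt above mixes three different things: DC lookups with no site affinity, LDAP connection resets attributed to network errors, and the per-account membership lookup that finally fails. The following triage script is an added example for this page, not code from the original post or from VMware; it parses lines in the format lsass and netlogon write, groups them by type, and maps the numeric error code to the symbolic name only where the log itself states it (here 40286 = LW_ERROR_LDAP_SERVER_DOWN, as in the last quoted line). The sample input is constructed from the lines quoted in the post. Running it on a longer log for a working account and a failing account side by side shows whether the failing account's attempts coincide with DC connection resets or with something specific to that SID.

```python
"""Triage helper for Likewise (lsass/netlogon) log lines from an ESXi host.

Added example, not part of the original forum post. It groups ERROR/INFO
lines by type, counts LDAP retries and "network error" connection resets,
records which accounts failed to authenticate, and maps the numeric error
code to the symbolic name when lsass prints one itself.
"""
import re
from collections import Counter

# Constructed sample: the likewise.log excerpt quoted in the post, lightly trimmed.
SAMPLE_LOG = """\
INFO:netlogon: Looking for a DC in domain 'mydomain1.com', site '<null>' with flags 0
INFO:lsass: Clearing ldap DC connection list for domain ' mydomain1.com ' due to a network error.
ERROR:lsass: Failed to group memberships of SID=MySID. [error code:40286]
ERROR:lsass: Failed to find memberships for user ' mydomain1.com\\MyUser' (error = 40286)
INFO:netlogon: Looking for a DC in domain ' mydomain1.com ', site '<null>' with flags 0
ERROR:lsass: Error code 40286 occurred during attempt 0 of a ldap search. Retrying.
INFO:lsass: Clearing ldap DC connection list for domain ' mydomain1.com ' due to a network error.
ERROR:lsass: Error code 40286 occurred during attempt 1 of a ldap search. Retrying.
INFO:lsass: Clearing ldap DC connection list for domain ' mydomain1.com ' due to a network error.
ERROR:lsass: Error code 40286 occurred during attempt 2 of a ldap search. Retrying.
ERROR:lsass: Failed to authenticate user (name = 'MyUser@mydomain1.com ') -> error = 40286, symbol = LW_ERROR_LDAP_SERVER_DOWN, client pid = 8098917
"""

# LEVEL:component: message, as lsass and netlogon write it.
LINE_RE = re.compile(r"^(?P<level>INFO|ERROR|WARNING):(?P<component>\w+): (?P<msg>.*)$")
RETRY_RE = re.compile(r"Error code (?P<code>\d+) occurred during attempt (?P<attempt>\d+) of a ldap search")
AUTH_FAIL_RE = re.compile(
    r"Failed to authenticate user \(name = '(?P<user>[^']+)'\) -> error = (?P<code>\d+), symbol = (?P<symbol>\w+)")
NET_RESET_RE = re.compile(r"Clearing ldap DC connection list for domain '(?P<domain>[^']+)' due to a network error")
DC_LOOKUP_RE = re.compile(r"Looking for a DC in domain '(?P<domain>[^']+)', site '(?P<site>[^']*)'")


def triage(log_text):
    """Return a summary dict built from the recognised line types."""
    summary = {
        "auth_failures": [],          # list of (user, code, symbol)
        "ldap_retries": Counter(),    # error code -> number of retry attempts logged
        "network_resets": Counter(),  # domain -> number of DC connection-list clears
        "dc_lookups": Counter(),      # (domain, site) -> count
        "symbols": {},                # error code -> symbol name, taken from the log itself
    }
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not a Likewise line; ignore
        msg = m.group("msg")
        retry = RETRY_RE.search(msg)
        auth = AUTH_FAIL_RE.search(msg)
        reset = NET_RESET_RE.search(msg)
        lookup = DC_LOOKUP_RE.search(msg)
        if retry:
            summary["ldap_retries"][retry.group("code")] += 1
        elif auth:
            # Domain names in this log carry stray spaces inside the quotes; strip them.
            user, code, symbol = auth.group("user").strip(), auth.group("code"), auth.group("symbol")
            summary["auth_failures"].append((user, code, symbol))
            summary["symbols"][code] = symbol
        elif reset:
            summary["network_resets"][reset.group("domain").strip()] += 1
        elif lookup:
            summary["dc_lookups"][(lookup.group("domain").strip(), lookup.group("site"))] += 1
    return summary


def explain(summary):
    """Turn the summary into human-readable findings for a troubleshooting note."""
    findings = []
    for user, code, symbol in summary["auth_failures"]:
        findings.append(f"{user}: authentication failed with {code} ({symbol})")
    for code, n in summary["ldap_retries"].items():
        sym = summary["symbols"].get(code, "symbol not stated in log")
        findings.append(f"{n} LDAP search retries with error {code} ({sym})")
    for domain, n in summary["network_resets"].items():
        findings.append(f"{n} DC connection resets for {domain} due to network errors")
    if summary["dc_lookups"] and all(site == "<null>" for _, site in summary["dc_lookups"]):
        findings.append("all DC lookups ran with site '<null>': no AD site affinity, "
                        "so DC choice depends on the configured preferred DC")
    return findings


if __name__ == "__main__":
    for line in explain(triage(SAMPLE_LOG)):
        print("-", line)
```

The script deliberately does not guess meanings for error codes the log does not name; the code-to-symbol map is filled only from lines where lsass prints the symbol, so a reader comparing two accounts sees exactly what the host reported and nothing more.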

0 Replies