VMware Cloud Community
tsoftware
Contributor
Contributor
‎01-23-2019 12:19 AM
Jump to solution

Loss of permissions on every reboot for ESXi 6.7 Update 1

Every time the ESXi server is rebooted, it appears that it resets all of the permission sets to default.  This includes users, or roles, that are created through the web interface or using esxcli.

For instance, if I create a user named test and assign it the administrator role, it works until the machine is rebooted.  After reboot, a check of the permissions shows that root is once again the only user assigned to this role.  While the Administrator role is used as an example here, it also applies to user defined roles as well.

Any ideas?

Reply
0 Kudos
1 Solution

Accepted Solutions
tsoftware
Contributor
Contributor
‎01-23-2019 10:49 AM
Jump to solution

Answer from VMWare is that root demoting is no longer supported.

View solution in original post

Reply
0 Kudos
4 Replies
sjesse
Leadership
Leadership
‎01-23-2019 02:59 AM
Jump to solution

Is this a single server, or a server part of a cluster, and if so was it created using auto deploy?

Reply
0 Kudos
tsoftware
Contributor
Contributor
‎01-23-2019 07:16 AM
Jump to solution

This is a single server and it was created using a customized kickstart.

Reply
0 Kudos
tsoftware
Contributor
Contributor
‎01-23-2019 08:59 AM
Jump to solution

Ok, I can further refine the problem.  Create a new user and add it to the "Admin" group and the run the following snippet:

# Demote Root

l_rootTestPrivileges='VirtualMachine.Interact.PowerOn

VirtualMachine.Interact.PowerOff

VApp.PowerOn

VApp.PowerOff

VirtualMachine.Interact.Suspend

VApp.Suspend

Host.Config.AutoStart

'

vim-cmd vimsvc/auth/role_add RootTest $l_rootTestPrivileges

vim-cmd vimsvc/auth/entity_permission_add vim.Folder:ha-folder-root root false RootTest true

This will immediately log you out and if you created a script file to execute it, the script will be gone, which implies that there may be other rollbacks as well.  The new "Admin" account and restrictions will be in place and functional until you reboot.  After the reboot, the permissions have been reset, the script is gone and changing any permissions after this point will get rolled back on next reboot.

BTW, this worked perfectly fine in 6.0 update 3 and produced the desired configuration.

Reply
0 Kudos
tsoftware
Contributor
Contributor
‎01-23-2019 10:49 AM
Jump to solution

Answer from VMWare is that root demoting is no longer supported.

Reply
0 Kudos