This is written about 8 times in a row, and repeats every 5-6 minutes or so it seems. Anybody know what can cause this? Nothing unusual in the VC log files......
Do you have Insight Manager Agents installed and running in the service console?
Nope......
Interesting, I logged into one of my hosts and checked the /var/log/messages file and it's full of invalid root login attempts. There is a cimservera process running it seems......but from your KB article, it does not exhibit the issue stated in the article:
vmware-authd(pam_unix)[1209]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=root
Jan 12 08:52:35 sfwesx01 vmware-hostd[1209]: Rejected password for user root from 127.0.0.1
Jan 12 08:57:32 sfwesx01 vmware-authd(pam_unix)[1209]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=root
Jan 12 08:57:35 sfwesx01 vmware-hostd[1209]: Rejected password for user root from 127.0.0.1
Jan 12 09:02:32 sfwesx01 vmware-authd(pam_unix)[1209]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=root
Jan 12 09:02:34 sfwesx01 vmware-hostd[1209]: Rejected password for user root from 127.0.0.1
Jan 12 09:07:32 sfwesx01 vmware-authd(pam_unix)[1209]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=root
Jan 12 09:07:35 sfwesx01 vmware-hostd[1209]: Rejected password for user root from 127.0.0.1
Jan 12 09:12:32 sfwesx01 vmware-authd(pam_unix)[1209]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=root
Jan 12 09:12:35 sfwesx01 vmware-hostd[1209]: Rejected password for user root from 127.0.0.1
Have you changed the root password recently? Do you have anything that connects to your COS with root credentials (i.e. vCharter)?
Root password has definitely not been changed. Just migrated all the hosts from VC 2.1 server to a new VC 2.5 server. There is nothing I know of that connects as root....
Troy,
Checked another and it is also displaying the same thing:
vmware-authd(pam_unix)[16817]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=root
Jan 12 08:12:34 sfwesx02 vmware-hostd[16817]: Rejected password for user root from 127.0.0.1
Jan 12 08:17:32 sfwesx02 vmware-authd(pam_unix)[16817]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=root
Jan 12 08:17:35 sfwesx02 vmware-hostd[16817]: Rejected password for user root from 127.0.0.1
Jan 12 08:17:59 sfwesx02 ntpd[836]: can't open /var/lib/ntp.drift.TEMP: Permission denied
This happens when upgrading from VC versions, at least it's happened to me every single time. So here is how you fix it.
disconnect from VC (and all the other hosts at the same time with trouble)
Login to each ESX host with VIC direct.
Remove vmxusers and vpxuser
login with SSH/Putty
go to /etc/vmware/ssl remove ALL the files in there (only 2 certificates)
run: service mgmt-vmware restart
wait about 60 seconds, and try to reconnect, you will get prompted for credentials but now you should be able to connect again.
also, for your drift file. Check /etc/ntp.conf
should look
driftfile /var/lib/ntp/drift
service ntpd restart
I don't have a problem logging into VC or any of the hosts, I can get in just fine. What I want to know is #1 what is this #2 what is the impact and #3 how is it fixed......
Well, one of the hosts is right, another I checked had
restrict 127.0.0.1
restrict default kod nomodify notrap
server 0.pool.ntp.org
server 1.pool.ntp.org
server 2.pool.ntp.org
driftfile /var/lib/ntp/drift
I recently had the same exact issue, I was able to resolve mine. vReplicator was the culprit, I was testing this about a month or so back the password policy changed and it was using my old password to try and log in. Once I stopped vReplicator all those messages went away. Hope this helps you...
Thank you,
Express
What is vReplicator?!
vReplicator is part of Vizioncore, for vm backups and of the sort... www.vizioncore.com
Thank you,
Express
Oh, right on. Unfortunately I am not using that
The only thing I would suggest is to check on any applications you may have recently installed and either it's not working or you are not using anymore, maybe a trial version of something.... good luck, once you do find it let us know so we can all get a little more educated....
Thank you,
Express
You need to determine the IP address that the connection attempts are coming from. Unfortunately the "vmware-hostd[1209]: Rejected password for user root from 127.0.0.1" is not useful because hostd uses a reverse proxy; therefore all hostd connection attempts logged in messages will show 127.0.0.1 regardless of the IP address that it's coming from.
To determine the IP address you can either run a packet capture or enable extra hostd logging.
1. To capture all traffic you can use the following command: tcpdump -i vswif0 -s0 -w /tmp/capture.pcap
This will write the output to /tmp/capture.pcap which you can then analyze using some tool such as wireshark.
2. To enable hostd trivia logging (WARNING see following KB before stopping hostd - http://kb.vmware.com/kb/1003312/) :
2a. Stop hostd: service mgmt-vmware stop
2b. Edit the file "/etc/vmware/hostd/config.xml" and change the line containing
2c. Start hostd: service mgmt-vmware start
2d. Note down the time of the next login failure in /var/log/messages then check /var/log/vmware/hostd.log to see where the request came from. Attach the hostd log if you're not sure.
Message was edited by: appk
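Added example, not part of any post in this thread: a small log triage script that groups the "Rejected password" lines from /var/log/messages by host and user and reports those that recur at a fixed interval, which tells you when to expect the next failure before correlating with hostd.log or a capture. The sample lines are constructed in the format quoted above; the host "esx-lab", the `year` placeholder and the function names are assumptions of this example.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample in the format of the /var/log/messages excerpts in this thread.
# "esx-lab" and its timestamps are invented for contrast.
SAMPLE = """\
Jan 12 08:52:35 sfwesx01 vmware-hostd[1209]: Rejected password for user root from 127.0.0.1
Jan 12 08:57:32 sfwesx01 vmware-authd(pam_unix)[1209]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=root
Jan 12 08:57:35 sfwesx01 vmware-hostd[1209]: Rejected password for user root from 127.0.0.1
Jan 12 09:02:34 sfwesx01 vmware-hostd[1209]: Rejected password for user root from 127.0.0.1
Jan 12 09:07:35 sfwesx01 vmware-hostd[1209]: Rejected password for user root from 127.0.0.1
Jan 12 09:12:35 sfwesx01 vmware-hostd[1209]: Rejected password for user root from 127.0.0.1
Jan 12 10:01:10 esx-lab vmware-hostd[977]: Rejected password for user root from 127.0.0.1
Jan 12 10:03:40 esx-lab vmware-hostd[977]: Rejected password for user root from 127.0.0.1
Jan 12 10:41:02 esx-lab vmware-hostd[977]: Rejected password for user root from 127.0.0.1
"""

# The trailing address is not captured: it is always the local proxy (127.0.0.1).
LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) vmware-hostd\[\d+\]: "
                  r"Rejected password for user (\S+) from ")

def rejected_logins(text, year=2000):
    """Group hostd password rejections as {(host, user): [datetime, ...]}.
    Syslog lines carry no year, so `year` is an assumed placeholder."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            stamp = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            events[(m.group(2), m.group(3))].append(stamp)
    return events

def periodic_failures(text, tolerance=15, min_rounds=3):
    """Return {(host, user): interval_seconds} where failures recur on a fixed
    schedule, the signature of a service retrying a stale credential."""
    found = {}
    for key, stamps in rejected_logins(text).items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        gaps = [g for g in gaps if g >= 60]   # repeats within one burst are one round
        if len(gaps) + 1 < min_rounds:
            continue
        typical = median(gaps)
        if all(abs(g - typical) <= tolerance for g in gaps):
            found[key] = typical
    return found

if __name__ == "__main__":
    for (host, user), secs in periodic_failures(SAMPLE).items():
        print(f"{host}: '{user}' rejected every ~{secs:.0f}s; note the next round and check hostd.log")
```
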