VMware Cloud Community
chouse
Enthusiast

vCenter server appliance loses AD permissions after reboot

vCenter Server Appliance 5.0 (based on SLES 11) joined to an AD domain. I have added the domain's Domain Admins group at the vCenter object level in the Permissions tab (Propagate: yes, shows up as DOMAIN\domain^admins) and am able to log in with the vSphere client to the vCenter Server Appliance using my Windows session credentials.

However, if the appliance VM reboots, the DOMAIN\domain^admins entry is missing and I can only log in as root. If I add the group back, then I can log in using Windows session credentials like any other vCenter server.

On the vCenter Server Appliance management webpage (https://hostname:5480), Authentication tab, Status sub-tab, AD Status is Enabled with the correct AD Domain. "Active Directory" sub-tab has the check box for "Active Directory Enabled" checked, even after reboot.

The appliance does not lose its domain membership or AD settings, just the permission within vCenter does not persist across a reboot. I have rebooted the appliance several times and noticed this each time (guest OS reboot, not hard VM reset).

Anybody else notice this? Why is this happening?

3 Replies
spravtek
Expert

Haven't noticed this ... Will keep an eye on it though...

Anything in the logs?

chouse
Enthusiast

Actually, yes:

2012-11-12T14:05:39.643-05:00 [7FFFF3ADD700 warning 'UserDirectory'] Group lookup failed for 'DOMAIN\domain^admins'
2012-11-12T14:05:39.686-05:00 [7FFFF3ADD700 error 'Default'] Removing invalid permission 201: user DOMAIN\domain^admins not found
2012-11-12T14:05:39.686-05:00 [7FFFF3ADD700 warning 'Default'] Removing permission for entity "group-d1", group "DOMAIN\domain^admins", role -1.  Reason: User or group not found

So after it boots up and starts the vCenter service, it looks at its permissions and removes any invalid ones. And these are being flagged as invalid. I wonder why? They are valid to add after it has booted, etc.

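As an added example (not code from this thread or from VMware), the script below parses vpxd.log lines like the ones quoted above and flags every permission that vpxd removed shortly after a failed directory group lookup, which is the boot-time pattern the reply describes. The sample lines are constructed from the quoted entries, and the function and pattern names are my own.

```python
import re
from datetime import datetime, timedelta

# Constructed sample modelled on the vpxd.log lines quoted in the thread (single backslashes in the log)
SAMPLE_LOG = """\
2012-11-12T14:05:39.643-05:00 [7FFFF3ADD700 warning 'UserDirectory'] Group lookup failed for 'DOMAIN\\domain^admins'
2012-11-12T14:05:39.686-05:00 [7FFFF3ADD700 error 'Default'] Removing invalid permission 201: user DOMAIN\\domain^admins not found
2012-11-12T14:05:39.686-05:00 [7FFFF3ADD700 warning 'Default'] Removing permission for entity "group-d1", group "DOMAIN\\domain^admins", role -1.  Reason: User or group not found
2012-11-12T14:07:01.000-05:00 [7FFFF3ADD700 info 'Default'] Unrelated informational message
"""

# vpxd line layout: <ISO timestamp with offset> [<thread> <level> '<component>'] <message>
LINE_RE = re.compile(r"^(?P<ts>\S+) \[(?P<thread>[0-9A-F]+) (?P<level>\w+) '(?P<component>[^']+)'\] (?P<msg>.*)$")
LOOKUP_FAIL_RE = re.compile(r"Group lookup failed for '(?P<group>[^']+)'")
REMOVED_RE = re.compile(
    r'Removing permission for entity "(?P<entity>[^"]+)", group "(?P<group>[^"]+)", '
    r"role (?P<role>-?\d+)\.\s+Reason: (?P<reason>.*)$"
)


def find_permission_drops(log_text, window=timedelta(seconds=5)):
    """Return each permission vpxd removed because the principal was unresolvable,
    marking whether a lookup failure for the same group preceded it within `window`."""
    last_lookup_failure = {}  # group -> timestamp of the most recent failed lookup
    drops = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not a vpxd-formatted line; ignore
        ts = datetime.fromisoformat(m["ts"])  # offset-aware, so differences are exact
        lookup = LOOKUP_FAIL_RE.search(m["msg"])
        if lookup:
            last_lookup_failure[lookup["group"]] = ts
            continue
        removed = REMOVED_RE.search(m["msg"])
        if removed:
            failed_at = last_lookup_failure.get(removed["group"])
            drops.append({
                "time": ts,
                "entity": removed["entity"],
                "group": removed["group"],
                "role": int(removed["role"]),
                "reason": removed["reason"],
                # True when the directory could not resolve the group just before the drop,
                # the signature of the directory not being reachable yet during boot
                "after_lookup_failure": failed_at is not None and ts - failed_at <= window,
            })
    return drops


if __name__ == "__main__":
    for d in find_permission_drops(SAMPLE_LOG):
        print(f"{d['time']} dropped {d['group']} on {d['entity']} (lookup failed first: {d['after_lookup_failure']})")
```

Running it over the real vpxd.log right after a reboot tells you whether the removal was preceded by a failed lookup, which separates a directory-availability race from a genuinely deleted group.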
spravtek
Expert

Interesting, this KB talks about the opposite, if I read it correctly, that is; it's getting late: http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=102556...
