VMware Cloud Community
Silverchenau
Enthusiast

vMA 4.1 error Failed to add users.

hi, guys:

I have just installed a new vCenter 4.1 with 1 esxi 4.0u2 and 1 esxi 4.1.

I have downloaded vMA 4.1 and tried to use AD auth to connect to vCenter.

I have joined the vMA to the domain and restarted vMA.

However, when I tried to add vCenter with --authpolicy adauth, it asked me to type in username for vCenter server.

I typed mydomain
myaccount

It gave me Error: Failed to add users

Can you tell me why?

Thanks a lot






- Silver

My Vmware blog: http://geeksilverblog.com

40 Replies
Silverchenau
Enthusiast

sorry, it seems I can't type slash slash in this form.

I followed the vMA 4.1 docs and typed MYDOMAIN "slash""slash" myusername






lamw
Community Manager

If you look in /var/log/vmware/vma/vifpd.log you'll probably see an entry that says the following:

[2010-07-20 09:16:20.527 429C0940 info 'App'] command-> 1
[2010-07-20 09:16:20.528 4091D940 info 'App'] ADDSERVER
[2010-07-20 09:16:20.528 429C0940 info 'App'] MessageQueue::RecvMessage - Queue id is 0
[2010-07-20 09:16:20.539 4091D940 info 'App'] Already connected.
[2010-07-20 09:16:20.540 4091D940 error 'App'] addserver: Error occured while adding users for reflex.primp-industries.com ..rolling back. User PRIMP-INDUSTRIES.COM\primp does not exist. .

For whatever reason, it's unable to locate the user in the domain. However, if you do something like "id " I can verify that it does see the user. I can also verify by running lw-find-user-by-name:

[vi-admin@tancredi bin]$ ./lw-find-user-by-name primp
User info (Level-0):
====================
Name:     primp
SID:      S-1-5-21-503341760-968948550-2164105906-1105
Uid:      1058014289
Gid:      1058013696
Gecos:    primp primp
Shell:    /bin/bash
Home dir: /home/local/PRIMP-IND/primp

Might be another bug in vMA 4.1 ....

=========================================================================

William Lam

VMware vExpert 2009,2010

VMware scripts and resources at:

Twitter: @lamw

Getting Started with the vMA (tips/tricks)

Getting Started with the vSphere SDK for Perl

VMware Code Central - Scripts/Sample code for Developers and Administrators

VMware Developer Community

If you find this information useful, please award points for "correct" or "helpful".

lamw
Community Manager

Okay, I got it working, and you may be running into the issue due to a few potential reasons.

1) After joining vMA to AD, you must reboot ... this was my issue

2) You only need to use the "2 slashes" if you specify --username from the CLI as the first "slash" would need to be escaped, else you only need to use "1 slash" if you're being prompted.

3) You're specifying the incorrect user and/or domain

For issue #2: You will need to do one of the following:

a)

[vi-admin@tancredi ~]$ sudo vifp addserver reflex.primp-industries.com --authpolicy adauth --username PRIMP-IND\\primp

b)

[vi-admin@tancredi ~]$ sudo vifp addserver reflex.primp-industries.com --authpolicy adauth
Enter username for reflex.primp-industries.com: PRIMP-IND\primp

For issue #3, you may be providing the wrong username and/or domain. The easiest way to figure this out is to use Likewise's lw-find-user-by-name command:

[vi-admin@tancredi ~]$ /opt/likewise/bin/lw-find-user-by-name primp
User info (Level-0):
====================
Name:     primp
SID:      S-1-5-21-503341760-968948550-2164105906-1105
Uid:      1058014289
Gid:      1058013696
Gecos:    primp primp
Shell:    /bin/bash
Home dir: /home/local/PRIMP-IND/primp

The full username including domain that you must use is PRIMP-IND/primp as seen by the Home dir setting. You will need to substitute whatever username you're trying to query and ensure that matches up before providing that as "adauth" to vifp.

Hopefully this helps.

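Issue #2 and issue #3 from the post above, as an added example that is not part of the original posts: it derives the DOMAIN\user string from lw-find-user-by-name output and shows what a program receives for each way of typing the backslash. The function names are hypothetical, the lookup output is the one quoted in the post, and taking the short domain from the Home dir path is an assumption that follows the post.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. Helper names are hypothetical.

# Constructed sample: the lw-find-user-by-name output quoted in the post.
sample_lookup() {
cat <<'EOF'
User info (Level-0):
====================
Name:     primp
SID:      S-1-5-21-503341760-968948550-2164105906-1105
Uid:      1058014289
Gid:      1058013696
Gecos:    primp primp
Shell:    /bin/bash
Home dir: /home/local/PRIMP-IND/primp
EOF
}

# Read lookup output on stdin and print DOMAIN\user. Assumption (from the
# post): the short domain is the directory just above the user in "Home dir".
# Exits non-zero when either field is missing, so a failed lookup is caught
# before anything is handed to vifp.
qualified_user() {
    awk -F': *' '
        $1 == "Name"     { name = $2 }
        $1 == "Home dir" { n = split($2, p, "/"); if (n >= 2) dom = p[n - 1] }
        END {
            if (name == "" || dom == "") exit 1
            printf "%s\\%s\n", dom, name
        }'
}

# Print one argument exactly as the called program receives it.
seen_by_program() { printf '%s\n' "$1"; }

# The same name typed three ways on the command line:
#   one backslash, unquoted       -> the shell removes it
#   two backslashes, unquoted     -> one backslash arrives (form a in the post)
#   one backslash, single-quoted  -> one backslash arrives
demo_quoting() {
    seen_by_program PRIMP-IND\primp
    seen_by_program PRIMP-IND\\primp
    seen_by_program 'PRIMP-IND\primp'
}

sample_lookup | qualified_user   # PRIMP-IND\primp
demo_quoting
```

At the interactive "Enter username" prompt no shell parses the input, which is why form b in the post needs only one backslash.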
damiankarlson
Enthusiast

Hey guys, I think I'm having the same sort of issue.

1.) I downloaded and installed VMA

2.) I joined it to the domain, rebooted and then verified it with "sudo domainjoin-cli query"

3.) Logged in as vi-admin, I issue "vifp addserver fqdn-vcenterserver --authpolicy adauth"

4.) When prompted for the username, I get "Error: failed to add users" for any of the following responses: DOMAIN\username (with 2 slashes, but this forum breaks that), DOMAIN/username, or simply username

5.) When I enter DOMAIN\username, I don't get prompted for the password.

Any ideas?

Twitter: @sixfootdad Blog: damiankarlson.com Podcast: professionalvmware.com/brownbags
lamw
Community Manager

If you take a look at my previous post, you'll realize there is a typo in VMware's documentation and I mentioned what you need to use in terms of the "slashes" that are required.

If you added your vCenter server and you waited for the username to be prompted, the proper syntax will be "DOMAIN\username" and if you get no output after the command, it means it was successful. You can easily validate that by listing all your fastpass targets and you'll notice there are two types: fpauth and adauth, which are for fastpass auth using the normal credentials OR adauth where it's using AD.

To do so, run:

[vi-admin@tancredi ~]$ vifp listservers -l
esx4-1.primp-industries.com     ESX     fpauth
manaslu.primp-industries.com    vCenter fpauth
esxi4-3.primp-industries.com    ESXi    fpauth
reflex.primp-industries.com     vCenter adauth

You can see the very last entry was added using adauth.

Hopefully this clears up any confusion.

damiankarlson
Enthusiast

Yes, thank you William, that does clear up a bit of confusion. After it's been added, is the expected behavior that I should be able to log in to VMA using my domain credentials and run vicfg commands against specific hosts without having to reauthenticate each time?

When I login using my domain credentials (which has full admin access in vCenter), and I attempt to run a command like vicfg-nics -l --vihost esxhostname, I get prompted for a username and password. Entering DOMAIN\username and password gets me "Error connecting to server at 'https://localhost/sdk/webService': Connection refused"

I guess I just want to make sure that it's not working correctly, and not that I have different expectations.

Thanks so much for your help.

Silverchenau
Enthusiast

Yes, I have the exact same trouble as Damian mentioned above.

I hadn't touched the server overnight. When I tried to log in again this morning, I saw the following response.

$ vifp addserver myvCenter.mydomain.com --authpolicy adauth

Enter username for myvCenter.mydomain.com: mydomain\myusername

That's it. The screen finished without even asking me to type in a password.

If you do a listservers, you will see the vCenter server is there.

Then, I tried to run vicfg-nics -l, and I got the following.

$ vicfg-nics -l

Enter username: root

Enter password:

Error connecting to server at 'https://localhost/sdk/webService': Connection refused

I tried to remove vCenter from the list and reboot vMA. Nothing works.

Can you explain why it happens?






Silverchenau
Enthusiast

If I may, I would like to add some interesting facts.

I tried the "id" command. I was logged in as vi-admin, so it shows vi-admin.

Then, I tried to use /opt/likewise/bin/lw-find-user-by-name myusername

it says failed to located users. No such user.

Then, I logged off and logged on as mydomain\myusername, and I successfully logged in. (Does it prove I have added vMA to the domain successfully?)

I also double-checked my domain and I can see my vMA machine account.

But my domain account doesn't allow me to use vifp, and when I use /opt/likewise/bin/lw-find-user-by-name myusername to look for my domain user again, I get the same failed to located users. No such user.

If I recall correctly, I encountered the following when I tried to join my vMA to the domain.

I got

Warning: Unknown pam module.

The likewise PAM module cannot be configured for the wbem service. This servics uses the '$ISA/pam_unix.so' module, which is not in this

programs' list of known modules. Please email Likewise technical support and include a copy of /etc/pam.conf or /etc/pam.d

Warning: A resumeable error occured while processing a module.

Even though the configuration of 'pam' was executed, the configuration did not fully complete. Please contact Likewise support.

SUCCESS.

If I use sudo domainjoin-cli query, it shows everything correctly.

Was my domain join a success or a failure? Why can't I search for my domain account?






lamw
Community Manager

Did you actually initialize and set your fastpass target? The only reason you would see this error:

"https://localhost/sdk/webService': Connection refused"

is that the script is trying to connect locally, which is not correct, as it's neither a vCenter nor an ESX(i) target.

To initialize the target in question which is your vCenter host, you need to do the following:

[vi-admin@tancredi ~]$ vifptarget -s reflex.primp-industries.com

[vi-admin@tancredi ~][reflex.primp-industries.com]$ esxcfg-nics -l --vihost himalaya.primp-industries.com
Name    PCI     Driver     Link Speed    Duplex MAC Address        MTU    Description
vmnic0  06:00.0 e1000e     Up   1000Mbps Full   00:30:48:d9:58:6a  1500   Intel Corporation 82574L Gigabit Network Connection
vmnic1  07:00.0 e1000e     Down 0Mbps    Half   00:30:48:d9:58:6b  1500   Intel Corporation 82574L Gigabit Network Connection

lamw
Community Manager

Please take a look at my previous response; you are in the same boat. You did not activate the fastpass target, and the script by default will try to connect to localhost, which is not what you want.

Also, as I mentioned, to verify if you added a target successfully to vMA, you need to use "vifp listservers", and to see what authentication policy was used, you'll want to use the -l flag:

[vi-admin@tancredi ~]$ vifp listservers -l
esx4-1.primp-industries.com     ESX     fpauth
esxi4-3.primp-industries.com    ESXi    fpauth
manaslu.primp-industries.com    vCenter fpauth
reflex.primp-industries.com     vCenter adauth

It's worthwhile to check out the vMA documentation, which provides you with all this information.

lamw
Community Manager

Here is a more detailed post regarding fpauth & adauth - http://www.virtuallyghetto.com/2010/07/vma-41-authentication-policy-fpauth-vs.html

damiankarlson
Enthusiast

William, seriously, thanks for your help. I don't know if I'm just too dense lately or what, but I swear that VMA documentation was giving me fits. Your blog post, on the other hand, was much clearer -- thank you for that! I've subscribed to it, BTW. There's some really good stuff in there.

On to the topic at hand -- I killed the installation of VMA that I had yesterday, removed it from the domain, etc -- then I deployed a fresh copy and set it up, joined to the domain, etc.

Following your blog for the AD integration steps:

1.) Logged in as vi-admin and added the vCenter target using my AD credentials (I'm a domain admin and have full admin rights in vCenter)

2.) Verified the target was setup using adauth

3.) Opened up another Putty session and logged into VMA using my AD credentials

4.) Set the fastpass target to the newly added vCenter

5.) Did an esxcfg-nics -l --vihost esxserver (using the name of one of my primary ESX 4.0 hosts), and I was prompted for a username

After entering my username and password, the command worked, but I get prompted for username and pass for every command after that. Based on your blog, I don't believe that this is expected behavior.

lamw
Community Manager

The expected behavior is what is stated on my blog.

A few things to consider: ensure you perform a reboot of your vMA host after you join the domain and before you add new targets. When you're removing the target from AD, ensure you actually delete the object from your AD server if it has not been already. Also make sure the name of the ESX(i) host is the same name as shown in vCenter server; if you added the host using FQDN, then you need to specify FQDN to --vihost.

Silverchenau
Enthusiast

hi,guys:

I'm having the exact same issues as damiankarlson. I always got prompted for a username and password when I tried to run

vmware-cmd -l --vihost esxhost.domain.com

Strangely enough, when I tried to add vCenter to the server list, the system only asked for a username but not a password.

$ vifp addserver vcenter.mydomain.com --authpolicy adauth

Enter username for vcenter.mydomain.com: domain\myusername

For some reason, I don't think vMA passes the credential successfully, since it doesn't store the password for adauth in the local store.






lamw
Community Manager

Are you sure you followed the instructions as listed?

The reason it's not asking you for the password when you add the target using adauth is because the vMA host has been joined to the domain and if you logon with a user that has the permissions to connect to one of these adauth hosts, it will use those credentials and do a straight passthrough. Hence, you just need to use a valid AD account that has the permissions to connect to your vCenter. Then you will just login to vMA authenticating with that user, then set the proper target and you should be able to run the command as I've shown in my blog post and you will not be prompted for additional credentials.

Silverchenau
Enthusiast

hi, William:

Yes, I am using a domain admin account to log in to vMA without issue. Then, I tried to run a command against one of the hosts. Regardless of whether you are using fpauth or adauth to access vCenter, I always end up with a prompt for username and password. Once I pass this authentication for vCenter, I can get host information.

Unless there was an issue when I joined vMA to the domain. As you can see from my previous post, there are a few warnings before SUCCESS. Are those warnings related?

Thanks a lot, William






lamw
Community Manager

If you read my blog carefully, you'll notice that I've demonstrated both fpauth and adauth, and adauth works as expected for me. I would recommend that you remove your vMA host from your AD host, ensure it's been deleted, start over, and ensure you follow all the necessary steps. Note in my example, I use "Administrator" to join vMA to my AD domain and used "primp", which is a valid user that is allowed to connect to our vCenter.

Silverchenau
Enthusiast

hi, Guys:

I got VMware support on the phone. After chatting with them, I believe "every time you use --vihost, you are required to type in username and password".

That explains a lot.

If you want to really use AD authentication, you need to join vCenter (of course) and ESX(i) into domain.

Then, you need to target the right server and if all servers joined the domain, you should be able to run the command.

That's in theory. I'm still testing it.






lamw
Community Manager

If you want to really use AD authentication, you need to join vCenter (of course) and ESX(i) into domain.

Yes, that's the whole point. I assumed your vCenter is part of your AD domain. Your ESX(i) hosts don't have to be, unless you plan on AD passthrough to the host individually; in that case, you'll need to have them joined to AD.
