
After Upgrading or Installing vCenter Server U3b or vCenter Server 7.0, lsassd Frequently Core Dumps and Users Fail to Login with Invalid Credentials

 

Symptoms
User logins fail with an invalid credentials error.

/var/log/messages shows the following errors for offline domains:
 
2020-01-07T11:08:52.272792+00:00 vCenterFQDN lsassd[48897]: 0x7f3dd0fcb700:Domain 'DomainFQDN' is now offline
2020-01-07T11:08:52.273091+00:00 vCenterFQDN lsassd[48897]: 0x7f3dd0fcb700:Detected domain 'DomainFQDN' offline. Some group information from this domain might be missing.

/var/log/messages shows the following errors indicating lsassd has crashed:
2020-01-07T11:07:48.749200+00:00 vCenterFQDN lwsmd: Restarting dead service: lsass (attempt 1/2)
2020-01-07T11:07:48.749840+00:00 vCenterFQDN lwsmd: Starting service: lsass

The /var/core directory contains multiple lsassd core files, e.g. core.lsassd.1541
Cause
This issue was introduced in vCenter Server U3b (15129973) by a change to how Likewise handles offline domains. Likewise can return a partial set of group memberships, or none at all, for any user associated via group membership with a trusted domain that is offline. This issue also impacts vCenter Server 7.0 GA.
Resolution
This issue is resolved in vCenter Server 6.7 U3g. For more details, see the release notes.
This issue is resolved in vCenter Server 7.0b. For more details, see the release notes.
Workaround
  1. Log in using SSH to an impacted external PSC or embedded VCSA.
  2. Exclude offline domains by adding them to DomainManagerExcludeTrustsList.
/opt/likewise/bin/lwregshell set_value '[HKEY_THIS_MACHINE\Services\lsass\Parameters\Providers\ActiveDirectory]' "DomainManagerExcludeTrustsList" "Offline domain FQDN" "Offline domain FQDN"

For example,

/opt/likewise/bin/lwregshell set_value '[HKEY_THIS_MACHINE\Services\lsass\Parameters\Providers\ActiveDirectory]' "DomainManagerExcludeTrustsList" "NASA1.domain.cloud" "APJ1.domain.cloud"

Note: To identify the domains that are offline, refer to the messages in the Symptoms section of this KB (/var/log/messages) or run /opt/likewise/bin/lw-lsa get-status.
 
  3. Restart Likewise.
/opt/likewise/bin/lwsm restart lwreg
 
  4. Check that the excluded domains have been added to DomainManagerExcludeTrustsList in the registry.
/opt/likewise/bin/lwregshell list_values '[HKEY_THIS_MACHINE\Services\lsass\Parameters\Providers\ActiveDirectory]'
 
  5. Clear the cache.
/opt/likewise/bin/lw-lsa ad-cache --delete-all
 
  6. Try to log in with a user that was failing.
  7. Confirm group memberships are correct.
/opt/likewise/bin/lw-lsa list-groups-for-user <username>
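
The note in the workaround says offline domains can be read from /var/log/messages. The script below is an added example, not part of the original KB: it extracts those domains from lines in the format shown under Symptoms, counts lsass restarts, and prints the set_value command for review without running it. The sample log is constructed; the host name vcsa01 is a placeholder and the domain names are reused from the article's example.

```shell
#!/bin/sh
# Added example: build the DomainManagerExcludeTrustsList command from lsassd log lines.
REG_KEY='[HKEY_THIS_MACHINE\Services\lsass\Parameters\Providers\ActiveDirectory]'

# Print each distinct domain lsassd reported as offline. Only hostname characters
# are accepted, so nothing else from the log can end up in the generated command.
offline_domains() {
    sed -n "s/.*lsassd\[[0-9]*]: .*:Domain '\([A-Za-z0-9.-][A-Za-z0-9.-]*\)' is now offline.*/\1/p" "$1" | sort -u
}

# Count lwsmd restarts of a dead lsass service (the crash symptom).
lsass_restarts() {
    grep -c 'lwsmd: Restarting dead service: lsass' "$1" || true
}

# Print the set_value command for review; it is not executed here.
build_exclude_cmd() {
    domains=$(offline_domains "$1")
    [ -n "$domains" ] || { echo "no offline domains found in $1" >&2; return 1; }
    printf "/opt/likewise/bin/lwregshell set_value '%s' \"DomainManagerExcludeTrustsList\"" "$REG_KEY"
    for d in $domains; do printf ' "%s"' "$d"; done
    printf '\n'
}

# Constructed sample in the format shown under Symptoms.
sample_log() {
cat <<'EOF'
2020-01-07T11:07:48.749200+00:00 vcsa01 lwsmd: Restarting dead service: lsass (attempt 1/2)
2020-01-07T11:08:52.272792+00:00 vcsa01 lsassd[48897]: 0x7f3dd0fcb700:Domain 'NASA1.domain.cloud' is now offline
2020-01-07T11:08:52.273091+00:00 vcsa01 lsassd[48897]: 0x7f3dd0fcb700:Detected domain 'NASA1.domain.cloud' offline. Some group information from this domain might be missing.
2020-01-07T11:09:10.100000+00:00 vcsa01 lsassd[48897]: 0x7f3dd0fcb700:Domain 'APJ1.domain.cloud' is now offline
2020-01-07T11:12:52.272792+00:00 vcsa01 lsassd[48897]: 0x7f3dd0fcb700:Domain 'NASA1.domain.cloud' is now offline
EOF
}

# Use the log file given as the first argument, or the constructed sample if none is given.
LOG=${1:-}
if [ -z "$LOG" ]; then LOG=$(mktemp); sample_log > "$LOG"; fi
echo "lsass restarts by lwsmd: $(lsass_restarts "$LOG")"
build_exclude_cmd "$LOG"
```

Run it with /var/log/messages as the first argument on the affected appliance, then compare the printed domain list with the output of /opt/likewise/bin/lw-lsa get-status before applying the command.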
