I have a single host that is managed by vCenter 6.5, and there is a read-only AD user defined in vCenter's global permissions. The other 6.5 ESXis have a local user and I'm able to connect to them.
The problem is that I cannot connect with ssh or web ui "Cannot complete login due to an incorrect user name or password."; "A user attempted to log in with an unknown or invalid username".
I've tried re-adding user in vCenter, creating local one on host via web ui and powercli, still no luck.
I have to note that the vCenter-defined user's password doesn't meet ESXi 6.5 complexity. I also tried setting "Security.PasswordQualityControl" to "retry=3 min=disabled,disabled,disabled,disabled,disabled" (it was default) and got "a general system error occurred: Sorry, you've mistyped the password that was generated for you." while trying to create a local user on the host.
So how do I create a read-only user for monitoring?
Is the user listed when doing:
cat /etc/security/access.conf
waxcab, asking the question in the right community will help you get a quicker answer.
Try posting the question under the VMware vSphere™ Forum.
Are you sure you created the user correctly?
Log on to an ESXi host -> Manage -> Security & users -> Users -> Add user -> complete "Add a user"
When completed:
Host -> Actions -> Permissions -> Add user -> enter newly created user name -> select read-only from the right drop down menu -> optional: propagate to all children
Which user have you used to add the Host to vCenter? Does this Account work via SSH and Host Client?
I'm sure, I followed exactly these steps as root, which can log in via ssh.
Try the following procedure:
Security.PasswordQualityControl is already set to retry=3 min=disabled,disabled,disabled,7,7
Lockdown mode disabled on host
I can see my user in host's permission as read-only
I set a new password for my user, but still can't log in, neither with ssh nor web ui.
Open a SSH session with root and fire up this command:
tail -f /var/log/auth.log
Open a new SSH session and try to login with the other user. What is the error shown in the first screen (the one with the tail command)?
The account may be locked:
pam_tally2 --user root
[root@srv-hyp-4:~] tail -f /var/log/auth.log
2019-12-01T05:06:27Z sshd[1141668]: /etc/ssh/sshd_config line 21: Unsupported option PrintLastLog
2019-12-01T05:06:27Z sshd[1141668]: Connection from 172.29.129.136 port 25097
2019-12-01T05:06:31Z sshd[1141670]: pam_access(sshd:auth): access denied for user `esximon' from `172.29.129.136'
2019-12-01T05:06:36Z sshd[1141670]: [module:pam_lsass]pam_sm_authenticate: failed [error code:40017]
2019-12-01T05:06:37Z sshd[1141668]: error: PAM: Permission denied for esximon from 172.29.129.136
2019-12-01T05:06:37Z sshd[1141672]: pam_tally2(sshd:auth): user esximon (1000) tally 143, deny 5
2019-12-01T05:06:37Z sshd[1141672]: pam_access(sshd:auth): access denied for user `esximon' from `172.29.129.136'
[root@srv-hyp-4:~] pam_tally2 --user esximon
Login Failures Latest failure From
esximon 145 12/01/19 05:08:03 172.29.129.136
Web ui: "Remote access for ESXi local user account 'esximon' has been locked for 900 seconds after 145 failed login attempts."
I didn't disable zabbix monitoring for the host, but changed the username that it uses to "esximontest", so there are logs:
But there are no similar logs for "esximon" that I created on the host, so I don't know how it could reach 150 failed login attempts.
Please try to unlock your account and try again:
pam_tally2 --user esximon --reset
Is the user listed when doing:
cat /etc/security/access.conf
pam_tally2 --user esximon --reset won't help, I still can't log in.
cat /etc/security/access.conf
+:dcui:ALL
+:root:ALL
+:vpxuser:ALL
+:vslauser:ALL
-:esximon:ALL
-:ALL:ALL
I guess the clue is in the minus?
So I just edited /etc/security/access.conf to
+:dcui:ALL
+:root:ALL
+:vpxuser:ALL
+:vslauser:ALL
+:esximon:ALL
-:ALL:ALL
and now esximon is able to login. I think the problem is solved but I still have some questions about the access.conf and its rules.
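As an added example (not code from this thread or from VMware), a small Python evaluator of the permission:users:origins rules in the two access.conf versions above. It implements only the subset the file uses (+/-, user names, space-separated lists and ALL) and assumes pam_access's first-match-wins semantics and its allow-when-no-rule-matches default; groups, netgroups, EXCEPT and origin patterns are not handled.

```python
# Minimal evaluator for pam_access-style rules (permission:users:origins).
# Constructed inputs: the access.conf contents quoted in the thread, before
# and after the '-:esximon:ALL' line was changed to '+:esximon:ALL'.
BEFORE = """\
# This file is autogenerated and must not be edited.
+:dcui:ALL
+:root:ALL
+:vpxuser:ALL
+:vslauser:ALL
-:esximon:ALL
-:ALL:ALL
"""

AFTER = BEFORE.replace("-:esximon:ALL", "+:esximon:ALL")


def parse_rules(text):
    """Return (permission, users, origins) tuples; comments and blanks are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        if perm not in ("+", "-"):
            raise ValueError(f"bad permission field in rule: {raw!r}")
        # Subset only: a field is a space-separated list of names or ALL.
        rules.append((perm, users.split(), origins.split()))
    return rules


def _field_matches(items, value):
    return "ALL" in items or value in items


def check_access(text, user, origin="ALL"):
    """Apply rules top to bottom; the first rule matching both user and
    origin decides. Returns (verdict, 1-based rule number or None).
    Assumption: pam_access grants access when no rule matches."""
    for n, (perm, users, origins) in enumerate(parse_rules(text), 1):
        if _field_matches(users, user) and _field_matches(origins, origin):
            return ("allow" if perm == "+" else "deny", n)
    return ("allow", None)


if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        for user in ("esximon", "root", "esximontest"):
            print(label, user, "->", check_access(cfg, user, "172.29.129.136"))
```

Run against the "before" file, esximon is denied by rule 5 even though rule 6 would deny everyone anyway; in the "after" file rule 5 allows esximon while any other unlisted user still hits the closing -:ALL:ALL.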
Good to read you fixed it, here is some reading on how access.conf works:
https://linux.die.net/man/5/access.conf
Is this change persistent on ESXi?
I believe so. As long as the ESXi host is not AD joined there should be no reason for the file to change.
Hi,
I had the same problem as initially described here. I also changed /etc/security/access.conf but there is this line present at the very top:
# This file is autogenerated and must not be edited.
Therefore, my changes are always wiped out. How can I make this persistent? Which service/process is changing this file?
Thanks.