Hello,
Since last Friday, we have been encountering a strange behavior: our backup team has reported to us that they are no longer able to back up VMs because of some missing permissions.
This is strange as everything was working fine.
We had a look at the vCenter side and, using the web client, when trying to browse datastores, nothing appears (no files are listed).
We had a look at the user permissions and the user is in the administrator group with all the access.
We have asked our backup team to test with another user, also part of the administrator group, and everything is working. We can browse the datastore using vSphere Web Client.
We have changed the permission of the user from administrator to read-only and moved it back to the administrator group: same issue.
vCenter (Windows) has been completely rebooted.
No updates (VMware or Windows) have been applied.
Has someone already encountered the same issue?
Any clue where to look?
Infrastructure is running vSphere 5.5 and vCenter 5.5 (unfortunately it can't be upgraded to v6 for the moment).
Thanks in advance for your help and advice.
Can you connect to one of the hosts directly (taking vCenter out of the equation)? What do you see?
Have you tried cloning/copying the account and reviewing the datastores from the new account?
Can you view the datastore from the admin account?
The only thing I can think of is a database issue.
Yes, if I connect directly to the host (via vSphere Client and using the root account) I can browse the datastore.
The account is an account from AD. I can't clone it. But I have used another account from that AD, given the administrator role to that new account, and everything is OK.
If I use the administrator account or an account which has the right to browse datastore, it works.
I have tried to clone the administrator role and assign the problematic user to that new role. Same issue.
Maybe you are right, there is something wrong in the DB related to that user.
Yeah, that's a tough one. Maybe a brand-new user account, as that would write a new entry into the DB?
Creating a new user on the local Domain, everything is working.
I'm not managing the AD; I need to ask the team managing it to create a new user and see if the problem persists with the new user. I will keep this post up to date once I have news.
The issue is not blocking us, as we use a workaround, which is to use another user from the AD. But I would like to understand what happened and if there is a solution to solve it.
The user we use has a particular name that has been declared in some ISO documentation. If the ISO documentation needs to be modified by adding a new user, this is not a problem, but I would avoid some administrative work if the problem can be understood and solved technically.
By the way, thanks for helping.
That's an interesting one.
When you talk about the "administrator group", what exactly are you referring to? Is it the local Windows Administrator group, or is it an administrator group that is being used to configure permissions in the vCenter Server inventory?
Are the current user account and the one that works members of the same domain groups?
André
Hi André,
By "administrator group" I mean the one being used to configure permissions in the vCenter Server inventory.
Yes, both users are coming from the same domain group.
Thanks for helping
Just to be sure I understand this correctly:
André
Hi Andre,
This is exactly that!
We have made some tests and we found the problem.
Let me explain what we did:
The problematic user has been cloned in the AD directory. I gave him administrator access on vSphere => same issue. Can't browse datastore.
We have changed the name of the cloned user => same issue.
We have moved that user to another OU in AD => same issue.
The problem user was part of several groups (member of) on the AD side. We removed some groups and magically everything was working!
One by one, we put back the groups until the problem reappeared. We have identified the problematic group.
It seems that if the user is a member of a particular group (in that case, the group is VPN_Access), the user is not able to browse datastore.
I don't understand what could cause that conflict! We will have a look at the VPN_Access group to see if something has changed.
The only thing that I can think of is that the VPN_Access group is also being used somewhere within the vCenter Server's permissions!? And this group has restricted permissions on some objects.
André
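
One way to check the hypothesis in the last reply, as an added example that is not part of the original thread: list every vCenter permission held by the user or by any AD group the user belongs to, and flag whether the assigned role includes the datastore browse privilege. It assumes VMware PowerCLI and the ActiveDirectory module are available; the server name `vcenter.example.local` and the account `svc_backup` are placeholders, not values from the thread.

```powershell
# Added example; 'vcenter.example.local' and 'svc_backup' are placeholders.
Import-Module ActiveDirectory
Connect-VIServer -Server 'vcenter.example.local' | Out-Null

$user = 'svc_backup'

# SamAccountNames of the user plus every group it is a direct member of.
# Nested group membership is not expanded here.
$names = @($user) + (Get-ADPrincipalGroupMembership -Identity $user |
    Select-Object -ExpandProperty SamAccountName)

# Cache, per role name, whether the role grants the privilege
# needed to browse a datastore.
$canBrowse = @{}
foreach ($role in Get-VIRole) {
    $canBrowse[$role.Name] = $role.PrivilegeList -contains 'Datastore.Browse'
}

# Every permission whose principal is the user or one of its groups.
# Assumes principals are reported as DOMAIN\name; the part after the
# backslash is compared with the SamAccountName.
Get-VIPermission |
    Where-Object { $names -contains ($_.Principal -split '\\')[-1] } |
    Select-Object @{n='Entity'; e={$_.Entity.Name}},
                  Principal, IsGroup, Role, Propagate,
                  @{n='DatastoreBrowse'; e={$canBrowse[$_.Role]}} |
    Sort-Object Entity, Principal |
    Format-Table -AutoSize
```

Any row where a group such as VPN_Access holds a role with `DatastoreBrowse` set to False on a datastore, datastore folder or datacenter is worth a closer look, because a permission assigned on a child object overrides one propagated from a parent.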