Friday, January 28, 2011

ESXi Active Directory Lookup failure

Call "UserDirectory.RetrieveUserGroups" for object "ha-user-directory" on ESXi "" failed.

Wha?

ESXi 4.1.0 v320137, evaluation license

Looks like a known bug: http://communities.vmware.com/message/1688839.

Note my message there at the bottom: the actual authentication and user/group add/del works fine... you just have to type the user/group names in manually instead of picking them from a lookup.

Here's my traceback in /host/messages:

Jan 29 00:43:07 Hostd: [2011-01-29 00:43:07.905 FFDC2B90 verbose 'UserDirectory' opID=C6A12DE4-00000176] Searching for LDAP server for AD
Jan 29 00:43:07 Hostd: [2011-01-29 00:43:07.909 FFDC2B90 verbose 'UserDirectory' opID=C6A12DE4-00000176] Using LDAP base dn: DC=ad,DC=mycompany,DC=com
Jan 29 00:43:07 Hostd: [2011-01-29 00:43:07.910 FFDC2B90 verbose 'SysCommandPosix' opID=C6A12DE4-00000176] ForkExec '/bin/kinit', pid 30416, rc 0
Jan 29 00:43:07 Hostd: [2011-01-29 00:43:07.959 FFDC2B90 error 'UserDirectory' opID=C6A12DE4-00000176] LDAP error code: 8 (Strong(er) authentication required)
Jan 29 00:43:07 Hostd: [2011-01-29 00:43:07.959 FFDC2B90 error 'App' opID=C6A12DE4-00000176] Error accessing directory: Can't bind to LDAP server for domain: AD
Jan 29 00:43:07 Hostd: [2011-01-29 00:43:07.959 FFDC2B90 info 'App' opID=C6A12DE4-00000176] AdapterServer caught exception: 68130fd8
Jan 29 00:43:07 Hostd: [2011-01-29 00:43:07.960 FFDC2B90 info 'Vmomi' opID=C6A12DE4-00000176] Activation [N5Vmomi10ActivationE:0x68094b10] : Invoke done [retrieveUserGroups] on [vim.UserDirectory:ha-user-directory]
Jan 29 00:43:07 Hostd: [2011-01-29 00:43:07.960 FFDC2B90 verbose 'Vmomi' opID=C6A12DE4-00000176] Arg domain:
Jan 29 00:43:07 Hostd: "AD"
Jan 29 00:43:07 Hostd: [2011-01-29 00:43:07.960 FFDC2B90 verbose 'Vmomi' opID=C6A12DE4-00000176] Arg searchStr:
Jan 29 00:43:07 Hostd: ""
Jan 29 00:43:07 Hostd: [2011-01-29 00:43:07.960 FFDC2B90 verbose 'Vmomi' opID=C6A12DE4-00000176] Arg belongsToGroup:
Jan 29 00:43:07 Hostd: (null)
Jan 29 00:43:07 Hostd: [2011-01-29 00:43:07.960 FFDC2B90 verbose 'Vmomi' opID=C6A12DE4-00000176] Arg belongsToUser:
Jan 29 00:43:07 Hostd: (null)
Jan 29 00:43:07 Hostd: [2011-01-29 00:43:07.960 FFDC2B90 verbose 'Vmomi' opID=C6A12DE4-00000176] Arg exactMatch:
Jan 29 00:43:07 Hostd: false
Jan 29 00:43:07 Hostd: [2011-01-29 00:43:07.960 FFDC2B90 verbose 'Vmomi' opID=C6A12DE4-00000176] Arg findUsers:
Jan 29 00:43:07 Hostd: true
Jan 29 00:43:07 Hostd: [2011-01-29 00:43:07.960 FFDC2B90 verbose 'Vmomi' opID=C6A12DE4-00000176] Arg findGroups:
Jan 29 00:43:07 Hostd: true
Jan 29 00:43:07 Hostd: [2011-01-29 00:43:07.960 FFDC2B90 info 'Vmomi' opID=C6A12DE4-00000176] Throw vmodl.fault.SystemError
Jan 29 00:43:07 Hostd: [2011-01-29 00:43:07.960 FFDC2B90 info 'Vmomi' opID=C6A12DE4-00000176] Result:
Jan 29 00:43:07 Hostd: (vmodl.fault.SystemError) {
Jan 29 00:43:07 Hostd: dynamicType = ,
Jan 29 00:43:07 Hostd: faultCause = (vmodl.MethodFault) null,
Jan 29 00:43:07 Hostd: reason = "Error accessing directory",
Jan 29 00:43:07 Hostd: msg = "",
Jan 29 00:43:07 Hostd: }


The logs also suggest there's something running in the background that reuses the credentials used to join the host to AD for some other lookup. Not sure how I feel about that one.

I'll see if I can devote any more time to this next week. As it is, it just looks to be an obnoxious bug...

4 comments:

  1. AD is 2008R2. I'm pretty sure the ticket is "LDAP error code: 8 (Strong(er) authentication required)" but I'll need to double-check with our AD crew and/or bind some other random box to AD via Likewise to see if I can duplicate anything.

  2. Enabling NTP fixed this issue for me.

    Replies
    1. This issue was in an old version of vCSA, I've had pretty good luck with recent 5.5 versions.

  3. In ESXi 6.0 I also fixed this same issue with enabling NTP.

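As an added example (not code from the original post, the commenters, or VMware), the script below triages hostd log lines of the shape quoted in the post: it groups lines by opID, reports the LDAP result code of the failing bind with its RFC 4511 name and whether hostd had forked /bin/kinit first, and carries the clock-skew check behind the NTP fix the commenters report (Active Directory's default Kerberos tolerance is 5 minutes; kinit cannot get a ticket from a DC when the host clock is further off than that). The embedded log lines are copied in shape from the post, and the DC timestamps used in the demo are constructed.

```python
#!/usr/bin/env python3
"""Triage helper for the hostd "Can't bind to LDAP server" failure.

Added example, not the post's or VMware's code. Parses hostd lines, extracts
the LDAP result code per opID, and checks host/DC clock skew against the
Kerberos tolerance that NTP keeps the host inside.
"""
import re
from datetime import datetime, timedelta

# Constructed sample: the lines from the post that matter for the failing opID.
SAMPLE_LOG = """\
Jan 29 00:43:07 Hostd: [2011-01-29 00:43:07.905 FFDC2B90 verbose 'UserDirectory' opID=C6A12DE4-00000176] Searching for LDAP server for AD
Jan 29 00:43:07 Hostd: [2011-01-29 00:43:07.909 FFDC2B90 verbose 'UserDirectory' opID=C6A12DE4-00000176] Using LDAP base dn: DC=ad,DC=mycompany,DC=com
Jan 29 00:43:07 Hostd: [2011-01-29 00:43:07.910 FFDC2B90 verbose 'SysCommandPosix' opID=C6A12DE4-00000176] ForkExec '/bin/kinit', pid 30416, rc 0
Jan 29 00:43:07 Hostd: [2011-01-29 00:43:07.959 FFDC2B90 error 'UserDirectory' opID=C6A12DE4-00000176] LDAP error code: 8 (Strong(er) authentication required)
Jan 29 00:43:07 Hostd: [2011-01-29 00:43:07.959 FFDC2B90 error 'App' opID=C6A12DE4-00000176] Error accessing directory: Can't bind to LDAP server for domain: AD
Jan 29 00:43:07 Hostd: "AD"
Jan 29 00:43:07 Hostd: [2011-01-29 00:43:07.960 FFDC2B90 info 'Vmomi' opID=C6A12DE4-00000176] Throw vmodl.fault.SystemError
"""

# One hostd line: syslog prefix, then [timestamp thread level 'component' opID=...] message
HOSTD_RE = re.compile(
    r"^(?P<syslog_ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) Hostd: "
    r"\[(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) (?P<thread>[0-9A-Fa-f]+) "
    r"(?P<level>\w+) '(?P<component>[^']+)'(?: opID=(?P<opid>[^\]\s]+))?\] (?P<msg>.*)$"
)
LDAP_ERR_RE = re.compile(r"LDAP error code: (?P<code>\d+)")

# LDAP result codes from RFC 4511 section 4.1.9 (the ones a bind can return).
LDAP_RESULT_CODES = {
    0: "success",
    7: "authMethodNotSupported",
    8: "strongerAuthRequired",
    32: "noSuchObject",
    49: "invalidCredentials",
    50: "insufficientAccessRights",
}

# AD default "Maximum tolerance for computer clock synchronization".
KERBEROS_MAX_SKEW = timedelta(minutes=5)


def parse_hostd_line(line):
    """Return the bracketed fields as a dict, or None for continuation lines
    such as the bare 'Hostd: "AD"' argument dumps in the post."""
    m = HOSTD_RE.match(line)
    return m.groupdict() if m else None


def triage_ldap_bind(log_text):
    """Describe every opID that logged an LDAP error.

    Each finding records the result code, its RFC 4511 name, whether hostd
    forked /bin/kinit earlier in the same operation, and the base DN it used.
    """
    by_opid = {}
    for raw in log_text.splitlines():
        rec = parse_hostd_line(raw)
        if rec is None or rec["opid"] is None:
            continue
        by_opid.setdefault(rec["opid"], []).append(rec)

    findings = []
    for opid, recs in by_opid.items():
        kinit_ran, base_dn = False, None
        for rec in recs:
            msg = rec["msg"]
            if "ForkExec '/bin/kinit'" in msg:
                kinit_ran = True
            if msg.startswith("Using LDAP base dn: "):
                base_dn = msg[len("Using LDAP base dn: "):]
            m = LDAP_ERR_RE.search(msg)
            if m:
                code = int(m.group("code"))
                findings.append({
                    "opid": opid,
                    "code": code,
                    "name": LDAP_RESULT_CODES.get(code, "unknown"),
                    "kinit_ran": kinit_ran,
                    "base_dn": base_dn,
                })
    return findings


def kerberos_skew_ok(host_time, dc_time, max_skew=KERBEROS_MAX_SKEW):
    """True when |host clock - DC clock| is within the Kerberos tolerance.

    Accepts datetimes or ISO strings ("2011-01-29 00:43:07"). A host outside
    the tolerance has its ticket requests refused, so the kinit hostd forks
    cannot obtain a ticket; keeping the host on NTP is what avoids that.
    """
    if isinstance(host_time, str):
        host_time = datetime.fromisoformat(host_time)
    if isinstance(dc_time, str):
        dc_time = datetime.fromisoformat(dc_time)
    return abs(host_time - dc_time) <= max_skew


if __name__ == "__main__":
    for f in triage_ldap_bind(SAMPLE_LOG):
        print(f"opID {f['opid']}: LDAP result {f['code']} ({f['name']}), "
              f"kinit ran first: {f['kinit_ran']}, base DN: {f['base_dn']}")
    # Constructed DC timestamp: 8m23s ahead of the host, outside the 5-minute default.
    print("host clock within Kerberos tolerance:",
          kerberos_skew_ok("2011-01-29 00:43:07", "2011-01-29 00:51:30"))
```

Run it against a real /var/log/messages (or wherever hostd logs on the build in use) by replacing SAMPLE_LOG with the file contents; a finding with code 8 right after a kinit fork, on a host that is not syncing time, is the pattern the comments describe.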