vCenter

  • 1.  vCenter server appliance loses AD permissions after reboot

    Posted Nov 12, 2012 07:17 PM

    vCenter Server Appliance 5.0 (based on SLES 11) joined to AD domain. I have added the domain's Domain Admins group at the vCenter object level in Permissions tab (Propagate: yes, shows up as DOMAIN\domain^admins) and am able to log in with the vSphere client to the vCenter Server Appliance using my Windows session credentials.

    However, if the appliance VM reboots, the DOMAIN\domain^admins entry is missing and I can only log in as root. If I add the group back, then I can log in using Windows session credentials like any other vCenter server.

    On the vCenter Server Appliance management webpage (https://hostname:5480), Authentication tab, Status sub-tab, AD Status is Enabled with the correct AD Domain. "Active Directory" sub-tab has the check box for "Active Directory Enabled" checked, even after reboot.

    The appliance does not lose its domain membership or AD settings, just the permission within vCenter does not persist across a reboot. I have rebooted the appliance several times and noticed this each time (guest OS reboot, not hard VM reset).

    Anybody else notice this? Why is this happening?



  • 2.  RE: vCenter server appliance loses AD permissions after reboot

    Posted Nov 12, 2012 07:44 PM

    Haven't noticed this ... Will keep an eye on it though...

    Anything in the logs?



  • 3.  RE: vCenter server appliance loses AD permissions after reboot

    Posted Nov 12, 2012 08:29 PM

    Actually, yes:

    2012-11-12T14:05:39.643-05:00 [7FFFF3ADD700 warning 'UserDirectory'] Group lookup failed for 'DOMAIN\domain^admins'
    2012-11-12T14:05:39.686-05:00 [7FFFF3ADD700 error 'Default'] Removing invalid permission 201: user DOMAIN\domain^admins not found
    2012-11-12T14:05:39.686-05:00 [7FFFF3ADD700 warning 'Default'] Removing permission for entity "group-d1", group "DOMAIN\domain^admins", role -1.  Reason: User or group not found

    So after it boots up and starts vCenter service, it looks at its permissions and removes any invalid ones. And these are being flagged as invalid. I wonder why? They are valid to add after it has booted etc.
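
The startup cleanup shown in the log lines of post 3, as an added example that is not part of the original thread: a Python parser that reports each permission vCenter removed and whether a failed directory lookup for the same principal was logged first. The function and field names are illustrative assumptions, and only the three message formats quoted above are matched.

```python
import re

# Sample input: the three log lines quoted in post 3, unchanged.
SAMPLE_LOG = r"""
2012-11-12T14:05:39.643-05:00 [7FFFF3ADD700 warning 'UserDirectory'] Group lookup failed for 'DOMAIN\domain^admins'
2012-11-12T14:05:39.686-05:00 [7FFFF3ADD700 error 'Default'] Removing invalid permission 201: user DOMAIN\domain^admins not found
2012-11-12T14:05:39.686-05:00 [7FFFF3ADD700 warning 'Default'] Removing permission for entity "group-d1", group "DOMAIN\domain^admins", role -1.  Reason: User or group not found
"""

LINE = re.compile(r"^(?P<ts>\S+) \[(?P<thread>\w+) (?P<level>\w+) '(?P<src>[^']*)'\] (?P<msg>.*)$")
LOOKUP = re.compile(r"Group lookup failed for '(?P<who>[^']+)'")
INVALID = re.compile(r"Removing invalid permission (?P<pid>\d+): user (?P<who>.+) not found")
REMOVED = re.compile(r'Removing permission for entity "(?P<entity>[^"]+)", (?P<kind>\w+) '
                     r'"(?P<who>[^"]+)", role (?P<role>-?\d+)\.\s+Reason: (?P<reason>.+)')


def find_removed_permissions(log_text):
    """Return one record per permission vCenter dropped, with lookup context."""
    failed_lookups = {}   # principal -> timestamp of the failed directory lookup
    permission_ids = {}   # principal -> id from the "invalid permission" line
    findings = []
    for raw in log_text.splitlines():
        line = LINE.match(raw.strip())
        if not line:
            continue  # not a log record in the format shown in the thread
        msg = line["msg"]
        if m := LOOKUP.search(msg):
            failed_lookups[m["who"]] = line["ts"]
        elif m := INVALID.search(msg):
            permission_ids[m["who"]] = int(m["pid"])
        elif m := REMOVED.search(msg):
            who = m["who"]
            findings.append({
                "time": line["ts"], "entity": m["entity"], "principal": who,
                "kind": m["kind"], "role": int(m["role"]), "reason": m["reason"],
                "permission_id": permission_ids.get(who),
                # Set only if a failed lookup for this principal was logged earlier.
                "lookup_failed_at": failed_lookups.get(who),
            })
    return findings


if __name__ == "__main__":
    for f in find_removed_permissions(SAMPLE_LOG):
        print("{time} removed {kind} {principal} from {entity} "
              "(permission {permission_id}, lookup failed at {lookup_failed_at})".format(**f))
```

Run after each appliance restart, a non-empty result means an access-control entry was dropped without an administrator action and has to be re-added by hand.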



  • 4.  RE: vCenter server appliance loses AD permissions after reboot

    Posted Nov 12, 2012 08:36 PM

    Interesting, this KB talks about the opposite, if I read it correctly that is, it's getting late: http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1025569