Domain group permission removed when Active Directory is not reachable

Article ID: 301282

Products

VMware vSphere ESXi

Issue/Introduction

Symptoms:
Disclaimer: This article is a translation of Permission for Domain Group removed when Active Directory is not reachable (51625). Although we continually strive to provide the best translation of this article, localized content may be out of date. For the latest content, see the English version.

  • If Active Directory cannot be reached because of any network or Active Directory server problem, vCenter Server removes domain groups from the vCenter Server > Permissions tab when it attempts to validate domain users and groups during that period.
  • Domain users that were added individually are not removed.
  • According to the documented behavior, both domain groups and domain users should be removed, but in practice only domain groups are observed to be removed.
  • In %ALLUSERSPROFILE%\VMWare\vCenterServer\logs\vpxd\vpxd.log, you see entries similar to:
     [08728 error '[SSO]'] [UserDirectorySso] GetUserInfo exception: class Vmacore::Authorize::AuthUserNotFoundException(Group Test1\Domain Admins)
     [08728 error '[SSO]'] [UserDirectorySso] NormalizeUserName(WIN\Domain Admins, true) exception: class Vmacore::Authorize::AuthUserNotFoundException(Group Test1\Domain Admins) 
     [08728 error 'Default'] Bad group WIN\Domain Admins, removing
     [08728 info '[SSO]'] [UserDirectorySso] GetUserInfo(WIN\Domain Admins, true)
     [08728 info '[SSO][SsoAdminFacadeImpl]'] [Lookup]
  • In /var/log/vmware/sso/vmware-sts-idmd.log, you see entries similar to:
     WARN [ActiveDirectoryProvider] There may be a domain join status change since native AD is configured.ActiveDirectoryProvider can function properly only when machine is properly joined
     WARN [LdapErrorChecker] Error received by LDAP client: com.vmware.identity.interop.ldap.WinLdapClientLibrary, error code: 81
     WARN [ServerUtils] cannot bind connection: [ldap://addc.Test1.local, null]
     ERROR [ServerUtils] cannot establish connection with uri: [ldap://addc.Test1.local]
     INFO [ActiveDirectoryProvider] Failed to find group Domain [email protected] to establish server connection via ldap search
     ERROR [IdentityManager] Failed to find group [Domain [email protected]] in tenant [vsphere.local]
     ERROR [ServerUtils] Exception 'com.vmware.identity.idm.InvalidPrincipalException: Principal id Domain [email protected] does not exist'
     com.vmware.identity.idm.InvalidPrincipalException: Principal id Domain [email protected] does not exist
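The two log excerpts above are the signature of this behavior: vpxd reports "Bad group ..., removing" while the STS identity service reports that it cannot bind to the domain controller. The following script is an added example, not part of this article or of any VMware tooling, that scans both logs for that pair of conditions so a vCenter administrator can alert on a group removal that coincides with an Active Directory outage instead of discovering the missing permission later. The sample log text is constructed from the entries quoted above; the file paths and the LDAP error code 81 (LDAP_SERVER_DOWN in the Windows LDAP library) are the only values taken from outside the sample.

```python
import re

# Constructed sample lines modelled on the vpxd.log entries quoted in the article.
VPXD_LOG = """\
[08728 error '[SSO]'] [UserDirectorySso] GetUserInfo exception: class Vmacore::Authorize::AuthUserNotFoundException(Group Test1\\Domain Admins)
[08728 error 'Default'] Bad group WIN\\Domain Admins, removing
[08728 info '[SSO]'] [UserDirectorySso] GetUserInfo(WIN\\Domain Admins, true)
[08728 info 'Default'] Validation of remaining permissions completed
"""

# Constructed sample lines modelled on the vmware-sts-idmd.log entries quoted in the article.
STS_LOG = """\
WARN [LdapErrorChecker] Error received by LDAP client: com.vmware.identity.interop.ldap.WinLdapClientLibrary, error code: 81
WARN [ServerUtils] cannot bind connection: [ldap://addc.Test1.local, null]
ERROR [ServerUtils] cannot establish connection with uri: [ldap://addc.Test1.local]
INFO [ActiveDirectoryProvider] Provider initialised
"""

# LDAP_SERVER_DOWN in the Windows LDAP client library; the code shown in the article's log excerpt.
LDAP_SERVER_DOWN = 81

BAD_GROUP_RE = re.compile(r"Bad group (?P<group>.+?), removing")
LDAP_ERR_RE = re.compile(r"error code: (?P<code>\d+)")
CONN_FAIL_RE = re.compile(r"cannot establish connection with uri: \[(?P<uri>[^\]]+)\]")


def removed_groups(vpxd_text):
    """Return the domain groups that vpxd says it is removing from the permission list."""
    groups = []
    for line in vpxd_text.splitlines():
        match = BAD_GROUP_RE.search(line)
        if match:
            groups.append(match.group("group"))
    return groups


def ldap_failures(sts_text):
    """Return (error_codes, unreachable_uris) reported by the STS identity service."""
    codes, uris = [], []
    for line in sts_text.splitlines():
        err = LDAP_ERR_RE.search(line)
        if err:
            codes.append(int(err.group("code")))
        conn = CONN_FAIL_RE.search(line)
        if conn:
            uris.append(conn.group("uri"))
    return codes, uris


def correlate(vpxd_text, sts_text):
    """Combine both logs: a group removal that coincides with an unreachable AD is the
    condition described in this article, not a deliberate permission change."""
    groups = removed_groups(vpxd_text)
    codes, uris = ldap_failures(sts_text)
    ad_unreachable = LDAP_SERVER_DOWN in codes or bool(uris)
    return {
        "removed_groups": groups,
        "ldap_error_codes": codes,
        "unreachable_uris": uris,
        "ad_unreachable": ad_unreachable,
        "removal_during_ad_outage": bool(groups) and ad_unreachable,
    }


if __name__ == "__main__":
    # Hypothetical paths: on a real system read the two log files named in the article
    # instead of the constructed samples above.
    result = correlate(VPXD_LOG, STS_LOG)
    for key, value in result.items():
        print(f"{key}: {value}")
```

When `removal_during_ad_outage` is true, the groups listed in `removed_groups` are the ones an administrator has to re-add after the domain controller is reachable again; the script only reads logs and changes nothing in vCenter.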
Environment

VMware vSphere ESXi 5.5
VMware vSphere ESXi 6.0
VMware vSphere ESXi 6.5

Cause

This issue occurs by design: if Active Directory is unavailable and vpxd cannot validate the permissions, the domain users and groups are removed. This validation runs when the vpxd service starts and then periodically, at the interval defined under Administration > vCenter Server Settings > Active Directory > Enable Validation.

Resolution

Currently, there is no resolution.

To work around this issue, navigate to vCenter Server > Administration > vCenter Server Settings > Active Directory > Enable Validation, and disable validation.