Unable to add permissions to an Active Directory user on an ESXi 4.1 host joined to an Active Directory domain

Article ID: 307386


Products

VMware vSphere ESXi

Issue/Introduction

Symptoms:
  • After joining an ESXi host to an Active Directory (AD) domain, you experience these symptoms:

    • The ESXi Admins group is not automatically assigned the Administrator role in the Permissions tab even though the ESXi Admins group exists in the AD domain.
    • When trying to assign a role to an AD user, you see that:

      • When you click Add in the Assign Permissions window, you are able to choose the correct AD domain from the Domain dropdown.
      • A proper list of AD users and groups is displayed in the Users and Groups pane.
      • Entering an AD user or group in the Search field and clicking the Search button finds the appropriate user or group.
      • An AD user or group can be added to the list of Users or Groups, but clicking OK reports the error:

The following names were not found: <domain>\<user>.

  • If you have enabled logging for the lsassd daemon, the lsassd log file reports errors similar to:

    20110316210752:DEBUG:0xff996b90:[LsaSrvFindUserByName() /build/mts/release/bora-301967/likewise/esxi-esxi/src/linux/lsass/server/api/users.c:109] Error code: 40008 (symbol: LW_ERROR_NO_SUCH_USER)
    20110316210752:VERBOSE:0xff996b90:[LsaSrvFindUserByName() /build/mts/release/bora-301967/likewise/esxi-esxi/src/linux/lsass/server/api/users.c:140] Failed to find user by name (name = 'sysman\jgray') -> error = no such entry, client pid = 0

    Note: For information on enabling logging for the lsassd daemon, see Enabling logging for Likewise agents on ESX/ESXi 4.1.
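
An added example, not part of the VMware article: a small Python parser that pulls failed user lookups out of lsassd log text in the format quoted above and counts them per account, so repeated failures for the same AD name stand out. The timestamp layout (YYYYMMDDhhmmss) and the pairing of an error-code line with the next lookup failure on the same thread are assumptions read off the two excerpt lines; the additional sample lines are constructed.

```python
import re
from collections import Counter
from datetime import datetime

# First two lines are the article's excerpt; the rest are constructed samples.
SAMPLE_LOG = r"""
20110316210752:DEBUG:0xff996b90:[LsaSrvFindUserByName() /build/mts/release/bora-301967/likewise/esxi-esxi/src/linux/lsass/server/api/users.c:109] Error code: 40008 (symbol: LW_ERROR_NO_SUCH_USER)
20110316210752:VERBOSE:0xff996b90:[LsaSrvFindUserByName() /build/mts/release/bora-301967/likewise/esxi-esxi/src/linux/lsass/server/api/users.c:140] Failed to find user by name (name = 'sysman\jgray') -> error = no such entry, client pid = 0
20110316210801:DEBUG:0xff9a7b90:[LsaSrvFindUserByName() /constructed/users.c:109] Error code: 40008 (symbol: LW_ERROR_NO_SUCH_USER)
20110316210801:VERBOSE:0xff9a7b90:[LsaSrvFindUserByName() /constructed/users.c:140] Failed to find user by name (name = 'sysman\jgray') -> error = no such entry, client pid = 0
20110316210815:VERBOSE:0xff996b90:[LsaSrvFindUserByName() /constructed/users.c:140] Failed to find user by name (name = 'sysman\esxadmin') -> error = no such entry, client pid = 0
this line is not in lsassd format and is skipped
"""
# Assumed layout: TIMESTAMP:LEVEL:THREAD:[Function() source:line] message
LINE_RE = re.compile(r"^(?P<ts>\d{14}):(?P<level>[A-Z]+):(?P<thread>0x[0-9a-f]+):"
                     r"\[(?P<func>\w+)\(\) [^\]]+:\d+\] (?P<msg>.*)$")
ERR_RE = re.compile(r"Error code: (?P<code>\d+) \(symbol: (?P<symbol>\w+)\)")
NAME_RE = re.compile(r"Failed to find user by name \(name = '([^']*)'\)")

def failed_lookups(text):
    """Return one record per failed user lookup, paired with the error symbol
    logged just before it on the same thread (None if there was none)."""
    pending = {}   # thread id -> last unconsumed error symbol on that thread
    records = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                      # blank or foreign line
        err = ERR_RE.search(m["msg"])
        if err:
            pending[m["thread"]] = err["symbol"]
            continue
        hit = NAME_RE.search(m["msg"])
        if hit:
            domain, _, user = hit[1].rpartition("\\")
            records.append({
                "time": datetime.strptime(m["ts"], "%Y%m%d%H%M%S"),
                "domain": domain, "user": user,
                "symbol": pending.pop(m["thread"], None),
            })
    return records

def summarize(records):
    """Count failures per DOMAIN\\user so repeated failures stand out."""
    return Counter(f"{r['domain']}\\{r['user']}" for r in records)

if __name__ == "__main__":
    for name, count in summarize(failed_lookups(SAMPLE_LOG)).most_common():
        print(f"{count:3d}  {name}")
```
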




Environment

VMware ESXi 4.1.x Installable
VMware ESXi 4.1.x Embedded

Cause

This issue may occur if a preferred domain controller has been set in the Advanced Settings on the ESXi host.

Resolution

To resolve this issue, clear any preferred domain controller value set on the ESXi host, then leave the AD domain and join it again:
  1. In the vSphere Client, click the Configuration tab for the ESXi host.
  2. Click the Advanced Settings link under Software. The Advanced Settings window appears.
  3. Click the UserVars item in the left pane.
  4. The second parameter listed should be UserVars.ActiveDirectoryPreferredDomainControllers. If there is a value set for this parameter, delete it and then click OK.
  5. In the Configuration tab, click Software > Authentication Services.
  6. Click the Properties link at the top right.
  7. Click Leave Domain.
  8. Click OK in the Leave Domain Warning window.
  9. Click OK.
  10. Click the Properties link at the top right of the Authentication Services Settings window.
  11. Select Active Directory from the Select Directory Service Type dropdown.
  12. Enter the AD domain name in the Domain: field and click Join Domain.
  13. Enter appropriate AD credentials when prompted.
Note: If your problem still exists after trying the steps in this article, please file a support request with VMware Support and note this Knowledge Base article ID (1036554) in the problem description. For more information, see How to Submit a Support Request.

