Updating the host profile with a new ESXi root password fails with the errors: "Profile validation failed: check the profile for errors" and "Required parameter is missing."
Article ID: 312549
Updated On:
Products
Issue/Introduction
Symptoms:
- Updating Host profile with new ESXi Root Password Fails with
"Profile validation failed: check the profile for errors"and"Required parameter is missing"errors. - In
/var/log/vmware/vpxd/vpxd.log,we were able to find the following error when updating the host profile:
[YYYY-MM-DDTHH:MM:SS] info vpxd[06733] [Originator@6876 sub=Default opID=l7nk989w-8862775-auto-59ykh-h5:70537677-73] [VpxLRO] -- ERROR task-1485428 --
hostprofile-610 -- vim.profile.host.HostProfile.update: vim.fault.ProfileUpdateFailed:
Result:
(vim.fault.ProfileUpdateFailed) {
faultCause = (vmodl.MethodFault) null,
faultMessage = <unset>,
failure = (vim.fault.ProfileUpdateFailed.UpdateFailure) [
(vim.fault.ProfileUpdateFailed.UpdateFailure) {
profilePath = (vim.profile.ProfilePropertyPath) {
profilePath = "security_SecurityProfile_SecurityConfigProfile.security_UserAccountProfile_UserAccountProfile["680###########################################301"]",
policyId = "security.UserAccountProfile.PasswordPolicy",
parameterId = "password",
policyOptionId = <unset>
},
errMsg = (vmodl.LocalizableMessage) {
key = "com.vmware.vim.profile.host.UpdateError.InvalidPassword.label",
arg = (vmodl.KeyAnyValue) [
(vmodl.KeyAnyValue) {
key = "error",
value = "b'Bad passphrase (not enough different characters or classes)\n'" }
],
message = "Password validation error: b'Bad passphrase (not enough different characters or classes)\n'." }
}
],
- Further checking the password policy for this ESXi host , the following can be found:
(vmodl.KeyAnyValue) { key = "module", value = "/lib/security/$ISA/pam_passwdqc.so"
}, (vmodl.KeyAnyValue) { key = "arguments", value = "retry=3 min=disabled,disabled,disabled,disabled,8"
}
Environment
VMware vSphere ESXi 7.x
Cause
- The current configuration's
retry=3 min=disabled,disabled,disabled,disabled,8", sets the password complexity requirement to require eight characters from four character classes with 3 trials in case of wrong entry. - This means that the password is weak; Trying a different password or changing the password policy would do.
Resolution
- Use an alternative password that complies with the defined security policy requirements.
Refer: ESXi Passwords and Account Lockout for more information.
Workaround:
To workaround this issue in order to use the same password, do the following:
- Navigate to Hosts and Clusters in the vSphere inventory and expand the relevant cluster.
- Select the first ESXi host and go to the Configure tab.
- Under the System section, click Advanced System Settings.
- Click Edit on the Advanced System Settings page.
- Use the key filter to search for Security.PasswordHistory and adjust the setting as per your organization's requirements.
- Search for
Security.PasswordQualityControland update its value to:retry=3 min=disabled,disabled,disabled,7,7 - Reboot the host.
- Extract a new host profile and use it to change the root password.
Feedback
