"Password management operation failed"
In the operationsmanager.log file, the following errors are observed:
YYYY-MM-DDTHH:MM:SS.sssZ DEBUG [vcf_om,xxxxxxxxxxxxx,abcd] [c.v.v.p.helper.NsxtApiUtil,om-exec-5] Failed to get NSXT user details : {"module_name":"common-services","error_message":"The credentials were incorrect or the account specified has been locked.","error_code":403} with status :
YYYY-MM-DDTHH:MM:SS.sssZ ERROR [vcf_om,xxxxxxxxxxxxx,abcd] [c.v.v.p.u.c.AbstractPasswordChanger,om-exec-5] The credentials were incorrect or the account specified has been locked.
com.vmware.vcf.passwordmanager.exception.PasswordUpdateException: The credentials were incorrect or the account specified
In the /var/log/vmware/vcf/lcm/lcm-debug.log file, the following entry is observed:
Exception occurred during NSX API invocation java.util.concurrent.ExecutionException: com.vmware.vapi.std.errors.Unauthorized: Unauthorized (com.vmware.vapi.std.errors.unauthorized)
=> {messages = [],data = struct => {error_message=The credentials were incorrect or the account specified has been locked., error_code=403, module_name=common-services},errorType = UNAUTHORIZED}
Because of this, the password in NSX must be reset manually to match the one stored in SDDC Manager. Once this has been completed, password operations for NSX in SDDC Manager will work again.
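To confirm that a failed operation matches this article before resetting anything, the log signatures quoted above (and the precheck result quoted further down) can be counted in one pass. This is an added example, not VMware tooling; the function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: count the NSX credential-failure signatures quoted on this page.

# Constructed sample modelled on the quoted log lines (not real output).
sample_log() {
cat <<'EOF'
2024-01-01T10:00:00.000Z DEBUG [vcf_om,aaaa,abcd] [c.v.v.p.helper.NsxtApiUtil,om-exec-5] Failed to get NSXT user details : {"module_name":"common-services","error_message":"The credentials were incorrect or the account specified has been locked.","error_code":403} with status :
2024-01-01T10:00:00.100Z ERROR [vcf_om,aaaa,abcd] [c.v.v.p.u.c.AbstractPasswordChanger,om-exec-5] The credentials were incorrect or the account specified has been locked.
2024-01-01T10:00:01.000Z INFO [vcf_om,bbbb,abcd] [c.v.v.p.helper.Other,om-exec-6] unrelated line
2024-01-01T10:05:00.000Z INFO [vcf_lcm,0000,0000,precheckId=x,resourceType=NSX_T,resourceId=nsx.example.test] [c.v.e.s.l.p.i.nsxt.NsxtPrimitiveImpl,pool-3-thread-1] Completed precheck task NSX_T_PASSWORD_VALIDITY_CHECK on resource id nsx.example.test with status RED
EOF
}

# Reads log text on stdin and prints key=value counts, one per line.
triage_nsx_creds() {
  awk '
    # operationsmanager.log: NSX API rejected the stored credentials with 403
    /Failed to get NSXT user details/ && /"error_code":403/ { api403++ }
    # operationsmanager.log: the password changer failed on the same error
    /AbstractPasswordChanger/ && /credentials were incorrect or the account specified has been locked/ { changer++ }
    # lcm-debug.log: vAPI Unauthorized during NSX API invocation
    /com\.vmware\.vapi\.std\.errors\.Unauthorized/ { vapi++ }
    # LCM precheck: password validity check ended RED for an NSX resource
    /NSX_T_PASSWORD_VALIDITY_CHECK/ && /with status RED/ {
      red++
      if (match($0, /on resource id [^ ]+/))
        hosts[substr($0, RSTART + 15, RLENGTH - 15)] = 1
    }
    END {
      printf "nsx_api_403=%d\n", api403
      printf "password_changer_error=%d\n", changer
      printf "vapi_unauthorized=%d\n", vapi
      printf "validity_precheck_red=%d\n", red
      for (h in hosts) printf "validity_red_resource=%s\n", h
    }'
}

# With file arguments, triage those logs; with none, only define the functions.
if [ "$#" -gt 0 ]; then cat -- "$@" | triage_nsx_creds; fi
```

Non-zero 403 or Unauthorized counts point at the mismatch or lockout handled by the reset steps, while a RED validity precheck points at the password-expiration settings.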
Pull the most recent passwords from the SDDC Manager
NOTE: The last known NSX-T passwords stored in SDDC Manager must be used to reset the manager and/or edge passwords.
Steps for the NSX-T Managers
Only needs to be performed on one manager per cluster.
echo "" >/etc/security/opasswd
/etc/init.d/nsx-mp-api-server stop
passwd
passwd admin
passwd audit
touch /var/vmware/nsx/reset_cluster_credentials
/etc/init.d/nsx-mp-api-server start
For VCF versions 4.3.0.0 up to 5.0.0.1, use:
pam_tally2 -u root -r
pam_tally2 -u admin -r
pam_tally2 -u audit -r
For VCF versions starting from VCF 5.1.0.0, use:
/usr/sbin/faillock --user root --reset
/usr/sbin/faillock --user admin --reset
/usr/sbin/faillock --user audit --reset
8. Retry the credential operation from the SDDC Manager UI.
echo "" >/etc/security/opasswd
/etc/init.d/nsx-edge-api-server stop
passwd
passwd admin
passwd audit
touch /var/vmware/nsx/reset_cluster_credentials
/etc/init.d/nsx-edge-api-server start
pam_tally2 -u root -r
pam_tally2 -u admin -r
pam_tally2 -u audit -r
For VCF versions starting from VCF 5.1.0.0, use:
/usr/sbin/faillock --user root --reset
/usr/sbin/faillock --user admin --reset
/usr/sbin/faillock --user audit --reset
8. Retry the credential operation from the SDDC Manager UI.
clear user admin password-expiration
clear user root password-expiration
clear user audit password-expiration
nsxtmgr> set user admin password-expiration 9999
nsxtmgr> set user audit password-expiration 9999
nsxtmgr> set user root password-expiration 9999
chage -l root
chage -l admin
chage -l audit
curl http://localhost/locks | json_pp > releaseLock.json
curl -X PUT -H "Content-Type:application/json" http://localhost/locks -d @releaseLock.json
2021-04-09T13:41:44.830+0000 INFO [vcf_lcm,0000000000000000,0000,precheckId=########-####-####-####-25e8fb993243,resourceType=NSX_T,resourceId=nsx.test.local] [c.v.e.s.l.p.i.nsxt.NsxtPrimitiveImpl,pool-3-thread-49] Completed precheck task NSX_T_PASSWORD_VALIDITY_CHECK on resource id nsx.test.local with status RED
"get user admin password-expiration" on NSX-T Manager may show as "Password expiration not configured for this user".
"set user admin password-expiration 9999" (as admin) OR 'chage -M 9999 root' (as root) before performing precheck/upgrade or remediation/rotation.
set auth-policy api lockout-period 0 && set auth-policy api lockout-reset-period 0