"Password management operation failed"
YYYY-MM-DDTHH:MM:SS.sssZ DEBUG [vcf_om,#############,abcd] [c.v.v.p.helper.NsxtApiUtil,om-exec-5] Failed to get NSXT user details : {"module_name":"common-services","error_message":"The credentials were incorrect or the account specified has been locked.","error_code":403} with status :
YYYY-MM-DDTHH:MM:SS.sssZ ERROR [vcf_om,#############,abcd] [c.v.v.p.u.c.AbstractPasswordChanger,om-exec-5] The credentials were incorrect or the account specified has been locked.
com.vmware.vcf.passwordmanager.exception.PasswordUpdateException: The credentials were incorrect or the account specified
In the /var/log/vmware/vcf/lcm/lcm-debug.log file, the following entry is observed:
Exception occurred during NSX API invocation java.util.concurrent.ExecutionException: com.vmware.vapi.std.errors.Unauthorized: Unauthorized (com.vmware.vapi.std.errors.unauthorized)
=> {messages = [],data = struct => {error_message=The credentials were incorrect or the account specified has been locked., error_code=403, module_name=common-services},errorType = UNAUTHORIZED}
Because of this, it is necessary to manually reset the password in NSX to match the one stored in SDDC Manager. Once this has been completed, password operations for NSX in SDDC Manager will work again.
Pull the most recent passwords from the SDDC Manager
NOTE: The last known NSX-T passwords stored in SDDC Manager must be used to reset the manager and/or edge passwords.
Steps for the NSX-T Managers
These steps only need to be performed on one manager per cluster.
/etc/init.d/nsx-mp-api-server stop
echo "" >/etc/security/opasswd
passwd
passwd admin
passwd audit
touch /var/vmware/nsx/reset_cluster_credentials
/etc/init.d/nsx-mp-api-server start
For VCF versions 4.3.0.0 up to 5.0.0.1, use:
pam_tally2 -u root -r
pam_tally2 -u admin -r
pam_tally2 -u audit -r
For VCF versions starting from VCF 5.1.0.0, use:
/usr/sbin/faillock --user root --reset
/usr/sbin/faillock --user admin --reset
/usr/sbin/faillock --user audit --reset
8. Retry the credential operation from the SDDC Manager UI.
Steps for the NSX-T Edges
/etc/init.d/nsx-edge-api-server stop
echo "" >/etc/security/opasswd
passwd
passwd admin
passwd audit
touch /var/vmware/nsx/reset_cluster_credentials
/etc/init.d/nsx-edge-api-server start
For VCF versions 4.3.0.0 up to 5.0.0.1, use:
pam_tally2 -u root -r
pam_tally2 -u admin -r
pam_tally2 -u audit -r
For VCF versions starting from VCF 5.1.0.0, use:
/usr/sbin/faillock --user root --reset
/usr/sbin/faillock --user admin --reset
/usr/sbin/faillock --user audit --reset
8. Retry the credential operation from the SDDC Manager UI.
clear user admin password-expiration
clear user root password-expiration
clear user audit password-expiration
Use the following commands to confirm that the passwords were changed on the manager(s):
chage -l root
chage -l admin
chage -l audit
curl http://localhost/locks | json_pp > releaseLock.json
curl -X PUT -H "Content-Type:application/json" http://localhost/locks -d @releaseLock.json
2021-04-09T13:41:44.830+0000 INFO [vcf_lcm,0000000000000000,0000,precheckId=########-####-####-####-25e8fb993243,resourceType=NSX_T,resourceId=nsx.test.local] [c.v.e.s.l.p.i.nsxt.NsxtPrimitiveImpl,pool-3-thread-49] Completed precheck task NSX_T_PASSWORD_VALIDITY_CHECK on resource id nsx.test.local with status RED
"get user admin password-expiration" on NSX-T Manager may show as "Password expiration not configured for this user".
"set user admin password-expiration 9999" (as admin)
chage -M 9999 root (as root)
set auth-policy api lockout-period 0 && set auth-policy api lockout-reset-period 0
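To confirm that a log file shows the signatures quoted in this article before resetting any passwords, the following added example (not part of the original article or of any VMware tooling) counts the 403 "credentials were incorrect or the account specified has been locked" responses and lists the resources whose NSX_T_PASSWORD_VALIDITY_CHECK precheck completed with status RED. The function names nsx_cred_triage and sample_log and the sample log lines are assumptions constructed from the excerpts above.

```bash
#!/usr/bin/env bash
# Added example, not from the original article. Sample lines are constructed
# from the log excerpts quoted on this page.

# Reads log text on stdin and prints one summary line per finding:
#   AUTH_403 <count>           NSX answered 403 "credentials were incorrect ... locked"
#   PRECHECK_RED <resource id> NSX_T_PASSWORD_VALIDITY_CHECK completed with status RED
nsx_cred_triage() {
  awk '
    # JSON bodies carry "error_code":403, the vAPI struct form carries error_code=403.
    /credentials were incorrect or the account specified has been locked/ &&
    /error_code("?:|=)403/ { auth++ }

    /NSX_T_PASSWORD_VALIDITY_CHECK/ && /with status RED/ {
      # "on resource id " is 15 characters; the id is the token that follows it.
      if (match($0, /on resource id [^ ]+/)) {
        rid = substr($0, RSTART + 15, RLENGTH - 15)
        if (!(rid in seen)) { seen[rid] = 1; order[++n] = rid }
      }
    }
    END {
      if (auth) print "AUTH_403 " auth
      for (i = 1; i <= n; i++) print "PRECHECK_RED " order[i]
    }'
}

# Constructed sample input (timestamps, tags and the unrelated 403 line are made up).
sample_log() {
  cat <<'EOF'
2021-04-09T13:40:01.100+0000 DEBUG [vcf_om] [c.v.v.p.helper.NsxtApiUtil,om-exec-5] Failed to get NSXT user details : {"module_name":"common-services","error_message":"The credentials were incorrect or the account specified has been locked.","error_code":403} with status :
2021-04-09T13:40:01.105+0000 ERROR [vcf_om] [c.v.v.p.u.c.AbstractPasswordChanger,om-exec-5] The credentials were incorrect or the account specified has been locked.
=> {messages = [],data = struct => {error_message=The credentials were incorrect or the account specified has been locked., error_code=403, module_name=common-services},errorType = UNAUTHORIZED}
2021-04-09T13:40:02.000+0000 DEBUG [vcf_om] [example,om-exec-6] unrelated response : {"error_message":"constructed unrelated message","error_code":403}
2021-04-09T13:41:44.830+0000 INFO [vcf_lcm] [c.v.e.s.l.p.i.nsxt.NsxtPrimitiveImpl,pool-3-thread-49] Completed precheck task NSX_T_PASSWORD_VALIDITY_CHECK on resource id nsx.test.local with status RED
2021-04-09T13:51:44.830+0000 INFO [vcf_lcm] [c.v.e.s.l.p.i.nsxt.NsxtPrimitiveImpl,pool-3-thread-50] Completed precheck task NSX_T_PASSWORD_VALIDITY_CHECK on resource id nsx.test.local with status RED
EOF
}

sample_log | nsx_cred_triage
```

Against a real file, feed the log on stdin, for example nsx_cred_triage < /var/log/vmware/vcf/lcm/lcm-debug.log. Matching is per line, so a 403 record that the logger wrapped across several lines is only counted if the message and the error code land on the same line.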