**Note for vCenter 7.0 and 8.0:** To determine whether this process is necessary, use the `vmdir_tool.py` utility as described in *Using vmdir_tool.py to identify vmdir/ELM replication inconsistencies*. This process should only be performed if the Bind DN object is the **only** inconsistency reported by the tool. Running it on other objects, such as the 'Domain Controller' account, may cause *vmdir* to become read-only.
In the vmdird-syslog.log file, the following entries containing "error 49" may be observed:

```
[YYYY-MM-DDTHH:MM:SS] err vmdird t@###########: SASLSessionStep: sasl error (-13)(SASL(-13): authentication failure: client evidence does not match what we calculated. Probably a password error)
[YYYY-MM-DDTHH:MM:SS] err vmdird t@###########: VmDirSendLdapResult: Request (96), Error (49), Message ((49)(SASL step failed.)), (0) socket ([17] x.x.x.x:389<-xxx.xx.xxx.xxx:54753)
[YYYY-MM-DDTHH:MM:SS] err vmdird t@###########: Bind Request Failed ([17] x.x.x.x:389<-x.x.x.x:54753) error 49: Protocol version: 3, Bind DN: "cn=accountname,ou=Computers,dc=vsphere,dc=local", Method: 163
```

The Bind DN of the failed bind request identifies the affected account. The account may sit in the Domain Controllers container (for example "cn=FQDN.local,ou=Domain Controllers,dc=vsphere,dc=local") or in the Computers container, as in this entry:

```
[YYYY-MM-DDTHH:MM:SS] err vmdird t@#############: Bind Request Failed ([17] x.x.x.x:389<-x.x.x.x:54753) error 49: Protocol version: 3, Bind DN: "cn=FQDN.local,ou=Computers,dc=vsphere,dc=local", Method: 163
```

Here FQDN.local would be the affected account. With the SSO domain vsphere.local, the account to reset is FQDN.local@vsphere.local.
Note: The vmdird-syslog.log file is located at:
For vCenter Server Appliance with embedded Platform Services Controller (PSC): /var/log/vmware/vmdird/vmdird-syslog.log
For Windows installed vCenter Server with embedded Platform Services Controller (PSC): "%VMWARE_LOG_DIR%"\vmdird\vmdir.log
Note: The vmdir log is not present on vCenter Servers that do not have an embedded PSC.
Note: From 6.5 onwards the Inventory Service is not available. For LDAP errors, see /var/log/vmware/sso/vmware-sts-idmd.log or /var/log/vmware/vmdird/vmdird-syslog.log.
Replication can be checked using the following command (it must be run on each vCenter Server/PSC in the SSO domain to accurately reflect the situation):

```
# /usr/lib/vmware-vmdir/bin/vdcrepadmin -f showpartnerstatus -h localhost -u administrator
```

If a partner shows changes behind, review the vmdird-syslog.log of both nodes for LDAP error 49 entries against those machines.
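To review the log of each node for error 49 bind failures, as the replication check above directs, here is an added POSIX shell example (not part of the original article) that lists the accounts named in failed Bind DNs, as FQDN@SSO domain, with their failure counts. The log lines are constructed to mirror the entries quoted above; hostnames, thread ids and addresses are placeholders, and the sed expression assumes a two-label SSO domain such as vsphere.local.

```shell
#!/bin/sh
# Constructed sample modelled on vmdird-syslog.log entries (placeholder data).
SAMPLE_LOG='2024-01-01T10:00:00 err vmdird t@139800000000000: SASLSessionStep: sasl error (-13)(SASL(-13): authentication failure: client evidence does not match what we calculated. Probably a password error)
2024-01-01T10:00:00 err vmdird t@139800000000000: VmDirSendLdapResult: Request (96), Error (49), Message ((49)(SASL step failed.)), (0) socket ([17] 10.0.0.5:389<-10.0.0.9:54753)
2024-01-01T10:00:00 err vmdird t@139800000000000: Bind Request Failed ([17] 10.0.0.5:389<-10.0.0.9:54753) error 49: Protocol version: 3, Bind DN: "cn=vc01.example.local,ou=Domain Controllers,dc=vsphere,dc=local", Method: 163
2024-01-01T10:00:01 err vmdird t@139800000000000: Bind Request Failed ([17] 10.0.0.5:389<-10.0.0.9:54754) error 49: Protocol version: 3, Bind DN: "cn=vc01.example.local,ou=Computers,dc=vsphere,dc=local", Method: 163
2024-01-01T10:00:02 err vmdird t@139800000000000: Bind Request Failed ([17] 10.0.0.5:389<-10.0.0.7:41000) error 49: Protocol version: 3, Bind DN: "cn=vc02.example.local,ou=Domain Controllers,dc=vsphere,dc=local", Method: 163
2024-01-01T10:00:03 info vmdird t@139800000000000: Bind Request Succeeded ([17] 10.0.0.5:389<-10.0.0.8:41001) Bind DN: "cn=vc03.example.local,ou=Computers,dc=vsphere,dc=local"'

# error49_accounts LOGFILE
#   Reads a vmdird log ("-" for stdin), keeps only "Bind Request Failed ... error 49"
#   lines, turns each Bind DN into FQDN@domain and prints "account count",
#   most failures first. Assumes dc=<label>,dc=<tld> as in dc=vsphere,dc=local.
error49_accounts() {
    grep 'Bind Request Failed' "$1" | grep 'error 49' \
        | sed -n 's/.*Bind DN: "cn=\([^,]*\),.*dc=\([^,]*\),dc=\([^"]*\)".*/\1@\2.\3/p' \
        | sort | uniq -c | sort -rn | awk '{print $2, $1}'
}

# Stand-alone run over the constructed sample; on a real node use
# error49_accounts /var/log/vmware/vmdird/vmdird-syslog.log
printf '%s\n' "$SAMPLE_LOG" | error49_accounts -
```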
VMware vCenter Server
This issue arises when a machine loses trust due to a password mismatch in *vmdird* for the account referenced in the *vmdird-syslog.log* file. Such mismatches typically occur if the vCenter Server or PSC has been restored from an older backup or snapshot.

To resolve the issue, reset the machine account password of the account referenced in the *vmdird-syslog.log* file using one of the methods below.

1) Reset the machine account password manually using vdcadminutool:
Note: The default settings of the SSO password policies are required for this procedure; VMware currently does not support setting the maximum password length above 20 characters.

For vCenter Server Appliance:

Log in to the vCenter Server or PSC that reports the LDAP error 49 in its vmdird-syslog.log with an SSH session and root credentials. Run shell.set --enabled true, then type shell and press Enter to access the Bash shell:

```
# shell.set --enabled true
# shell
```

Launch vdcadmintool:

```
# /usr/lib/vmware-vmdir/bin/vdcadmintool
Please select:
0. exit
1. Test LDAP connectivity
2. Force start replication cycle
3. Reset account password
4. Set log level and mask
5. Set vmdir state
```

Select option 3 (Reset account password) and enter the account referenced in the vmdird-syslog.log file in the form FQDN@SSO Domain, for example FQDN@vsphere.local. The tool generates a new password for the account.

Note: If the generated password contains any of the following special characters, generate a new one:
& (ampersand)
; (semicolon)
" (double quotation mark)
' (single quotation mark)
^ (circumflex)
\ (backslash)
% (percentage)

Next, on the node whose machine account was reset (the machine named in the Bind DN), enable the Bash shell in the same way (shell.set --enabled true, then type shell and press Enter) and store the new password in the vmdir registry:

```
# /opt/likewise/bin/lwregshell
# cd HKEY_THIS_MACHINE\services\vmdir\
# set_value dcAccountPassword "new password"
# quit
```
For Windows installed vCenter Server:

Launch vdcadmintool.exe:

```
%VMWARE_CIS_HOME%\vmdird\vdcadmintool.exe
Please select:
0. exit
1. Test LDAP connectivity
2. Force start replication cycle
3. Reset account password
4. Set log level and mask
5. Set vmdir state
```

Select option 3 (Reset account password) and enter the account referenced in the vmdir.log file in the form FQDN@SSO Domain, for example FQDN@vsphere.local. Then open regedit, navigate to the HKLM\System\CurrentControlSet\Services\VMwareDirectoryService\ location and set the dcAccountPassword value to the new password.
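Before pasting the vdcadmintool-generated password into lwregshell or regedit, as the manual method above describes for both the appliance and Windows, this added POSIX shell check (not from the original article) verifies the two constraints the article states: the 20-character maximum and the absence of the listed special characters. The passwords in the usage lines are constructed examples.

```shell
#!/bin/sh
# Characters the article flags in a generated password (& ; " ' ^ \ %), written
# in tr syntax where \\ stands for one backslash, and the 20-character maximum
# the SSO password policy supports.
FLAGGED_CHARS='&;"'"'"'^\\%'
MAX_PW_LEN=20

# check_generated_password PASSWORD
#   Returns 0 if the password can be stored as-is, 1 (with the reason on
#   stderr) if vdcadmintool should be re-run to generate a new one.
check_generated_password() {
    pw=$1
    if [ "${#pw}" -gt "$MAX_PW_LEN" ]; then
        echo "regenerate: ${#pw} characters exceeds the supported maximum of $MAX_PW_LEN" >&2
        return 1
    fi
    # Delete every flagged character; if the length changed, one was present.
    stripped=$(printf '%s' "$pw" | tr -d "$FLAGGED_CHARS")
    if [ "${#stripped}" -ne "${#pw}" ]; then
        echo "regenerate: password contains one of & ; \" ' ^ \\ %" >&2
        return 1
    fi
    return 0
}

# Constructed usage: the first passes, the second fails on the semicolon.
check_generated_password 'Wq7rT2pL9xK4mN8v' && echo "ok to store"
check_generated_password 'Wq7rT2;L9xK4mN8v' || echo "re-run vdcadmintool"
```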
2) Reset the machine account password using dir-cli (versions 6.5 onwards):

Note: Ensure offline snapshots of all vCenter Servers and PSCs are in place before running this. That is, power off all vCenter Servers and PSCs in the SSO domain, log in to the ESXi hosts they are placed on and snapshot them while they are powered off. If reverting, revert all machines before powering any of them on. This ensures consistency in the SSO domain.

Appliance:

Log in as the root user via SSH to the node that reports the error 49 in its vmdird-syslog.log. Run shell.set --enabled true, then type shell and press Enter. Run the following command, where <Platform Services Controller FQDN> is the FQDN of the vCenter Server with embedded PSC, or of the PSC, of the machine with the error 49 in its vmdird-syslog.log:

```
# /usr/lib/vmware-vmafd/bin/dir-cli computer password-reset --login administrator --live-dc-hostname <Platform Services Controller FQDN> --password '<administrator@vsphere.local password>'
```

Windows:

Run the following command, where <Platform Services Controller FQDN> is the FQDN of the vCenter Server with embedded PSC, or of the PSC, of the machine with the error 49 in its vmdir.log:

```
%VMWARE_CIS_HOME%\vmafdd\dir-cli.exe computer password-reset --login administrator --live-dc-hostname <Platform Services Controller FQDN> --password <administrator@vsphere.local password>
```
3) Reset the machine account password using a shell script (Appliance only)

4) Reset using the reset_machine_pw.sh shell script (built in for version 7.0 only):

Log in as the root user and type shell to access the Bash shell, then run:

```
# /usr/lib/vmware-vmdir/vmdir-tool/reset_machine_pw.sh
```