Changing PNID from short name to FQDN fails with an error "Failed to reset machine account"

Article ID: 324591


Products

VMware vCenter Server

Issue/Introduction

Symptoms:

  • Changing the PNID from a short name to an FQDN fails with the error "Failed to reset machine account".
  • For example, changing the PNID from 'vcenter' to 'vcenter.domain.com' fails.
  • Initially, the change may instead fail with "Failed to add CN entries".
  • In the /var/log/vmware/applmgmt/pnid_change.log, you may find entries similar to:
yyyy-mm-dd hh:mm:ss - pnid_utils-run_command():81 - INFO - Running command: /usr/lib/vmware-vmdir/bin/vdcresetMachineActCred -u administrator 
yyyy-mm-dd hh:mm:ss - pnid_utils-run_command():99 - INFO - Command exited with exitcode : 32
yyyy-mm-dd hh:mm:ss - pnid_utils-run_command():101 - WARNING - Command failed with following error:
yyyy-mm-dd hh:mm:ss - pnid_utils-run_command():102 - WARNING - b'password: \n'
yyyy-mm-dd hh:mm:ss - pnid_utils-run_command():109 - INFO - Done running command
yyyy-mm-dd hh:mm:ss - pnid_utils-restart_services():1598 - ERROR - password:
yyyy-mm-dd hh:mm:ss - pnid_utils-update_task_status():1444 - INFO - Task : Failed to reset machine account.
  • In the /var/log/vmware/vmdird/vmdird-syslog.log, you may find entries similar to:
yyyy-mm-dd hh:mm:ss err vmdird  t@140291113727744: VmDirSendLdapResult: Request (Bind), Error (LDAP_INVALID_CREDENTIALS(49)), Message ((49)(SASL start failed.)), (0) socket (127.0.0.1) 
yyyy-mm-dd hh:mm:ss err vmdird t@140291113727744: Bind Request Failed (127.0.0.1) error 49: Protocol version: 3, Bind DN: "", Method: SASL
yyyy-mm-dd hh:mm:ss err vmdird t@140291113727744: VmDirSRPGetIdentityData ([email protected]) failed, (9106)
yyyy-mm-dd hh:mm:ss err vmdird t@140291113727744: VmDirSRPGetIdentityData ([email protected]) failed, (9106)
yyyy-mm-dd hh:mm:ss err vmdird t@140291113727744: SASLSessionStart: sasl error (-20)(SASL(-13): user not found: no secret in database)

OR

yyyy-mm-dd hh:mm:ss err vmdird  t@140424601650944: InternalModifyEntry: VdirExecutePostModifyCommitPlugins - code(9703) 
yyyy-mm-dd hh:mm:ss err vmdird t@140424601650944: VmDirSendLdapResult: Request (Modify), Error (LDAP_NO_SUCH_OBJECT(32)), Message (read entry (cn=vcenter.domain.com.domain.com,ou=domain controllers,dc=example,dc=com) failed), (0) socket (127.0.0.1)
yyyy-mm-dd hh:mm:ss err vmdird t@140424601650944: VmDirSRPGetIdentityData (vcenter.example.com.example.com) failed, (9106)
yyyy-mm-dd hh:mm:ss err vmdird t@140424601650944: VmDirSRPGetIdentityData (vcenter.example.com.example.com) failed, (9106)
yyyy-mm-dd hh:mm:ss err vmdird t@140424601650944: SASLSessionStart: sasl error (-20)(SASL(-13): user not found: no secret in database)
yyyy-mm-dd hh:mm:ss err vmdird t@140424601650944: VmDirSendLdapResult: Request (Bind), Error (LDAP_INVALID_CREDENTIALS(49)), Message ((49)(SASL start failed.)), (0) socket (127.0.0.1)
yyyy-mm-dd hh:mm:ss err vmdird t@140424601650944: Bind Request Failed (127.0.0.1) error 49: Protocol version: 3, Bind DN: "", Method: SASL

Environment

VMware vCenter Server 6.7.x
VMware vCenter Server 7.0.x

Cause

  • The PNID change workflow doubles up the domain suffix in the FQDN.
  • The vmdird logs show the new PNID as "vcenter.domain.com.domain.com", which is incorrect.
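The doubled-domain signature is easy to confirm from the logs before opening a support case or retrying the change. The following script is an added example, not VMware code: it reads text from pnid_change.log and vmdird-syslog.log, extracts the identity and CN names that vmdird complains about, flags any name whose trailing labels repeat (e.g. "domain.com.domain.com"), and collects the non-zero vdcresetMachineActCred exit codes and failed tasks. The sample log lines embedded below are constructed placeholders modelled on the excerpts in this article; the function names are the script's own.

```python
"""Check vCenter PNID-change and vmdird logs for the doubled-domain signature.

Added example (not VMware code). It only reads log text and changes nothing
on the appliance. Sample lines below are constructed from this article's
excerpts, not real logs.
"""
import re
import sys

# Patterns matching the log shapes quoted in the article.
IDENTITY_RE = re.compile(r"VmDirSRPGetIdentityData \(([^)]+)\) failed")
CN_RE = re.compile(r"read entry \(cn=([^,]+),")
BIND_FAIL_RE = re.compile(r"Bind Request Failed .*error 49")
EXITCODE_RE = re.compile(r"Command exited with exitcode : (\d+)")
TASK_FAIL_RE = re.compile(r"Task : (Failed [^\r\n]*)")

# Constructed sample input modelled on /var/log/vmware/applmgmt/pnid_change.log.
PNID_SAMPLE = """\
yyyy-mm-dd hh:mm:ss - pnid_utils-run_command():81 - INFO - Running command: /usr/lib/vmware-vmdir/bin/vdcresetMachineActCred -u administrator
yyyy-mm-dd hh:mm:ss - pnid_utils-run_command():99 - INFO - Command exited with exitcode : 32
yyyy-mm-dd hh:mm:ss - pnid_utils-update_task_status():1444 - INFO - Task : Failed to reset machine account.
"""

# Constructed sample input modelled on /var/log/vmware/vmdird/vmdird-syslog.log.
VMDIRD_SAMPLE = """\
yyyy-mm-dd hh:mm:ss err vmdird t@140424601650944: VmDirSendLdapResult: Request (Modify), Error (LDAP_NO_SUCH_OBJECT(32)), Message (read entry (cn=vcenter.domain.com.domain.com,ou=domain controllers,dc=example,dc=com) failed), (0) socket (127.0.0.1)
yyyy-mm-dd hh:mm:ss err vmdird t@140424601650944: VmDirSRPGetIdentityData (vcenter.example.com.example.com) failed, (9106)
yyyy-mm-dd hh:mm:ss err vmdird t@140424601650944: SASLSessionStart: sasl error (-20)(SASL(-13): user not found: no secret in database)
yyyy-mm-dd hh:mm:ss err vmdird t@140424601650944: Bind Request Failed (127.0.0.1) error 49: Protocol version: 3, Bind DN: "", Method: SASL
"""


def has_doubled_domain(name: str) -> bool:
    """True if the dotted name ends in a repeated label sequence,
    e.g. 'vcenter.domain.com.domain.com' ('domain.com' appears twice)."""
    host = name.split("@", 1)[0]  # UPN-style identity: keep the host part only
    labels = [lbl for lbl in host.lower().split(".") if lbl]
    for k in range(1, len(labels) // 2 + 1):
        if labels[-k:] == labels[-2 * k:-k]:
            return True
    return False


def analyze_vmdird(text: str) -> dict:
    """Collect names vmdird failed to look up, plus SASL bind failures (error 49)."""
    names = set()
    bind_failures = 0
    for line in text.splitlines():
        for rx in (IDENTITY_RE, CN_RE):
            m = rx.search(line)
            if m:
                names.add(m.group(1))
        if BIND_FAIL_RE.search(line):
            bind_failures += 1
    return {
        "doubled_names": sorted(n for n in names if has_doubled_domain(n)),
        "bind_failures": bind_failures,
    }


def analyze_pnid_change(text: str) -> dict:
    """Collect non-zero command exit codes and failed task messages."""
    exit_codes = [int(m.group(1)) for m in EXITCODE_RE.finditer(text)]
    return {
        "nonzero_exit_codes": [c for c in exit_codes if c != 0],
        "task_failures": TASK_FAIL_RE.findall(text),
    }


def diagnose(pnid_text: str, vmdird_text: str) -> list:
    """Return human-readable findings; an empty list means the signature is absent."""
    findings = []
    pnid = analyze_pnid_change(pnid_text)
    vmdird = analyze_vmdird(vmdird_text)
    for name in vmdird["doubled_names"]:
        findings.append(f"doubled domain suffix in vmdird entry: {name}")
    for task in pnid["task_failures"]:
        findings.append(f"pnid_change task failure: {task}")
    if pnid["nonzero_exit_codes"]:
        findings.append(f"non-zero command exit codes: {pnid['nonzero_exit_codes']}")
    if vmdird["bind_failures"]:
        findings.append(f"SASL bind failures (error 49): {vmdird['bind_failures']}")
    return findings


if __name__ == "__main__":
    # Usage: python3 check_pnid_logs.py [pnid_change.log vmdird-syslog.log]
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f1, open(sys.argv[2]) as f2:
            pnid_text, vmdird_text = f1.read(), f2.read()
    else:
        pnid_text, vmdird_text = PNID_SAMPLE, VMDIRD_SAMPLE
    for finding in diagnose(pnid_text, vmdird_text) or ["no doubled-domain signature found"]:
        print(finding)
```

A doubled-suffix hit is the strongest indicator; the bind failures and exit code 32 on their own also occur when the machine account password is simply wrong, so treat them as supporting evidence rather than proof of this specific issue.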

Resolution

This is a known issue with the PNID change workflow. Engineering is aware of it and will be working on code changes to handle this situation correctly.

Take a backup or snapshot of the vCenter Server before following the steps below.

Workaround:
To work around this issue, perform the PNID change twice:

  • Update the DNS records before changing the FQDN.
  • Change the PNID to a different FQDN, e.g. appliance.vmware.com. (The PNID must be unique.)
  • Reboot the vCenter Server. (The reboot is required to update the Likewise registry.)
  • Edit the DNS records again to point to the desired FQDN.
  • Change the PNID to the desired FQDN.