PNID Change failing with " Failed to reset machine account "
Article ID: 324593
Updated On:
Products
VMware vCenter Server
Issue/Introduction
Symptoms:
- PNID change fails at 75% with "Failed to reset machine account" error
- PNID change is performed from shortname to fqdn
- PNID change is performed by appending something to the old pnid.
- In the /var/log/vmware/applmgmt/pnid_change.log, you will find entries similar to:
[YYYY-MM-DDTHH:MM:SS] - pnid_utils-run_command():81 - INFO - Running command: /usr/lib/vmware-vmdir/bin/vdcresetMachineActCred -u administrator[YYYY-MM-DDTHH:MM:SS] - pnid_utils-run_command():99 - INFO - Command exited with exitcode : 32[YYYY-MM-DDTHH:MM:SS] - pnid_utils-run_command():101 - WARNING - Command failed with following error:[YYYY-MM-DDTHH:MM:SS] - pnid_utils-run_command():102 - WARNING - b'password: \n'[YYYY-MM-DDTHH:MM:SS] - pnid_utils-run_command():109 - INFO - Done running command[YYYY-MM-DDTHH:MM:SS] - pnid_utils-restart_services():1595 - ERROR - password:[YYYY-MM-DDTHH:MM:SS] - pnid_utils-update_task_status():1441 - INFO - Task : Failed to reset machine account.- In the vmdir logs at /var/log/vmware/vmdird/vmdird-syslog.log, you will find entries similar to:
[YYYY-MM-DDTHH:MM:SS] info vmdird Starting VMware Directory Servicedone[YYYY-MM-DDTHH:MM:SS] info vmdird t@139614706702080: _VmDirCpMdbFile: making database snapshot with file size 146Mb; will take approximate 2 seconds; 0 updates occurred since last snapshot.[YYYY-MM-DDTHH:MM:SS] info vmdird t@139614681523968: VmDirUpdateDCNameToLocalNode - PNID: (Vcenter-FQDN)[YYYY-MM-DDTHH:MM:SS] info vmdird t@139614689916672: VmDirUpdateDCNameToLocalNode - PNID: (Vcenter-FQDN)[YYYY-MM-DDTHH:MM:SS] info vmdird t@139614681523968: VmDirUpdateDCNameToLocalNode - pszDCName: (Vcenter-FQDN)[YYYY-MM-DDTHH:MM:SS] info vmdird t@139614681523968: Successfully notified VMAFD to update DC Name to local node[YYYY-MM-DDTHH:MM:SS] info vmdird t@139614689916672: VmDirUpdateDCNameToLocalNode - pszDCName: (Vcenter-FQDN)[YYYY-MM-DDTHH:MM:SS] info vmdird t@139614689916672: Successfully notified VMAFD to update DC Name to local node[YYYY-MM-DDTHH:MM:SS] err vmdird t@139614673131264: VmDirSRPGetIdentityData (Vcenter-FQDN) failed, (9106)[YYYY-MM-DDTHH:MM:SS] err vmdird t@139614673131264: VmDirSRPGetIdentityData ([email protected]) failed, (9106)[YYYY-MM-DDTHH:MM:SS] err vmdird t@139614673131264: SASLSessionStart: sasl error (-20)(SASL(-13): user not found: no secret in database)[YYYY-MM-DDTHH:MM:SS] err vmdird t@139614673131264: VmDirSendLdapResult: Request (Bind), Error (LDAP_INVALID_CREDENTIALS(49)), Message ((49)(SASL start failed.)), (0) socket (127.0.0.1)[YYYY-MM-DDTHH:MM:SS] err vmdird t@139614673131264: Bind Request Failed (127.0.0.1) error 49: Protocol version: 3, Bind DN: "", Method: SASL[YYYY-MM-DDTHH:MM:SS] info vmdird t@139614673131264: Init Sid cache (dc=vsphere,dc=local) RID (8595)[YYYY-MM-DDTHH:MM:SS] info vmdird t@139614673131264: MOD 1,rep,userPassword: (###)[YYYY-MM-DDTHH:MM:SS] err vmdird t@139614673131264: InternalModifyEntry: VdirExecutePostModifyCommitPlugins - code(9703)[YYYY-MM-DDTHH:MM:SS] err vmdird t@139614673131264: VmDirSendLdapResult: Request (Modify), Error (LDAP_NO_SUCH_OBJECT(32)), Message ( read entry (cn=Vcenter-FQDN,ou=domain controllers,dc=vsphere,dc=local) failed), (0) socket (127.0.0.1)Environment
VMware vCenter Server 7.x
VMware vCenter Server 8.x
VMware vCenter Server 8.x
Cause
- In certain scenarios, the new pnid which gets updated in the registry as part of pnid change workflow will be incorrect. The workflow later performs a machine account reset with this incorrect pnid and fails with the above error.
- This issue can also occur if vmdir is in read-only mode at the time of machine account reset. If this is the case, refer kb: https://knowledge.broadcom.com/external/article/324595/changing-the-vcenter-fqdn-fails-due-to-l.html
Pnid change in the following scenarios will cause this issue:
- Performing a pnid change from shortname to fqdn:
Lets take an example where the current pnid is vcenter(shortname) and domain is example.com. Performing a pnid change from vcenter to vcenter.vmware.com will result in an incorrect pnid(vcenter.example.com.example.com) getting updated in the registry.
- Performing a pnid change by appending something to the old pnid name:
In this example the current pnid is vcenter.example.com and the new pnid is prod-vcenter.example.com. Performing a pnid change will update prod-prod-vcenter.exampl.com in the registry which is incorrect.
Resolution
Contact VMware Support for assistance - https://support.broadcom.com/web/ecx/contact-support
Feedback
Yes
No
Powered by
