The vmware-stsd service fails to start due to multiple machine accounts with the same sAMAccountName

Article ID: 326207

Products

VMware vCenter Server

Issue/Introduction

 - After changing the Primary Network Identifier (PNID), the vmware-stsd service fails to start
 - The /var/log/vmware/sso/vmware-identity-sts.log has entries similar to the following (where vcsa.example.com is the hostname of the vCenter server):

YYYY-MM-DDTHH:MM:SS ERROR sts[77:tomcat-http--30] [CorId=########-####-####-####-########b77a] [com.vmware.identity.idm.server.IdentityManager] Failed to get attributes for principal [[email protected]] in tenant [vsphere.local]
YYYY-MM-DDTHH:MM:SS ERROR sts[77:tomcat-http--30] [CorId=########-####-####-####-########b77a] [com.vmware.identity.idm.server.ServerUtils] Exception 'java.lang.IllegalStateException:
Internal error : duplicate entries were found'
java.lang.IllegalStateException: Internal error : duplicate entries were found

Environment

VMware vCenter Server 7.0.x
VMware vCenter Server 8.0.x

Cause

During a PNID change the original machine account entry in VMware Directory (vmdir) is not removed, so two machine accounts under the Domain Controllers OU end up with the same sAMAccountName value. When the STS looks up the machine principal it finds more than one match, raises the "duplicate entries were found" error shown above, and the service does not start.

Resolution

Remove the machine account entry with the old DN (the one whose cn is not the current PNID) from ou=Domain Controllers,dc=vsphere,dc=local, then check whether entries for the old name still exist under cn=Servers,cn=[Site Name],cn=Sites,cn=Configuration,dc=vsphere,dc=local.


Using JXplorer

  1. Refer to How to export VMDir information from vCenter Server using the JXplorer utility (steps 1-3 to configure the connection) to connect to the vCenter server with JXplorer.

  2. Expand the Domain Controllers OU and check whether there is an entry for the old PNID of the vCenter. To confirm, select each entry and open the Table Editor tab in the main window to view its attributes. Two entries with the same sAMAccountName value are the condition that keeps the vmware-stsd service from starting.

  3. To remove the old entry, select it, right-click, and choose Delete.

  4. There may also be entries under Sites > [Site Name] > Servers that refer to the old vCenter PNID. These can be deleted as well, but LDAP does not allow deleting an entry that still has children, so remove the Replication Agreements and any ldapuri:// child entries first, then the server entry itself.


Using the Command Line


To list the machine account entries under the Domain Controllers OU together with their sAMAccountName attribute, use the following command (the first part derives the SSO domain DN, for example dc=vsphere,dc=local, from the domain name reported by vmafd). If ldapsearch attempts a SASL bind instead of prompting for the password, add -x to force a simple bind.

# SSO_DOMAIN_DN="dc=$(/usr/lib/vmware-vmafd/bin/vmafd-cli get-domain-name --server-name localhost | sed -e 's/\./,dc=/g')"; ldapsearch -LLL -h localhost -b "ou=Domain Controllers,$SSO_DOMAIN_DN" -D "cn=administrator,cn=users,$SSO_DOMAIN_DN" -W "(objectClass=*)" sAMAccountName

Enter LDAP Password:
dn: ou=Domain Controllers,dc=vsphere,dc=local

dn: cn=10.20.1.70,ou=Domain Controllers,dc=vsphere,dc=local
sAMAccountName: vcsa.example.com

dn: cn=vcsa.example.com,ou=Domain Controllers,dc=vsphere,dc=local
sAMAccountName: vcsa.example.com


Here we see two accounts with the same sAMAccountName. Only the entry whose cn matches the current PNID must remain. Assuming the current PNID is vcsa.example.com, the other entry is removed with:

# ldapdelete -h localhost -D "cn=administrator,cn=users,$SSO_DOMAIN_DN" -W "cn=10.20.1.70,ou=Domain Controllers,$SSO_DOMAIN_DN"

Re-run the ldapsearch afterwards to confirm that exactly one entry remains for that sAMAccountName before attempting to start vmware-stsd again.
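The listing and deletion steps above, as an added example that is not part of this KB: a small shell script that reads the LDIF printed by the ldapsearch command, groups the Domain Controllers entries by sAMAccountName, and prints only the DN(s) that share a name with another entry and are not the current PNID, so the ldapdelete target is chosen mechanically rather than by eye. The current PNID is assumed to be obtained from vmafd-cli get-pnid; the sample LDIF is constructed (the KB's two entries plus a second, healthy node named vcsa2.example.com) so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the VMware KB. Selects the stale machine account(s)
# from the LDIF that the KB's ldapsearch prints, without touching the directory.
# Live usage:
#   ldapsearch -LLL ... sAMAccountName -W \
#     | stale_machine_accounts "$(/usr/lib/vmware-vmafd/bin/vmafd-cli get-pnid --server-name localhost)"
# Assumptions: entries under ou=Domain Controllers have the RDN cn=<name>, and
# sAMAccountName values are compared case-insensitively (hostnames are).

# stale_machine_accounts <current PNID>   (reads LDIF on stdin)
# Prints the DN of every entry whose sAMAccountName is shared with another entry
# and whose cn is NOT the current PNID. If none of the entries sharing a name is
# the PNID itself, nothing is selected for that name and a warning goes to
# stderr, so a mistyped PNID cannot select every entry for deletion.
stale_machine_accounts() {
  pnid="$1"
  awk -v pnid="$pnid" '
    function cn_of(d,   c) { c = d; sub(/^cn=/, "", c); sub(/,.*$/, "", c); return tolower(c) }
    # One LDIF entry ends at a blank line (or at the next dn:); record it.
    function flush(   k) {
      if (dn != "" && sam != "") { k = tolower(sam); n[k]++; list[k, n[k]] = dn }
      dn = ""; sam = ""
    }
    /^dn: /             { flush(); dn = substr($0, 5); next }
    /^sAMAccountName: / { sam = substr($0, 17); next }
    /^$/                { flush(); next }
    END {
      flush()
      for (k in n) {
        if (n[k] < 2) continue                      # unique name: nothing to do
        keep = 0
        for (i = 1; i <= n[k]; i++)
          if (cn_of(list[k, i]) == tolower(pnid)) keep = 1
        if (!keep) {
          printf "warning: none of the %d entries sharing sAMAccountName %s is named %s; selecting none\n", n[k], k, pnid > "/dev/stderr"
          continue
        }
        for (i = 1; i <= n[k]; i++)
          if (cn_of(list[k, i]) != tolower(pnid)) print list[k, i]
      }
    }
  ' | sort
}

# ldapdelete_plan <current PNID> <SSO domain DN>   (reads LDIF on stdin)
# Prints, but does not run, one ldapdelete command per stale DN for review.
ldapdelete_plan() {
  pnid="$1"; domain_dn="$2"
  stale_machine_accounts "$pnid" | while IFS= read -r dn; do
    printf 'ldapdelete -h localhost -D "cn=administrator,cn=users,%s" -W "%s"\n' "$domain_dn" "$dn"
  done
}

# Constructed sample: the KB's two duplicate entries plus a second, healthy node.
SAMPLE_LDIF='dn: ou=Domain Controllers,dc=vsphere,dc=local

dn: cn=10.20.1.70,ou=Domain Controllers,dc=vsphere,dc=local
sAMAccountName: vcsa.example.com

dn: cn=vcsa.example.com,ou=Domain Controllers,dc=vsphere,dc=local
sAMAccountName: vcsa.example.com

dn: cn=vcsa2.example.com,ou=Domain Controllers,dc=vsphere,dc=local
sAMAccountName: vcsa2.example.com
'

# Dry run: prints the single ldapdelete for cn=10.20.1.70; vcsa2 is untouched.
printf '%s' "$SAMPLE_LDIF" | ldapdelete_plan vcsa.example.com dc=vsphere,dc=local
```

Run the printed ldapdelete only after the offline snapshots described under Impact/Risks exist, and run it against one node only; vmdir replicates the deletion to the other vCenters in the SSO domain. The same ldapsearch with -b pointed at cn=Sites,cn=Configuration,$SSO_DOMAIN_DN and a filter on the old name lists the Servers entries the JXplorer section describes; their child entries must be deleted before the server entry, as noted there.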



Additional Information

Impact/Risks:
As with any operation that modifies the VMware Directory instance, take offline (powered-off) snapshots of all vCenter servers in the SSO domain before making the change; vmdir replicates the deletion to every node, so a single-node snapshot is not a usable rollback point.