The vmware-stsd service fails to start due to multiple machine accounts with the same sAMAccountName

Article ID: 326207

Products

VMware vCenter Server

Issue/Introduction

Symptoms:
- After changing the Primary Network Identifier (PNID), the vmware-stsd service fails to start.
- /var/log/vmware/sso/vmware-identity-sts.log contains entries similar to the following (where vcsa1.vmware.com is the hostname of the vCenter Server):
2021-09-01T15:50:22.548Z ERROR sts[77:tomcat-http--30] [CorId=986489b6-5756-4461-9fff-59fdc3dfb77a] [com.vmware.identity.idm.server.IdentityManager] Failed to get attributes for principal [vcsa1.vmware.com@vsphere.local] in tenant [vsphere.local]
2021-09-01T15:50:22.548Z ERROR sts[77:tomcat-http--30] [CorId=986489b6-5756-4461-9fff-59fdc3dfb77a] [com.vmware.identity.idm.server.ServerUtils] Exception 'java.lang.IllegalStateException: Internal error : duplicate entries were found'
java.lang.IllegalStateException: Internal error : duplicate entries were found

Environment

VMware vCenter Server 7.0.x

Cause

During a PNID change the original machine account entry in VMware Directory (vmdir) is not removed, so two machine account entries end up with the same value for the sAMAccountName attribute. When the STS looks up the machine principal it finds both entries, cannot resolve the principal uniquely, and fails to start with the "duplicate entries were found" error shown above.

Resolution

Remove the machine account entry whose DN still carries the old PNID from ou=Domain Controllers,dc=vsphere,dc=local, keeping the entry whose cn matches the current PNID. Also check whether entries for the old name remain under cn=Servers,cn=[Site Name],cn=Sites,cn=Configuration,dc=vsphere,dc=local and remove those as well.


Using jXplorer


Refer to https://kb.vmware.com/s/article/2077170 (steps 1-2 describe configuring the connection) to connect to the vCenter Server with jXplorer. Expand the Domain Controllers OU and check whether an entry for the old PNID of the vCenter Server is present. To inspect an entry's attributes, select it and open the Table Editor tab in the main window. If two entries carry the same sAMAccountName value, the vmware-stsd service will fail to start until one of them is removed.

To remove the old entry, select it, right-click, and choose Delete.

There may also be entries under Sites > [Site Name] > Servers referring to the old vCenter PNID, which can also be deleted. Delete the Replication Agreements and any ldapuri:// child entries first, since an LDAP entry cannot be removed while it still has children.


Using the Command Line


From a shell on the vCenter Server appliance, list the machine account entries and their sAMAccountName values with the following command (the first part derives the SSO domain DN from vmafd; -W prompts for the SSO administrator password):
# SSO_DOMAIN_DN="dc=$(/usr/lib/vmware-vmafd/bin/vmafd-cli get-domain-name --server-name localhost | sed -e 's/\./,dc=/g')"; ldapsearch -LLL -h localhost -b "ou=Domain Controllers,$SSO_DOMAIN_DN" -D "cn=administrator,cn=users,$SSO_DOMAIN_DN" sAMAccountName -W

Enter LDAP Password:
dn: ou=Domain Controllers,dc=vsphere,dc=local

dn: cn=10.20.1.70,ou=Domain Controllers,dc=vsphere,dc=local
sAMAccountName: vcsa70.vmware.com

dn: cn=vcsa70.vmware.com,ou=Domain Controllers,dc=vsphere,dc=local
sAMAccountName: vcsa70.vmware.com

Here two entries share the same sAMAccountName. The entry to keep is the one whose cn matches the current PNID; assuming the current PNID is vcsa70.vmware.com, the stale entry cn=10.20.1.70 is removed with:
# ldapdelete -h localhost -D "cn=administrator,cn=users,$SSO_DOMAIN_DN" -W "cn=10.20.1.70,ou=Domain Controllers,dc=vsphere,dc=local"
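The jXplorer and command-line procedures above both come down to the same decision: group the entries under the Domain Controllers OU by sAMAccountName and, where a value occurs twice, delete the entry whose cn is not the current PNID. The script below is an added example and is not part of this KB or of VMware's tooling. It parses the LDIF that the ldapsearch command above prints, refuses to choose when zero or several of the duplicate entries match the PNID, and only prints the ldapdelete command an operator would run; it never deletes anything itself. It assumes the vmafd-cli path used in this article and additionally uses the real `vmafd-cli get-pnid --server-name localhost` subcommand to read the current PNID. The sample LDIF embedded in it is constructed to mirror the output shown above and is not real data.

```shell
#!/bin/sh
# Added example (not from the KB): detect duplicate machine accounts in vmdir
# and identify the stale one from the current PNID, without deleting anything.
# Assumed: the KB's vmafd-cli/ldapsearch invocations and the default DN layout.

VMAFD_CLI=/usr/lib/vmware-vmafd/bin/vmafd-cli

# find_stale_dns PNID
# Reads the LDIF produced by "ldapsearch -LLL ... sAMAccountName" on stdin.
# Entries are grouped by sAMAccountName (case-insensitive); for every group with
# more than one entry, the entry whose cn RDN equals the current PNID is kept
# and the other DNs are printed, one per line.
# Exit status: 0 no duplicates, 1 stale DNs printed, 2 at least one duplicate
# group had zero or several entries matching the PNID (refuse to guess).
# Limitation: assumes plain, comma-free cn values, as vmdir emits here.
find_stale_dns() {
    awk -v pnid="$1" '
    function flush() {
        if (dn != "" && sam != "") {
            key = tolower(sam); n[key]++; dns[key, n[key]] = dn; name[key] = sam
        }
        dn = ""; sam = ""
    }
    /^dn: /             { dn = substr($0, 5); next }    # "dn: " is 4 chars
    /^sAMAccountName: / { sam = substr($0, 17); next }  # attribute + ": " is 16 chars
    /^$/                { flush() }                     # blank line ends an entry
    END {
        flush()
        rc = 0
        for (key in n) {
            if (n[key] < 2) continue
            if (rc == 0) rc = 1
            keep = 0; s = 0
            for (i = 1; i <= n[key]; i++) {
                d = dns[key, i]
                cn = d; sub(/^cn=/, "", cn); sub(/,.*$/, "", cn)   # first RDN value
                if (tolower(cn) == tolower(pnid)) { keep++ } else { stale[++s] = d }
            }
            if (keep == 1) {
                for (i = 1; i <= s; i++) print stale[i]
            } else {
                printf("WARNING: %d of %d entries with sAMAccountName=%s match PNID %s; nothing selected\n",
                       keep, n[key], name[key], pnid) > "/dev/stderr"
                rc = 2
            }
        }
        exit rc
    }'
}

# Live check on a vCenter Server appliance: derive the SSO domain DN and the
# current PNID from vmafd, query vmdir the way the KB does, and print the
# ldapdelete command for each stale entry. Nothing is deleted here.
report_stale_machine_accounts() {
    domain=$("$VMAFD_CLI" get-domain-name --server-name localhost)
    dn="dc=$(printf '%s' "$domain" | sed -e 's/\./,dc=/g')"
    pnid=$("$VMAFD_CLI" get-pnid --server-name localhost)
    if stale=$(ldapsearch -LLL -h localhost -b "ou=Domain Controllers,$dn" \
            -D "cn=administrator,cn=users,$dn" -W sAMAccountName | find_stale_dns "$pnid"); then
        echo "No duplicate sAMAccountName values under ou=Domain Controllers,$dn"
        return 0
    fi
    [ -n "$stale" ] || { echo "Duplicates found but none could be attributed; inspect manually" >&2; return 2; }
    echo "Current PNID: $pnid"
    echo "Stale machine account entries; after taking offline snapshots of every node, remove with:"
    printf '%s\n' "$stale" | while IFS= read -r d; do
        printf '  ldapdelete -h localhost -D "cn=administrator,cn=users,%s" -W "%s"\n' "$dn" "$d"
    done
    return 1
}

# Constructed sample mirroring the KB's ldapsearch output (not real data):
# the cn=10.20.1.70 entry is the leftover from before the PNID change.
SAMPLE_LDIF='dn: ou=Domain Controllers,dc=vsphere,dc=local

dn: cn=10.20.1.70,ou=Domain Controllers,dc=vsphere,dc=local
sAMAccountName: vcsa70.vmware.com

dn: cn=vcsa70.vmware.com,ou=Domain Controllers,dc=vsphere,dc=local
sAMAccountName: vcsa70.vmware.com

dn: cn=vcsa71.vmware.com,ou=Domain Controllers,dc=vsphere,dc=local
sAMAccountName: vcsa71.vmware.com'

if [ -x "$VMAFD_CLI" ]; then
    report_stale_machine_accounts
else
    # Not on a vCenter appliance: exercise the parser on the constructed sample.
    # Prints: cn=10.20.1.70,ou=Domain Controllers,dc=vsphere,dc=local
    printf '%s\n' "$SAMPLE_LDIF" | find_stale_dns vcsa70.vmware.com || true
fi
```

Run it on the appliance as root to get the candidate ldapdelete commands, or feed saved ldapsearch output through find_stale_dns on any host. The PNID comparison is case-insensitive because hostnames and vmdir attribute values are; the refusal to act when the PNID matches none or several of the duplicates is deliberate, since deleting the wrong machine account breaks the node's own authentication.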


Additional Information

Impact/Risks:
As with any operation that modifies the VMware Directory (vmdir) database, offline (powered-off) snapshots of all vCenter Servers in the SSO domain, taken before any change is made, are required so that every replication partner can be rolled back together if something goes wrong.