- After changing the Primary Network Identifier (PNID), the vmware-stsd service fails to start
- The /var/log/vmware/sso/vmware-identity-sts.log has entries similar to the following (where vcsa.example.com is the hostname of the vCenter server):
YYYY-MM-DDTHH:MM:SS ERROR sts[77:tomcat-http--30] [CorId=########-####-####-####-########b77a] [com.vmware.identity.idm.server.IdentityManager] Failed to get attributes for principal [[email protected]] in tenant [vsphere.local]
YYYY-MM-DDTHH:MM:SS ERROR sts[77:tomcat-http--30] [CorId=########-####-####-####-########b77a] [com.vmware.identity.idm.server.ServerUtils] Exception 'java.lang.IllegalStateException: Internal error : duplicate entries were found'
java.lang.IllegalStateException: Internal error : duplicate entries were found
Remove the machine account with the old DN value from ou=Domain Controllers,dc=vsphere,dc=local, and check to see if there are still entries for the old name under cn=Servers,cn=[Site Name],cn=Sites,cn=Configuration,dc=vsphere,dc=local
To get a list of the machine account entries, use the following command (it prompts for the SSO administrator password):
# SSO_DOMAIN_DN="dc=$(/usr/lib/vmware-vmafd/bin/vmafd-cli get-domain-name --server-name localhost | sed -e 's/\./,dc=/g')"; ldapsearch -LLL -h localhost -b "ou=Domain Controllers,$SSO_DOMAIN_DN" -D "cn=administrator,cn=users,$SSO_DOMAIN_DN" sAMAccountName -W
Enter LDAP Password:
dn: ou=Domain Controllers,dc=vsphere,dc=local
dn: cn=10.20.1.70,ou=Domain Controllers,dc=vsphere,dc=local
sAMAccountName: vcsa.example.com
dn: cn=vcsa.example.com,ou=Domain Controllers,dc=vsphere,dc=local
sAMAccountName: vcsa.example.com
Here we see there are two accounts with the same sAMAccountName. Assuming the current PNID is vcsa.example.com, we can remove the other entry with:
# ldapdelete -h localhost -D "cn=administrator,cn=users,$SSO_DOMAIN_DN" -W "cn=10.20.1.70,ou=Domain Controllers,dc=vsphere,dc=local"
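As an added example (not part of the KB), a small shell helper that parses the LDIF printed by the ldapsearch above and lists the machine-account entries that share a sAMAccountName but whose RDN is not cn=<current PNID>, which are the stale entries the KB says to remove. The LDIF it runs on here is a constructed sample mirroring the output shown; in practice you would pipe the real ldapsearch output into it and review the result before running ldapdelete.

```shell
#!/bin/sh
# Constructed sample LDIF, mirroring the ldapsearch output in the KB (not real data).
SAMPLE_LDIF='dn: ou=Domain Controllers,dc=vsphere,dc=local

dn: cn=10.20.1.70,ou=Domain Controllers,dc=vsphere,dc=local
sAMAccountName: vcsa.example.com

dn: cn=vcsa.example.com,ou=Domain Controllers,dc=vsphere,dc=local
sAMAccountName: vcsa.example.com
'

# stale_dc_entries <current-pnid>
# Reads LDIF on stdin. For every sAMAccountName that appears on more than one
# entry, prints the DNs whose RDN is not cn=<current-pnid>, one per line.
# Entries with a unique sAMAccountName are never reported.
stale_dc_entries() {
    awk -v pnid="$1" '
        /^dn: /             { dn = substr($0, 5) }
        /^sAMAccountName: / { sam = substr($0, 17); cnt[sam]++; dns[sam] = dns[sam] dn "\n" }
        END {
            for (s in cnt) {
                if (cnt[s] < 2) continue          # no duplicate, nothing to do
                n = split(dns[s], list, "\n")
                for (i = 1; i <= n; i++) {
                    if (list[i] == "") continue
                    rdn = list[i]; sub(/,.*/, "", rdn)   # first RDN, e.g. cn=10.20.1.70
                    # keep the entry named after the current PNID; report the rest
                    if (tolower(rdn) != "cn=" tolower(pnid)) print list[i]
                }
            }
        }'
}

# Demonstration on the constructed sample: prints the DN of the old 10.20.1.70 entry.
printf '%s' "$SAMPLE_LDIF" | stale_dc_entries vcsa.example.com
```

Each printed DN can be passed to the ldapdelete command shown above once you have confirmed it is the old machine account.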