VMware engineering is aware of this issue and is working to resolve it. The fix version will be provided here once available.
Workaround:
- The first step to correct this condition is to ensure the roles aren't missing from VMDIR. Use the following KB to add the roles back to VMDIR: Manually Synchronize WCP Roles
- If the /usr/lib/vmware-wcp/py-modules/roles.py script in the above KB reports "already exists" for ALL roles, the role is present but is misnamed. Example output:
```
2023-03-05T02:12:24.076Z Role id 1004, name WorkloadStorageManagement - already exists\n
2023-03-05T02:12:24.086Z Role id 1005, name vSphereKubernetesManager - already exists\n
2023-03-05T02:12:24.093Z Role id 1007, name SupervisorServiceCluster - already exists\n
2023-03-05T02:12:24.103Z Role id 1008, name SupervisorServiceRootFolder - already exists\n
2023-03-05T02:12:24.111Z Role id 1009, name SupervisorServiceGlobal - already exists\n
2023-03-05T02:12:24.120Z Role id 1021, name VMOperatorController - already exists\n
2023-03-05T02:12:24.127Z Role id 1022, name VMOperatorControllerGlobal - already exists\n
2023-03-05T02:12:24.137Z Role id 0, name VMServicesAdministrator - already exists\n
2023-03-05T02:12:24.148Z Role id 0, name NsxAuditor - already exists\n
2023-03-05T02:12:24.154Z Role id 0, name NsxViAdministrator - already exists\n
2023-03-05T02:12:24.176Z Role id 0, name NsxAdministrator - already exists\n'
```
- Use the following process to identify misnamed Roles in VMDIR:
1. Gather an LDIF export and grep for vmwAuthzRoleName:
```
# /opt/likewise/bin/ldapsearch -v -h localhost -p 389 -D "cn=Administrator,cn=Users,dc=vsphere,dc=local" -w 'SSO_PASSWORD' -b "dc=vsphere,dc=local" -s sub | grep vmwAuthzRoleName
```
EXAMPLE OUTPUT:
```
vmwAuthzRoleName: NsxAdministrator
vmwAuthzRoleName: VMOperatorController
vmwAuthzRoleName: VMOperatorControllerGlobal
vmwAuthzRoleName: Workload Storage Management
vmwAuthzRoleName: NsxAuditor
vmwAuthzRoleName: SupervisorServiceCluster
vmwAuthzRoleName: NsxViAdministrator
vmwAuthzRoleName: SupervisorServiceRootFolder
vmwAuthzRoleName: SupervisorServiceGlobal
vmwAuthzRoleName: VMServicesAdministrator
vmwAuthzRoleName: vSphereKubernetesManager
```
NOTE: This list has been truncated for readability.
2. Compare the output from Step 1 with the expected role names below:
```
WorkloadStorageManagement
vSphereKubernetesManager
SupervisorServiceCluster
SupervisorServiceRootFolder
SupervisorServiceGlobal
VMOperatorController
VMOperatorControllerGlobal
VMServicesAdministrator
NsxAuditor
NsxViAdministrator
NsxAdministrator
```
- Once the misnamed Roles have been identified, delete the problem roles from the vSphere Web Client: Menu > Administration > Roles, select the problem role and click Delete.
- Once problem roles have been removed, add them back using the steps noted in KB Manually Synchronize WCP Roles
- After adding the roles back to VMDIR, restart the WCP service to add the required users back to the roles:
```
# service-control --restart wcp
```
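
The comparison in Steps 1 and 2 can be scripted. The following is an added example, not part of the original KB or VMware's tooling: the function names `find_misnamed_roles` and `sample_ldapsearch_output` are hypothetical, and the sample input is the article's own example output. It goes slightly beyond the manual comparison by also reporting expected names that are absent altogether.

```shell
# Added example (not VMware code): check the Step 1 ldapsearch output against
# the expected role names from Step 2 of this article.
EXPECTED_ROLES="WorkloadStorageManagement vSphereKubernetesManager \
SupervisorServiceCluster SupervisorServiceRootFolder SupervisorServiceGlobal \
VMOperatorController VMOperatorControllerGlobal VMServicesAdministrator \
NsxAuditor NsxViAdministrator NsxAdministrator"

# Hypothetical helper: reads ldapsearch output on stdin and prints
# "MISNAMED <found> -> <expected>" or "MISSING <expected>", one per line.
find_misnamed_roles() {
    awk -v expected="$EXPECTED_ROLES" '
        # Normalise a name: drop whitespace and ignore letter case.
        function norm(s) { gsub(/[ \t]+/, "", s); return tolower(s) }
        BEGIN {
            n = split(expected, names, " ")
            for (i = 1; i <= n; i++) want[norm(names[i])] = names[i]
        }
        /^vmwAuthzRoleName:/ {
            name = $0
            sub(/^vmwAuthzRoleName:[ \t]*/, "", name)
            sub(/[ \t\r]+$/, "", name)
            key = norm(name)
            if (!(key in want)) next      # not one of the expected roles
            seen[key] = 1
            if (name != want[key]) printf "MISNAMED %s -> %s\n", name, want[key]
        }
        END {
            for (i = 1; i <= n; i++)
                if (!(norm(names[i]) in seen)) printf "MISSING %s\n", names[i]
        }
    '
}

# Sample input: the example output shown under Step 1 of this article.
sample_ldapsearch_output() {
    cat <<'EOF'
vmwAuthzRoleName: NsxAdministrator
vmwAuthzRoleName: VMOperatorController
vmwAuthzRoleName: VMOperatorControllerGlobal
vmwAuthzRoleName: Workload Storage Management
vmwAuthzRoleName: NsxAuditor
vmwAuthzRoleName: SupervisorServiceCluster
vmwAuthzRoleName: NsxViAdministrator
vmwAuthzRoleName: SupervisorServiceRootFolder
vmwAuthzRoleName: SupervisorServiceGlobal
vmwAuthzRoleName: VMServicesAdministrator
vmwAuthzRoleName: vSphereKubernetesManager
EOF
}
```

On the appliance, pipe the Step 1 ldapsearch command into `find_misnamed_roles` in place of the sample function; for the example output above it prints `MISNAMED Workload Storage Management -> WorkloadStorageManagement`.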