ESXi Credential task fails with error, "pam_passwdqc:Error parsing parameter"

Article ID: 327182

Products

VMware Cloud Foundation

VMware vSphere ESXi

Issue/Introduction

You see an error similar to the following in operationsmanager.log:

/var/log/vmware/vcf/operationsmanager/operationsmanager.log

YYYY-MM-DDTHH:MM:SS ERROR [vcf_om,5cec44d36dae81fd,f46c] [c.v.v.p.u.c.AbstractPasswordChanger,om-exec-4] A general system error
 occurred: pam_passwdqc: Error parsing parameter "Incorrect.EntryValueField": Invalid parameter. *** passwd: Critical error - immediate abort

YYYY-MM-DDTHH:MM:SS ERROR [vcf_om,5cec44d36dae81fd,f46c] [c.v.v.p.u.c.AbstractPasswordChanger,om-exec-4] A general system error
 occurred: pam_passwdqc: Error parsing parameter "Incorrect.EntryValueField": Invalid parameter. *** passwd: Critical error - immediate abort
com.vmware.vcf.passwordmanager.exception.PasswordUpdateException: A general system error occurred: pam_passwdqc: Error parsing parameter
org.springframework.cloud.sleuth.instrument.async.TraceCallable.call(TraceCallable.java:67)
        at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
        at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
        at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
        at java.base/java.lang.Thread.run(Thread.java:829)
Caused by: com.vmware.vim.binding.vmodl.fault.SystemError: A general system error occurred: pam_passwdqc: Error parsing parameter "Incorrect.EntryValueField": Invalid parameter. *** passwd: Critical error - immediate abort

Environment

VMware Cloud Foundation

VMware vSphere ESXi

Cause

An incorrect value was entered in the Security.PasswordQualityControl field under the ESXi Advanced System Settings. This value was changed while hardening the password parameters on the ESXi hosts.

Reference: vSphere Security

In this example, Incorrect.EntryValueField is an invalid flag and is causing the issue.

Resolution

This issue is fixed in VCF 5.x.

Additional checking logic is implemented when updating the Security.PasswordQualityControl field.

Workaround:

1. Remove the incorrect entry from the Security.PasswordQualityControl field in the Advanced System Settings on the ESXi host(s).
2. Retry the credential task from the SDDC UI.

In some instances, the invalid entry can cause the ESXi root and service account passwords to be out of sync with SDDC or expired. If this occurs, you will have to manually change the password on the ESXi host and then run a remediate with the new passwords from SDDC.
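To find the offending token for step 1, or to pre-check a hardened value before applying it, the sketch below validates a Security.PasswordQualityControl string against the parameter grammar in the upstream pam_passwdqc man page. It is an added example, not VMware's checking logic; the function name, the tables and the sample values are constructed here, and it assumes the ESXi build accepts the same core parameters as upstream.

```python
import re

# Grammar taken from the upstream pam_passwdqc man page. Assumption: the ESXi
# build accepts the same core parameters; extend the tables for your release.
N = r"\d+"
VALUED = {
    "min": rf"(?:disabled|{N})(?:,(?:disabled|{N})){{4}}",
    "max": N, "passphrase": N, "match": N, "retry": N,
    "similar": r"permit|deny",
    "random": rf"{N}(?:,only)?",
    "enforce": r"none|users|everyone",
    "ask_oldauthtok": r"update",
}
BARE = {"non-unix", "ask_oldauthtok", "check_oldauthtok",
        "use_first_pass", "use_authtok"}


def validate_pqc(value):
    """Return (token, reason) pairs for tokens the PAM module would reject."""
    problems = []
    for token in value.split():
        name, sep, arg = token.partition("=")
        if not sep:
            if name not in BARE:
                problems.append((token, "unknown flag"))
        elif name not in VALUED:
            problems.append((token, "unknown parameter"))
        elif not re.fullmatch(VALUED[name], arg):
            problems.append((token, "malformed value"))
        elif name == "min":
            # Man page: each length must be no larger than the one before it;
            # "disabled" sorts above any number.
            nums = [float("inf") if f == "disabled" else int(f)
                    for f in arg.split(",")]
            if any(b > a for a, b in zip(nums, nums[1:])):
                problems.append((token, "min lengths must not increase"))
    return problems


# Constructed samples: the commonly documented ESXi default value, then the
# same value carrying the placeholder token from the log excerpt above.
GOOD = "retry=3 min=disabled,disabled,disabled,7,7"
BAD = GOOD + " Incorrect.EntryValueField"

if __name__ == "__main__":
    for candidate in (GOOD, BAD, "retry=3 min=disabled,disabled,disabled,7,8"):
        print(f"{candidate!r}: {validate_pqc(candidate) or 'OK'}")
```

The value currently set on a host can be read with `esxcli system settings advanced list -o /Security/PasswordQualityControl` and passed to `validate_pqc` as a string.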

Additional Information