Cannot log in to the ESXi host using Active Directory domain credentials
Article ID: 339929

Products

VMware vSphere ESXi

Issue/Introduction

Symptoms:

After an ESXi host is added to the domain successfully, you experience these symptoms:

  • Attempting to log in to the ESXi host using the Active Directory (AD) domain credentials fails.
  • Restarting the lsassd services by running the /etc/init.d/lsassd restart command resolves the issue temporarily.

  • In the /var/log/lsassd.log file, you see entries similar to:

    lsassd[17097]: 0x3a31fb90:Failed to find group by name (name = 'DOMAIN\esx^admins') -> error = 40005, symbol = LW_ERROR_OUT_OF_MEMORY, client pid = 1290138
    sfcb-CIMXML-Processor[1290138]: pam_access(sfcb:auth): access denied for user `DOMAIN\group' from `sfcb'
    lsassd[17097]: 0x3a30eb90:Failed to authenticate user (name = 'DOMAIN\group') -> error = 40047, symbol = LW_ERROR_KRB5_CALL_FAILED, client pid = 1290138
    sfcb-CIMXML-Processor[1290138]: [module:pam_lsass]pam_sm_authenticate error [login:DOMAIN\group][error code:40047]
    Unknown: out of memory [17097]

    For more information on setting up logging of the likewise agent, see Enabling logging for Likewise agents on ESXi/ESX (1026554).


    Note: The preceding log excerpts are only examples. Date, time, and environmental variables may vary depending on your environment.  

     


Environment

VMware vSphere ESXi 5.0
VMware vSphere ESXi 5.1
VMware vSphere ESXi 5.5

Cause

This issue occurs when the Likewise agent exceeds its allocated amount of memory. By default, the Likewise agent has 25MB of memory allocated, while the memory cache cap is set to unlimited.
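To tell this memory-exhaustion failure apart from an ordinary rejected login, the following added example (not VMware's code) scans a copy of lsassd.log for lsassd processes that logged LW_ERROR_OUT_OF_MEMORY and counts the authentication failures each one logged afterwards. The function names are hypothetical, and the sample log is constructed from the excerpt above plus one made-up line for a second lsassd PID.

```shell
#!/bin/sh
# Added example (not VMware code): report lsassd processes that logged
# LW_ERROR_OUT_OF_MEMORY and how many logins they rejected afterwards.

lsassd_oom_report() {   # $1 = path to a copy of /var/log/lsassd.log
    report=$(awk '
        {
            i = index($0, "lsassd[")        # tolerate timestamp prefixes
            if (i == 0) next                # not an lsassd record
            rest = substr($0, i + 7)
            pid = substr(rest, 1, index(rest, "]") - 1)
            if (pid !~ /^[0-9]+$/) next
            if (index($0, "symbol = LW_ERROR_OUT_OF_MEMORY"))
                oom[pid]++
            else if (index($0, "Failed to authenticate user") && (pid in oom))
                denied[pid]++               # failure after the first OOM record
        }
        END {
            for (pid in oom)
                printf "lsassd_pid=%s oom_errors=%d auth_failures_after_oom=%d\n", pid, oom[pid], denied[pid]
        }' "$1" | sort)
    [ -n "$report" ] || return 1            # signature not present in this log
    printf "%s\n" "$report"
}

# Constructed sample: the article's excerpt plus one unrelated failure
# from a second (made-up) lsassd PID that never ran out of memory.
write_sample_log() {    # $1 = file to create
    cat > "$1" <<'EOF'
lsassd[17097]: 0x3a31fb90:Failed to find group by name (name = 'DOMAIN\esx^admins') -> error = 40005, symbol = LW_ERROR_OUT_OF_MEMORY, client pid = 1290138
sfcb-CIMXML-Processor[1290138]: pam_access(sfcb:auth): access denied for user `DOMAIN\group' from `sfcb'
lsassd[17097]: 0x3a30eb90:Failed to authenticate user (name = 'DOMAIN\group') -> error = 40047, symbol = LW_ERROR_KRB5_CALL_FAILED, client pid = 1290138
lsassd[20001]: 0x3a30eb90:Failed to authenticate user (name = 'DOMAIN\other') -> error = 40047, symbol = LW_ERROR_KRB5_CALL_FAILED, client pid = 1290200
EOF
}

sample=$(mktemp)
write_sample_log "$sample"
lsassd_oom_report "$sample"
rm -f "$sample"
```

A non-zero return means no lsassd process in the log reported LW_ERROR_OUT_OF_MEMORY, so the failed logins have a different cause than the one described here.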

Resolution

  • In the vSphere Client, select the ESXi host.
  • Click the Configuration tab.
  • Click Authentication Services.
  • Click Properties.
  • Change the Select Directory Service Type to Local Authentication.
  • Click OK.
  • Connect to the ESXi host using SSH. For more information, see Using ESXi Shell in ESXi 5.x (2004746).
  • Run this command to stop the lsassd services:

    /etc/init.d/lsassd stop

  • Open the /etc/likewise/lsassd.conf file using a text editor. For more information, see Editing configuration files in VMware ESXi and ESX (1017022).
  • Remove the # at the beginning of the memory-cache-size-cap entry and change the value to 10485760.
  • Run this command to start the lsassd services:

    /etc/init.d/lsassd start

  • Add the host back to the domain.


Additional Information

Editing configuration files in VMware ESXi and ESX
Enabling logging for Likewise agents on ESXi/ESX
Using ESXi Shell in ESXi 5.x and 6.x
Cannot log in to the ESXi host using an Active Directory domain account