Symptoms:
All authentication fails until the appliance is rebooted (Likewise deadlock).
Authentication is intermittently slow because the Likewise agent (lsassd) hangs for 1-5 minutes.
Root logins to the console or over SSH may fail.
A large number of OpenPolicy failures (LW_ERROR_RPC_OPENPOLICY_FAILED) appear in messages.log (/var/log/vmware/messages):
2020-11-13T01:54:22.917228+00:00 lsassd[1421]: 0x7f3956495700:[AD_NetLookupObjectSidByName() ../lsass/server/auth-providers/ad-open-provider/adnetapi.c:414] Failed to find user, group, or domain by name (name = '[email protected]', searched host = 'DC.domain.com') -> error = 40098, symbol = LW_ERROR_RPC_OPENPOLICY_FAILED
The vmware-identity-sts.log (/var/log/vmware/sso) stops logging until reboot. In the reference below, stsd stops logging at 2020-10-25T11:11:47.564Z and resumes after the reboot at 2020-10-25T12:09:13.074Z:
[2020-10-25T11:11:47.564Z tomcat-http--151 vsphere.local f164da31-2dca-4719-af50-429ada9433f1 INFO com.vmware.identity.sts.ws.handlers.SOAPHeadersExtractor] Found 1 {http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security headers
[2020-10-25T12:09:13.074Z tomcat-http--14 WARN com.sun.xml.ws.transport.http.HttpAdapter] Received WS-I BP non-conformant Unquoted SoapAction HTTP header: http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue
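To check an appliance for both log symptoms without reading the files by hand, the following Python script (added here as an illustration; it is not part of this article or of any VMware tooling) counts LW_ERROR_RPC_OPENPOLICY_FAILED entries per minute in /var/log/vmware/messages and looks for long silences between consecutive vmware-identity-sts.log entries. The log lines embedded in it are constructed for the example (the user name is a placeholder), and the thresholds (5 failures in one minute, 10 minutes of STS silence) are assumptions to tune for your environment. Both functions take any iterable of lines, so on a VCSA you can pass the open log files directly.

```python
"""Detect the two log symptoms of a Likewise (lsassd) hang on a vCenter Server
Appliance: bursts of LW_ERROR_RPC_OPENPOLICY_FAILED in /var/log/vmware/messages
and a long silence in vmware-identity-sts.log.  Example code, not VMware's."""

import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Timestamp prefix of /var/log/vmware/messages lines, e.g. 2020-11-13T01:54:22.917228+00:00
MESSAGES_TS = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})")
# Timestamp prefix of vmware-identity-sts.log lines, e.g. [2020-10-25T11:11:47.564Z
STS_TS = re.compile(r"^\[(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3})Z")

OPENPOLICY_SYMBOL = "LW_ERROR_RPC_OPENPOLICY_FAILED"


def count_openpolicy_failures(lines):
    """Count lsassd OpenPolicy failures per minute.

    Returns {"YYYY-MM-DDTHH:MM": count}. Only lines logged by lsassd that carry
    the LW_ERROR_RPC_OPENPOLICY_FAILED symbol are counted.
    """
    per_minute = Counter()
    for line in lines:
        if "lsassd" not in line or OPENPOLICY_SYMBOL not in line:
            continue
        m = MESSAGES_TS.match(line)
        if m:
            per_minute[m.group(1)[:16]] += 1  # drop the seconds -> minute bucket
    return dict(per_minute)


def sts_timestamps(lines):
    """Extract the UTC timestamps of vmware-identity-sts.log entries, in file order."""
    stamps = []
    for line in lines:
        m = STS_TS.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S.%f")
            stamps.append(ts.replace(tzinfo=timezone.utc))
    return stamps


def find_sts_gaps(lines, max_silence=timedelta(minutes=10)):
    """Return (last_entry, next_entry, gap) for every silence longer than max_silence.

    A healthy stsd logs continuously; a gap of tens of minutes that ends at a
    post-reboot timestamp is the hang described in the symptoms.
    """
    stamps = sts_timestamps(lines)
    return [(prev, cur, cur - prev)
            for prev, cur in zip(stamps, stamps[1:])
            if cur - prev > max_silence]


def matches_lsassd_hang(messages_lines, sts_lines, burst=5,
                        max_silence=timedelta(minutes=10)):
    """True when both symptoms are present: at least `burst` OpenPolicy failures
    in a single minute AND at least one STS silence longer than max_silence.
    Thresholds are assumptions for this example, not values from the article."""
    per_minute = count_openpolicy_failures(messages_lines)
    has_burst = any(n >= burst for n in per_minute.values())
    return has_burst and bool(find_sts_gaps(sts_lines, max_silence))


# ---- constructed sample input (shaped like the real logs, not copied from a system) ----
def _fail_line(ts, pid="1421"):
    return (f"{ts} lsassd[{pid}]: 0x7f3956495700:[AD_NetLookupObjectSidByName() "
            "../lsass/server/auth-providers/ad-open-provider/adnetapi.c:414] "
            "Failed to find user, group, or domain by name (name = 'user@domain.com', "
            "searched host = 'DC.domain.com') -> error = 40098, "
            f"symbol = {OPENPOLICY_SYMBOL}")


SAMPLE_MESSAGES = [
    _fail_line(f"2020-11-13T01:54:{s:02d}.000000+00:00") for s in (22, 23, 25, 31, 40, 58)
] + [
    # constructed filler line from lsassd without the OpenPolicy symbol: must not be counted
    "2020-11-13T01:54:45.000000+00:00 lsassd[1421]: (constructed filler entry)",
    _fail_line("2020-11-13T01:55:03.000000+00:00"),
]

SAMPLE_STS = [
    "[2020-10-25T11:10:02.110Z tomcat-http--150 vsphere.local INFO constructed] entry",
    "[2020-10-25T11:11:47.564Z tomcat-http--151 vsphere.local f164da31-2dca-4719-af50-429ada9433f1 "
    "INFO com.vmware.identity.sts.ws.handlers.SOAPHeadersExtractor] Found 1 Security headers",
    # ~57 minutes of silence here, then logging resumes after the reboot
    "[2020-10-25T12:09:13.074Z tomcat-http--14 WARN com.sun.xml.ws.transport.http.HttpAdapter] "
    "Received WS-I BP non-conformant Unquoted SoapAction HTTP header",
    "[2020-10-25T12:09:14.001Z tomcat-http--14 INFO constructed] entry",
]


if __name__ == "__main__":
    print("OpenPolicy failures per minute:", count_openpolicy_failures(SAMPLE_MESSAGES))
    for last, nxt, gap in find_sts_gaps(SAMPLE_STS):
        print(f"stsd silent for {gap} between {last.isoformat()} and {nxt.isoformat()}")
    print("Likewise hang signature matched:", matches_lsassd_hang(SAMPLE_MESSAGES, SAMPLE_STS))
```

One caveat when running this against real files: an STS log can also go quiet simply because nobody authenticated (overnight, for example), so a gap on its own is not conclusive; the script only reports a match when the gap coincides with a burst of OpenPolicy failures, which is the combination the symptoms above describe.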