Unable to log in to the vCenter Server Appliance shell using root account after password reset (OR) Password keeps getting Locked out
Article ID: 343642

Products

VMware vCenter Server
VMware vCenter Server 7.0
VMware vCenter Server 8.0

Issue/Introduction

This article provides steps to resolve login issues to the vCenter Server Appliance shell using the root account after a password reset.

For root password reset instructions see:



Symptoms (one or more of the following):

  • A login attempt over SSH fails with "Login incorrect" or "Access denied".

  • On the VM console, after entering the password you are redirected to the login screen without an error.

  • Resetting the root password does not resolve the issue.

  • Resetting the root password again fails, and the account locks out again after some time, with the errors below.

    Password change attempt for the root account
    Log message: password changed for root
     
    YEAR-MONTH-DATE:TIME:XX.XXXXXX+00:00 <vcenter name> sudo: pam_unix(sudo:account): account sso-user has expired (failed to change password)
    YEAR-MONTH-DATE:TIME:XX.XXXXXX+00:00 <vcenter name> sudo: sso-user : TTY=pts/1 ; PWD=/var/lib/sso-user ; USER=root ; COMMAND=/usr/bin/passwd root
    YEAR-MONTH-DATE:TIME:XX.XXXXXX+00:00 <vcenter name> sudo: pam_unix(sudo:session): session opened for user root(uid=0) by sso-user(uid=65536)
    YEAR-MONTH-DATE:TIME:XX.XXXXXX+00:00 <vcenter name> passwd[1541160] pam_unix(passwd:chauthtok): password changed for root
    YEAR-MONTH-DATE:TIME:XX.XXXXXX+00:00 <vcenter name> sudo: pam_unix(sudo:session): session closed for user root
     
    Password expiring within a short time (in some cases less than 2 minutes):
    Error message: account sso-user has expired (failed to change password)
     
    YEAR-MONTH-DATE:TIME:XX.XXXXXX+00:00 <vcenter name> sudo: pam_unix(sudo:account): account sso-user has expired (failed to change password)
    YEAR-MONTH-DATE:TIME:XX.XXXXXX+00:00 <vcenter name> sudo: sso-user : TTY=pts/1 ; PWD=/root ; USER=root ; COMMAND=/bin/appliancesh
    YEAR-MONTH-DATE:TIME:XX.XXXXXX+00:00 <vcenter name> sudo: pam_unix(sudo:session): session opened for user root(uid=0) by sso-user(uid=65536)
    YEAR-MONTH-DATE:TIME:XX.XXXXXX+00:00 <vcenter name> sudo: pam_unix(sudo:session): session closed for user root
    YEAR-MONTH-DATE:TIME:XX.XXXXXX+00:00 <vcenter name> sudo: pam_unix(sudo:account): account sso-user has expired (failed to change password)




Environment

VMware vCenter Server Appliance 6.x
VMware vCenter Server Appliance 7.x
VMware vCenter Server Appliance 8.x

Resolution

Prerequisite: Make sure to have a full backup or a snapshot of the vCenter Appliance before you proceed with the steps below:
If the vCenter is part of ELM then make sure that the 

  1. Verify the root entry in the "/etc/passwd" file:
    grep '^root:' /etc/passwd

  2. The output should match the line below; if it does not, edit the file (for example with vim) and correct it:
    root:x:0:0:root:/root:/bin/bash

Note: Correct the login shell (the last field) if it is incorrect.
  1. Verify the useradd default shell:
    grep '^SHELL=' /etc/default/useradd

  2. The output should match the line below; if it does not, edit the file (for example with vim) and correct it:
    SHELL=/bin/appliancesh

  3. Check the lock status of the root account with pam_tally2:
    pam_tally2 --user=root
    NOTE: For vCenter 8.0 U2 onwards, use faillock instead:
    /usr/sbin/faillock --user root

  4. If the above output shows that the account is locked, reset the lock with the command for your vCenter version:
    pam_tally2 --user=root --reset   OR   /usr/sbin/faillock --user root --reset

  5. Verify the account status again with the command for your vCenter version:
    pam_tally2 --user=root   OR   /usr/sbin/faillock --user root

  6. Verify the password ageing details from the shadow file:
    chage -l root

  7. Reboot the vCenter Server Appliance.

  8. Verify the changes made in steps 1 to 6.

  9. If the changes are not reflected, repeat steps 1 to 9.

  10. Verify that the root login works.
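The read-only part of the checks above (root's login shell, the useradd default, and the "account sso-user has expired" pattern from the symptoms) as a small diagnostic script. This is an added example, not part of the KB article: it runs against constructed sample files so it works offline; point PASSWD_FILE, USERADD_FILE and LOG_FILE at the appliance's real files to use it there.

```shell
#!/bin/sh
# Added example (not from the KB). Constructed sample inputs live in a temp dir.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed passwd: root has the wrong login shell (one of the article's findings).
PASSWD_FILE="$WORK/passwd"
printf '%s\n' 'root:x:0:0:root:/root:/bin/appliancesh' \
              'sso-user:x:65536:100::/var/lib/sso-user:/bin/bash' > "$PASSWD_FILE"

# Constructed useradd defaults: matches the value the article expects.
USERADD_FILE="$WORK/useradd"
printf 'GROUP=100\nSHELL=/bin/appliancesh\n' > "$USERADD_FILE"

# Constructed log excerpt showing the sso-user expiry symptom around a root password change.
LOG_FILE="$WORK/messages"
cat > "$LOG_FILE" <<'EOF'
2024-01-01T10:00:00.000000+00:00 vc01 sudo: pam_unix(sudo:account): account sso-user has expired (failed to change password)
2024-01-01T10:00:01.000000+00:00 vc01 passwd[1541160] pam_unix(passwd:chauthtok): password changed for root
2024-01-01T10:01:30.000000+00:00 vc01 sudo: pam_unix(sudo:account): account sso-user has expired (failed to change password)
EOF

# Print root's login shell (7th field of the root: entry).
root_shell() { awk -F: '$1 == "root" { print $7 }' "$1"; }

# Succeed only when root's shell is /bin/bash, as the article expects.
root_shell_ok() { [ "$(root_shell "$1")" = "/bin/bash" ]; }

# Print the SHELL= default for new accounts.
useradd_shell() { sed -n 's/^SHELL=//p' "$1"; }

# Succeed only when the default is /bin/appliancesh, as the article expects.
useradd_shell_ok() { [ "$(useradd_shell "$1")" = "/bin/appliancesh" ]; }

# Count sso-user expiry failures (the symptom) and root password changes in a log file.
count_sso_expired() { grep -c 'account sso-user has expired' "$1"; }
count_root_pw_changes() { grep -c 'pam_unix(passwd:chauthtok): password changed for root' "$1"; }

report() {
    if root_shell_ok "$PASSWD_FILE"; then echo "root shell: OK"
    else echo "root shell: WRONG ($(root_shell "$PASSWD_FILE")), expected /bin/bash"; fi
    if useradd_shell_ok "$USERADD_FILE"; then echo "useradd SHELL: OK"
    else echo "useradd SHELL: WRONG ($(useradd_shell "$USERADD_FILE"))"; fi
    echo "sso-user expiry failures: $(count_sso_expired "$LOG_FILE")"
    echo "root password changes:    $(count_root_pw_changes "$LOG_FILE")"
}
report
```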