Fixing missing SSO Group Memberships for vSphere Solution Users with the solution_users_fixer script


Article ID: 344916


Updated On:

Products

VMware vCenter Server

Issue/Introduction

This script checks and fixes the default internal solution user and service account group memberships in vCenter. The Python version of this script is designed to work for all versions of vCenter 7.x and 8.x.
For vCenter 6.x, use the older bash version.

Currently, it works on the following users.

  • hvc-<machine-id>
  • vpxd-<machine-id>
  • machine-<machine-id>
  • workload_storage_management-<machine-id>
  • autodeploy-<machine-id>
  • vmware-scaservice-<machine-id>
  • vsphere-webclient-<machine-id>
  • certificateauthority-<machine-id>
  • vmware-applmgmtservice-<machine-id>
  • topologysvc-<machine-id>
  • vpxd-extension-<machine-id>
  • sps-<machine-id>
  • serviceaccountmgmt-<machine-id>
  • vpxd-svc-acct-<machine-id>
  • vsphere-ui-<machine-id>
  • wcp-<machine-id>
  • cms-<machine-id>
  • vmware-vsm-<machine-id>

Note: After upgrading a vCenter to 8.0 U2, four service accounts will always be missing from "CN=ServiceProviderUsers,DC=vsphere,DC=local". These are not known to cause a problem yet, but can be fixed nonetheless. These accounts are:
  • cms
  • vmware-vsm
  • vmware-applmgmtservice
  • vpxd-svc-acct


Symptoms:
  • Services such as vpxd-svcs fail to start, with the following errors:
Constructor threw exception; nested exception is java.lang.RuntimeException: Could not find any solution users from SSO
  • Services such as vsphere-client or vsphere-ui fail to load with SSO errors


Environment

VMware vCenter Server 6.7 
VMware vCenter Server 7.x
VMware vCenter Server 8.x

Cause

These services are unable to authenticate successfully to SSO since their users don't have the needed permissions and are not placed in the right groups.

Resolution

IMPORTANT: Please do not use the old 'solution_users_fixer(81623).sh' version of this script; it no longer works on later versions of vCenter Server. The new version is simply 'solution_users_fixer.py'.

Download the script
  • Download the attached script 'solution_users_fixer.py' from this KB article and upload it to the /root folder on the vCenter.

Run the script

python solution_users_fixer.py

--

usage: solution_users_fixer.py [-h] [--check] [--fix] [--map]

options:
  -h, --help  show this help message and exit
  --check     Check if solution users are in the expected groups
  --fix       Fix any discrepancies between expected and current group memberships
  --map       Display the group memberships for each solution user in ServicePrincipals
 

Run the check function
The --check function compares the current group memberships against the version-specific mapping defined in the script, and then prints out any missing or extra groups found. This does not make any changes.




Run the fix function
The --fix function makes the same comparison that --check does, but also updates the users' group memberships to match the predefined set. As this directly edits the vmdir database, ensure a snapshot or backup is taken before using this.
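The comparison that --check and --fix perform can be shown in miniature. The following is an added illustration, not the attached solution_users_fixer.py script or any VMware code: the EXPECTED mapping, the machine-id suffix and the "current" memberships are constructed for the example, and the real script carries its own version-specific mapping and writes to vmdir rather than to an in-memory dictionary. It does show the one parsing detail a practitioner has to get right, namely that "vpxd-extension-<machine-id>" and "vpxd-svc-acct-<machine-id>" must not be matched as "vpxd-<machine-id>", and it keeps the check (read-only diff) separate from the fix (an explicit list of add/remove operations).

```python
"""Dry-run comparison of solution-user group memberships.

Added illustration only (not the VMware solution_users_fixer.py script):
it models the --check / --fix comparison with a constructed mapping and
constructed current memberships so that it runs offline.
"""
from __future__ import annotations

from copy import deepcopy
from dataclasses import dataclass, field

# Solution-user name prefixes listed in the article; every real account is
# "<prefix>-<machine-id>". Sorted longest first so that a name such as
# "vpxd-extension-<id>" is never mis-parsed as "vpxd-<id>".
KNOWN_PREFIXES = sorted([
    "hvc", "vpxd", "machine", "workload_storage_management", "autodeploy",
    "vmware-scaservice", "vsphere-webclient", "certificateauthority",
    "vmware-applmgmtservice", "topologysvc", "vpxd-extension", "sps",
    "serviceaccountmgmt", "vpxd-svc-acct", "vsphere-ui", "wcp", "cms",
    "vmware-vsm",
], key=len, reverse=True)

# CONSTRUCTED expected mapping (prefix -> required groups). The real script
# uses a version-specific mapping; these values are illustrative only.
EXPECTED: dict[str, set[str]] = {
    "vpxd": {"SolutionUsers", "Administrators"},
    "vpxd-extension": {"SolutionUsers"},
    "vsphere-ui": {"SolutionUsers", "Administrators"},
    "cms": {"SolutionUsers", "ServiceProviderUsers"},
}

# CONSTRUCTED current memberships, as a hypothetical vmdir query would return
# them. The machine id "5f2a9c1e" is made up.
CURRENT: dict[str, set[str]] = {
    "vpxd-5f2a9c1e": {"SolutionUsers"},                              # missing Administrators
    "vpxd-extension-5f2a9c1e": {"SolutionUsers", "Administrators"},  # extra Administrators
    "vsphere-ui-5f2a9c1e": {"SolutionUsers", "Administrators"},      # correct
    "cms-5f2a9c1e": {"SolutionUsers"},                               # missing ServiceProviderUsers
    "administrator": {"Administrators"},                             # not a solution user; ignored
}


def split_solution_user(name: str) -> tuple[str, str] | None:
    """Return (prefix, machine_id) for a solution-user name, else None."""
    for prefix in KNOWN_PREFIXES:
        if name.startswith(prefix + "-"):
            return prefix, name[len(prefix) + 1:]
    return None


@dataclass
class Discrepancy:
    user: str
    missing: set[str] = field(default_factory=set)
    extra: set[str] = field(default_factory=set)


def check(current: dict[str, set[str]]) -> list[Discrepancy]:
    """--check equivalent: diff current memberships against EXPECTED; no writes."""
    findings = []
    for user, groups in sorted(current.items()):
        parsed = split_solution_user(user)
        if parsed is None or parsed[0] not in EXPECTED:
            continue  # not an account the mapping covers
        want = EXPECTED[parsed[0]]
        missing, extra = want - groups, groups - want
        if missing or extra:
            findings.append(Discrepancy(user, missing, extra))
    return findings


def plan_fix(current: dict[str, set[str]]) -> list[tuple[str, str, str]]:
    """--fix equivalent, expressed as explicit (action, user, group) operations."""
    ops: list[tuple[str, str, str]] = []
    for d in check(current):
        ops += [("add", d.user, g) for g in sorted(d.missing)]
        ops += [("remove", d.user, g) for g in sorted(d.extra)]
    return ops


def apply_fix(current: dict[str, set[str]], ops) -> dict[str, set[str]]:
    """Apply the planned operations to a copy (the real script edits vmdir)."""
    updated = deepcopy(current)
    for action, user, group in ops:
        (updated[user].add if action == "add" else updated[user].discard)(group)
    return updated


if __name__ == "__main__":
    for d in check(CURRENT):
        print(f"{d.user}: missing={sorted(d.missing)} extra={sorted(d.extra)}")
    for op in plan_fix(CURRENT):
        print("would", *op)
```

Running check() on the constructed data reports three discrepancies and leaves the correctly configured vsphere-ui account and the non-solution "administrator" account alone; plan_fix() turns those into three operations, and after apply_fix() a second check() is empty, which is the property the real --check/--fix pair is meant to have.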

 

Restart Services
Once the --fix function has finished, restart the services that were updated.

service-control --stop --all && service-control --start --all

Additional Information

Optionally, the script can output the current group memberships for informational purposes. This also does not make any changes.

solution_users_fixer.py --map
 


Impact/Risks:
This procedure only checks and makes changes to the solution users belonging to the vCenter it was run on. However, in ELM configurations, the change will replicate to all other nodes in the SSO domain. Take a snapshot before running the '--fix' operation.

Attachments

solution_users_fixer.py
solution_users_fixer(81623)