"vim.fault.UserNotFound" or "The user or group named 'EXAMPLE\esx^admins' does not exist" is encountered.
Running the command: esxcli system permission unset --group -i 'example\esx^admins'
fails with the following error message: The user or group named 'example\esx^admins' does not exist
In /var/run/log/hostd.log:
yyyy-mm-ddThh:mm:ss.mssZ info hostd[2277134] [Originator@6876 sub=Vimsvc.TaskManager opID=cf748e7d user=root] Task Completed : haTask-ha-host-vim.host.HostAccessManager.changeAccessMode-1180481544 Status error
yyyy-mm-ddThh:mm:ss.mssZ info hostd[2277134] [Originator@6876 sub=Solo.Vmomi opID=cf748e7d user=root] Activation finished; <<52e48cb7-a48d-c4c6-a362-77e20d377c99, <TCP '127.0.0.1 : 8307'>, <TCP '127.0.0.1 : 50890'>>, ha-host-access-manager, vim.host.HostAccessManager.changeAccessMode>
yyyy-mm-ddThh:mm:ss.mssZ verbose hostd[2277134] [Originator@6876 sub=Solo.Vmomi opID=cf748e7d user=root] Arg principal:
--> "example\esx^admins"
yyyy-mm-ddThh:mm:ss.mssZ verbose hostd[2277134] [Originator@6876 sub=Solo.Vmomi opID=cf748e7d user=root] Arg isGroup:
--> false
yyyy-mm-ddThh:mm:ss.mssZ verbose hostd[2277134] [Originator@6876 sub=Solo.Vmomi opID=cf748e7d user=root] Arg accessMode:
--> "accessNone"
yyyy-mm-ddThh:mm:ss.mssZ info hostd[2277134] [Originator@6876 sub=Solo.Vmomi opID=cf748e7d user=root] Throw vim.fault.UserNotFound
yyyy-mm-ddThh:mm:ss.mssZ info hostd[2277134] [Originator@6876 sub=Solo.Vmomi opID=cf748e7d user=root] Result:
--> (vim.fault.UserNotFound) {
--> principal = "example\esx^admins",
--> unresolved = false,
--> msg = "",
--> }
A user or group has been removed from the ESXi host but the associated permissions were not removed correctly.
To remove the stale permissions, use either of the resolutions below:
Resolution 1:
1. SSH to the ESXi host as the root user.
2. Add a temp account for "esx^admins": /usr/lib/vmware/busybox/bin/busybox addgroup example\esx^admins
3. Remove the "esx^admins" permission: esxcli system permission unset --group -i "example\esx^admins"
4. Remove the temp account for "esx^admins": /usr/lib/vmware/busybox/bin/busybox delgroup example\esx^admins
Resolution 2:
The entry needs to be removed from the configstore DB.
1. SSH to the ESXi host as the root user.
2. Verify the user or group entry is in the configstore DB: /usr/lib/vmware/sqlite/bin/sqlite3 /etc/vmware/configstore/current-store-1 "select * from Config where Component='esx' and ConfigGroup='authorization' and UserValue like '%esx^admins%'"
Note: Replace the pattern between the % signs with a unique string contained in the name of the user/group being removed.
Result example:
esx|authorization|permissions|a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0u1v2w3x4y5z6|2024-06-05 08:30:26|2023-07-11 17:57:08|1.3|1||{"cs_generated_id": "a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0u1v2w3x4y5z6", "principal": "EXAMPLE\\esx^admins", "is_group": true, "access_mode": "Admin"}||||13
3. Delete the entry : /usr/lib/vmware/sqlite/bin/sqlite3 /etc/vmware/configstore/current-store-1 "delete from Config where Component='esx' and ConfigGroup='authorization' and UserValue like '%esx^admins%'"
4. Repeat step 2 of Resolution 2 to verify that the entry is no longer returned.
5. Restart the ESXi management agent to reflect the removal in the UI, using command: /etc/init.d/hostd restart
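The following is an added example, not part of the original article or VMware's tooling. It shows why step 2 matters before step 3: the LIKE filter can match more than one authorization entry, and a pattern containing the backslash form of the name does not match the JSON-escaped text. The in-memory table is a constructed stand-in holding only the three columns named in the query, and the sample rows and helper names are assumptions.

```python
import json
import sqlite3

def build_sample_store():
    """In-memory stand-in for the configstore Config table (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Config (Component TEXT, ConfigGroup TEXT, UserValue TEXT)")
    rows = [  # constructed sample entries, not taken from a real host
        {"principal": "EXAMPLE\\esx^admins", "is_group": True, "access_mode": "Admin"},
        {"principal": "EXAMPLE\\esx^admins-audit", "is_group": True, "access_mode": "ReadOnly"},
        {"principal": "root", "is_group": False, "access_mode": "Admin"},
    ]
    conn.executemany(
        "INSERT INTO Config VALUES ('esx', 'authorization', ?)",
        [(json.dumps(r),) for r in rows])  # json.dumps stores the backslash as \\
    return conn

def like_matches(conn, fragment):
    """(rowid, principal) pairs hit by the LIKE filter used in steps 2 and 3."""
    cur = conn.execute(
        "SELECT rowid, UserValue FROM Config WHERE Component='esx' "
        "AND ConfigGroup='authorization' AND UserValue LIKE ? ORDER BY rowid",
        (f"%{fragment}%",))
    return [(rowid, json.loads(value)["principal"]) for rowid, value in cur]

def delete_exact(conn, fragment, principal):
    """Delete only rows whose decoded principal equals the target; return count.

    The comparison ignores case (assumption: the article shows the same
    group as both EXAMPLE\\... and example\\...).
    """
    targets = [rowid for rowid, name in like_matches(conn, fragment)
               if name.lower() == principal.lower()]
    with conn:  # single transaction: commits on success, rolls back on error
        conn.executemany("DELETE FROM Config WHERE rowid = ?",
                         [(rowid,) for rowid in targets])
    return len(targets)

if __name__ == "__main__":
    store = build_sample_store()
    print("LIKE hits:", like_matches(store, "esx^admins"))
    print("deleted:", delete_exact(store, "esx^admins", "example\\esx^admins"))
    print("remaining hits:", like_matches(store, "esx^admins"))
```

On a real host the equivalent precaution is to confirm that the select in step 2 returns only the intended entry before running the delete in step 3 with the same pattern.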
To read more about the ESX admins group and the use case for the group, see: Configuring the ESXi host with Active Directory authentication