ESXi Host Displays Repeated 'Cannot Login User root@127.0.0.1: No Permission' Events After Upgrading to Version 8.0 U3 with Lockdown Mode Enabled
search cancel

ESXi Host Displays Repeated 'Cannot Login User [email protected]: No Permission' Events After Upgrading to Version 8.0 U3 with Lockdown Mode Enabled

book

Article ID: 378651

calendar_today

Updated On:

Products

VMware vSphere ESXi VMware vSphere ESXi 8.0

Issue/Introduction

Symptoms

  • After updating the ESXi host to 8.0 U3 with lockdown mode enabled, if the 'root' user is not added to the exception users list, the host starts triggering the event - 
Type: Error
User: root
Target:  ESXi.host.local
Description: Cannot login user [email protected]: no permission
Event Type Description: A user could not log in due to insufficient access permission
  • Before enabling lockdown mode we see the below in the event viewer within VC server:

  • After enabling Lockdown mode we see the below in the event viewer within VC server:

On ESXi  /var/log/syslog.log:

YYYY-MM-DDTHH:MM:SS.845Z In(166) Hostd[2098715]: [Originator@6876 sub=Solo.Vmomi] Activation finished; <<52687575-9d5b-c00e-1e7d-1c2d6ed5ad1e, <TCP '127.0.0.1 : 8307'>, <TCP '127.0.0.1 : 35710'>>, ha-sessionmgr, vim.SessionManager.login, <vim.version.v8_0_3_0, internal, 8.0.3.0>, [N11HostdCommon18VmomiAdapterServer19ActivationResponderE:0x0000002569ef9548]>
YYYY-MM-DDTHH:MM:SS.845Z Db(167) Hostd[2098715]: [Originator@6876 sub=Solo.Vmomi] Arg userName:
YYYY-MM-DDTHH:MM:SS.845Z Db(167) Hostd[2098681]: --> "local-root"
YYYY-MM-DDTHH:MM:SS.845Z Db(167) Hostd[2098715]: [Originator@6876 sub=Solo.Vmomi] Arg password:
YYYY-MM-DDTHH:MM:SS.845Z Db(167) Hostd[2098681]: --> (not shown)
YYYY-MM-DDTHH:MM:SS.845Z Db(167) Hostd[2098681]: -->
YYYY-MM-DDTHH:MM:SS.845Z Db(167) Hostd[2098715]: [Originator@6876 sub=Solo.Vmomi] Arg locale:
YYYY-MM-DDTHH:MM:SS.845Z Db(167) Hostd[2098681]: --> "en"
YYYY-MM-DDTHH:MM:SS.845Z In(166) Hostd[2098715]: [Originator@6876 sub=Solo.Vmomi] Throw vim.fault.NoPermission
YYYY-MM-DDTHH:MM:SS.845Z In(166) Hostd[2098715]: [Originator@6876 sub=Solo.Vmomi] Result:
YYYY-MM-DDTHH:MM:SS.845Z In(166) Hostd[2098681]: --> (vim.fault.NoPermission) {
YYYY-MM-DDTHH:MM:SS.845Z In(166) Hostd[2098681]: --> object = 'vim.Folder:ha-folder-root',
YYYY-MM-DDTHH:MM:SS.845Z In(166) Hostd[2098681]: --> privilegeId = "System.View",
YYYY-MM-DDTHH:MM:SS.845Z In(166) Hostd[2098681]: --> msg = "",
YYYY-MM-DDTHH:MM:SS.845Z In(166) Hostd[2098681]: --> }

Environment

VMware vSphere ESXi 8.0 U3

Cause

The vsan_health is a plugin launched every 5 minutes to capture the vSANmgmt daemon health.The plugin tries to log in to Hostd as a root user to get vsan stubs.

When the host is in lockdown mode, the "root" user will be disabled.

Hence the error log is expected in hostd.log.

Resolution

This issue is resolved in ESXi 8.0u3e

Workaround 

  1. Disable the vSAN health feature on the host, by running this command: 
    # configstorecli config current set -c esx -g health -k vsan_health --path "enabled" --value False
  2. To apply the change, restart the healthd service with: 
    /etc/init.d/health restart
Powered by Wolken Software