Unable to login to ESXi Host UI with an error "Permission to perform this operation was denied."
Article ID: 386006
Updated On:
Products
Issue/Introduction
- When logging on to the ESXi host UI with the root account, it denies access with the error "
Permission to perform this operation was denied."
- In
/var/run/log/auth.logyou will find "Permission denied" error
YYYY-MM-DDT05:31:14.661Z login[2122329]: pam unix (login:auth) : authentication failure; logname= uid=0 euid=0 tty=char/tty/1 rusYYYY-MM-DDT05:31:14.665Z login[2122329]: [module:pam lsass]pam sm authenticate: failed [error code: 40017]YYYY-MM-DDT05:31:16.108Z login[2122329]: pam_authenticate call failed: Authentication failure (7)YYYY-MM-DDT05:31:39.706Z login[2122329]: pam_access (login: account): access denied for user 'root' from 'char/tty/1'YYYY-MM-DDT05:31:39.709Z login[2122329]: pam_acct_mgmt call failed: Permission denied (6)
Environment
VMware vSphere ESXi 7.0
VMware vSphere ESXi 8.0
Cause
This occurs if the permission for the root account is revoked or replaced by another account.
Resolution
-
Place the ESXi host into maintenance mode.
-
Establish an SSH connection to the ESXi host.
-
ssh <username>@<esxi_hostname_or_ip>
-
-
Navigate to the /etc/security directory.
-
cd /etc/security
-
-
Create a backup of the access.conf file.
-
cp access.conf access.conf.bak
-
-
Edit the access.conf file using vi editor.
-
vi access.conf
-
-
Locate the line containing Broot:ALL and modify it to +:root:ALL (replace Broot with +: followed by root).
Example content after modification:# This file is autogenerated and must not be edited.+:cloudadmin:ALL+:dcui:ALL+:root:ALL+:vpxuser:ALL-:ALL:ALLSave the changes and exit the vi editor.
-
-
Press Esc
-
Type :wq!
-
Press Enter
-
-
- Reboot the ESXi host.
- reboot
- Take the ESXi host out of maintenance mode after it has successfully rebooted.
Feedback
