When using profile to remediate expired root pwd and a service account the host generated the error message, "Host profile apply failed with error: Error: Access to perform the operation was denied...".
search cancel

When using profile to remediate expired root pwd and a service account the host generated the error message, "Host profile apply failed with error: Error: Access to perform the operation was denied...".

book

Article ID: 395303

calendar_today

Updated On:

Products

VMware vSphere ESXi VMware vCenter Server 8.0

Issue/Introduction

When using profile to remediate expired root password and a service account the host generated the error message, "Host profile apply failed with error: Error: Access to perform the operation was denied...". 

Once the host profile application has failed there is no way to clear the compliance check even though all user accounts are in compliance on the host. If you select to only remediate the svc account you will see an error in the logs.

Environment

vCenter Server 8.0

ESXi 8.0

Cause

If only the service account is selected to be remediated then vCenter will attempt to remove the root user account prompting a message that permission is denied to perform the operation.

Per the following documentation, https://techdocs.broadcom.com/us/en/vmware-cis/vsphere/vsphere/8-0/host-profiles-8-0/configuring-host-profiles/how-do-you-manage-host-profile-policies-and-policy-components.html#GUID-CC00594A-6426-4D4F-990F-53C9494C5EBB-en
How Do You Deactivate a Host Profile Component or Subprofile?

NOTE:
Sometimes, deselecting the check box might remove the component or component element from the host. This action is displayed in the task list after the pre-check remediation.

In the vCenter Server log you may see an entry similar to below

/var/log/vmware/vpxd/vpxd.log


2025-04-17T11:54:34.041Z error vpxd[05621] [Originator@6876 sub=moHostProfileMgr opID=m9k0c582-28379-auto-lx7-h5:70002995-ab-01] [HostProfileApplyWorker]: Error when Apply host config: ###.###.###, Fault cause: vmodl.fault.SecurityError
-->
2025-04-17T11:54:34.041Z info vpxd[05621] [Originator@6876 sub=moHostProfileMgr opID=m9k0c582-28379-auto-lx7-h5:70002995-ab-01] [ApplyHostProfileToHost]: Remediate finished: ###.###.###
2025-04-17T11:54:34.041Z info vpxd[05621] [Originator@6876 sub=vpxLro opID=m9k0c582-28379-auto-lx7-h5:70002995-ab-01] [VpxLRO] -- FINISH lro-6467736
2025-04-17T11:54:34.046Z info vpxd[06012] [Originator@6876 sub=vpxLro opID=m9k0c582-28379-auto-lx7-h5:70002995-ab] [VpxLRO] -- FINISH task-142904
2025-04-17T11:54:34.087Z error vpxd[06012] [Originator@6876 sub=Default opID=m9k0c582-28379-auto-lx7-h5:70002995-ab] [VpxLRO] -- ERROR task-142904 -- 5263ed0c-cd3c-6974-12b2-c18d0f3adff9(52fcb692-0ea5-ec9b-f2c9-33b47f86b89a) -- HostProfileManager -- vim.profile.host.ProfileManager.applyEntitiesConfiguration: :vim.fault.HostConfigFailed
--> Result:
--> (vim.fault.HostConfigFailed) {
-->    faultCause = (vmodl.MethodFault) null,
-->    faultMessage = <unset>,
-->    failure = (vmodl.MethodFault) [
-->       (vmodl.fault.SystemError) {
-->          faultCause = (vmodl.MethodFault) null,
-->          faultMessage = <unset>,
-->          reason = "Batch host remediation failed."
-->          msg = ""
-->       }
-->    ]
-->    msg = ""
--> }
--> Args:
-->

->       },
-->       inapplicablePath = <unset>,
-->       requireInput = <unset>,
-->       error = <unset>,
-->       host = 'vim.HostSystem:0f7964bd-70b9-4d40-b925-1877a4a8625a:host-1015',
-->       taskListRequirement = <unset>,
-->       taskDescription = (vmodl.LocalizableMessage) [
-->          (vmodl.LocalizableMessage) {
-->             key = "com.vmware.vim.profile.Profile.security.UserAccountProfile.UserAccountProfile.GenerateTaskList.modifyUser.label",
-->             arg = (vmodl.KeyAnyValue) [
-->                (vmodl.KeyAnyValue) {
-->                   key = "name",
-->                   value = "svc-test"
-->                }
-->             ],
-->             message = "'Modifying local user account svc-test'"
-->          },
-->          (vmodl.LocalizableMessage) {
-->             key = "com.vmware.vim.profile.Profile.security.UserAccountProfile.UserAccountProfile.GenerateTaskList.delUser.label",
-->             arg = (vmodl.KeyAnyValue) [
-->                (vmodl.KeyAnyValue) {
-->                   key = "name",
-->                   value = "root"
-->                }
-->             ],
-->             message = "'Removing local user account root'"
-->          }
-->       ],
-->       rebootStateless = <unset>,
-->       rebootHost = true,
-->       faultData = (vmodl.MethodFault) null
-->    }
--> ]

------------------------------------
On the ESXi log you may see an entry similar too below


/var/run/log/syslog.log

2025-04-17T11:54:34Z In(14) hostprofile[9375643] opID=m9k0c582-28379-auto-lx7-h5:70002995-ab-01-91-613a: ApplyHostConfig called for host profile version 8.0.3
2025-04-17T11:54:34Z In(14) hostprofile[9375643] opID=m9k0c582-28379-auto-lx7-h5:70002995-ab-01-91-613a: Applying config first....***
2025-04-17T11:54:34Z In(14) hostprofile[9375643] opID=m9k0c582-28379-auto-lx7-h5:70002995-ab-01-91-613a: Not using on-demand data gathering for profile security_SecurityProfile_SecurityConfigProfile
2025-04-17T11:54:34Z In(14) hostprofile[9375643] opID=m9k0c582-28379-auto-lx7-h5:70002995-ab-01-91-613a: Calling GatherData() for profile type SecurityConfigProfile
2025-04-17T11:54:34Z In(14) hostprofile[9375643] opID=m9k0c582-28379-auto-lx7-h5:70002995-ab-01-91-613a: Calling OnRemediateComplete for profile RoleProfile
2025-04-17T11:54:34Z In(14) hostprofile[9375643] opID=m9k0c582-28379-auto-lx7-h5:70002995-ab-01-91-613a: Not using on-demand data gathering for profile security_UserAccountProfile_UserAccountProfile
2025-04-17T11:54:34Z In(14) hostprofile[9375643] opID=m9k0c582-28379-auto-lx7-h5:70002995-ab-01-91-613a: Calling GatherData() for profile type UserAccountProfile
2025-04-17T11:54:34Z In(14) hostprofile[9375643] opID=m9k0c582-28379-auto-lx7-h5:70002995-ab-01-91-613a: Calling RemediateConfig for profile UserAccountProfile
2025-04-17T11:54:34Z Er(11) hostprofile[9375643] opID=m9k0c582-28379-auto-lx7-h5:70002995-ab-01-91-613a: Exception while applying host config. Exception: (vmodl.fault.SecurityError) {
2025-04-17T11:54:34Z Er(11)[+] hostprofile[9375643]    dynamicType = <unset>,
2025-04-17T11:54:34Z Er(11)[+] hostprofile[9375643]    dynamicProperty = (vmodl.DynamicProperty) [],
2025-04-17T11:54:34Z Er(11)[+] hostprofile[9375643]    msg = 'Access to perform the operation was denied.',
2025-04-17T11:54:34Z Er(11)[+] hostprofile[9375643]    faultCause = <unset>,
2025-04-17T11:54:34Z Er(11)[+] hostprofile[9375643]    faultMessage = (vmodl.LocalizableMessage) []
2025-04-17T11:54:34Z Er(11)[+] hostprofile[9375643] }
2025-04-17T11:54:34Z Wa(12) hostprofile[9375643] opID=m9k0c582-28379-auto-lx7-h5:70002995-ab-01-91-613a: Exception while applying host config. Backtrace:
2025-04-17T11:54:34Z Wa(12)[+] hostprofile[9375643]
2025-04-17T11:54:34Z Wa(12) hostprofile[9375643] opID=m9k0c582-28379-auto-lx7-h5:70002995-ab-01-91-613a:   File "/lib64/python3.11/site-packages/hostprofiles/pyEngine/hostprofilemanager.py", line 1820, in _ApplyHostConfig
2025-04-17T11:54:34Z Wa(12)[+] hostprofile[9375643]
2025-04-17T11:54:34Z Wa(12) hostprofile[9375643] opID=m9k0c582-28379-auto-lx7-h5:70002995-ab-01-91-613a:   File "/lib64/python3.11/site-packages/hostprofiles/pyEngine/applyConfigSpec.py", line 4783, in ApplyHostConfig
2025-04-17T11:54:34Z Wa(12)[+] hostprofile[9375643]
2025-04-17T11:54:34Z Wa(12) hostprofile[9375643] opID=m9k0c582-28379-auto-lx7-h5:70002995-ab-01-91-613a:   File "/lib64/python3.11/site-packages/hostprofiles/pyEngine/applyConfigSpec.py", line 4368, in ApplyGenericConfig
2025-04-17T11:54:34Z Wa(12)[+] hostprofile[9375643]
2025-04-17T11:54:34Z Wa(12) hostprofile[9375643] opID=m9k0c582-28379-auto-lx7-h5:70002995-ab-01-91-613a:   File "/lib64/python3.11/site-packages/hostprofiles/pyEngine/genericProfileBridge.py", line 934, in RecurseRemediateConfig
2025-04-17T11:54:34Z Wa(12)[+] hostprofile[9375643]
2025-04-17T11:54:34Z Wa(12) hostprofile[9375643] opID=m9k0c582-28379-auto-lx7-h5:70002995-ab-01-91-613a:   File "/lib64/python3.11/site-packages/hostprofiles/pyEngine/genericProfileBridge.py", line 928, in RecurseRemediateConfig
2025-04-17T11:54:34Z Wa(12)[+] hostprofile[9375643]
2025-04-17T11:54:34Z Wa(12) hostprofile[9375643] opID=m9k0c582-28379-auto-lx7-h5:70002995-ab-01-91-613a:   File "/usr/lib/hostprofiles/plugins/security/UserAccountProfile.py", line 646, in RemediateConfig
2025-04-17T11:54:34Z Wa(12)[+] hostprofile[9375643]     RemoveUser(taskObj)
2025-04-17T11:54:34Z Wa(12)[+] hostprofile[9375643]
2025-04-17T11:54:34Z Wa(12) hostprofile[9375643] opID=m9k0c582-28379-auto-lx7-h5:70002995-ab-01-91-613a:   File "/lib64/python3.11/site-packages/pyVim/account.py", line 66, in RemoveUser
2025-04-17T11:54:34Z Wa(12)[+] hostprofile[9375643]
2025-04-17T11:54:34Z Wa(12) hostprofile[9375643] opID=m9k0c582-28379-auto-lx7-h5:70002995-ab-01-91-613a:   File "/lib64/python3.11/site-packages/pyVmomi/VmomiSupport.py", line 618, in <lambda>
2025-04-17T11:54:34Z Wa(12)[+] hostprofile[9375643]
2025-04-17T11:54:34Z Wa(12) hostprofile[9375643] opID=m9k0c582-28379-auto-lx7-h5:70002995-ab-01-91-613a:   File "/lib64/python3.11/site-packages/pyVmomi/VmomiSupport.py", line 391, in _InvokeMethod
2025-04-17T11:54:34Z Wa(12)[+] hostprofile[9375643]
2025-04-17T11:54:34Z Wa(12) hostprofile[9375643] opID=m9k0c582-28379-auto-lx7-h5:70002995-ab-01-91-613a:   File "/lib64/python3.11/site-packages/pyVmomi/SoapAdapter.py", line 1607, in InvokeMethod
2025-04-17T11:54:34Z Wa(12)[+] hostprofile[9375643]
2025-04-17T11:54:34Z Wa(12) hostprofile[9375643] opID=m9k0c582-28379-auto-lx7-h5:70002995-ab-01-91-613a: excObj is a runtime fault: (vmodl.fault.SecurityError) {

Resolution

  1. Login to the vCenter UI
  2. Go to 'Home' > 'Policies and Profiles' > 'Host Profiles'
  3. Right click the Host Profile and click 'Edit Host Profile'
  4. In the 'Edit Host Profile' wizard uncheck all boxes
  5. Under Security and services > Security setting > Security > User configuration Check the box for all user accounts
  6. For each user account In the 'Password' drop-down, choose 'Leave Password unchanged for default account' 
  7. Right-click the Host Profile to open the 'Actions' menu. Choose 'Attach/Detach Hosts and Clusters...' and then select the host in the wizard.
  8. Right-click the new Host Profile to open the 'Actions' menu. Choose ' Edit Host customization..
  9. Select the host which stats Customization required, check the configurations and Finish [ no changes need]
  10. Click the hamburger button in the upper left of the screen and select inventory.
  11. Right-click the ESXi host in the inventory. The select Host Profiles > Remediate...
  12. To confirm success, right-click the host and select Host Profiles > Check Host Profile Compliance.

Additional Information

Steps are similar to https://knowledge.broadcom.com/external/article/323617/reset-esxi-root-password-with-host-profi.html but choose 'Leave Password unchanged for default account' instead of  'Fixed password configuration'

Powered by Wolken Software