Root user login failure events in ESXi logging
search cancel

Root user login failure events in ESXi logging

book

Article ID: 401591

calendar_today

Updated On:

Products

VMware vSphere ESXi

Issue/Introduction

Hostd.log on effected hosts will note that the root user is failing to login

Hostd.log

2025-05-22T12:34:12.954Z In(166) Hostd[2099508]: [Originator@6876 sub=Vimsvc.ha-eventmgr opID=esxcli-07-0eed sid=525e1ac4] Event 35272 : Cannot login user [email protected]: no permission
2025-05-22T12:34:12.954Z Db(167) Hostd[2099506]: [Originator@6876 sub=PropertyCollector] ProcessGUReqs Start: Session 523196fa-622a-4971-528f-d0270621221c
2025-05-22T12:34:12.954Z Db(167) Hostd[2099508]: [Originator@6876 sub=Vimsvc.HaSessionManager opID=esxcli-07-0eed sid=525e1ac4] Invalid login request for session 525e1ac4-26bc-393a-2ab1-0e3b89d5c264: delaying response for 4 seconds
2025-05-22T12:34:12.954Z Db(167) Hostd[2099506]: [Originator@6876 sub=PropertyProvider opID=fed50ee9] [_GetChanges] _GetChanges called on session[523196fa-622a-4971-528f-d0270621221c]521307a9-d214-da69-bc19-229f07e94b71 with version 35062

Environment

ESXi 8.0 u3 

Cause

We can see that some ESXCLi commands are being run right before this error happens 

2025-05-22T12:34:12.953Z Db(167) Hostd[2099516]: [Originator@6876 sub=IO.Http] Session's UserAgent : pyvmomi 8.0.2.0.1 internal Python/3.11.11 (VMkernel; 8.0.3; x86_64)

 

These ESXCLi commands need root permissions 

2025-05-22T12:34:12.954Z Db(167) Hostd[2099508]: [Originator@6876 sub=Vimsvc.Ticket opID=esxcli-07-0eed sid=525e1ac4] Ticket used: ***e2a6c
2025-05-22T12:34:12.954Z In(166) Hostd[2099508]: [Originator@6876 sub=Vimsvc.HaSessionManager opID=esxcli-07-0eed sid=525e1ac4] Accepted password for user root from 127.0.0.1 - session=525e1ac4-26bc-393a-2ab1-0e3b89d5c264
2025-05-22T12:34:12.954Z In(166) Hostd[2099508]: [Originator@6876 sub=Vimsvc opID=esxcli-07-0eed sid=525e1ac4] [Auth]: User root

 

You will see sut.log folders on the effected hosts that show the events bellow that will match the timestamps of the failed login messages for root in hostd.log

sut.log

2025-05-22T12:44:33.123Z In(30) sut[2100247]: [INFO] :: [global.cpp:1459] :: Console log content for the command (esxcli system maintenanceMode get >& /tmp/stagingdirectory/sutm
2025-05-22T12:44:33.123Z In(30) sut[2100247]: aintenancemode.log) is : Error: Permission to perform this operation was denied..
2025-05-22T12:44:33.123Z In(30) sut[2100247]:

Resolution

SUT ( Smart Update Tools ) is a HPE product 

Therefore to resolve this issue please engage with HPE to review this SUT user and review why the logins are failing and producing these events 

Additional Information

Alternative cause of similar log in failures can occur as per this kb -- KB378651

If you have no events in the SUT logs and the issue persists after completing the kb above please open a case with Broadcom Support

Powered by Wolken Software