ESXi hosts fail to locate or look up user objects, resulting in authentication failures. Logs typically contain the following error strings:
Failed to find user
Failed to lookup object
LDAP error 40071 symbol = LW_ERROR_NO_SUCH_OBJECT
This occurs when the ESXi host attempts to query an outdated, decommissioned, or incorrect Domain Controller (DC). Standard auth_to_local translation rules do not define the target DC for these queries.
VMware ESXi 6.7 / 7.0 / 8.0
In an environment with multiple Domain Controllers where one DC is not functioning properly, ESXi may be using the faulty DC.
This method explicitly defines which DCs the Kerberos client must use.
Enable and log in to the ESXi Shell via SSH as root.
Back up the existing configuration: cp /etc/krb5.conf /etc/krb5.conf.bak
Edit the file: vi /etc/krb5.conf
Locate the [realms] section and insert kdc and admin_server entries. Ensure the realm name remains in ALL CAPS.
Example:
[realms]
YOUR.DOMAIN.NAME = {
kdc = Your.Domain.Controller.1
kdc = Your.Domain.Controller.2
admin_server = Your.Domain.Controller.1
auth_to_local = RULE:[1:$0\$1](^YOUR\.DOMAIN\.NAME\.*)s/^YOUR\.DOMAIN\.NAME\
auth_to_local = DEFAULT
}
Save and exit (:wq).
Restart the services: /etc/init.d/lwsmd restart
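Before restarting lwsmd it is worth confirming that the edited [realms] block actually pins the host to the intended DCs. The script below is an added example and is not part of the KB or of VMware's tooling: it parses a krb5.conf, checks that the realm name is ALL CAPS, that at least one kdc and an admin_server are defined inside that realm's braces, and prints the DCs the Kerberos client will use. The configuration files it creates are constructed samples; the hostnames in them (dc1.corp.example.com, dc2.corp.example.com) and the realm CORP.EXAMPLE.COM are assumptions, not values from this page. Point it at /etc/krb5.conf and your own realm on a real host.

```shell
#!/bin/sh
# Added example (not from the KB): sanity-check the [realms] block of a
# krb5.conf before restarting lwsmd.
# Usage: check_realm_kdcs /etc/krb5.conf YOUR.DOMAIN.NAME
# Returns 0 when the realm is pinned to explicit DCs, 1 otherwise.

check_realm_kdcs() {
    conf="$1"
    realm="$2"

    # The realm must be upper case or lookups against AD fail.
    case "$realm" in
        *[a-z]*) echo "realm '$realm' must be ALL CAPS" >&2; return 1 ;;
    esac

    # Keep only the lines between "REALM = {" and the closing "}" under [realms].
    block=$(awk -v r="$realm" '
        /^\[realms\]/                      { in_realms = 1; next }
        /^\[/                              { in_realms = 0 }
        in_realms && $1 == r && $2 == "="  { in_block = 1; next }
        in_block && /^[ \t]*}/             { in_block = 0 }
        in_block                           { print }
    ' "$conf")

    kdcs=$(printf '%s\n' "$block" | awk '$1 == "kdc" && $2 == "=" { print $3 }')
    admin=$(printf '%s\n' "$block" | awk '$1 == "admin_server" && $2 == "=" { print $3 }')

    # No kdc entries means the host falls back to DC autodiscovery, which is
    # exactly the situation this KB is trying to avoid.
    if [ -z "$kdcs" ]; then
        echo "no kdc entries for realm $realm in $conf" >&2
        return 1
    fi
    if [ -z "$admin" ]; then
        echo "no admin_server entry for realm $realm in $conf" >&2
        return 1
    fi
    printf 'kdc: %s\n' $kdcs
    printf 'admin_server: %s\n' "$admin"
    return 0
}

# Number of DCs the realm is pinned to (0 when the check fails).
count_kdcs() {
    check_realm_kdcs "$1" "$2" 2>/dev/null | grep -c '^kdc: '
}

# Constructed sample configs for a stand-alone run; the hostnames are invented.
SAMPLE_GOOD=$(mktemp)
cat > "$SAMPLE_GOOD" <<'EOF'
[libdefaults]
default_realm = CORP.EXAMPLE.COM
[realms]
CORP.EXAMPLE.COM = {
kdc = dc1.corp.example.com
kdc = dc2.corp.example.com
admin_server = dc1.corp.example.com
auth_to_local = DEFAULT
}
EOF

# Same realm, but nothing pinned: the host would autodiscover DCs.
SAMPLE_BAD=$(mktemp)
cat > "$SAMPLE_BAD" <<'EOF'
[realms]
CORP.EXAMPLE.COM = {
auth_to_local = DEFAULT
}
EOF

# Stand-alone run: list the pinned DCs of the good sample, reject the bad one.
check_realm_kdcs "$SAMPLE_GOOD" CORP.EXAMPLE.COM
check_realm_kdcs "$SAMPLE_BAD" CORP.EXAMPLE.COM || echo "sample without kdc entries rejected as expected"
```

The realm-name check is deliberately strict: a lowercase realm is rejected before the file is even read, because that is the most common way an otherwise correct [realms] block silently fails to match.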
If you prefer to prevent the host from talking to a specific IP, use the correct lwregshell syntax. The set_value command requires the Key Path, the Value Name, and the Value Data as separate arguments.
Run the following command to blacklist a specific DC IP:
/usr/lib/vmware/likewise/bin/lwregshell set_value '[HKEY_THIS_MACHINE\Services\netlogon\Parameters]' "BlacklistedDCs" "IP.ADDRESS.OF.DC"
Note: Ensure "BlacklistedDCs" is quoted and treated as the value name.
Refresh the configuration and restart the service:
/opt/likewise/bin/lwsm refresh netlogon
/etc/init.d/lwsmd restart