How to reset the machine account password:
In the vmdird-syslog.log file, the following entries may be observed:
[YYYY-MM-DDTHH:MM:SS] err vmdird t@140107551946496: SASLSessionStep: sasl error (-13)(SASL(-13): authentication failure: client evidence does not match what we calculated. Probably a password error)
[YYYY-MM-DDTHH:MM:SS] err vmdird t@140107551946496: VmDirSendLdapResult: Request (96), Error (49), Message ((49)(SASL step failed.)), (0) socket ([17] 198.51.100.1 :389<-198.51.212.102:54753)
[YYYY-MM-DDTHH:MM:SS] err vmdird t@140107551946496: Bind Request Failed ([17] 192.0.2.1:389<-192.0.2.6:54753) error 49: Protocol version: 3, Bind DN: "cn=accountname,ou=Computers,dc=vsphere,dc=local", Method: 163
Note: The vmdird-syslog.log file is located at:
For vCenter Server Appliance with embedded Platform Services Controller (PSC): /var/log/vmware/vmdird/vmdird-syslog.log
For Windows installed vCenter Server with embedded Platform Services Controller (PSC): "%VMWARE_LOG_DIR%"\vmdird\vmdir.log
Note: The vmdir log is not present in vCenters that do not have an embedded PSC.
Note: From 6.5 onwards the Inventory Service is not available. For LDAP errors, see /var/log/vmware/sso/vmware-sts-idmd.log or /var/log/vmware/vmdird/vmdird-syslog.log
Replication can be checked using the following command (it must be run on each VC/PSC in the SSO domain to accurately reflect the situation):
/usr/lib/vmware-vmdir/bin/vdcrepadmin -f showpartnerstatus -h localhost -u administrator
If a partner is reported as being changes behind, review the vmdird-syslog.log of both nodes for ldap 49 errors
against those machines
vmdird
for the account listed in the vmdird-syslog.log file.
vmdird-syslog.log file.
vmdird-syslog.log entries for "error 49" were to look like this:
[YYYY-MM-DDTHH:MM:SS] err vmdird t@140107551946496: Bind Request Failed ([17] 198.51.100.1 :389<-198.51.212.102:54753) error 49: Protocol version: 3, Bind DN: "cn=FQDN.local,ou=Computers,dc=vsphere,dc=local", Method: 163
Bind DN: "cn=FQDN.local,ou=Domain Controllers,dc=vsphere,dc=local"
FQDN.local would be the affected account.
vsphere.local
[email protected]
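The account-identification step above, as an added example (not VMware's code): a Python parser that pulls the affected machine account and the client address out of "Bind Request Failed ... error 49" entries. The sample lines and host names are constructed, and the line layout is assumed to match the excerpts on this page.

```python
import re
from collections import Counter

# Layout of the "Bind Request Failed ... error 49" entries quoted on this page.
BIND_FAIL = re.compile(
    r'Bind Request Failed \(\[\d+\]\s*(?P<server>[^\s:]+)\s*:\d+'
    r'<-(?P<client>[^\s:]+):\d+\)\s+error 49:.*?Bind DN: "(?P<dn>[^"]*)"'
)
# Containers that hold machine accounts in the page's two Bind DN examples.
MACHINE_OUS = ("ou=computers", "ou=domain controllers")


def affected_accounts(lines):
    """Count failed machine-account binds per (account name, client address)."""
    hits = Counter()
    for line in lines:
        m = BIND_FAIL.search(line)
        if not m:
            continue  # SASL step errors etc. carry no Bind DN
        # Naive RDN split: fine for host names, which contain no escaped commas.
        rdns = [r.strip() for r in m.group("dn").split(",")]
        if len(rdns) < 2 or rdns[1].lower() not in MACHINE_OUS:
            continue  # error 49 for a user or service account
        if rdns[0].lower().startswith("cn="):
            hits[(rdns[0][3:], m.group("client"))] += 1
    return hits


# Constructed sample entries (documentation addresses, made-up host names).
_T = ('[2024-05-01T10:00:0{n}] err vmdird t@1: Bind Request Failed '
      '([17] {srv}:389<-{cli}:5475{n}) error 49: Protocol version: 3, '
      'Bind DN: "{dn}", Method: {meth}')
SAMPLE = [
    _T.format(n=1, srv="192.0.2.1", cli="192.0.2.6", meth=163,
              dn="cn=psc01.example.local,ou=Computers,dc=vsphere,dc=local"),
    _T.format(n=2, srv="192.0.2.1", cli="192.0.2.6", meth=163,
              dn="cn=psc01.example.local,ou=Computers,dc=vsphere,dc=local"),
    _T.format(n=3, srv="192.0.2.1 ", cli="192.0.2.7", meth=163,
              dn="cn=vc01.example.local,ou=Domain Controllers,dc=vsphere,dc=local"),
    _T.format(n=4, srv="192.0.2.1", cli="192.0.2.8", meth=128,
              dn="cn=jdoe,cn=Users,dc=vsphere,dc=local"),
    "[2024-05-01T10:00:05] err vmdird t@1: SASLSessionStep: sasl error (-13)",
]

if __name__ == "__main__":
    for (account, client), count in affected_accounts(SAMPLE).most_common():
        print(f"{account}  from {client}  failed binds: {count}")
```

To run it against a real log, pass an open file object for vmdird-syslog.log to `affected_accounts` instead of `SAMPLE`.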
vdcadmintool
correct default settings in the SSO password policies are required. VMware currently does not support setting the maximum password length above 20 characters.
ldap 49 error in its vmdird-syslog.log with an SSH session and root credentials.
shell.set --enabled true
shell and press Enter.
vdcadmintool:
/usr/lib/vmware-vmdir/bin/vdcadmintool
Please select:
0. exit
1. Test LDAP connectivity
2. Force start replication cycle
3. Reset account password
4. Set log level and mask
5. Set vmdir state
vmdird-syslog.log file.
FQDN@SSO Domain.
[email protected]
& (ampersand)
; (semicolon)
" (double quotation mark)
' (single quotation mark)
^ (circumflex)
\ (backslash)
% (percentage)
shell.set --enabled true
shell and press Enter.
/opt/likewise/bin/lwregshell
cd HKEY_THIS_MACHINE\services\vmdir\
set_value dcAccountPassword "new password"
quit
%VMWARE_CIS_HOME%\vmdird\vdcadmintool.exe
Please select:
0. exit
1. Test LDAP connectivity
2. Force start replication cycle
3. Reset account password
4. Set log level and mask
5. Set vmdir state
vmdir.log file.
FQDN@SSO Domain.
[email protected]
regedit.
HKLM\System\CurrentControlset\Services\VMwareDirectoryService\ location.
dcAccountPassword.
dir-cli (versions 6.5 onwards)
Note: Ensure offline snapshots of all vCenters and PSCs are in place before running. This means powering off all vCenters and PSCs in the SSO domain, logging in to the ESXi hosts they are placed on, and taking snapshots while they are down. If reverting, revert all machines before powering any on. This is to ensure consistency in the SSO domain.
Appliance:
vmdird-syslog.log as root user via SSH
shell.set --enabled true
shell and press Enter.
<Platform Services Controller FQDN> is the FQDN of the vCenter with embedded PSC or PSC of the machine with the error 49 in its vmdird-syslog.log:
/usr/lib/vmware-vmafd/bin/dir-cli computer password-reset --login administrator --live-dc-hostname <Platform Services Controller FQDN> --password <[email protected] password>
vmdir.log
<Platform Services Controller FQDN> is the FQDN of the vCenter with embedded PSC or PSC of the machine with the error 49 in its vmdir.log:
%VMWARE_CIS_HOME%\vmafdd\dir-cli.exe computer password-reset --login administrator --live-dc-hostname <Platform Services Controller FQDN> --password <[email protected] password>
reset_machine_pw.sh shell script (Built in for version 7.0 only)
root user and type shell to access the bash shell
/usr/lib/vmware-vmdir/vmdir-tool/reset_machine_pw.sh
VMware Skyline Health Diagnostics for vSphere - FAQ
How to stop, start, or restart vCenter Server 6.x services
Stopping, starting, or restarting VMware vCenter Server Appliance 6.x services
VCenter Server fails to start with "Remote login failed:N3Vim5Fault9HttpFault9ExceptionE(vim.fault.HttpFault)", After vCenter Server is restored from backup or snapshot