Active directory authentication fails with ESXi 5.5 Fresh install

I ran into this issue last week while upgrading several ESXi environments to 5.5.  On these I needed to move the boot from SAN partition so I did fresh installs from the disks.  Everything was great until I tried to login to the ESXi host with domain credentials.  (By default ESXi looks for members of a AD group called ESX Admins)  All AD authentication requests failed.   At first I thought it was a issue with the HP version of ESXi from Sep. 2013:

VMware-ESXi-5.5.0-1331820-HP-5.71.3-Sep2013

Turns out it’s a issue with VMware’s base image.  So every fresh install could have this issue.   When you setup AD authentication a number of daemons are started:

netlogond, lwiod, and lsassd

First time they run they create a number of directories and create pid files in /var/lock/subsys.   Unfortunately this is where the error lies.  There is no /var/lock/subsys directory.  It was missed.  I confirmed the issue still exists on the latest patch set as well.  So here is the work around:

Log in to ESXi via SSH or vMA as root (since you cannot login as you)
mkdir /var/lock/subsys
/etc/init.d/netlogond restart; /etc/init.d/lwiod restart; /etc/init.d/lsassd restart;

And test AD login… all should be good.  VMware should post a KB article in the near future.

UPDATE:’

VMware has posted the KB : http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2075398

They state it’s not a issue beyond the display of the message and if you refresh the status everything is running.  Personally my experience is you need the fix to make it work… but it’s just me.

12 thoughts on “Active directory authentication fails with ESXi 5.5 Fresh install

  1. I’ve set up 15 or so esxi 5.5 systems in the past few months and I need to do this every time in order for AD login to work.

    Thanks for the write up

  2. I am running the free ESXI 5.5.0.1331820 with AD integration, permission for user/groups “domain users”. When i patch to the latest 5.5 patch 5.5.0.1892794 I know longer can login with domain users. I tried to rejoin esxi host to domain successfully but I can not get the domain to show in the permissions “users and groups”. I’ve tried the above and verified that the directory ‘subsys” is created and restart those services but I still cannot get my domain to show up in the domain drop down list. I am not using VCENTER, is this now required?

    1. The issue I have reports should not have anything to do with vCenter. ESXi AD permissions are not at this time tied to vCenter in any way. I suspect you might have found a new or different bug. Can you duplicate the issue with a clean install? Did you remove it’s entry from AD before you rejoined? (You might have to remove the server entry from AD before the rejoin.) Just a few suggestions. When you join it or browse for groups do the ESXi server logs provide any errors?

  3. We’ve just downloaded esxi 5.5 update 2 and it’s still an issue – followed the above and it works fine. Thanks for the article!

  4. Hi I can confirm that this is still an issue with ESXi 5.5.0, 3116895 (U3, September 16, 2015 patches) I have to apply the fix above to get AD integration working.

  5. Thanks for the information – we have the same issue (HP Update 2), but with one wrinkle. Running the three service restarts in your article, after creating the directory, doesn’t work. I find I need to go nuclear and run
    /usr/sbin/services.sh restart

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.