Active Directory user denied to ESXi SSH login – ESXi 6.0 (3620759)

After configuring AD authentication on ESXi 6.0 as per KB 2075361, we were not able to log in to the ESX shell using AD authentication.

In /var/log/auth.log, we noticed the below error.

pam_access(sshd:auth): access denied for user 

sshd[123225]: [module:pam_lsass]pam_sm_authenticate: failed [error code:40286

KB 2145400 lists this as a known issue and gives a workaround, but it didn't help, so we contacted VMware support and they fixed the issue by making the changes below.

1. Copy the file ldap.conf to the /tmp directory:
cp /etc/likewise/openldap/ldap.conf /tmp

2. Give write permission to /tmp/ldap.conf:
chmod +w /tmp/ldap.conf

3. Modify the file /tmp/ldap.conf to set buffer size to 15KB

Replace the line 'SASL_SECPROPS maxbufsize=40960' with 'SASL_SECPROPS maxbufsize=5242880' (5 MB buffer).

4. Save the file.

5. Copy /tmp/ldap.conf to /etc/likewise/openldap/ldap.conf

6. Verify that the contents of /etc/likewise/openldap/ldap.conf are modified.

7. Restart the likewise daemon lwsmd:

/etc/init.d/lwsmd restart
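
The steps above as one script, added here as an example (it is not VMware's or the original post's code): it replaces only the exact line named in step 3, verifies the edited copy, and keeps a backup before copying it back. The function name, the .bak backup and the --apply switch are assumptions, as is the availability of mktemp and grep -x in the ESXi shell.

```sh
#!/bin/sh
# Added example. Path and values come from the post; everything else is assumed.
LDAP_CONF=/etc/likewise/openldap/ldap.conf
OLD_MAXBUF=40960
NEW_MAXBUF=5242880

# update_sasl_maxbuf FILE
# Returns: 0 updated (or already set), 1 file unreadable / copy failed,
#          2 expected line not found (file untouched), 3 verification failed.
update_sasl_maxbuf() {
    conf=$1
    old="SASL_SECPROPS maxbufsize=${OLD_MAXBUF}"
    new="SASL_SECPROPS maxbufsize=${NEW_MAXBUF}"

    [ -r "$conf" ] || return 1
    grep -qx "$new" "$conf" && return 0   # already applied, nothing to do
    grep -qx "$old" "$conf" || return 2   # unexpected content: do not guess

    # Steps 1-4: edit a working copy, never the live file.
    work=$(mktemp /tmp/ldap.conf.XXXXXX) || return 1
    sed "s/^${old}\$/${new}/" "$conf" > "$work"

    # Step 6, done before the copy back: exactly one new line, same length.
    if [ "$(grep -cx "$new" "$work")" -ne 1 ] ||
       [ $(wc -l < "$work") -ne $(wc -l < "$conf") ]; then
        rm -f "$work"
        return 3
    fi

    # Step 5: keep the original next to the file, then copy the edit back.
    cp "$conf" "$conf.bak" && cp "$work" "$conf"
    rc=$?
    rm -f "$work"
    return $rc
}

# Run as: sh fix_ldap_maxbuf.sh --apply   (script name is hypothetical)
if [ "${1:-}" = "--apply" ]; then
    # Step 7: restart lwsmd only if the file was updated successfully.
    update_sasl_maxbuf "$LDAP_CONF" && /etc/init.d/lwsmd restart
fi
```

If the change has to be rolled back, copy ldap.conf.bak over ldap.conf and restart lwsmd again.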


Trend Micro Deep Security Manager 9.6 ( service pack 1 upgrade ) – Part 5

Check my previous blog on the DSM database schema changes, which have to be done before upgrading Trend DSM 9.6 to SP1, and also my other blogs about DSM 9.5 and 9.6 installation and functionality.

Download the Trend DSM SP1.

Click on the downloaded SP1 file.

Accept the agreement.

It will search for the previous version.

Select the option to upgrade the existing installation.

Click Next on the installation path.

It will extract the files in the background and proceed with the installation.

Click Finish.

Check by logging in to the DSM Manager.

We can check the version of the SP1.

If we have another node, please follow the same steps to upgrade it to SP1.


Manually updating the Deep Security Manager (DSM) database before upgrading to 9.6 SP1 – Part 4

Check my other blogs on Trend DSM 9.5 and 9.6. In this blog we can see how to manually perform the DSM database schema changes that are required to upgrade to Trend DSM 9.6 SP1 or the latest patch. These changes are required only for Microsoft SQL Server databases.

Trend has provided a tool to do this DB change, but when I tried it in my lab it failed, and in our PRD there are a lot of processes to get approval to install any tool on the DB server, so we completed the DSM DB schema changes using the manual method.

Please note it is very important to take a DB backup before the activity.

Download the script from the Trend link.

Database Integrity Check.

Before proceeding with the steps mentioned in the sections below, it is important to first check the database integrity for Deep Security Manager:

Log in to SQL Server and select the Deep Security database.

Open the DeepSecurityDatabaseBigintMigrationScriptTableRecoveryCommand.sql script using Notepad and copy its contents to the New Query area.

Change the database name right at the top of the script to your DSM database.

Click Parse on the SQL Server.

Click Execute on the SQL Server.

Running the Migration script.

Make sure to take the DB backup and stop the Trend DSM service on all the nodes.

Check the table usage and free disk space of the SQL server.

Use the script DeepSecurityDatabaseBigintMigrationScriptTableSpaceUsageSummary.sql to get the summary of table space usage. Below is an example:

[Screenshot: table space usage summary]

Go to the unzipped folder, then locate the DeepSecurityDatabaseBigintMigrationScript.sql script.

Open the script and modify the database name for each tenant. For example, if your database name is DSM95, change the script to [DSM95] similar to the following:

use [DSM95]

We need to run the same on each tenant database in a multi-tenant environment.

The migration script is now completed. In the next blog we can see the steps for the DSM installer SP1 upgrade.

Reference :

https://esupport.trendmicro.com/solution/en-us/1112218.aspx


Various options to enable the Telnet client and other methods to check the port.

In recent versions of Windows, the Telnet client is not enabled by default. In this blog we can see various methods to install the client and to check port connectivity.

Option 1:

We can install it from Add Roles and Features.

Option 2:

Apart from this traditional way, we can install it using the below PowerShell method.

Import-Module ServerManager
Add-WindowsFeature -Name Telnet-Client

Option 3:

dism /online /Enable-Feature /FeatureName:TelnetClient


Option 4:

Download the below Powershell script and run it on the server.

Dropbox

Option 5:

We can install the Telnet client using the package manager.

Please note it is supported only on Windows Vista and higher.

C:\> pkgmgr /iu:"TelnetClient"

Next we can see options to test the port from the source system to the destination without using telnet.

Option 1:

On Windows, an alternative way to test a port from the source system to the destination without installing the Telnet client is to use Windows sockets through System.Net.Sockets, provided in the .NET Framework.

New-Object System.Net.Sockets.TcpClient("IP", "PORT")

Option 2:

Use the below powershell script which can do the same operations.

Dropbox

Option 3:

To make it easy, we can import this function as a module and then use it as a PowerShell cmdlet to test the port.

Import-Module .\Test-port.psm1

Type Get-Help Test-port to see the syntax:
Test-port [[-computername] <Object>] [[-port] <Object>]

Test-port -computername 1.1.1.1 -port 80

Download it from the Dropbox and get more info from the readme.

Option 4:

In the VMware vCenter appliance we have to use curl to test port connectivity.

KB2097039 will give more info on the same.

curl -v telnet://127.0.0.1:22

Option 5:

Telnet is available only on ESX hosts. For ESXi 3.5, 4.x and 5.x, you will need to use netcat (nc).

KB 2020669 will give more info on the same.

nc -z <destination-ip> <destination-port>

Reference :

http://powershell.com/cs/blogs/tips/archive/2016/01/26/enabling-telnet-client-and-watching-star-wars.aspx?utm_content=buffer46e94&utm_medium=social&utm_source=twitter.com&utm_campaign=buffer

https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2097039

https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2020669

http://www.travisgan.com/2014/03/use-powershell-to-test-port.html


VMware KB articles with no resolution for a few known issues in vSphere 6.0, and workarounds to fix them.

Check my other blog for the VC6.0 installation issues. In this blog I want to highlight VMware KB articles that list no resolution for certain known issues but give a workaround, and also a few issues that have been fixed in the latest code.

I will try to update the blog as the KBs are updated.

Issue 1:

Heavy logging on the Platform Services Controller Appliance 6.0 causes /storage/log to fill up.

KB: 2143565

Issue 2:

Virtual Machines using large pages can temporarily become unresponsive after vMotion

KB: 2144984

Issue 3:

VMware Tools show status of Current even though tools image are replaced with newer version

KB: 2145464

Issue 4:

Actions performed against Active Directory may fail after upgrading to ESXi 6.0 Update 2

KB: 2145400

Issue 5:

ESXi 6.0 hosts become unresponsive when joined to an Active Directory domain

KB: 2145611

Issue 6:

After upgrading to ESXi 6.0 Update 2, accessing the Host Client UI fails with error: 503 Service Unavailable (2144962)

KB: 2144962

Issue 7:

Possible virtual machine and data deletion when restoring the vCenter Server Appliance 6.0 from backup

KB: 2143799 Note: This issue has been fixed in VC6.0 U2

Issue 8:

vCenter Server or Platform Services Controller certificate validation error for external VMware Solutions in vSphere 6.0

KB: 2109074 Note: This issue has been fixed in VC6.0 U1

Issue 9:

Using NAT between the vCenter Server system and ESXi/ESX hosts

KB: 1010652

Issue 10:

Service Composer fails to translate virtual machines into security-groups in VMware NSX for vSphere 6.x

KB: 2144726

Issue 11:

VMware vCenter Server Appliance workaround for CVE-2015-7547: glibc getaddrinfo stack-based buffer overflow (2144075)

KB: 2144075 Note: This issue has been fixed in VC6.0 U2

Issue 12:

Upgrading an ESXi 6.0 host to Update 2 with Lock Down mode enabled using vCenter Update Manager fails with the error: The host returns esxupdate error code:18 (2144691)

KB: 2144691

Issue 13:

Red Hat Enterprise 7 virtual machine UTC time settings are not changed when deploying a customized virtual machine (2144594)

KB: 2144594

Issue 14:

Issuing a 0x85 SCSI Command from a VMware ESXi 6.0 host with the EMC XtremIO storage array may result in a PDL error (2133286)

KB: 3133286

Issue 15:

Upgrading vCenter Server or Platform Services Controller Appliance 6.0 through the VAMI fails at 70% (2144485)

KB: 2144485 Note: This issue has been fixed in VC6.0 U2

Issue 16:

ESXi 5.5.x/6.0.x host in a VMware NSX for vSphere 6.2.1 environment fails with a purple diagnostic screen and reports the backtrace: PFFilterPacket and VSIPDVFProcessSlowPathPackets (2144018)

KB: 2144018 Note: This issue has been fixed with latest code.

Issue 17:

Installing the VMware Client Integration Plug-in 5.5 Update 3 and 6.0 Update 1 hangs on Installing certificates and starting service (2133846)

KB: 2133846

Issue 18:

vCenter Server Performance has gap with Last Week, Month and Year.

KB: 2145455 Note: This issue has been fixed in ESXi6.0P02

Issue 19:

Microsoft Convenience Update and VMware VMXNet3 Incompatibilities

VMware Blog:

Issue 20:

VMware ESXi 6.0, Patch ESXi600-201605401 (CBT Bug)

Take care – Express Patch 6 for ESXi 6 can break your Backup (CBT Bug)!

Issue 21:

Logging into the Virtual Appliance Management Interface (VAMI) using valid credentials fails

KB: 2144904

Issue 22:

Windows 2008+ incremental backups become full backups ESXi6.0

Link to check the status

Issue 23:

Upgrading Platform Service Controller or vCenter Server Appliance 6.0 fails at 70% (2145333)

KB: 2145333

Issue 24:

vCenter Server 6.0 Update 2 displays on non-Virtual SAN enabled ESXi hosts displays the message: Retrieve a ticket to register the Virtual SAN VASA Provider

KB: 2145308


How to enable monitoring for the vShield Endpoint communication with ESX module.

Please check my other blogs about Trend DSM 9.5 and 9.6. Here we can see how to enable monitoring for vShield Endpoint when it loses communication with the ESX module.

Log in to the VC to which vShield Manager is connected.

We can find the VC name from the below location.

[Screenshot]

Select the Alarms tab at the vCenter level – vShield Endpoint Host Status.

In General we can see the below info; make sure the Alarm type is HOSTS.

[Screenshot]

On the next tab, make sure we have selected the event type.

In the Action tab, add the notification email and choose when we should get the alert.

For example, I have selected Green – Yellow, Yellow – Red, Red – Yellow, Yellow – Green.

When the alert triggers, we will get the mail in the below format.

[Screenshot]

Reference :

http://esupport.trendmicro.com/solution/en-US/1095445.aspx

https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2021886


vSphere Replication sso fails with error Bad exit code:1

After upgrading the VCSA to the latest U2 with a new machine certificate, I noticed vSphere Replication was in a failed status, and when I tried to configure the lookup service address and restart the service, it failed with the error BAD EXIT CODE:1.

The VR release notes mention that the old IP or certificate of the vCenter is preserved in the OVF environment of the VR Management Server, which causes validation of the vCenter Server to fail.

As a workaround, the release notes say to log in to the vCenter using the web client and power off and on the vSphere Replication Management Server VM. This forces an update of the OVF environment on the VR Management Server VM, which resolves the issue.

Reference:

https://www.vmware.com/support/vsphere-replication/doc/vsphere-replication-60-release-notes.html
