While using the vSphere Client connected directly to an ESXi host, attempting to join the host to a domain to use Active Directory authentication fails. Your environment contains more than a single domain, and the domains have trusts enabled between them. The lsassd.log file may contain entries similar to:

20110121153559:DEBUG:0xffb403c0:[LsaDmpMustFindDomain() /build/mts/release/bora-286437/likewise/esxi-esxi/src/linux/lsass/server/auth-providers/ad-provider/lsadm_p.c:1308] Do not know about domain 'YOURDOMAIN.COM'
20110121153559:DEBUG:0xffb403c0:[LsaDmpIsDomainOffline() /build/mts/release/bora-286437/likewise/esxi-esxi/src/linux/lsass/server/auth-providers/ad-provider/lsadm_p.c:2419] Error code: 40044 (symbol: LW_ERROR_NO_SUCH_DOMAIN)
20110121153752:DEBUG:0xffb403c0:[AD_DsEnumerateDomainTrusts() /build/mts/release/bora-286437/likewise/esxi-esxi/src/linux/lsass/server/auth-providers/ad-provider/adnetapi.c:1127] Failed to enumerate trusts at HOSTNAME.CORPDOMAINNAME (error 59)
20110121153752:DEBUG:0xffb403c0:[AD_DsEnumerateDomainTrusts() /build/mts/release/bora-286437/likewise/esxi-esxi/src/linux/lsass/server/auth-providers/ad-provider/adnetapi.c:1141] Error code: 40096 (symbol: LW_ERROR_ENUM_DOMAIN_TRUSTS_FAILED)
20110121153950:DEBUG:0xffb403c0:[AD_DsEnumerateDomainTrusts() /build/mts/release/bora-286437/likewise/esxi-esxi/src/linux/lsass/server/auth-providers/ad-provider/adnetapi.c:1127] Failed to enumerate trusts at HOSTNAME.CORPDOMAINNAME (error 59)
20110121153950:DEBUG:0xffb403c0:[AD_DsEnumerateDomainTrusts() /build/mts/release/bora-286437/likewise/esxi-esxi/src/linux/lsass/server/auth-providers/ad-provider/adnetapi.c:1141] Error code: 40096 (symbol: LW_ERROR_ENUM_DOMAIN_TRUSTS_FAILED)
20110121153950:DEBUG:0xffb403c0:[LsaDmConnectDomain() /build/mts/release/bora-286437/likewise/esxi-esxi/src/linux/lsass/server/auth-providers/ad-provider/lsadm.c:911] Error code: 40096 (symbol: LW_ERROR_ENUM_DOMAIN_TRUSTS_FAILED)
20110121153950:INFO:0xffb403c0:[LsaDmpModifyDomainFlagsByRef() /build/mts/release/bora-286437/likewise/esxi-esxi/src/linux/lsass/server/auth-providers/ad-provider/lsadm_p.c:2214] Domain 'CORPDOMAINNAME' is now offline
20110121153950:ERROR:0xffb403c0:[LsaDmEnginepDiscoverTrustsForDomain() /build/mts/release/bora-286437/likewise/esxi-esxi/src/linux/lsass/server/auth-providers/ad-provi

Note: You may need to first enable logging for the Likewise agents that are used on ESX/ESXi to facilitate joining the host to an Active Directory domain. By default, none of these agents generate a log file.
For more information, see Enabling logging for Likewise agents on ESX/ESXi (1026554).
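The following shell script, added here as an example and not part of the VMware article, scans an lsassd.log for the kind of entries shown above: it counts each LW_ERROR symbol, lists the domain controllers at which trust enumeration failed, and names the domains the domain manager marked offline. The sample log written by write_sample_log is constructed from the article's excerpt; on a host you would point the functions at /var/log/vmware/lsassd.log instead. The function names are this example's own, not Likewise or ESXi tools.

```shell
#!/bin/sh
# Added example (not from the VMware KB): triage helpers for lsassd.log
# trust-enumeration failures. All function names are this example's own.
set -u

# Write a constructed sample log (the article's entries, one per line) to $1.
write_sample_log() {
    cat > "$1" <<'EOF'
20110121153559:DEBUG:0xffb403c0:[LsaDmpMustFindDomain() /build/mts/release/bora-286437/likewise/esxi-esxi/src/linux/lsass/server/auth-providers/ad-provider/lsadm_p.c:1308] Do not know about domain 'YOURDOMAIN.COM'
20110121153559:DEBUG:0xffb403c0:[LsaDmpIsDomainOffline() /build/mts/release/bora-286437/likewise/esxi-esxi/src/linux/lsass/server/auth-providers/ad-provider/lsadm_p.c:2419] Error code: 40044 (symbol: LW_ERROR_NO_SUCH_DOMAIN)
20110121153752:DEBUG:0xffb403c0:[AD_DsEnumerateDomainTrusts() /build/mts/release/bora-286437/likewise/esxi-esxi/src/linux/lsass/server/auth-providers/ad-provider/adnetapi.c:1127] Failed to enumerate trusts at HOSTNAME.CORPDOMAINNAME (error 59)
20110121153752:DEBUG:0xffb403c0:[AD_DsEnumerateDomainTrusts() /build/mts/release/bora-286437/likewise/esxi-esxi/src/linux/lsass/server/auth-providers/ad-provider/adnetapi.c:1141] Error code: 40096 (symbol: LW_ERROR_ENUM_DOMAIN_TRUSTS_FAILED)
20110121153950:DEBUG:0xffb403c0:[AD_DsEnumerateDomainTrusts() /build/mts/release/bora-286437/likewise/esxi-esxi/src/linux/lsass/server/auth-providers/ad-provider/adnetapi.c:1127] Failed to enumerate trusts at HOSTNAME.CORPDOMAINNAME (error 59)
20110121153950:DEBUG:0xffb403c0:[AD_DsEnumerateDomainTrusts() /build/mts/release/bora-286437/likewise/esxi-esxi/src/linux/lsass/server/auth-providers/ad-provider/adnetapi.c:1141] Error code: 40096 (symbol: LW_ERROR_ENUM_DOMAIN_TRUSTS_FAILED)
20110121153950:DEBUG:0xffb403c0:[LsaDmConnectDomain() /build/mts/release/bora-286437/likewise/esxi-esxi/src/linux/lsass/server/auth-providers/ad-provider/lsadm.c:911] Error code: 40096 (symbol: LW_ERROR_ENUM_DOMAIN_TRUSTS_FAILED)
20110121153950:INFO:0xffb403c0:[LsaDmpModifyDomainFlagsByRef() /build/mts/release/bora-286437/likewise/esxi-esxi/src/linux/lsass/server/auth-providers/ad-provider/lsadm_p.c:2214] Domain 'CORPDOMAINNAME' is now offline
EOF
}

# Print each distinct LW_ERROR_* symbol in $1 with its occurrence count,
# most frequent first (output lines look like "      3 LW_ERROR_...").
lsassd_error_counts() {
    sed -n 's/.*(symbol: \(LW_ERROR_[A-Z_]*\)).*/\1/p' "$1" | sort | uniq -c | sort -rn
}

# Print each domain controller at which trust enumeration failed, with a count.
lsassd_failed_dcs() {
    sed -n 's/.*Failed to enumerate trusts at \([^ ]*\) .*/\1/p' "$1" | sort | uniq -c
}

# Print the domains that the domain manager marked offline.
lsassd_offline_domains() {
    sed -n "s/.*Domain '\([^']*\)' is now offline.*/\1/p" "$1"
}

# Return 0 when the log shows the trust-enumeration failure this article covers.
lsassd_has_trust_failure() {
    grep -q 'LW_ERROR_ENUM_DOMAIN_TRUSTS_FAILED' "$1"
}

# Print a short report for the log in $1.
lsassd_triage() {
    echo "Error symbols:";            lsassd_error_counts "$1"
    echo "Trust enumeration failed at:"; lsassd_failed_dcs "$1"
    echo "Domains marked offline:";   lsassd_offline_domains "$1"
    if lsassd_has_trust_failure "$1"; then
        echo "Trust enumeration failure present: see the KB resolution steps."
    fi
}

# Run with --demo to triage the constructed sample; otherwise only define functions.
if [ "${1:-}" = "--demo" ]; then
    sample=$(mktemp)
    write_sample_log "$sample"
    lsassd_triage "$sample"
    rm -f "$sample"
fi
```

On a host, `lsassd_triage /var/log/vmware/lsassd.log` gives a quick read on whether the failure matches this article before you start changing timeouts and configuration; a growing count under "Trust enumeration failed at" for the same domain controller, followed by the domain going offline, is the pattern described above.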
This issue may occur if you have a very large number of trusts between domains. To resolve this issue:

1. In vSphere Client, click View > Administration > Server Settings > Timeout Settings > Normal Operations. Change the timeout value for normal operations to 360 seconds.

   Note: The timeout value may need to be set higher if you have a very large number of trusts between domains.

2. If you previously tried to add the host to the domain, remove the host from the domain using the vSphere Client connected directly to the host: Host > Configuration > Authentication > Leave domain.

3. Run this command from a command line with root privileges:

   /etc/init.d/lsassd stop

4. Remove all of the files in the /etc/likewise/db directory.

5. Make a backup copy of the file /etc/likewise/lsassd.conf.

6. Use a text editor to make these changes to the file:
   - Remove the comment symbol (#) from the line containing enable-eventlog = yes.
   - Change the log level to the desired level in the line containing log-level. For example: log-level = verbose
   - Remove the # from the line containing domain-manager-check-domain-online-interval and change the interval to 1h (one hour).
   - Remove the # from the line containing domain-manager-unknown-domain-cache-timeout and change the interval to 1m (one minute).
   - Remove the # from the line containing memory-cache-size-cap = 10000.

7. Run the following commands to turn off the vobd and wsman daemons:

   chkconfig --level 3 vobd off
   chkconfig --level 3 wsman off

8. Remove the server object for the host from Active Directory if it has not already been removed.

9. Run this command from a command line to save the file changes:

   /sbin/auto-backup.sh

10. Reboot the host. After the reboot, connect via vSphere Client directly to the host again, and also via SSH.

11. Using SSH access with root privileges, enable the logging once again, since these changes do not persist across reboots.

12. Ensure that the group ESX Admins exists in your Active Directory.

13. Add the host to the domain, leave the domain, then add the host again:
    a) Using the vSphere Client connected directly to the host, select Configuration > Authentication > Join Domain.
    b) After the above attempt completes, immediately leave the domain.
    c) After leaving the domain, immediately join the domain again.

The process of adding the host to the domain now begins and may take 30-45 minutes, or more. If you wish to follow the process and see the trusted domains appear one by one, run this command via the SSH session (with root privileges):

tail -f /var/log/vmware/lsassd.log

When the entire process has completed and all trusts have been enumerated, all of the trusted domain controllers should show in Configuration > Authentication on the host. Select Permissions on the host; you should see that the group ESX Admins has been added. You should now be able to log into the host successfully using the vSphere Client as well as an SSH client. You can also use a pager (such as the less or more command) to look at /etc/likewise/krb5-affinity.conf; you should see all of your trusted domains together with their IP addresses.

Note: The enumeration of the trusts is also done on each reboot. Therefore, if after the timeout changes above the enumeration took 30-45 minutes to complete, there is a similar delay after a reboot before Active Directory login functionality is available again.
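The following shell script, added here as an example and not part of the VMware article, performs the lsassd.conf edits from step 6 of the resolution on a copy of the file after taking the backup from step 5, and then verifies that every setting is present and uncommented. The sample configuration written by write_sample_conf is constructed for the demonstration: the key names are the ones the article lists, but the surrounding layout of a real /etc/likewise/lsassd.conf may differ. set_conf_value, apply_kb_changes and verify_conf are this example's own helpers, not Likewise or ESXi tools.

```shell
#!/bin/sh
# Added example (not from the VMware KB): apply the lsassd.conf edits the
# resolution describes, with a backup and a verification pass.
# Helper names are this example's own; the sample config is constructed.
set -u

# Write a constructed sample lsassd.conf (keys as the article names them) to $1.
write_sample_conf() {
    cat > "$1" <<'EOF'
[global]
# enable-eventlog = yes
log-level = error

[lsass]
# domain-manager-check-domain-online-interval = 5m
# domain-manager-unknown-domain-cache-timeout = 1h
# memory-cache-size-cap = 10000
EOF
}

# Uncomment a "key = value" line and set its value.
# $1 = file, $2 = key, $3 = new value. The key is matched at line start,
# optionally preceded by "#" and whitespace, so commented and active lines
# are both rewritten to the single active form "key = value".
set_conf_value() {
    file=$1; key=$2; value=$3
    sed "s|^[[:space:]]*#*[[:space:]]*${key}[[:space:]]*=.*|${key} = ${value}|" "$file" \
        > "$file.tmp" && mv "$file.tmp" "$file"
}

# Back up $1 to $1.bak (step 5), then apply the five edits from step 6.
apply_kb_changes() {
    cp "$1" "$1.bak" || return 1
    set_conf_value "$1" enable-eventlog yes
    set_conf_value "$1" log-level verbose
    set_conf_value "$1" domain-manager-check-domain-online-interval 1h
    set_conf_value "$1" domain-manager-unknown-domain-cache-timeout 1m
    set_conf_value "$1" memory-cache-size-cap 10000
}

# Return 0 only if every expected setting appears active (uncommented) in $1.
verify_conf() {
    for want in "enable-eventlog = yes" "log-level = verbose" \
                "domain-manager-check-domain-online-interval = 1h" \
                "domain-manager-unknown-domain-cache-timeout = 1m" \
                "memory-cache-size-cap = 10000"; do
        grep -q "^${want}\$" "$1" || return 1
    done
    return 0
}

# Run with --demo to exercise the helpers on the constructed sample.
if [ "${1:-}" = "--demo" ]; then
    conf=$(mktemp)
    write_sample_conf "$conf"
    apply_kb_changes "$conf"
    if verify_conf "$conf"; then echo "all settings applied"; else echo "verification failed"; fi
    diff "$conf.bak" "$conf" || true
    rm -f "$conf" "$conf.bak"
fi
```

On a host you would call `apply_kb_changes /etc/likewise/lsassd.conf` and then `verify_conf /etc/likewise/lsassd.conf` before running /sbin/auto-backup.sh (step 9); the .bak copy left beside the file is the backup the article asks for in step 5, and verify_conf is the check to repeat after a reboot, since the article notes that the logging changes do not persist across reboots.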
Enabling logging for Likewise agents on ESXi/ESX