Adding an ESXi 5.x host to the Active Directory domain fails with the error: vmwauth Exception Join domain failed

Article ID: 342906

Products

VMware vSphere ESXi

Issue/Introduction

Symptoms:
  • Unable to complete the Domain Join operation for ESXi hosts or vMA appliances using the Active Directory user credentials
  • Cannot add an ESXi host to the Active Directory domain
  • Adding an ESXi host to the Active Directory domain fails
  • In the hostd.log file, located at /var/log/, you see entries similar to:

    [38F7CB90 error 'ActiveDirectoryAuthentication' opID=DA951D9C-0000004D] vmwauth Exception: Exception 0xffff0000: Unknown exception
    [38F7CB90 info 'ha-eventmgr' opID=DA951D9C-0000004D] Event 47 : Join domain failed.
    [38F7CB90 info 'TaskManager' opID=DA951D9C-0000004D] Task Completed : haTask-ha-host-vim.host.ActiveDirectoryAuthentication.joinDomain-228758718 Status error

    [3F8F8B90 warning 'UserDirectory' opID=FE08E1AA-000000D1-4a] Group lookup failed for 'DOMAIN\ESX Admins'
    LsaOpenServer: 2
    GetDomainTrustState: Call to GetTrustedDomains() failed: Exception 0x00000002: Exception 0x00000002: The system cannot find the file specified.
    [3F8F8B90 info 'SysCommandPosix' opID=FE08E1AA-000000D1-4a] ForkExec(/bin/sh) 13091
    [3F8F8B90 info 'ha-eventmgr' opID=FE08E1AA-000000D1-4a] Event 96 : Join domain succeeded


    And:

    DJRunJoinProcess: 0x80047: 0x3B - Unknown error
    Stack Trace:
    /build/mts/release/bora-698690/likewise/esxi-esxi/src/linux/domainjoin/libdomainjoin/src/djauthinfo.c:872
    /build/mts/release/bora-698690/likewise/esxi-esxi/src/linux/domainjoin/libdomainjoin/src/djauthinfo.c:1218
     

  • Likewise agent (lsassd) fails immediately after the Domain Join operation task is created
  • In the messages logs, the vMA appliance reports lwiod module errors similar to:

    lwiod[3179]: Error when handling SMB socket[code:-1]
    sshd[3300]: Accepted password for vi-admin from 10.8.20.199 port 55600 ssh2
    lwiod[3179]: Error when handling SMB socket[code:-1]
    lwiod[3179]: Error when handling SMB socket[code:-1]
    sudo: pam_unix2(sudo:auth): conversation failed
    lwiod[3179]: Error when handling SMB socket[code:-1]
    sudo: vi-admin : TTY=pts/1 ; PWD=/var/log/vmware/vma ; USER=root ; COMMAND=/bin/su -
    su: (to root) vi-admin on /dev/pts/1
    lwiod[3179]: Error when handling SMB socket[code:-1]
    lwiod[3179]: Error when handling SMB socket[code:-1]
    lwiod[3179]: Error when handling SMB socket[code:-1]
     
  • The vMA.log file reports Domain Join errors similar to:

    20130129165052:ERROR:Lsass Error [CENTERROR_DOMAINJOIN_LSASS_ERROR]
    0x3B - Unknown error
    Stack Trace:
    main.c:921
    main.c:465
    djmodule.c:323
    djauthinfo.c:872
    djauthinfo.c:1218

     
  • The network capture for SMB errors in the Likewise agent logs shows entries similar to:

    1749 74.565084000 10.8.22.75 10.8.94.14 KRB5 602 TGS-REP
    14 Reassembled TCP Segments (19360 bytes): #1730(1448), #1731(1448), #1734(1448), #1735(1448), #1736(1448),
    #1737(1448), #1740(1448), #1741(1448), #1742(1448), #1743(1448), #1746(1448), #1747(1448), #1748(1448), #1749(536)
    Kerberos TGS-REP
    Record Mark: 19356 bytes
    Pvno: 5
    MSG Type: TGS-REP (13)
    Client Realm: Domain Name
    Client Name (Principal): username
    Ticket
    enc-part rc4-hmac

    ...
    ...
    1773 74.567814000 10.8.94.14 10.8.22.75 SMB 504 Session Setup AndX Request
    15 Reassembled TCP Segments (19434 bytes): #1757(1448), #1758(1448), #1759(1448), #1760(810), #1762(1448), #1763(1448), #1764(1448), #1765(1448), #1766(810), #1768(1448), #1769(1448), #1770(1448), #1771(1448), #1772(1448), #1773(438)
    NetBIOS Session Service
    SMB (Server Message Block Protocol)
    SMB Header
    Session Setup AndX Request (0x73)
    Security Blob Length: 19314
    Byte Count (BCC): 19371

Note: The preceding log excerpts are only examples. Date, time, and environmental variables may vary depending on your environment.


Environment

VMware vSphere ESXi 5.1
VMware ESXi 4.1.x Installable
VMware ESXi 4.1.x Embedded
VMware vSphere ESXi 5.0
VMware vSphere ESXi 5.5

Cause

This issue occurs if the Kerberos Ticket Granting Service (TGS) ticket is very large. In the sample SMB error capture, the size of the TGS is 19356 bytes.

After the TGS is obtained, the Session Setup AndX request is sent with a security blob length of 19314 and a byte count of 19371. SMB session setup fails and reports lwiod errors if the blob size is greater than 16 KB.

The TGS may become this large if the AD user is a member of more than 100 AD groups.
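
A triage sketch for the cause described above, added here as an example and not VMware's code: it extracts the size fields from a plain-text packet dissection and checks the security blob against the 16 KB limit, alongside the log signatures from the Symptoms section. The function names, the plain-text export format and the sample inputs (constructed from the excerpts in this article) are assumptions.

```python
import re

# Limit stated in the article: SMB session setup fails above 16 KB.
SMB_BLOB_LIMIT = 16 * 1024

# Constructed samples, modelled on the capture and log excerpts in this article.
SAMPLE_CAPTURE = """\
1749 74.565084000 10.8.22.75 10.8.94.14 KRB5 602 TGS-REP
Record Mark: 19356 bytes
1773 74.567814000 10.8.94.14 10.8.22.75 SMB 504 Session Setup AndX Request
Security Blob Length: 19314
Byte Count (BCC): 19371
"""
SAMPLE_LOG = """\
lwiod[3179]: Error when handling SMB socket[code:-1]
[38F7CB90 info 'ha-eventmgr' opID=DA951D9C-0000004D] Event 47 : Join domain failed.
"""
# Size fields as they appear in a plain-text packet dissection (assumed export format).
FIELDS = {
    "tgs_rep_bytes": re.compile(r"Record Mark:\s*(\d+)\s*bytes"),
    "blob_bytes": re.compile(r"Security Blob Length:\s*(\d+)"),
    "byte_count": re.compile(r"Byte Count \(BCC\):\s*(\d+)"),
}
# Log signatures quoted in the Symptoms section.
SYMPTOMS = {
    "join_failed": re.compile(r"Join domain failed"),
    "lwiod_smb_error": re.compile(r"lwiod\[\d+\]: Error when handling SMB socket"),
    "lsass_0x3b": re.compile(r"0x3B - Unknown error"),
}

def parse_capture(text):
    """Return the largest value seen for each size field in the dissection text."""
    found = {name: [int(v) for v in rx.findall(text)] for name, rx in FIELDS.items()}
    return {name: max(vals) for name, vals in found.items() if vals}

def triage(log_text, capture_text, limit=SMB_BLOB_LIMIT):
    """Correlate the log symptoms with an oversized session-setup security blob."""
    symptoms = sorted(n for n, rx in SYMPTOMS.items() if rx.search(log_text))
    sizes = parse_capture(capture_text)
    blob = sizes.get("blob_bytes", 0)
    return {
        "symptoms": symptoms,
        "sizes": sizes,
        "over_limit_by": max(0, blob - limit),
        "matches_article": bool(symptoms) and blob > limit,
    }

if __name__ == "__main__":
    print(triage(SAMPLE_LOG, SAMPLE_CAPTURE))
```

A result with symptoms present but `over_limit_by` equal to 0 points away from this article's cause and toward a different join failure.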

Resolution

To resolve this issue, edit the system registry of the Windows Domain Controller and increase the MaxBufferSize.
 
To increase the MaxBufferSize:
  1. In the Windows Domain Controller, click Start > Run, type regedit, and click OK. The Registry Editor window opens.
  2. Navigate to the HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\SizeReqBuf registry key.
  3. Set datatype to REG_DWORD.
  4. Set Range from 1024 to 65535.
  5. For Windows Server versions of operating systems, such as Windows NT Server, Windows 2000, Windows 2003, and Windows 2008, if the physical memory is less than or equal to 512M, set the default value to 4356. For other cases, set the default value to 16644.
     

    Note: This procedure modifies the Windows registry. Before making any registry modifications, ensure that you have a current and valid backup of the registry and the virtual machine.



Additional Information

 
Note: The preceding link was correct as of April 30, 2013. If you find the link is broken, provide feedback and a VMware employee will update the link.
Adding an ESXi 5.x host to the Active Directory domain fails with the following error: vmwauth Exception Join domain failed