How to reset the machine account password
Symptoms:
- In the vmdird-syslog.log file, you see entries similar to:
2016-09-21T18:47:48.024511+00:00 err vmdird t@140107551946496: SASLSessionStep: sasl error (-13)(SASL(-13): authentication failure: client evidence does not match what we calculated. Probably a password error)
2016-09-21T18:47:48.024533+00:00 err vmdird t@140107551946496: VmDirSendLdapResult: Request (96), Error (49), Message ((49)(SASL step failed.)), (0) socket ([17] 10.105.217.85:389<-10.105.212.102:54753)
2016-09-21T18:47:48.024538+00:00 err vmdird t@140107551946496: Bind Request Failed ([17] 10.105.217.85:389<-10.105.212.102:54753) error 49: Protocol version: 3, Bind DN: "cn=accountname,ou=Computers,dc=vsphere,dc=local", Method: 163
Note: The vmdird-syslog.log file is located at:
- vCenter Server Appliance with embedded PSC/PSC: /var/log/vmware/vmdird/vmdird-syslog.log
- Windows installed vCenter Server with embedded PSC/PSC: "%VMWARE_LOG_DIR%"\vmdird\vmdir.log
Note: The vmdir log is not present in vCenters that do not have an embedded PSC.
Note: From 6.5 onwards, the Inventory Service is not available. For LDAP errors, see
/var/log/vmware/sso/vmware-sts-idmd.log or
/var/log/vmware/vmdird/vmdird-syslog.log.
Note: This log excerpt is an example. Date, time, and environmental variables may vary depending on your environment.
- vmdir replication may not be working between vCenter Servers with embedded PSCs or external PSCs. Nodes may be XXX changes behind from the replication partners' point of view.
Replication can be checked with the command below. It must be run on each VC/PSC in the SSO domain to accurately reflect the situation:
/usr/lib/vmware-vmdir/bin/vdcrepadmin -f showpartnerstatus -h localhost -u administrator
If a partner is reported as being changes behind, review the vmdird-syslog.log of both nodes for LDAP error 49 entries against those machines.
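One way to review vmdird-syslog.log for the LDAP error 49 bind failures described above is to summarise them per Bind DN and client address. This is an added example, not VMware tooling: the function name, the regular expression (derived from the excerpt in the Symptoms) and the last two sample lines are assumptions made for illustration.

```python
import re
import sys
from collections import Counter

# Format of the "Bind Request Failed" line shown in the Symptoms excerpt.
BIND_FAIL = re.compile(
    r'^(?P<ts>\S+) err vmdird t@\d+: Bind Request Failed '
    r'\(\[\d+\] [\d.]+:\d+<-(?P<client>[\d.]+):\d+\) '
    r'error (?P<code>\d+): .*?Bind DN: "(?P<dn>[^"]*)"'
)

def summarize_bind_failures(lines, code="49"):
    """Return (bind_dn, client_ip, count, last_timestamp), most frequent first."""
    counts, last_seen = Counter(), {}
    for line in lines:
        m = BIND_FAIL.match(line.strip())
        if not m or m.group("code") != code:
            continue  # not a failed bind, or a different LDAP result code
        key = (m.group("dn"), m.group("client"))
        counts[key] += 1
        last_seen[key] = m.group("ts")
    return [(dn, ip, n, last_seen[(dn, ip)]) for (dn, ip), n in counts.most_common()]

# Lines 1-2 are from the excerpt above; lines 3-4 are constructed sample data.
SAMPLE = r'''
2016-09-21T18:47:48.024533+00:00 err vmdird t@140107551946496: VmDirSendLdapResult: Request (96), Error (49), Message ((49)(SASL step failed.)), (0) socket ([17] 10.105.217.85:389<-10.105.212.102:54753)
2016-09-21T18:47:48.024538+00:00 err vmdird t@140107551946496: Bind Request Failed ([17] 10.105.217.85:389<-10.105.212.102:54753) error 49: Protocol version: 3, Bind DN: "cn=accountname,ou=Computers,dc=vsphere,dc=local", Method: 163
2016-09-21T18:49:02.113204+00:00 err vmdird t@140107551946496: Bind Request Failed ([18] 10.105.217.85:389<-10.105.212.102:54790) error 49: Protocol version: 3, Bind DN: "cn=accountname,ou=Computers,dc=vsphere,dc=local", Method: 163
2016-09-21T18:50:10.500001+00:00 err vmdird t@140107551946497: Bind Request Failed ([19] 10.105.217.85:389<-10.105.212.103:41002) error 49: Protocol version: 3, Bind DN: "cn=otherhost,ou=Computers,dc=vsphere,dc=local", Method: 163
'''.strip().splitlines()

if __name__ == "__main__":
    # Pass the path to vmdird-syslog.log, or run without arguments for the sample.
    lines = open(sys.argv[1], errors="replace") if len(sys.argv) > 1 else SAMPLE
    for dn, ip, n, ts in summarize_bind_failures(lines):
        print(f"{n:5d}  {ip:15s}  last={ts}  {dn}")
```

A Bind DN that fails repeatedly from the address of a replication partner identifies which node to examine first.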