ESX 4.1: Local users cannot login

If you regularly SSH into your ESX hosts, this may be old news to you. But if you’re like me and mostly manage your ESX hosts via vSphere Client, you might have a surprise waiting for you when you upgrade to ESX & ESXi 4.1. With the advent of ESX Active Directory integration, VMware kindly decided to impose some new changes and requirements for local user accounts. What does this mean to you?

For me, it meant that when I tried to SSH into my ESX host, I ran into “Access is denied.” And with only one non-root user account on the system, this meant no remote access (on the host itself). Root is restricted to interactive access, so that wasn’t any help. Thankfully the Dell Remote Access Card (DRAC) put me on the console, so to speak, and let me poke around as root.

The solution, though, came from a Google search, a somewhat unhelpful VMware KB article (1024235), and a little connecting of the dots. AD integration places a new dependency on the local “Administrators” role. If local user accounts aren’t in that role, they can’t get in.

Oddly enough, vSphere Client has to be targeted directly at the ESX host (not vCenter) to edit the role and local users. Looking while connected through vCenter won’t get you anywhere. So, here we go:

  1. Open vSphere Client
  2. Connect to your ESX host with the root account
  3. Go to Home > Inventory > Inventory
  4. Select the “Local Users & Groups” tab
  5. Find your local user account (or create one)
  6. Make sure “Grant shell access to this user” is checked > OK
  7. Select the “Permissions” tab
  8. Click “Add…”  and select the local user (with the icon of one person, not three) > OK
  9. Under “Assigned Role”, select “Administrator” > OK
  10. Your user account should now have shell access (again)

At this point, if you used a complex password originally, you should be able to login via SSH and transfer files with SCP. If your password was simple, you can update it under “Local Users & Groups”. VMware’s judgment on “complex” is a bit weird, but here’s the jist:

  • Eight (8) characters or more: two character classes required
  • Seven (7) characters: three character classes required
  • Six (6) characters: four character classes required
  • All lengths: the first character doesn’t count toward the number of classes if it is upper case
  • All lengths: the last character doesn’t count toward the number of classes if it is a number

Maybe this will save you some digging and head banging. I already took some Advil for mine ;). Enjoy!

Applies to: ESX 4.1, ESXi 4.1

Be First to Comment

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.