Built-in Administrator 계정이 특정 Group에서 제거됨으로써, vCenter Upgrade를 위한 pre-check 과정이 실패하는 현상에 대해서 다뤄봅니다.
## vCenter 6.7
[문제 증상]
6.7에서 7.0으로 Upgrade 하기 전 pre-check 과정에서 다음과 같이 실패 메시지 발생
[진행 내역]
1. 메시지 내용대로라면, VECS에 있는 machien SSL certificate 정보가 Directory Service에 등록된 Service들의 SSL Trust 값과 일치하지 않는 상황
2. Machine SSL Certificate, vmdir 서비스에 등록된 Certificate, VECS 및 lookupservice에 등록된 SSL Trust 값 확인
2-1. Machine SSL Certificate
-----BEGIN CERTIFICATE----- ~ -----END CERTIFICATE----- 사이의 값 확인
# echo | openssl s_client -connect localhost:443
2-2. vmdir 서비스에 등록된 Certificate
2-1에서 확인한 -----BEGIN CERTIFICATE----- ~ -----END CERTIFICATE----- 사이의 값과 비교 : 일치
# echo | openssl s_client -connect localhost:636
2-3. VECS
VECS에 있는 Store 중 MACHINE_SSL_CERT에 보관된 인증서 확인
2-1에서 확인한 -----BEGIN CERTIFICATE----- ~ -----END CERTIFICATE----- 사이의 값과 비교 : 일치
# /usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store MACHINE_SSL_CERT --alias __MACHINE_CERT
2-4. lookupservice에 등록된 SSL Trust 값 확인
https://kb.vmware.com/s/article/80469에 있는 lsdoctor 도구를 이용하여 --lscheck 옵션으로 확인 시 다수의 SSL Trust 값 불일치 서비스들 확인
| # python lsdoctor.py -l { "default-site": { "abc.contoso.com (Embedded)": { "2nd Party Products": "None", "Problems Detected": { "Duplicates Found": { "Description": "Duplicate Endpoints Detected", "Duplicates by Node ID": { "NO_NODE_ID": { "cs.identity (6.5)": [ "c3ddc176-f290-4bc8-89fa-7d1c7091d4f6", "4655edb3-ddac-4d1b-aded-22f7b3e77d52" ], "sso:admin": [ "default-site:d464491d-7e5d-484d-b526-2657149f83eb", "default-site:5a03ff2d-6d2e-4629-bba4-91fbd57e7a60" ], "sso:groupcheck": [ "default-site:e7dc7330-53e8-4655-b58b-6d8a77a879bf", "default-site:3757a38d-fa94-4963-b204-b28be48084b1" ], "sso:sts": [ "default-site:4b2f5d4c-f4d9-4ef6-ac90-dfb9851dab00", "default-site:aa9c2f15-4665-4780-bbbd-8162089004ba" ] } }, "Link": "https://kb.vmware.com/s/article/80469", "Recommended Action": "Ignore if this is the PSC HA VIP. Otherwise, you must unregister the extra endpoints.", "Severity": "High" }, "SSL Trust Mismatch": { "Description": "SSL Trust Mismatch Detected", "Link": "https://kb.vmware.com/s/article/80469", "Recommended Action": "Please run python ls_doctor.py --trustfix option on this node.", "Services grouped by SSL Trust": { "84:8D:7C:4C:28:19:53:68:F4:F3:CE:9F:0E:75:2B:1C:70:28:9A:00": [ "topologysvc", "mixed", "vsan-dps", "cis.vmonapi", "cs.ds", "cs.vapi", "cs.eam", "cs.componentmanager", "phservice", "vcha", "messagebus.config", "sms", "cs.inventory", "vsphereclient", "cs.identity (6.5)", "sca", "cs.perfcharts", "vsan-health", "cs.vsm", "sso:admin", "applmgmt", "cis.cls", "cs.license", "vcenterserver", "sso:groupcheck", "certificatemanagement", "imagebuilder", "cs.authorization", "rbd", "cs.keyvalue", "sso:sts", "vsphereui" ], "D5:12:EB:DC:46:98:AC:19:85:44:CE:6F:21:86:07:06:71:DA:34:E6": [ "client", "vcIntegrity" ] }, "Severity": "High" } }, |
3. lsdoctor 도구의 --trustfix 옵션을 이용하여 lookupservice에 등록된 service들의 SSL Trust 값을 변경
## 다음과 같은 오류와 함께 실패
## lookupservice에 등록된 service 중 "default-site:d464491d-7e5d-484d-b526-2657149f83eb"를 unregister 하는데 실패
| # python lsdoctor.py -t WARNING: This script makes permanent changes. Before running, please take *OFFLINE* snapshots of all VC's and PSC's at the SAME TIME. Failure to do so can result in PSC or VC inconsistencies. Logs can be found here: /var/log/vmware/lsdoctor 2023-08-21T15:57:07 INFO main: You are checking for and fixing SSL trust mismatches in the local SSO site. NOTE: Please run this script one PSC or VC per SSO site. Have you taken offline (PSCs and VCs powered down at the same time) snapshots of all nodes in the SSO domain or supported backups?[y/n]y Provide password for administrator@vsphere.local: 2023-08-21T15:57:21 INFO __init__: Retrieved services from SSO site: default-site 2023-08-21T15:57:21 INFO findAndFix: Checking services for trust mismatches... 2023-08-21T15:57:21 INFO findAndFix: Attempting to reregister default-site:d464491d-7e5d-484d-b526-2657149f83eb for abc.contoso.com 2023-08-21T15:57:22 WARNING unregister_service: Failed to unregister_service [default-site:d464491d-7e5d-484d-b526-2657149f83eb]: (vmodl.fault.SecurityError) { dynamicType = <unset>, dynamicProperty = (vmodl.DynamicProperty) [], msg = '', faultCause = <unset>, faultMessage = (vmodl.LocalizableMessage) [] }, sys.exc_info()[1] 2023-08-21T15:57:22 WARNING unregister_service: Failed to unregister_service [default-site:d464491d-7e5d-484d-b526-2657149f83eb]: (vmodl.fault.SecurityError) { dynamicType = <unset>, dynamicProperty = (vmodl.DynamicProperty) [], msg = '', faultCause = <unset>, faultMessage = (vmodl.LocalizableMessage) [] }, str(e) 2023-08-21T15:57:22 WARNING unregister_service: Failed to unregister_service [default-site:d464491d-7e5d-484d-b526-2657149f83eb]: (vmodl.fault.SecurityError) { dynamicType = <unset>, dynamicProperty = (vmodl.DynamicProperty) [], msg = '', faultCause = <unset>, faultMessage = (vmodl.LocalizableMessage) [] }, repr(e) 2023-08-21T15:57:22 WARNING unregister_service: Failed to unregister_service [default-site:d464491d-7e5d-484d-b526-2657149f83eb]: Traceback (most recent call last): File "/tmp/lsdoctor-230719/lsdoctor-230719/lib/utils.py", line 763, in unregister_service self.service_content.serviceRegistration.Delete(svc_id) File "/usr/lib/vmware/site-packages/pyVmomi/VmomiSupport.py", line 557, in <lambda> self.f(*(self.args + (obj,) + args), **kwargs) File "/usr/lib/vmware/site-packages/pyVmomi/VmomiSupport.py", line 363, in _InvokeMethod return self._stub.InvokeMethod(self, info, args) File "/usr/lib/vmware/site-packages/pyVmomi/SoapAdapter.py", line 1418, in InvokeMethod raise obj # pylint: disable-msg=E0702 pyVmomi.VmomiSupport.vmodl.fault.SecurityError: (vmodl.fault.SecurityError) { dynamicType = <unset>, dynamicProperty = (vmodl.DynamicProperty) [], msg = '', faultCause = <unset>, faultMessage = (vmodl.LocalizableMessage) [] } , traceback.format_exc() |
4. 3번에서 unregister에 실패한 service를 lstool.py를 이용하여 unregister 시도
## 동일하게 실패
https://kb.vmware.com/s/article/2043509
# /usr/lib/vmidentity/tools/scripts/lstool.py unregister --url http://localhost:7080/lookupservice/sdk --id default-site:d464491d-7e5d-484d-b526-2657149f83eb --user 'administrator@vsphere.local' --password <암호> --no-check-cert
5. lookupservice에 대한 Action이 정상적으로 수행되지 않는 상황이기 때문에 Directory Service 상태 확인
## lookupservice가 바라보는 vmdird 서비스가 Hosting 하는 Directory Service의 상태 확인 시, 다음과 같이 Access Denied 에러 발생
## Access Denied 라는 의미는 Authentication 까지는 되었으나 필요한 Authorization을 진행하지 못한 것으로 이해할 수 있음
## 즉, Permission 이슈일 확률이 높음
| # /usr/lib/vmware-vmafd/bin/dir-cli state get Enter password for administrator@vsphere.local: Dir-cli failed. Error 382312694: access denied, reason = rpc_s_auth_method (0x16c9a0f6) |
6. 이제 Directory Service 관련 로그 확인
## Directory Service의 LDAP Protocol Listening Port인 389로 Bind Request가 실패한 메시지가 계속해서 기록되어 있음
| /var/log/vmware/vmdird/vmdird-syslog.log 2023-08-05T08:34:52.013354+09:00 info vmdird t@139988779902720: Modify Entry (cn=AssetEntity_host-250-7efe8d35-c0a2-4d85-907f-e333feba875d,cn=LicenseService,cn=services,dc=vsphere,dc=local)(from 127.0.0.1)(by abc.contoso.com@vsphere.local)(via Ext)(USN 15439,0) 2023-08-05T08:35:41.876023+09:00 info vmdird t@139989216126720: _VmDirCpMdbFile: making database snapshot with file size 21Mb; will take approximate 1 seconds; 1 updates occurred since last snapshot. 2023-08-05T08:35:41.901415+09:00 info vmdird t@139989216126720: _VmDirCpMdbFile: completed making snapshot with file size 21Mb in 1 seconds; data transfer rate: 21.0MB/sec, db last tid: 30885 2023-08-05T08:52:10.224925+09:00 err vmdird t@139988259817216: SASLSessionStep: sasl error (-13)(SASL(-13): authentication failure: client evidence does not match what we calculated. Probably a password error) 2023-08-05T08:52:10.225521+09:00 err vmdird t@139988259817216: VmDirSendLdapResult: Request (Bind), Error (49), Message ((49)(SASL step failed.)), (0) socket (127.0.0.1) 2023-08-05T08:52:10.225817+09:00 err vmdird t@139988259817216: Bind Request Failed (127.0.0.1) error 49: Protocol version: 3, Bind DN: "cn=Administrator,cn=Users,dc=vsphere,dc=local", Method: SASL 2023-08-05T08:52:10.225817+09:00 err vmdird t@139988259817216: Bind Request Failed (127.0.0.1) error 49: Protocol version: 3, Bind DN: "cn=Administrator,cn=Users,dc=vsphere,dc=local", Method: SASL 2023-08-05T11:20:39.342491+09:00 err vmdird t@139848564340480: Bind Request Failed (127.0.0.1) error 49: Protocol version: 3, Bind DN: "cn=Administrator,cn=Users,dc=vsphere,dc=local", Method: SASL 2023-08-05T11:27:59.213419+09:00 err vmdird t@139848547555072: Bind Request Failed (127.0.0.1) error 49: Protocol version: 3, Bind DN: "cn=Administrator,cn=Users,dc=vsphere,dc=local", Method: SASL 2023-08-05T11:47:51.185320+09:00 err vmdird t@140585084122880: Bind Request Failed (127.0.0.1) error 49: Protocol version: 3, Bind DN: "cn=Administrator,cn=Users,dc=vsphere,dc=local", Method: SASL 2023-08-05T15:18:57.559115+09:00 err vmdird t@140681695708928: Bind Request Failed (127.0.0.1) error 49: Protocol version: 3, Bind DN: "cn=Administrator,cn=Users,dc=vsphere,dc=local", Method: SASL 2023-08-05T15:19:10.531666+09:00 err vmdird t@140681695708928: Bind Request Failed (127.0.0.1) error 49: Protocol version: 3, Bind DN: "cn=Administrator,cn=Users,dc=vsphere,dc=local", Method: SASL 2023-08-07T08:18:52.687709+09:00 err vmdird t@140680915580672: Bind Request Failed (127.0.0.1) error 49: Protocol version: 3, Bind DN: "cn=Administrator,cn=Users,dc=vsphere,dc=local", Method: SASL 2023-08-09T09:21:50.223578+09:00 err vmdird t@140680907187968: Bind Request Failed (127.0.0.1) error 49: Protocol version: 3, Bind DN: "cn=Administrator,cn=Users,dc=vsphere,dc=local", Method: SASL 2023-08-09T09:21:57.303694+09:00 err vmdird t@140680907187968: Bind Request Failed (127.0.0.1) error 49: Protocol version: 3, Bind DN: "cn=Administrator,cn=Users,dc=vsphere,dc=local", Method: SASL 2023-08-09T09:22:14.563079+09:00 err vmdird t@140681704101632: Bind Request Failed (127.0.0.1) error 49: Protocol version: 3, Bind DN: "cn=Administrator,cn=Users,dc=vsphere,dc=local", Method: SASL 2023-08-10T10:26:18.966282+09:00 err vmdird t@140040898344704: Bind Request Failed (127.0.0.1) error 49: Protocol version: 3, Bind DN: "cn=Administrator,cn=Users,dc=vsphere,dc=local", Method: SASL 2023-08-10T10:26:28.006758+09:00 err vmdird t@140040898344704: Bind Request Failed (127.0.0.1) error 49: Protocol version: 3, Bind DN: "cn=Administrator,cn=Users,dc=vsphere,dc=local", Method: SASL 2023-08-10T10:27:19.492734+09:00 err vmdird t@140040361473792: Bind Request Failed (127.0.0.1) error 49: Protocol version: 3, Bind DN: "cn=Administrator,cn=Users,dc=vsphere,dc=local", Method: SASL 2023-08-16T13:18:32.435417+09:00 err vmdird t@140040873166592: Bind Request Failed (127.0.0.1) error 49: Protocol version: 3, Bind DN: "cn=Administrator,cn=Users,dc=vsphere,dc=local", Method: SASL 2023-08-16T13:48:39.324083+09:00 err vmdird t@139856801945344: Bind Request Failed (127.0.0.1) error 49: Protocol version: 3, Bind DN: "cn=Administrator,cn=Users,dc=vsphere,dc=local", Method: SASL 2023-08-16T17:03:59.332814+09:00 err vmdird t@139856793552640: Bind Request Failed (127.0.0.1) error 49: Protocol version: 3, Bind DN: "cn=Administrator,cn=Users,dc=vsphere,dc=local", Method: SASL 2023-08-16T17:03:59.735373+09:00 err vmdird t@139856793552640: Bind Request Failed (127.0.0.1) error 49: Protocol version: 3, Bind DN: "cn=Administrator,cn=Users,dc=vsphere,dc=local", Method: SASL 2023-08-21T14:40:38.011183+09:00 err vmdird t@139857456215808: Bind Request Failed (127.0.0.1) error 49: Protocol version: 3, Bind DN: "cn=Administrator,cn=Users,dc=vsphere,dc=local", Method: SASL 2023-08-21T17:06:28.281170+09:00 err vmdird t@139856776767232: Bind Request Failed (127.0.0.1) error 49: Protocol version: 3, Bind DN: "cn=Administrator,cn=Users,dc=vsphere,dc=local", Method: SASL 2023-08-22T17:57:08.689324+09:00 err vmdird t@139856785159936: Bind Request Failed (127.0.0.1) error 49: Protocol version: 3, Bind DN: "cn=Administrator,cn=Users,dc=vsphere,dc=local", Method: SASL 2023-08-23T09:49:54.799127+09:00 err vmdird t@139856768374528: Bind Request Failed (127.0.0.1) error 49: Protocol version: 3, Bind DN: "cn=Administrator,cn=Users,dc=vsphere,dc=local", Method: SASL 2023-08-23T13:48:08.455960+09:00 err vmdird t@139856810338048: Bind Request Failed (127.0.0.1) error 49: Protocol version: 3, Bind DN: "cn=Administrator,cn=Users,dc=vsphere,dc=local", Method: SASL 2023-08-24T14:33:36.517365+09:00 err vmdird t@139856810338048: Bind Request Failed (127.0.0.1) error 49: Protocol version: 3, Bind DN: "cn=Administrator,cn=Users,dc=vsphere,dc=local", Method: SASL 2023-08-28T22:19:10.040716+09:00 err vmdird t@139856785159936: Bind Request Failed (127.0.0.1) error 49: Protocol version: 3, Bind DN: "cn=Administrator,cn=Users,dc=vsphere,dc=local", Method: SASL 2023-08-28T22:19:20.082801+09:00 err vmdird t@139856785159936: Bind Request Failed (127.0.0.1) error 49: Protocol version: 3, Bind DN: "cn=Administrator,cn=Users,dc=vsphere,dc=local", Method: SASL /var/log/vmware/vmdir/vmafdvmdirclient.log 2023-08-05T01:03:06.568Z:t@139802737989376:ERROR: VmDirSafeLDAPBind to (ldap://abc.contoso.com:389) failed. SRP(9127) 2023-08-05T01:27:00.744Z:t@140398680844032:ERROR: VmDirSafeLDAPBind to (ldap://abc.contoso.com:389) failed. SRP(9127) 2023-08-05T02:38:37.935Z:t@139648001734400:ERROR: VmDirSafeLDAPBind to (ldap://abc.contoso.com:389) failed. SRP(9127) /var/log/vmware/sso/vmware-identity-sts.log [2023-08-23T09:49:54.798+09:00 tomcat-http--5 vsphere.local 2a333ee4-d25f-4558-936a-f10653d567c0 WARN com.vmware.identity.interop.ldap.LdapErrorChecker] Error received by LDAP client: com.vmware.identity.interop.ldap.OpenLdapClientLibrary, error code: 49 [2023-08-23T09:49:54.799+09:00 tomcat-http--5 vsphere.local 2a333ee4-d25f-4558-936a-f10653d567c0 ERROR com.vmware.identity.idm.server.ServerUtils] cannot establish connection with uri: ldap://localhost:389 at co m.vmware.identity.interop.ldap.LdapErrorChecker$28.RaiseLdapError(LdapErrorChecker.java:413) ~[vmware-identity-platform-7.0.0.jar:?] at co m.vmware.identity.interop.ldap.LdapErrorChecker.CheckError(LdapErrorChecker.java:1090) ~[vmware-identity-platform-7.0.0.jar:?] at co m.vmware.identity.interop.ldap.OpenLdapClientLibrary.CheckError(OpenLdapClientLibrary.java:1268) ~[vmware-identity-platform-7.0.0.jar:?] at co m.vmware.identity.interop.ldap.OpenLdapClientLibrary.CheckError(OpenLdapClientLibrary.java:1261) ~[vmware-identity-platform-7.0.0.jar:?] at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92) [catalina.jar:8.5.81] [2023-08-23T09:49:54.815+09:00 tomcat-http--5 vsphere.local 2a333ee4-d25f-4558-936a-f10653d567c0 ERROR com.vmware.identity.idm.server.IdentityManager] Failed to authenticate principal [Administrator@vsphere.local] for tenant [vsphere.local] at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92) [catalina.jar:8.5.81] at co m.vmware.identity.interop.ldap.LdapErrorChecker$28.RaiseLdapError(LdapErrorChecker.java:413) ~[vmware-identity-platform-7.0.0.jar:?] at co m.vmware.identity.interop.ldap.LdapErrorChecker.CheckError(LdapErrorChecker.java:1090) ~[vmware-identity-platform-7.0.0.jar:?] at co m.vmware.identity.interop.ldap.OpenLdapClientLibrary.CheckError(OpenLdapClientLibrary.java:1268) ~[vmware-identity-platform-7.0.0.jar:?] at co m.vmware.identity.interop.ldap.OpenLdapClientLibrary.CheckError(OpenLdapClientLibrary.java:1261) ~[vmware-identity-platform-7.0.0.jar:?] [2023-08-23T09:49:54.819+09:00 tomcat-http--5 vsphere.local 2a333ee4-d25f-4558-936a-f10653d567c0 INFO com.vmware.identity.diagnostics.VmEventAppender] EventLog: source=[VMware Identity Server], tenant=[vsphere.local], eventid=[USER_NAME_PWD_AUTH_FAILED], level=[ERROR], category=[VMEVENT_CATEGORY_STS], text=[Failed to authenticate principal [Administrator@vsphere.local]. Login failed], detailText=[Login failed], corelationId=[2a333ee4-d25f-4558-936a-f10653d567c0], timestamp=[1692751794819] [2023-08-23T09:49:54.819+09:00 tomcat-http--5 vsphere.local 2a333ee4-d25f-4558-936a-f10653d567c0 ERROR com.vmware.identity.idm.server.IdentityManager] Failed to authenticate principal [Administrator@vsphere.local]. Login failed at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92) [catalina.jar:8.5.81] at co m.vmware.identity.interop.ldap.LdapErrorChecker$28.RaiseLdapError(LdapErrorChecker.java:413) ~[vmware-identity-platform-7.0.0.jar:?] at co m.vmware.identity.interop.ldap.LdapErrorChecker.CheckError(LdapErrorChecker.java:1090) ~[vmware-identity-platform-7.0.0.jar:?] at co m.vmware.identity.interop.ldap.OpenLdapClientLibrary.CheckError(OpenLdapClientLibrary.java:1268) ~[vmware-identity-platform-7.0.0.jar:?] at co m.vmware.identity.interop.ldap.OpenLdapClientLibrary.CheckError(OpenLdapClientLibrary.java:1261) ~[vmware-identity-platform-7.0.0.jar:?] [2023-08-23T09:49:54.820+09:00 tomcat-http--5 vsphere.local 2a333ee4-d25f-4558-936a-f10653d567c0 ERROR com.vmware.identity.idm.server.ServerUtils] Exception 'com.vmware.identity.idm.IDMLoginException: Login failed' at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92) [catalina.jar:8.5.81] |
7. 내부에서 관련 KB 확인
## KB 내용대로 Administrator가 Bulit-in Administrators Group에 속해 있는지 확인
7-1. UI에서 확인
## Administrators Group 내에 Administrator 계정이 확인되지 않음
7-2. vCenter에서 ldapsearch 명령어를 이용하여 확인
## 아래 결과는 정상적인 시스템에서 조회한 결과로 실제 문제가 된 환경에서는 "memberOf: cn=Administrators,cn=Builtin,dc=vsphere,dc=local" 항목이 없는 것을 확인
| # ldapsearch -h localhost -x -D "cn=administrator,cn=users,dc=vsphere,dc=local" -w 'P@ssw0rd' -b "cn=administrator,cn=users,dc=vsphere,dc=local" memberOf # extended LDIF # # LDAPv3 # base <cn=administrator,cn=users,dc=vsphere,dc=local> with scope subtree # filter: (objectclass=*) # requesting: memberOf # # Administrator, Users, vsphere.local dn: cn=Administrator,cn=Users,dc=vsphere,dc=local memberOf: cn=Users,cn=Builtin,dc=vsphere,dc=local memberOf: cn=Administrators,cn=Builtin,dc=vsphere,dc=local memberOf: cn=CAAdmins,cn=Builtin,dc=vsphere,dc=local memberOf: CN=SystemConfiguration.Administrators,DC=vsphere,DC=local memberOf: CN=SystemConfiguration.BashShellAdministrators,DC=vsphere,DC=local memberOf: CN=SystemConfiguration.ReadOnly,DC=vsphere,DC=local memberOf: CN=SystemConfiguration.SupportUsers,DC=vsphere,DC=local memberOf: CN=LicenseService.Administrators,DC=vsphere,DC=local # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1 |
8. 결과적으로 cn=Administrator,cn=Users,dc=vsphere,dc=local가 cn=Administrators,cn=Builtin,dc=vsphere,dc=local 에 포함되어 있지 않아 발생하는 권한 이슈로 아래 ldapmodify 명령어를 이용하여 Administrators Group에 Administrator 계정을 추가
| # ldapmodify -h localhost -D "cn=Administrator,cn=Users,dc=vsphere,dc=local" -W << EOF dn: CN=Administrators,CN=Builtin,dc=vsphere,dc=local changetype: modify add: member member: CN=Administrator,CN=Users,dc=vsphere,dc=local EOF |
9. UI에서 Adminstrators Group 하위에 Administrator 포함되었는지 확인
## 정상적으로 추가
10. 3번 단계에서 lsdoctor 실패했기 때문에 다시 시도
## 실패 없이 정상적으로 진행 완료
11. lsdoctor 결과 중 SSL Trust mismatch는 10번 단계를 통하여 해결하였고, Duplicate Endpoints가 확인된 부분은 lstool.py를 이용하여 수동으로 Unregister 진행
## Unregister 옵션 사용법은 https://kb.vmware.com/s/article/2145520 참고
## Endpoints 중 어떤 것을 제거할 수 있는지를 확인하기 위해서는 https://kb.vmware.com/s/article/2043509를 참고하여 lookupservice에 등록된 Service들을 모두 조회한 후 lsdoctor 결과에 나온 Service ID를 이용하여 확인 후 각 Service 별 SSL Trust 값이 2-1에서 확인한 Machine SSL Certficate의 값과 일치하는지 확인
## 일치하지 않는 Service는 제거 가능
| { "default-site": { "abc.contoso.com (Embedded)": { "2nd Party Products": "None", "Problems Detected": { "Duplicates Found": { "Description": "Duplicate Endpoints Detected", "Duplicates by Node ID": { "NO_NODE_ID": { "cs.identity (6.5)": [ "c3ddc176-f290-4bc8-89fa-7d1c7091d4f6", "4655edb3-ddac-4d1b-aded-22f7b3e77d52" ### <-- !! 중복 ], "sso:admin": [ "default-site:d464491d-7e5d-484d-b526-2657149f83eb", ### <-- !! 중복 "default-site:5a03ff2d-6d2e-4629-bba4-91fbd57e7a60" ], "sso:groupcheck": [ "default-site:e7dc7330-53e8-4655-b58b-6d8a77a879bf", ### <-- !! 중복 "default-site:3757a38d-fa94-4963-b204-b28be48084b1" ], "sso:sts": [ "default-site:4b2f5d4c-f4d9-4ef6-ac90-dfb9851dab00", ### <-- !! 중복 "default-site:aa9c2f15-4665-4780-bbbd-8162089004ba" ] } }, "Link": "https://kb.vmware.com/s/article/80469", "Recommended Action": "Ignore if this is the PSC HA VIP. Otherwise, you must unregister the extra endpoints.", "Severity": "High" }, # /usr/lib/vmidentity/tools/scripts/lstool.py unregister --url http://localhost:7080/lookupservice/sdk --id 'default-site:d464491d-7e5d-484d-b526-2657149f83eb' --user 'administrator@vsphere.local' --password <암호>' --no-check-cert # /usr/lib/vmidentity/tools/scripts/lstool.py unregister --url http://localhost:7080/lookupservice/sdk --id 'default-site:e7dc7330-53e8-4655-b58b-6d8a77a879bf' --user 'administrator@vsphere.local' --password <암호>' --no-check-cert # /usr/lib/vmidentity/tools/scripts/lstool.py unregister --url http://localhost:7080/lookupservice/sdk --id 'default-site:aa9c2f15-4665-4780-bbbd-8162089004ba' --user 'administrator@vsphere.local' --password <암호>' --no-check-cert # /usr/lib/vmidentity/tools/scripts/lstool.py unregister --url http://localhost:7080/lookupservice/sdk --id '4655edb3-ddac-4d1b-aded-22f7b3e77d52' --user 'administrator@vsphere.local' --password <암호>' --no-check-cert |
12. 작업을 모두 완료하고 다시 lsdoctor --lscheck 수행 시 보고되는 오류 없는 것을 확인
# python lsdoctor -l
'Compute' 카테고리의 다른 글
| Fails to start vCenter service due to wrong certificate in vCenter 6.5 (0) | 2023.11.13 |
|---|---|
| ESXi host is disconnected due to firewall policy (0) | 2023.09.14 |
| ESXi host was unresponsive due to missing DNS records (0) | 2023.08.29 |
| Resource Group (0) | 2023.08.09 |
| Admission failure filtering from vmkernel.log (0) | 2023.08.09 |
