Recently I had a couple of customers experience the same issue where they were unable to log into an ESXi host using AD credentials. Either the SSH session terminated unexpectedly after entering the password or the error received was “Invalid user name or credentials.”
We noticed that the “Trusted Domain Controllers” were not populating correctly, or were blank.
After enabling Likewise logging on the hypervisor, following KB 1026554, we were able to see the following log messages:
netlogond.log
DEBUG:0x60140b70: Error code: 40121 (symbol: LW_ERROR_DOMAIN_IS_OFFLINE)
0xff942b70:DEBUG:[LWNetGetPreferredDcList()] Error at /build/mts/release/bora-2286303/likewise/esxi-esxi/src/linux/netlogon/server/api/lwnet-plugin.c:201 [code: 2453]
0xffdb6b90:ERROR:[LWNetDnsQueryWithBuffer() /build/mts/release/bora-1474033/likewise/esxi-esxi/src/linux/netlogon/utils/lwnet-dns.c:1185] DNS lookup for '_ldap._tcp.EDIS._sites.dc._msdcs.parent.vcloud.local' failed with errno 0, h_errno = 1
lsassd.log
ld/mts/release/bora-1028347/likewise/esxi-esxi/src/linux/lsass/server/auth-providers/ad-provider/lsadm_p.c:2419] Error code: 40044 (symbol: LW_ERROR_NO_SUCH_DOMAIN)
release/bora-1028347/likewise/esxi-esxi/src/linux/lsass/server/auth-providers/ad-provider/lsadm_p.c:1308] Do not know about domain 'PARENT.VCLOUD.LOCAL'
ld/mts/release/bora-1028347/likewise/esxi-esxi/src/linux/lsass/server/auth-providers/ad-provider/lsadm_p.c:2419] Error code: 40044 (symbol: LW_ERROR_NO_SUCH_DOMAIN)
We finally determined that the netlogond service could not reach the domain through the domain controller it had chosen. Likewise locates candidate domain controllers through DNS SRV lookups (the site-specific _ldap._tcp.<site>._sites.dc._msdcs.<domain> record in the netlogond.log excerpt above; h_errno = 1 is HOST_NOT_FOUND, so that name did not resolve), sends CLDAP pings to pick the best one, and then uses that controller to obtain Active Directory user and group information for the ESXi host. If the chosen domain controller cannot contact a domain that contains a group of which the user is a member, you will encounter the symptoms listed above.
In our case, the user was a member of a group in a different domain, and the lookup failed when Likewise tried to enumerate that user's group membership.
To resolve this issue, specify one or more Active Directory Preferred Domain Controllers in the host's Advanced Settings. You can enter them as FQDNs or as IP addresses; it makes no difference which. Pick controllers that can resolve and reach every domain holding groups your users belong to, otherwise you have only moved the failure to a different controller.
After setting your preferred domain controller(s), rejoin the ESXi host to Active Directory; the "Trusted Domain Controllers" list in Authentication Services should then populate. VMware is still investigating this issue at this time, but this workaround should allow you to authenticate to an ESXi host with domain credentials if you were experiencing these symptoms.
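As an added example (not part of the original post, and not VMware's own tooling), the following ESXi shell script ties the diagnosis and the workaround together: it prints the SRV names the DC locator resolves for a domain and site (the site-specific one is the record that failed in the log above), validates the preferred-DC list before storing it, and then applies the setting and rejoins the domain with esxcli and domainjoin-cli. The advanced-setting key /UserVars/ActiveDirectoryPreferredDomainControllers (which I believe backs the "Active Directory Preferred Domain Controllers" entry in the UI), the domainjoin-cli path, and the dc1.parent.vcloud.local / 10.0.0.5 values are my assumptions, not taken from the page; confirm the key name against your host's Advanced Settings before applying it.

```shell
#!/bin/sh
# Added example, not from the original post. Assumptions (not on the page):
# the advanced-setting key /UserVars/ActiveDirectoryPreferredDomainControllers,
# the domainjoin-cli location under /usr/lib/vmware/likewise/bin, and the
# placeholder DC names used in the --apply section at the bottom.

# Print the DNS SRV names the DC locator tries for a domain: the site-specific
# record first (the one netlogond.log showed failing), then the domain-wide one.
srv_names() {
    domain=$1
    site=$2
    if [ -n "$site" ]; then
        printf '_ldap._tcp.%s._sites.dc._msdcs.%s\n' "$site" "$domain"
    fi
    printf '_ldap._tcp.dc._msdcs.%s\n' "$domain"
}

# Return 0 only if every comma-separated entry looks like a hostname/FQDN or an
# IPv4 address. Blank entries and stray whitespace are rejected, because the
# host would otherwise store them verbatim and netlogond would try to use them.
validate_dc_list() {
    [ -n "$1" ] || return 1
    old_ifs=$IFS
    IFS=','
    set -- $1
    IFS=$old_ifs
    for entry; do
        printf '%s' "$entry" | grep -Eq '^([A-Za-z0-9-]+\.)*[A-Za-z0-9-]+$' || return 1
    done
}

# Store the preferred-DC list on the host and echo back what was stored.
set_preferred_dcs() {
    validate_dc_list "$1" || { echo "refusing to set malformed DC list: $1" >&2; return 1; }
    esxcli system settings advanced set \
        -o /UserVars/ActiveDirectoryPreferredDomainControllers -s "$1"
    esxcli system settings advanced list \
        -o /UserVars/ActiveDirectoryPreferredDomainControllers
}

# Leave and rejoin so netlogond rebuilds its DC list from the preferred DCs.
# domainjoin-cli prompts for the join account's password.
rejoin_domain() {
    domain=$1
    user=$2
    /usr/lib/vmware/likewise/bin/domainjoin-cli leave
    /usr/lib/vmware/likewise/bin/domainjoin-cli join "$domain" "$user"
    /usr/lib/vmware/likewise/bin/domainjoin-cli query
}

# The host-changing part runs only on an ESXi host and only when asked to.
# Domain and site come from the log excerpts; the DC values are placeholders.
if command -v esxcli >/dev/null 2>&1 && [ "$1" = "--apply" ]; then
    srv_names parent.vcloud.local EDIS
    set_preferred_dcs "dc1.parent.vcloud.local,10.0.0.5"
    rejoin_domain parent.vcloud.local administrator
fi
```

Copy the script to the host and run it with `--apply` from the ESXi shell; without that flag it only defines the helpers, so `srv_names` and `validate_dc_list` can be exercised anywhere. The leave/join step is the same operation the post describes performing from Authentication Services in the vSphere client, so use whichever you prefer; the point is that netlogond re-selects controllers only after a rejoin.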