title | description | ms.topic | ms.date | ms.service | ms.subservice | ms.custom | author | ms.author | manager |
---|---|---|---|---|---|---|---|---|---|
Troubleshoot Guest Management Issues | Learn about how to troubleshoot the guest management issues for Arc-enabled VMware vSphere. | reference | 11/06/2023 | azure-arc | azure-arc-vmware-vsphere | linux-related-content | Farha-Bano | v-farhabano | jsuri |
Caution
This article references CentOS, a Linux distribution that is nearing End Of Life (EOL) status. Please consider your use and planning accordingly. For more information, see the CentOS End Of Life guidance.
This article provides information on how to troubleshoot and resolve the issues that can occur while you enable guest management on Arc-enabled VMware vSphere virtual machines.
Error message: Enabling Guest Management on a domain-joined Linux VM fails with the error message InvalidGuestLogin: Failed to authenticate to the system with the credentials.
Resolution: Before you enable Guest Management on a domain-joined Linux VM using Active Directory credentials, follow these steps to set the configuration on the VM:

- In the SSSD configuration file (typically, /etc/sssd/sssd.conf), add the following under the section for the domain:

  ```
  [domain/contoso.com]
  ad_gpo_map_batch = +vmtoolsd
  ```

- After making the changes to the SSSD configuration, restart the SSSD process. If SSSD is running as a system process, run the following command to restart it:

  ```
  sudo systemctl restart sssd
  ```

The sssd man page describes the ad_gpo_map_batch parameter as follows:
A comma-separated list of Pluggable Authentication Module (PAM) service names for which GPO-based access control is evaluated based on the BatchLogonRight and DenyBatchLogonRight policy settings.
It's possible to add another PAM service name to the default set by using +service_name or to explicitly remove a PAM service name from the default set by using -service_name. For example, to replace a default PAM service name for this sign in (for example, crond) with a custom PAM service name (for example, my_pam_service), use this configuration:
ad_gpo_map_batch = +my_pam_service, -crond
Default: The default set of PAM service names includes:

- crond

The vmtoolsd PAM service is enabled for SSSD evaluation. For any request coming through VMware Tools, SSSD is invoked, because VMware Tools uses this PAM service to authenticate to the Linux guest VM.

Applies to:
- RedHat Linux
- CentOS
- Rocky Linux
- Oracle Linux
- SUSE Linux
- SUSE Linux Enterprise Server
- Alma Linux
- Fedora
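
To confirm the setting on a VM before enabling Guest Management, a check along the following lines can be run against the SSSD configuration. This is an added example, not part of the original article or of any Microsoft or SSSD tooling. The function names, the sample file contents, and the fabrikam.example domain are constructed for illustration, and the check assumes that any uncommented ad_gpo_map_batch line in a domain section counts.

```bash
#!/usr/bin/env bash
# Added example: list every [domain/...] section of an sssd.conf whose
# ad_gpo_map_batch value does not include +vmtoolsd.
# Usage: missing_vmtoolsd_domains /etc/sssd/sssd.conf   (reads stdin if no file is given)
missing_vmtoolsd_domains() {
  awk '
    function report() { if (domain != "" && !ok) print domain }
    /^[ \t]*[#;]/ { next }                  # ignore commented-out lines
    /^[ \t]*\[/ {                           # a new section starts
      report(); domain = ""; ok = 0
      line = $0; gsub(/[ \t]/, "", line)
      if (line ~ /^\[domain\/.*\]$/)
        domain = substr(line, 9, length(line) - 9)
      next
    }
    domain != "" && /^[ \t]*ad_gpo_map_batch[ \t]*=/ {
      value = $0; sub(/^[^=]*=/, "", value)
      n = split(value, items, ",")          # comma-separated PAM service names
      for (i = 1; i <= n; i++) {
        gsub(/[ \t]/, "", items[i])
        if (items[i] == "+vmtoolsd") ok = 1
      }
    }
    END { report() }
  ' "${1:--}"
}

# Constructed sample configuration: contoso.com follows the resolution above,
# fabrikam.example (hypothetical) only has the setting commented out.
sample_conf() {
  cat <<'EOF'
[sssd]
domains = contoso.com, fabrikam.example

[domain/contoso.com]
id_provider = ad
ad_gpo_map_batch = +my_pam_service, +vmtoolsd

[domain/fabrikam.example]
id_provider = ad
# ad_gpo_map_batch = +vmtoolsd
EOF
}

# Prints the domains that still need the change (fabrikam.example for the sample).
sample_conf | missing_vmtoolsd_domains
```

An empty result means every domain section already maps vmtoolsd into the batch logon set. Reading the real file usually requires root, because /etc/sssd/sssd.conf is normally readable only by root.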
Error message: Provisioning of the resource failed with Code: AZCM0143; Message: install_linux_azcmagent.sh: installation error.
Workaround

Before you enable the guest agent, follow these steps on the VM:

- Create the file vmtools_unconfined_rpm_script_kcs5347781.te with the following content:

  ```
  policy_module(vmtools_unconfined_rpm_script_kcs5347781, 1.0)

  gen_require(`
  type vmtools_unconfined_t;
  ')

  optional_policy(`
  rpm_transition_script(vmtools_unconfined_t,system_r)
  ')
  ```

- Install the package to build the policy module:

  ```
  sudo yum -y install selinux-policy-devel
  ```

- Compile the module:

  ```
  make -f /usr/share/selinux/devel/Makefile vmtools_unconfined_rpm_script_kcs5347781.pp
  ```

- Install the module:

  ```
  sudo semodule -i vmtools_unconfined_rpm_script_kcs5347781.pp
  ```

Track the issue through BZ 1872245 - [VMware][RHEL 8] vmtools is not able to install rpms.
When a command is executed using vmrun, the context of the yum or rpm command is vmtools_unconfined_t.

When yum or rpm executes scriptlets, the context changes to rpm_script_t, a transition that is currently denied because of the missing rule in the SELinux policy.

If you don't see your problem here or you can't resolve your issue, try one of the following channels for support:

- Get answers from Azure experts through Microsoft Q&A.
- Connect with @AzureSupport, the official Microsoft Azure account for improving customer experience. Azure Support connects the Azure community to answers, support, and experts.