Troubleshoot Guest Management for Linux VMs
Caution
This article references CentOS, a Linux distribution that is nearing End Of Life (EOL) status. Please consider your use and planning accordingly. For more information, see the CentOS End Of Life guidance.
This article provides information on how to troubleshoot and resolve the issues that can occur while you enable guest management on Arc-enabled VMware vSphere virtual machines.
Troubleshoot issues while enabling Guest Management on a domain-joined Linux VM
Error message: Enabling Guest Management on a domain-joined Linux VM fails with the error message InvalidGuestLogin: Failed to authenticate to the system with the credentials.
Resolution: Before you enable Guest Management on a domain-joined Linux VM using Active Directory credentials, follow these steps to set the configuration on the VM:
In the SSSD configuration file (typically, /etc/sssd/sssd.conf), add the following under the section for the domain:
[domain/contoso.com]
ad_gpo_map_batch = +vmtoolsd
After making the changes to the SSSD configuration, restart the SSSD process. If SSSD is running as a system process, run the following command to restart it:
sudo systemctl restart sssd
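A pre-flight check for the setting above, as an added example that is not part of the original article: the hypothetical shell function missing_vmtoolsd_domains lists every [domain/...] section of an sssd.conf-style file whose ad_gpo_map_batch does not include +vmtoolsd. The sample configuration and the fabrikam.example domain are constructed for illustration.

```shell
# Added example (not from the article). Function names are hypothetical.
# Prints each [domain/NAME] section that lacks +vmtoolsd in ad_gpo_map_batch.
missing_vmtoolsd_domains() {
    awk '
        function report() { if (domain != "" && !ok) print domain }
        /^[ \t]*[#;]/ { next }                  # commented-out settings do not count
        /^[ \t]*\[/ {                           # a new section starts
            report(); domain = ""; ok = 0
            name = $0
            gsub(/^[ \t]*\[|\][ \t]*$/, "", name)
            if (name ~ /^domain\//) domain = substr(name, 8)
            next
        }
        domain != "" && /^[ \t]*ad_gpo_map_batch[ \t]*=/ {
            value = $0; sub(/^[^=]*=/, "", value)
            n = split(value, items, ","); ok = 0
            for (i = 1; i <= n; i++) {
                gsub(/[ \t]/, "", items[i])
                if (items[i] == "+vmtoolsd") ok = 1
            }
        }
        END { report() }
    ' "$1"
}

# Constructed sample input: one domain configured as described, one not.
write_sample_conf() {
    cat > "$1" <<'EOF'
[sssd]
domains = contoso.com, fabrikam.example

[domain/contoso.com]
id_provider = ad
ad_gpo_map_batch = +my_pam_service, +vmtoolsd

[domain/fabrikam.example]
id_provider = ad
# ad_gpo_map_batch = +vmtoolsd
ad_gpo_map_batch = -crond
EOF
}

sample=$(mktemp)
write_sample_conf "$sample"
missing_vmtoolsd_domains "$sample"    # prints: fabrikam.example
rm -f "$sample"
```

On a real VM, pass /etc/sssd/sssd.conf as the argument (reading it requires root); empty output means every domain section carries the setting.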
Additional information
The parameter ad_gpo_map_batch, according to the SSSD man page:
A comma-separated list of Pluggable Authentication Module (PAM) service names for which GPO-based access control is evaluated based on the BatchLogonRight and DenyBatchLogonRight policy settings.
It's possible to add another PAM service name to the default set by using +service_name or to explicitly remove a PAM service name from the default set by using -service_name. For example, to replace a default PAM service name for this sign in (for example, crond) with a custom PAM service name (for example, my_pam_service), use this configuration:
ad_gpo_map_batch = +my_pam_service, -crond
Default: The default set of PAM service names includes:
- crond
The vmtoolsd PAM service is enabled for SSSD evaluation. For any request coming through VMware Tools, SSSD is invoked, because VMware Tools uses this PAM service for authenticating to the Linux guest VM.
Troubleshoot issues while enabling Guest Management on RHEL-based Linux VMs
Applies to:
- RedHat Linux
- CentOS
- Rocky Linux
- Oracle Linux
- SUSE Linux
- SUSE Linux Enterprise Server
- Alma Linux
- Fedora
Error message: Provisioning of the resource failed with Code: AZCM0143; Message: install_linux_azcmagent.sh: installation error.
Workaround
Before you enable the guest agent, follow these steps on the VM:
Create the file vmtools_unconfined_rpm_script_kcs5347781.te with the following content:
policy_module(vmtools_unconfined_rpm_script_kcs5347781, 1.0)
gen_require(`
type vmtools_unconfined_t;
')
optional_policy(`
rpm_transition_script(vmtools_unconfined_t,system_r)
')
Install the package to build the policy module:
sudo yum -y install selinux-policy-devel
Compile the module:
make -f /usr/share/selinux/devel/Makefile vmtools_unconfined_rpm_script_kcs5347781.pp
Install the module:
sudo semodule -i vmtools_unconfined_rpm_script_kcs5347781.pp
Additional information
Track the issue through [BZ 1872245 - VMware][RHEL 8] vmtools is not able to install rpms.
When a command is executed using the vmrun command, the context of the yum or rpm command is vmtools_unconfined_t.
When yum or rpm executes scriptlets, the context is changed to rpm_script_t, which is currently denied because of the missing rule in the SELinux policy.
Next steps
If you don't see your problem here or you can't resolve your issue, try one of the following channels for support:
Get answers from Azure experts through Microsoft Q&A.
Connect with @AzureSupport, the official Microsoft Azure account for improving customer experience. Azure Support connects the Azure community to answers, support, and experts.