Troubleshoot Guest Management for Linux VMs

This article provides information on how to troubleshoot and resolve the issues that can occur when you enable guest management on Arc-enabled VMware vSphere virtual machines.

Troubleshoot issues while enabling Guest Management

Error message: Enabling Guest Management on a domain-joined Linux VM fails with the error message InvalidGuestLogin: Failed to authenticate to the system with the credentials.

Resolution: Before you enable Guest Management on a domain-joined Linux VM using active directory credentials, follow these steps to set the configuration on the VM:

  1. In the SSSD configuration file (typically, /etc/sssd/sssd.conf), add the following under the section for the domain:

    [domain/contoso.com] ad_gpo_map_batch = +vmtoolsd

  2. After making the changes to SSSD configuration, restart the SSSD process. If SSSD is running as a system process, run sudo systemctl restart sssd to restart it.

Additional information

The parameter ad_gpo_map_batch according to the sssd main page:

A comma-separated list of Pluggable Authentication Module (PAM) service names for which GPO-based access control is evaluated based on the BatchLogonRight and DenyBatchLogonRight policy settings.

It's possible to add another PAM service name to the default set by using +service_name or to explicitly remove a PAM service name from the default set by using -service_name. For example, to replace a default PAM service name for this sign in (for example, crond) with a custom PAM service name (for example, my_pam_service), use this configuration:

ad_gpo_map_batch = +my_pam_service, -crond

Default: The default set of PAM service names includes:

  • crond:

    vmtoolsd PAM is enabled for SSSD evaluation. For any request coming through VMware tools, SSSD is invoked since VMware tools use this PAM for authenticating to the Linux Guest VM.

References

Next steps

If you don't see your problem here or you can't resolve your issue, try one of the following channels for support: