Bug 1172693 - [RC3 vmtools 11.1.0 guestops] authentication failed when querying Guest User Mappings via VCenter
[RC3 vmtools 11.1.0 guestops] authentication failed when querying Guest User ...
Status: RESOLVED FIXED
Classification: SUSE Linux Enterprise Server
Product: Public Beta SUSE Linux Enterprise Server 15 SP2
Classification: SUSE Linux Enterprise Server
Component: Virtualization:Tools
Public RC2
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Kirk Allan
Antoine Ginies
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2020-06-09 02:52 UTC by vmware gos
Modified: 2020-10-16 09:51 UTC (History)
3 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
kallan: needinfo? (vmware-gos-qa)


Attachments
Authentication failed when quering Guest User Mapping (41.73 KB, image/png)
2020-06-09 02:52 UTC, vmware gos
Details

Note You need to log in before you can comment on or make changes to this bug.
Description vmware gos 2020-06-09 02:52:40 UTC
Created attachment 838605 [details]
Authentication failed when quering Guest User Mapping

vmtools 11.1.0 is installed together with SLES15SP2 RC3.

After RC3 installed, try to query "Guest User Mappings" from VCenter, after  type root and password, click enter, authentication error prompt, see attached screenshot. 

Following log is recorded in /var/log/messages in RC3 OS, which says that username and password mismatch for 'root', while actual correct password for root are given.

2020-06-05T04:22:56.128323+02:00 gosc-dhcp-vm-01 VGAuth[1209]: pam_securetty(vmtoolsd:auth): cannot determine user's tty
2020-06-05T04:22:56.128578+02:00 gosc-dhcp-vm-01 VGAuth[1209]: gkr-pam: unable to locate daemon control file
2020-06-05T04:22:58.351510+02:00 gosc-dhcp-vm-01 VGAuth[1209]: vmtoolsd: Username and password mismatch for 'root'.

VMware engineer is working in this issue.


-VMWare GOS QA
Comment 1 vmware gos 2020-06-11 07:47:13 UTC
I did some guestops test, guestops works well with rpm ovt version 11.1.0 on SLES15SP2 PublicRC2 and rpm ovt version 11.2.0 on SLES15SP2RC3.
Seems that there is something wrong when packaging 11.1.0 tools into SLE15SP2RC3.

Details:
1. Install 11.1.0(http://build-squid.eng.vmware.com/build/mts/release/bora-16036546/publish/packages/packages
/sles-15/x86_64) rpm tools on SLES15SP2 PublicRC2(bundled OVT version is 11.0.5)
Query "Guest User Mapping" from VCenter UI and it success. This OVT 11.1.0 version is same with bundled tools version in SLES15SP2 RC3.


2. Install 11.2.0 (http://build-squid.eng.vmware.com/build/mts/release/bora-16319214/publish/packages/packages/sles-15/x86_64) rpm tools on SLES15SP2 RC3(bundled OVT version is 11.1.0)
 Query "Guest User Mapping" from VCenter UI and it success


-VMWare GOS QA
Comment 2 vmware gos 2020-06-11 09:24:45 UTC
I install rpm tools 11.1.0 on SLES 15SP2 RC3, guestops work well.
command: zypper --no-gpg-checks in -y http://build-squid.eng.vmware.com/build/storage61/release/bora-16036546/publish/packages/packages/sles-15/x86_64/open-vm-tools-11.1.0-0.16036546.x86_64.rpm

This is the content of /etc/pam.d/vmtoolsd installed with built-in open-vm-tools 11.1.0 in SLES 15 SP2 RC3
# cat /etc/pam.d/vmtoolsd 
#%PAM-1.0
auth     required       pam_shells.so
auth     requisite      pam_nologin.so
auth     [user_unknown=ignore success=ok ignore=ignore auth_err=die default=bad]    pam_securetty.so
auth     include        common-auth
account  include        common-account
 
This is the content of /etc/pam.d/vmtoolsd installed with our docker-build open-vm-tools 11.1.0
# cat /etc/pam.d/vmtoolsd 
#%PAM-1.0
auth       required         pam_shells.so
auth       sufficient       pam_unix.so shadow
auth       required         pam_unix_auth.so shadow
account    required         pam_shells.so
account    sufficient       pam_unix.so
account    required         pam_unix_acct.so


Line 'auth     [user_unknown=ignore success=ok ignore=ignore auth_err=die default=bad]    pam_securetty.so' in /etc/pam.d/vmtoolsd cause guestops failure.

-VMware GOS QA
Comment 4 Kirk Allan 2020-06-15 15:32:51 UTC
Is the patch from Bug 1171003 causing this problem?
Comment 5 Kirk Allan 2020-06-15 15:42:13 UTC
(In reply to vmware gos from comment #2)
> I install rpm tools 11.1.0 on SLES 15SP2 RC3, guestops work well.
> command: zypper --no-gpg-checks in -y
> http://build-squid.eng.vmware.com/build/storage61/release/bora-16036546/
> publish/packages/packages/sles-15/x86_64/open-vm-tools-11.1.0-0.16036546.
> x86_64.rpm
> 

The /etc/pam.d/vmtoolsd below was changed as requested by bug 1171003.

> This is the content of /etc/pam.d/vmtoolsd installed with built-in
> open-vm-tools 11.1.0 in SLES 15 SP2 RC3
> # cat /etc/pam.d/vmtoolsd 
> #%PAM-1.0
> auth     required       pam_shells.so
> auth     requisite      pam_nologin.so
> auth     [user_unknown=ignore success=ok ignore=ignore auth_err=die
> default=bad]    pam_securetty.so
> auth     include        common-auth
> account  include        common-account
>  
> This is the content of /etc/pam.d/vmtoolsd installed with our docker-build
> open-vm-tools 11.1.0
> # cat /etc/pam.d/vmtoolsd 
> #%PAM-1.0
> auth       required         pam_shells.so
> auth       sufficient       pam_unix.so shadow
> auth       required         pam_unix_auth.so shadow
> account    required         pam_shells.so
> account    sufficient       pam_unix.so
> account    required         pam_unix_acct.so
> 
> 
> Line 'auth     [user_unknown=ignore success=ok ignore=ignore auth_err=die
> default=bad]    pam_securetty.so' in /etc/pam.d/vmtoolsd cause guestops
> failure.

Do you want the entire patch from bug 1171003 removed?

Do you just want the:
 'auth     [user_unknown=ignore success=ok ignore=ignore auth_err=die default=bad]    pam_securetty.so' 

line removed?

> 
> -VMware GOS QA
Comment 7 Kirk Allan 2020-06-17 18:08:34 UTC
Removed line 'pam_securetty.so' from the pam patch from bug 1171003 and submitted.
Comment 10 vmware gos 2020-06-26 13:30:38 UTC
Hello Kirk Allan,

SLE15SP2 Internal GM is announced yesterday, this Gold Master ISOs are identical to Gold Master Candidate ISOs. Seems this build is the last build as And The fix of this PR is not in this Internal GM.

So I wonder which build will contain the fix. If this fix is not in the final 15SP2 Release build, guestops will not work and then VGAuth will not work, which will cause big issues. So It's better this fix would be integrated ASAP into following new 15SP2 build and the last build.

Thanks,
VMWare GOS QA
Comment 11 Kirk Allan 2020-06-26 14:03:45 UTC
(In reply to vmware gos from comment #10)
> Hello Kirk Allan,
> 
> SLE15SP2 Internal GM is announced yesterday, this Gold Master ISOs are
> identical to Gold Master Candidate ISOs. Seems this build is the last build
> as And The fix of this PR is not in this Internal GM.
> 
> So I wonder which build will contain the fix. If this fix is not in the
> final 15SP2 Release build, guestops will not work and then VGAuth will not
> work, which will cause big issues. So It's better this fix would be
> integrated ASAP into following new 15SP2 build and the last build.
> 
> Thanks,
> VMWare GOS QA

The fix was submitted to SLES 15 SP2 on 6/17/2020.  It is hoped that the new packages will be in the maintenance channel by the time 15 SP2 is available.
Comment 12 vmware gos 2020-06-27 01:58:30 UTC
There is a KB about how to configure vmtoolsd to use common authentication mechanism using PAM (78251):
https://kb.vmware.com/s/article/78251

-VMware GOS QA
Comment 13 vmware gos 2020-06-29 02:23:58 UTC
Hello Allen,

Do you mean that this fix would be not in future SLE15SP2 official build and Only registered VM could get this fix across the maintenance channel after SLE15SP2 is released? 

-VMWare GOS QA
Comment 14 Kirk Allan 2020-06-29 14:09:02 UTC
(In reply to vmware gos from comment #12)
> There is a KB about how to configure vmtoolsd to use common authentication
> mechanism using PAM (78251):
> https://kb.vmware.com/s/article/78251
> 

Yes, this KB article was use to configure the vmtoolsd common authentication.  However, when bug 1171003 was first entered, it contained the offending line that caused the issue.  I see that he KB has since been updated to not include the offending line.  We have likewise updated the patch to not include the offending line.

> -VMware GOS QA
Comment 15 Kirk Allan 2020-06-29 14:41:08 UTC
(In reply to vmware gos from comment #13)
> Hello Allen,
> 
> Do you mean that this fix would be not in future SLE15SP2 official build and
> Only registered VM could get this fix across the maintenance channel after
> SLE15SP2 is released? 
> 

Due to the unfortunate timing of the incorrect information in the KB used to create the patch for bug 1171003, the discovery of the bad line in the KB that caused this bug, the release schedule of 15SP2, and the submittal of the fix, the fix will only be available in the maintenance channel util it gets rolled into the quarterly 15PS2 updated media.

> -VMWare GOS QA
Comment 16 Antoine Ginies 2020-06-30 07:57:16 UTC
The fix will be available in the maintenance channel, and it should be available for FCS (so at SLE15SP2 launch).
Comment 17 Swamp Workflow Management 2020-07-15 13:21:32 UTC
SUSE-RU-2020:1916-1: An update that has four recommended fixes can now be installed.

Category: recommended (moderate)
Bug References: 1171003,1171764,1171765,1172693
CVE References: 
Sources used:
SUSE Linux Enterprise Module for Desktop Applications 15-SP2 (src):    open-vm-tools-11.1.0-4.3.1
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src):    open-vm-tools-11.1.0-4.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 18 Swamp Workflow Management 2020-07-15 13:22:34 UTC
SUSE-RU-2020:1917-1: An update that has four recommended fixes can now be installed.

Category: recommended (moderate)
Bug References: 1171003,1171764,1171765,1172693
CVE References: 
Sources used:
SUSE Linux Enterprise Server 12-SP5 (src):    open-vm-tools-11.1.0-4.24.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 19 Swamp Workflow Management 2020-07-17 19:14:15 UTC
SUSE-RU-2020:1951-1: An update that has four recommended fixes can now be installed.

Category: recommended (moderate)
Bug References: 1171003,1171764,1171765,1172693
CVE References: 
Sources used:
SUSE Linux Enterprise Module for Desktop Applications 15-SP1 (src):    open-vm-tools-11.1.0-3.17.1
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src):    open-vm-tools-11.1.0-3.17.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 20 Swamp Workflow Management 2020-07-18 22:16:46 UTC
openSUSE-RU-2020:0995-1: An update that has four recommended fixes can now be installed.

Category: recommended (moderate)
Bug References: 1171003,1171764,1171765,1172693
CVE References: 
Sources used:
openSUSE Leap 15.2 (src):    open-vm-tools-11.1.0-lp152.3.3.1
Comment 21 Swamp Workflow Management 2020-07-23 10:21:12 UTC
openSUSE-RU-2020:1038-1: An update that has four recommended fixes can now be installed.

Category: recommended (moderate)
Bug References: 1171003,1171764,1171765,1172693
CVE References: 
Sources used:
openSUSE Leap 15.1 (src):    open-vm-tools-11.1.0-lp151.2.15.1
Comment 22 Kirk Allan 2020-08-03 14:38:34 UTC
The fix should now be available in TW and SLES maintenance channels.
Comment 23 vmware gos 2020-10-16 09:51:17 UTC
This issue can be closed.

The fix has been verified.

pek2-gosv-16-dhcp27:~ # vmtoolsd -v
VMware Tools daemon, version 11.1.5.22735 (build-16724464)
pek2-gosv-16-dhcp27:~ # cat /etc/pam.d/vmtoolsd
#%PAM-1.0
auth     required       pam_shells.so
auth     requisite      pam_nologin.so
auth     include        common-auth
account  include        common-account
pek2-gosv-16-dhcp27:~ # cat /etc/os-release
NAME="SLES"
VERSION="15-SP2"
VERSION_ID="15.2"
PRETTY_NAME="SUSE Linux Enterprise Server 15 SP2"
ID="sles"
ID_LIKE="suse"
ANSI_COLOR="0;32"
CPE_NAME="cpe:/o:suse:sles:15:sp2"


BRs,
VMWare GOSV QE