Creating and managing local users on the vCenter Server Appliance, which is the first virtual machine hosted on a physical VMware host and on which the vCenter service resides, is a bit different from using vMA or PowerCLI, mainly because it uses a different syntax and different commands. Let's see how to create a new local user directly on vCenter. We will need to:
- Enable SSH on your vCenter Server Appliance.
- Now log in to your vCenter Server Appliance using an SSH client.
- Create a local user. Here's the command:
useradd vcadmin
Important: Do not use the useradd.local command.
- Assign a password to the newly created user:
passwd vcadmin
Using the vSphere Client, log in as root to your vCenter Server Appliance. After that you will be able to assign a custom role to this new user and assign it to a VM or directly to a host in your ESX infrastructure.
Select the object on which you want to assign permissions for this user. Go to the Permissions tab for this object and add permissions for this user. That's it: test the user login and you are done.
If you need to create a root-equivalent user, i.e. a vCenter administrator, assign the permissions on the vc-inventory-root (datacenters folder).
Note: vCenter Server Appliance uses PAM libraries for authenticating users. The PAM libraries on vCenter Server Appliance have been configured for strong authentication, so if any user has more than 3 consecutive failed logins, the user account is locked.
You can check whether the user account is locked or not by running the following command on the vCenter Server Appliance over SSH login:
pam_tally --user vcadmin
It will echo something like the following:
User vcadmin (1005) has 0
As long as the user has 0 (zero), everything is good; if it is more than 3, the account is locked. To unlock the account, run the following command:
pam_tally --user <username> --reset
If it's an AD account, unlock it using the following command:
pam_tally --user username@domainname --reset
By the way, if you need to change the default number of allowed failed logins, say from 3 to 5, edit the following file and update it appropriately.
/etc/pam.d/common-auth
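An added example, not part of the original article: a shell function that reads pam_tally output in the format shown above and lists the accounts whose failure count is over the lockout limit, so locked accounts can be spotted before anyone resets them. The function names, the sample accounts and their UIDs are constructed for illustration; the limit defaults to 3 as described above and should match whatever is configured in /etc/pam.d/common-auth.

```shell
#!/bin/sh
# Added example: list accounts that pam_tally reports as over the lockout limit.
# Expected input lines: "User <name> (<uid>) has <count>"

# locked_accounts [LIMIT]
# Reads pam_tally output on stdin and prints one locked account name per line.
# An account counts as locked when its failure count is MORE than LIMIT.
locked_accounts() {
    limit="${1:-3}"
    case "$limit" in
        ''|*[!0-9]*) echo "limit must be a non-negative integer" >&2; return 2 ;;
    esac
    while read -r word user uid has count rest || [ -n "$word" ]; do
        [ -z "$word" ] && continue            # skip blank lines
        case "$count" in
            ''|*[!0-9]*) numeric=0 ;;
            *) numeric=1 ;;
        esac
        if [ "$word" != "User" ] || [ "$has" != "has" ] ||
           [ -n "$rest" ] || [ "$numeric" -eq 0 ]; then
            echo "skipping unrecognised line for: $user" >&2
            continue
        fi
        if [ "$count" -gt "$limit" ]; then
            printf '%s\n' "$user"
        fi
    done
    return 0
}

# Constructed sample output (accounts and UIDs are made up for this example).
sample_tally() {
    cat <<'EOF'
User vcadmin (1005) has 0
User backupsvc (1006) has 4
User jdoe@example.local (1007) has 3
User opsuser (1008) has 7
EOF
}

# Demo on the constructed sample; on the appliance, pipe real output instead:
#   pam_tally --user vcadmin | locked_accounts 3
sample_tally | locked_accounts 3
```

An account sitting exactly at the limit (jdoe@example.local with 3 in the sample) is not reported, because the lock applies only when the count is more than the limit.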