A couple of days back someone asked me how to create a local user on the vCenter Server Appliance, so I looked into how local users work on the vCenter Server Appliance. It is pretty simple:
- Enable SSH on your vCenter Server Appliance.
- Now login to your vCenter Server Appliance using a SSH client.
- Create a local user, here’s the command:
Important: Do not use the useradd.local command.
- Assign a password to the newly created user.
- Using the vSphere client, login as root to your vCenter Server Appliance.
- Select the object on which you want to assign permissions for this user. Go to permissions tab for this object and add permissions for this user.
- That’s it.
- Test user login and you are done.
- If you need to create a root-equivalent user, i.e. a vCenter administrator, assign the permissions on the vc-inventory-root (Datacenters folder).
Note: vCenter Server Appliance uses PAM libraries to authenticate users. The PAM libraries on the vCenter Server Appliance are configured for strong authentication, so if a user has more than 3 consecutive failed logins, the account is locked.
You can check whether the user account is locked or not by running the following command on the vCenter Server Appliance over SSH login:
pam_tally --user vcadmin
It will echo something like the following:
User vcadmin (1005) has 0
As long as the user has 0 (zero), everything is good; if it is more than 3, the account is locked. To unlock the account, run the following command:
pam_tally --user <username> --reset
If it is an AD account, unlock it with the following command:
pam_tally --user username@domainname --reset
BTW, if you need to change the default number of allowed failed logins from, say, 3 to 5, edit the following file and update it appropriately.
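Since the lockout check above comes down to reading one number out of the pam_tally output, here is a small POSIX shell helper that does that and compares it against the threshold. This is an added example, not code from the post or from VMware: the tally lines it is tested against are constructed to match the format shown above, the MAX_FAILED default of 3 mirrors the appliance default described in the post, and check_live_user assumes pam_tally is on the PATH of the appliance you run it on.

```shell
# Assumed default: the appliance's lockout threshold as described in the post.
MAX_FAILED=3

# Extract the failure count N from one pam_tally output line of the form
# "User NAME (UID) has N". Prints nothing if the line does not match.
tally_count() {
    printf '%s\n' "$1" | sed -n 's/^User [^ ]* ([0-9]*) has \([0-9]*\).*/\1/p'
}

# Exit status 0 when the account in the line is locked (count above the
# threshold), 1 when it is still usable, 2 when the line cannot be parsed.
# $2 optionally overrides the threshold, for appliances reconfigured to
# allow a different number of failed logins.
account_is_locked() {
    count=$(tally_count "$1")
    limit=${2:-$MAX_FAILED}
    if [ -z "$count" ]; then
        echo "unparseable pam_tally line: $1" >&2
        return 2
    fi
    [ "$count" -gt "$limit" ]
}

# Human-readable verdict for one tally line: "locked" or "ok".
lock_status() {
    if account_is_locked "$1" "$2"; then
        echo "locked"
    else
        echo "ok"
    fi
}

# Run the real check for a user on the appliance (assumes pam_tally exists).
# Not executed here; call it over SSH on the vCenter Server Appliance.
check_live_user() {
    if ! command -v pam_tally >/dev/null 2>&1; then
        echo "pam_tally not found on this host" >&2
        return 2
    fi
    lock_status "$(pam_tally --user "$1")"
}
```

A reset (pam_tally --user username --reset) is only warranted when lock_status reports "locked"; a non-zero but sub-threshold count is just a sign of recent failed attempts, which is worth a look in the logs before resetting.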
Although I have not tested this, I believe one should be able to add local groups in a similar way.