This is a quick post on how you can reset some of the new hidden service accounts in VCF 9 if they expire. The following link lists some of these accounts and is a good starting point to get an overview:
If SDDC Manager or VCF Operations reports that it is unable to connect to vCenter, and operationsmanager.log shows failed vCenter connections for a username similar to “svc-sddcmanager-a-vc-mgmt-a-7677” together with the message “The credentials were incorrect or the account specified has been locked”, the service accounts may have expired. These service accounts live in vCenter but are not visible in the vSphere Client. One way to reset them is with the dir-cli command on the vCenter appliance.
Examples:
List all service accounts:
/usr/lib/vmware-vmafd/bin/dir-cli svcaccount list --login administrator@vsphere.local --password 'VMware123!VMware123!'
See if a specific service account has expired:
/usr/lib/vmware-vmafd/bin/dir-cli user find-by-name --account svc-sddcmanager-a-vc-mgmt-a-7677 --level 2 --login administrator@vsphere.local --password 'VMware123!VMware123!'
Set a specific service account to never expire:
/usr/lib/vmware-vmafd/bin/dir-cli user modify --account svc-sddcmanager-a-vc-mgmt-a-7677 --password-never-expires --login administrator@vsphere.local --password 'VMware123!VMware123!'
Reset the password on a specific service account:
/usr/lib/vmware-vmafd/bin/dir-cli password reset --account svc-sddcmanager-a-vc-mgmt-a-7677 --login administrator@vsphere.local --password 'VMware123!VMware123!'
Set all service accounts to never expire:
for i in $(/usr/lib/vmware-vmafd/bin/dir-cli svcaccount list --login administrator@vsphere.local --password 'VMware123!VMware123!'); do /usr/lib/vmware-vmafd/bin/dir-cli user modify --account $i --password-never-expires --login administrator@vsphere.local --password 'VMware123!VMware123!'; done
List details about all service accounts into a text file:
for i in $(/usr/lib/vmware-vmafd/bin/dir-cli svcaccount list --login administrator@vsphere.local --password 'VMware123!VMware123!'); do /usr/lib/vmware-vmafd/bin/dir-cli user find-by-name --account $i --level 2 --login administrator@vsphere.local --password 'VMware123!VMware123!' >>temp.txt; done
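An added example, not from the post: a small shell audit that reads the level-2 records produced by the loop above (from temp.txt or straight from dir-cli) and reports only the accounts that are locked or whose password has expired, so you know which ones need a reset before touching anything. The field names “Account locked:” and “Password expired:” and the sample records below are assumptions about the dir-cli output format, not captured output.

```shell
#!/bin/sh
# Audit dir-cli "user find-by-name --level 2" records for service accounts
# that need attention. Field names are assumed, not verified against dir-cli.

DIRCLI=/usr/lib/vmware-vmafd/bin/dir-cli

# Read one or more concatenated level-2 records (from files given as
# arguments, or stdin) and print "account<TAB>reason" for every account
# that is locked or has an expired password. Clean accounts print nothing.
flag_problem_accounts() {
  awk -F': *' '
    /^Account:/          { acct = $2 }                                  # start of a record
    /^Account locked:/   { if ($2 == "TRUE") print acct "\tlocked" }
    /^Password expired:/ { if ($2 == "TRUE") print acct "\texpired" }
  ' "$@"
}

# Live audit against vCenter: enumerate service accounts, dump each at
# level 2 and pipe the lot through the filter. Needs SSO admin credentials.
audit_service_accounts() {
  login=$1; pass=$2
  for acct in $("$DIRCLI" svcaccount list --login "$login" --password "$pass"); do
    "$DIRCLI" user find-by-name --account "$acct" --level 2 \
      --login "$login" --password "$pass"
  done | flag_problem_accounts
}

# Constructed sample in the assumed format (what temp.txt might contain).
SAMPLE='Account: svc-sddcmanager-a-vc-mgmt-a-7677
UPN: svc-sddcmanager-a-vc-mgmt-a-7677@vsphere.local
Account disabled: FALSE
Account locked: TRUE
Password never expires: FALSE
Password expired: TRUE
Account: svc-vcf-ops-example
UPN: svc-vcf-ops-example@vsphere.local
Account disabled: FALSE
Account locked: FALSE
Password never expires: TRUE
Password expired: FALSE'

# Offline usage: printf '%s\n' "$SAMPLE" | flag_problem_accounts
# On the appliance:  flag_problem_accounts temp.txt
```

Accounts listed as expired are the candidates for the dir-cli password reset and --password-never-expires commands above.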
Check this link on how to retrieve the service account credentials from SDDC Manager:
https://knowledge.broadcom.com/external/article/327195/retrieve-the-service-accounts-credential.html
If you don’t find the account you are looking for by following the link above you may try this one:
https://techdocs.broadcom.com/us/en/vmware-cis/vcf/vcf-9-0-and-later/9-0/fleet-management/manage-passwords/look-up-account-credentials-using-the-lookup-password-command.html
If you get an error message that SDDC Manager or VCF Operations is unable to connect to NSX Manager you may have expired service accounts in NSX Manager. These are also not available in the NSX Manager user interface, but they can be managed by following this procedure:
https://techdocs.broadcom.com/us/en/vmware-cis/nsx/vmware-nsx/4-2/administration-guide/authentication-and-authorization/password-management/resetting-passwords-on-an-appliance.html
Commands like chage and passwd can be used to set the expiry and password for the account.
The steps in this post are not provided by Broadcom, so if you have any of these problems in production please call Broadcom Support.