Closed bhumitra closed 10 months ago
Hi Bhumitra, This I observed today with the 'Request-SDDCManagerPasswordComplexity' cmdlet. This was because the system file '/etc/pam.d/system-password' is not containing any data except history on a fresh setup. After I did update with all the required values and then called the Request cmdlet it worked. Attached is the snapshot for reference.
@sowjuec the file where lockout policy resides has changed in VCF 5.1 and above. This change is due to Photon OS being upgraded from version 3.0 to 4.0.
The file has changed from /etc/pam.d/system-password to /etc/security/faillock.conf
This change impacts the appliances which were upgraded from Photon OS 3.0 to 4.0 in the VCF 5.1 release, i.e. SDDC Manager and vCenter Server.
After the fix
VMware Cloud Foundation
5.1
PowerShell Version
7.2
PowerCLI Version
13.1
Module Version
1.7
PowerValidatedSolutions Version
1.8
PowerVCF Version
2.7
Guest Operating System
Windows Server 2019
Environment Details
No response
Description
I ran the Invoke-PasswordPolicyManager cmdlet and the report is missing data for account lockout policies. See screenshots.
Problem with the below items - The file where lockout policy resides has changed in VCF 5.1 and above. This change is due to Photon OS being upgraded from version 3.0 to 4.0.
The file has changed from /etc/pam.d/system-password to /etc/security/faillock.conf
This change impacts the appliances which were upgraded from Photon OS 3.0 to 4.0 in the VCF 5.1 release, i.e. SDDC Manager and vCenter Server.
The individual cmdlets are also returning just the host name, e.g.
PS C:> Request-VcenterAccountLockout -server sfo-vcf01.sfo.rainpole.io -user administrator@vsphere.local -pass ** -domain sfo-m01
System
sfo-m01-vc01
We should also enhance the above cmdlet to show "N/A" as values for parameters which are configurable but not set, e.g. in the above command, we could return Max Failures, Unlock Interval (sec), and Root Unlock Interval (sec) with value as N/A as it is not set in the report and in the command.
Error or Debug Output
See screenshots
Expected Behavior
Should return the policy data.
Actual Behavior
See desc.
Steps to Reproduce
See desc.
Log Fragments and Files
No response
Screenshots
No response
References
No response
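The behaviour requested in the description, as an added example that is not code from the issue or from the module: it parses the text of /etc/security/faillock.conf and reports N/A for lockout settings that are configurable but not set. The helper name ConvertFrom-FaillockConf, the mapping of the report columns to the pam_faillock options deny, unlock_time and root_unlock_time, and the sample file content are assumptions.

```powershell
# Added example. ConvertFrom-FaillockConf is a hypothetical helper, not a cmdlet from the module.
function ConvertFrom-FaillockConf {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory)] [String]$System,
        [Parameter(Mandatory)] [AllowEmptyString()] [String]$Content
    )

    # Collect active "option = value" pairs; comments and blank lines are ignored,
    # so an option that is present only as "# deny = 3" counts as not set.
    $settings = @{}
    foreach ($line in ($Content -split "`r?`n")) {
        $text = ($line -replace '#.*$', '').Trim()
        if ($text -match '^(?<key>\w+)\s*=\s*(?<value>\S+)$') {
            $settings[$Matches['key']] = $Matches['value']
        }
    }

    # Assumed mapping of report columns to pam_faillock options.
    $fields = [ordered]@{
        'Max Failures'               = 'deny'
        'Unlock Interval (sec)'      = 'unlock_time'
        'Root Unlock Interval (sec)' = 'root_unlock_time'
    }

    # Always emit every column; fall back to N/A when the option is not set.
    $report = [ordered]@{ 'System' = $System }
    foreach ($name in $fields.Keys) {
        $key = $fields[$name]
        $report[$name] = if ($settings.ContainsKey($key)) { $settings[$key] } else { 'N/A' }
    }
    [PSCustomObject]$report
}

# Constructed sample content: deny and unlock_time are set, root_unlock_time is commented out.
$sample = @'
# Configuration for locking the user after multiple failed attempts.
deny = 3
unlock_time=900
# root_unlock_time = 300
'@

ConvertFrom-FaillockConf -System 'sfo-m01-vc01' -Content $sample
```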