I received an interesting e-mail yesterday from a check_esxi_wbem user. Prior the release of ESXi 4.1 it was possible to create a read-only user which was used to run the plugin, e.g.:
https://192.168.1.4 someuser somepassword dell
Since the ESXi 4.1 release an error "Authorization failed" is now returned. Here's a work-around, how to use a user which is not root. Note: In any case, using the root-user will still work!
- In the vSphere client select the ESXi host, open "Local Users&Groups" tab
- Add a new user with the following or similar details:
User: nagios, UID: 1001, Name: Nagios User, Password: Test-12345, Add to group root
It is necessary that the password contains at least one capital letter, at least one lower case letter and at least a number. The password has also a minimal and maximum length. If the password is not good, you'll get an error message. And yes, unfortunately it is necessary to add the new user to the group 'root'. The other groups won't work. But that doesn't mean that the new user now has root rights. SSH is per default disabled in ESXi servers and even it it were enabled, the following entry was added into the /etc/passwd file:
And once again, this only affects check_esxi_wbem plugin-users which don't use the root-user to query the vSphere CIM.
Ian Miller from wrote on Aug 15th, 2016:
Just a quick note to say that the method below (adding manually to /etc/group), works for me with a read-only user on ESXi 6.0 u2. Great!
Andreas from wrote on Jun 15th, 2016:
works here on 5.1 with a non-root user and with ReadOnly role:
I added the user manually to the root-group via ssh to the server by editing the /etc/group file:
~ # egrep icinga /etc/passwd
~ # egrep icinga /etc/group
guly from Italy wrote on Mar 27th, 2014:
did anyone configure 5.1 with non-root user?
Leonardo Lage from Brazil wrote on Feb 21st, 2013:
The solution is very simple. You need create user normally. You cant set group, no problem.
goes to permisstion tab, and click add permission.
selece the user you like to grant administration privilegies, and select administrator privilege role.
The best option probably is create a role only with sensors permisions, but I not know to create it yet.
Kim from wrote on Jan 14th, 2013:
vsphere 5.1 does not support localgroup, what is a option to use another user account to query the esxi cim? I do not want to use root user and password on nagios.
Leonardo Lage from Brazil wrote on Dec 26th, 2012:
Now on vsphere 5.1 not have more root group, what is a option to use another user to your plugin check esxi? I not like to use root user and pass on nagios.
Mircea Vutcovici from wrote on Jun 20th, 2011:
The root group is mapped to Administrator role in ESX. This means that nagios user will have access to all operations over ESX server. If you change to a limited role and even to a clone of Administrator role it will not work. It is working only with the built in Administrator role. The group can be any group, but that group must be mapped to Administrator role.
Philippe Barsalou from wrote on Jun 16th, 2011:
Thanks. Solved my issue.
Personal Internet VMware PHP Linux Shell Bluecoat Proxy Windows Hardware Virtualization Nagios MySQL DB Monitoring Mail Android Network Wyse Hacks Tomcat Postgres Apple Mac Backup BSD ZFS Solaris SmartOS Unix Multimedia Perl Database MongoDB CMS OTRS FreeBSD Wordpress LXC Nginx Proxmox DNS Graphics GlusterFS Security Chef HAProxy Icinga Ansible HTML MariaDB Containers Rancher Docker AWS ELK Kibana Logstash Filebeat Varnish PGSQL PostgreSQL ElasticSearch CouchDB Bash Macintosh Container Minio Grafana InfluxDB Databases NFS OSSEC SystemD Java Zoneminder Surveillance Elasticsearch SSL TLS Icingaweb2 Cloud Wireless Kubernetes Ubuntu