“Unable to expire password for root” – Debian 9 in vCloud Director

Debian 9 was released on 17th of June 2017, and for me that meant not only upcoming upgrades but also a new vCloud Director template. I started building it on Monday and ran into a problem with customization. Of course, I used open-vm-tools, because I try to use them everywhere. I have had many problems with customization before, but this was the first time I had a problem with password customization on a Linux guest OS: I got the “unable to expire password for root” error. Fortunately, I took a look at the open-vm-tools code and found the solution. It seems that the Internet has no resolution yet, which is very interesting.

Symptoms of “unable to expire password for root”

Your environment:

  • vCloud Director (I assume it doesn’t matter which version)
  • Debian 9 as the guest OS
  • open-vm-tools installed on Debian

If your customization doesn’t work, you should – as always – check the logs, which are stored in /var/log/vmware-imc/toolsDeployPkg.log. If you find something there similar to the following snippet:

you know that you’re home. 🙂 The most important line is the 9th, which tells you that the script has encountered the error: “Unable to expire password for root users OR set password for root user”.

How it is supposed to look:

How to resolve this issue?

In my case, the resolution was to change the /etc/pam.d/vmtoolsd file so that it contains the correct parameters. When you check the GitHub repository of the open-vm-tools project, you find the following code:

After the system installation this file was empty, hence customization could not work properly. I think open-vm-tools should populate this file during the customization (I have exactly the same version as in the repository on my other Linux OSes), but for some reason that didn’t happen. After I added those lines, customization started to work.
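
The check described in this post (look for the error in toolsDeployPkg.log, then see whether /etc/pam.d/vmtoolsd is empty), written as an added shell example that is not part of the original post or of open-vm-tools. The function names, the verdict strings and the rule that a usable file needs at least one auth and one account entry are assumptions.

```sh
#!/bin/sh
# Added example, not from open-vm-tools. Paths and the error text are the
# ones quoted in the article; all function names are hypothetical.
PAM_FILE=/etc/pam.d/vmtoolsd
IMC_LOG=/var/log/vmware-imc/toolsDeployPkg.log
ERR='Unable to expire password for root users OR set password for root user'

# Print how many active rules of one PAM type (auth, account) a file holds.
pam_rule_count() {   # $1 = file, $2 = type
    [ -r "$1" ] || { echo 0; return 0; }
    awk -v t="$2" '{ k = $1; sub(/^-/, "", k) } k == t { n++ }
                   END { print n + 0 }' "$1"
}

# Classify the service file: missing | empty | review | incomplete | ok
pam_file_state() {   # $1 = file
    [ -e "$1" ] || { echo missing; return 0; }
    # Only blank or comment lines: the state the article found after install.
    grep -Eqv '^[[:space:]]*(#.*)?$' "$1" || { echo empty; return 0; }
    # Debian @include lines pull rules from other files; flag for manual review.
    if grep -Eq '^[[:space:]]*@include' "$1"; then echo review; return 0; fi
    # Assumption: a usable file needs at least one auth and one account rule.
    if [ "$(pam_rule_count "$1" auth)" -gt 0 ] &&
       [ "$(pam_rule_count "$1" account)" -gt 0 ]; then echo ok
    else echo incomplete; fi
}

# Succeed if the customization log contains the article's error message.
log_has_password_error() {   # $1 = log file
    [ -r "$1" ] && grep -Fq "$ERR" "$1"
}

# Combine both checks into one verdict line.
diagnose() {   # $1 = PAM file, $2 = log file
    state=$(pam_file_state "$1")
    if ! log_has_password_error "$2"; then
        echo "no-password-error pam=$state"
    elif [ "$state" = ok ]; then
        echo "password-error pam=ok (PAM file populated; look elsewhere)"
    else
        echo "password-error pam=$state (repopulate $1)"
    fi
}

diagnose "${1:-$PAM_FILE}" "${2:-$IMC_LOG}"
```

Run it without arguments inside the guest, or pass a PAM file and a log file copied out of a template to check them offline.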

2 Replies to ““Unable to expire password for root” – Debian 9 in vCloud Director”

  1. Hi,
    I am currently facing the problem with deploying and resetting root password on Debian 9.
    Log says:
    INFO: Handling password settings …
    INFO: Changing the password…
    DEBUG: Command: ‘/bin/cp -f /etc/shadow /etc/shadow.copy’
    DEBUG: Result:
    DEBUG: Exit Code: 0
    INFO: password utils
    DEBUG: Command: ‘**************’
    DEBUG: Exit Code: 512
    ERROR: Fatal error occoured during customization !! Customization halted.
    ERROR: Error : Unable to expire password for root users OR set password for root user at /tmp/.vmware-imgcust-dfw6Woo/scripts/Customization.pm line 972.

    INFO: Get Tools Daemon Command Line
    DEBUG: Command: ‘ps -C vmtoolsd -o cmd=’
    DEBUG: Result: /usr/bin/vmtoolsd

    DEBUG: Exit Code: 0
    DEBUG: Command: ‘/usr/bin/vmtoolsd –cmd “info-set guestinfo.gc.status Unable to expire password for root users OR set password for root user at /tmp/.vmware-imgcust-dfw6Woo/scripts/Customization.pm line 972.
    “‘
    DEBUG: Result:

    DEBUG: Exit Code: 0
    INFO: Return code is 248.

    Customization process returned with error.

    Deployment result = 248

    Setting generic error status in vmx.

    This is how the vmtoolsd looks:
    # PAM configuration for vmtoolsd
    #%PAM-1.0
    auth required pam_shells.so
    auth sufficient pam_unix.so shadow
    auth required pam_unix_auth.so shadow
    account required pam_shells.so
    account sufficient pam_unix.so
    account required pam_unix_acct.so

    We are running open-vm-tools:
    open-vm-tools 2:10.1.5-5055683-4+deb9u1

    Do you have any suggestions what the problem can be?
    Thank you very much.

    Martin

    1. Hi, Martin!

      Unfortunately, I am not able to help you – your pamd configuration looks fine, so it should work (in theory). I don’t have any lab, because I don’t work with VMware anymore, so I cannot even try to reproduce your problem. 🙁 I suggest opening an issue at https://github.com/vmware/open-vm-tools/issues. Hope they will be able to help you!
