This article was written in October 2010 for ESXi 4.1. Please refer to the newer article using check_esxi_hardware with non-root user in ESXi 8.
I received an interesting e-mail yesterday from a check_esxi_wbem user. Prior the release of ESXi 4.1 it was possible to create a read-only user which was used to run the plugin, e.g.:
https://192.168.1.4 someuser somepassword dell
Since the ESXi 4.1 release an error "Authorization failed" is now returned. Here's a work-around, how to use a user which is not root. Note: In any case, using the root-user will still work!
- In the vSphere client select the ESXi host, open "Local Users&Groups" tab
- Add a new user with the following or similar details:
User: nagios, UID: 1001, Name: Nagios User, Password: Test-12345, Add to group root
It is necessary that the password contains at least one capital letter, at least one lower case letter and at least a number. The password has also a minimal and maximum length. If the password is not good, you'll get an error message. And yes, unfortunately it is necessary to add the new user to the group 'root'. The other groups won't work. But that doesn't mean that the new user now has root rights. SSH is per default disabled in ESXi servers and even it it were enabled, the following entry was added into the /etc/passwd file:
And once again, this only affects check_esxi_wbem plugin-users which don't use the root-user to query the vSphere CIM.
Ian Miller from wrote on Aug 15th, 2016:
Just a quick note to say that the method below (adding manually to /etc/group), works for me with a read-only user on ESXi 6.0 u2. Great!
Andreas from wrote on Jun 15th, 2016:
works here on 5.1 with a non-root user and with ReadOnly role:
I added the user manually to the root-group via ssh to the server by editing the /etc/group file:
~ # egrep icinga /etc/passwd
~ # egrep icinga /etc/group
guly from Italy wrote on Mar 27th, 2014:
did anyone configure 5.1 with non-root user?
Leonardo Lage from Brazil wrote on Feb 21st, 2013:
The solution is very simple. You need create user normally. You cant set group, no problem.
goes to permisstion tab, and click add permission.
selece the user you like to grant administration privilegies, and select administrator privilege role.
The best option probably is create a role only with sensors permisions, but I not know to create it yet.
Kim from wrote on Jan 14th, 2013:
vsphere 5.1 does not support localgroup, what is a option to use another user account to query the esxi cim? I do not want to use root user and password on nagios.
Leonardo Lage from Brazil wrote on Dec 26th, 2012:
Now on vsphere 5.1 not have more root group, what is a option to use another user to your plugin check esxi? I not like to use root user and pass on nagios.
Mircea Vutcovici from wrote on Jun 20th, 2011:
The root group is mapped to Administrator role in ESX. This means that nagios user will have access to all operations over ESX server. If you change to a limited role and even to a clone of Administrator role it will not work. It is working only with the built in Administrator role. The group can be any group, but that group must be mapped to Administrator role.
Philippe Barsalou from wrote on Jun 16th, 2011:
Thanks. Solved my issue.
AWS Android Ansible Apache Apple Atlassian BSD Backup Bash Bluecoat CMS Chef Cloud Coding Consul Containers CouchDB DB DNS Database Databases Docker ELK Elasticsearch Filebeat FreeBSD Galera GlusterFS Grafana Graphics HAProxy HTML Hacks Hardware Icinga Icingaweb Icingaweb2 Influx Internet Java KVM Kibana Kodi Kubernetes LXC Linux Logstash Mac Macintosh Mail MariaDB Minio MongoDB Monitoring Multimedia MySQL NFS Nagios Network Nginx OSSEC OTRS Office PGSQL PHP Perl Personal PostgreSQL Postgres PowerDNS Proxmox Proxy Python Rancher Rant Redis Roundcube SSL Samba Seafile Security Shell SmartOS Solaris Surveillance Systemd TLS Tomcat Ubuntu Unix VMWare VMware Varnish Virtualization Windows Wireless Wordpress Wyse ZFS Zoneminder