I use AD authentication on the vMA. The sudoers file is modified so a particular AD group can perform sudo actions. We don't want to use the vi-admin unless necessary.
On the ESXi servers AD authentication is configured etc.
I created a service account with the necessary rights on all the ESXi servers and vCenter.
When we add servers to the vMA I specify the domain service account.
Administrative tasks are all performed with our own accounts and not with vi-admin account.
Is it still necessary to renew the Kerberos tickets then? Or can I forget the service account completely?
Thanks in advance.
Per the vMA documentation on pg 15 it states the following:
To configure unattended authentication (authentication from vi‐admin or root context) to Active Directory
targets, you must renew the Kerberos tickets for the domain user using which the target is added.
It sounds like you're just relying on adauth for your users, so the account that you actually use to add the targets is not really relevant in this context so long as it has the right permission if I'm understanding you correctly. You only need a kerberos ticket if you plan on using vi-admin/root user to perform unattended authentication to your AD, which it does not sound like you're doing in your case.
=========================================================================
William Lam
VMware vExpert 2009,2010
VMware scripts and resources at:
Getting Started with the vMA (tips/tricks)
Getting Started with the vSphere SDK for Perl
VMware Code Central - Scripts/Sample code for Developers and Administrators
If you find this information useful, please award points for "correct" or "helpful".
The doc is correct. I did some tests and when using adauth it doesn't matter which account adds the server to the vMA.
I also did some tests with the keytab which I created with ktpass, but it doesn't work right. After some searching I found this problem occurs a lot.