VMware Cloud Community
RobMokkink
Expert

ktpass necessary

I use AD authentication on the vMA. The sudoers file is modified so a particular AD group can perform sudo actions. We don't want to use the vi-admin unless necessary.

On the ESXi servers, AD authentication is configured, etc.

I created a service account with the necessary rights on all the ESXi servers and vCenter.

When we add servers to the vMA, I specify the domain service account.

Administrative tasks are all performed with our own accounts and not with the vi-admin account.

Is it still necessary to renew the Kerberos tickets then? Or can I forget the service account completely?

Thanks in advance.


Accepted Solutions
lamw
Community Manager

Per the vMA documentation on pg 15 it states the following:

To configure unattended authentication (authentication from vi‐admin or root context) to Active Directory targets, you must renew the Kerberos tickets for the domain user using which the target is added.

It sounds like you're just relying on adauth for your users, so the account that you actually use to add the targets is not really relevant in this context so long as it has the right permission, if I'm understanding you correctly. You only need a Kerberos ticket if you plan on using the vi-admin/root user to perform unattended authentication to your AD, which it does not sound like you're doing in your case.

=========================================================================

William Lam

VMware vExpert 2009,2010

Twitter: @lamw

RobMokkink
Expert

The doc is correct. I did some tests and when using adauth it doesn't matter which account adds the server to the vMA.

I also did some tests with the keytab which I created with ktpass, but it doesn't work right. After some searching I found this problem occurs a lot.
