This knowledge base article defines the steps that need to be performed for a passwordless join.
1 - Create an AD service account and keytab file
/opt/quest/bin/vastool -u <AD admin> service create <account name>/
OR
/opt/quest/bin/vastool -u <AD admin> service create <account name>/<domain>
For example:
/opt/quest/bin/vastool -u administrator service create saunixjoin/
Service saunixjoin/ created successfully, keytab located at /etc/opt/quest/vas/saunixjoin.keytab.
This will also create a user object in the same OU as the computer object, named machinename-<servicename> (or subdomain-<servicename> if a subdomain is used).
To see where the computer object is in AD as root run the following command:
/opt/quest/bin/vastool -u host/ info id
This should show you the computer object in AD and its DN includes what OU it is in.
2 - Assign permissions to the service account created in the step above; the account must be able to create and modify computer objects in AD.
In my lab I add the account to Enterprise Admin or Domain Admin; however, please refer to Microsoft documentation for a more granular approach.
Once complete, validate that the service account and keytab are working:
/opt/quest/bin/vastool -k <path to keytab> kinit <SERVICE/fqdn>
/opt/quest/bin/vastool auth -S <SERVICE/fqdn>
3 - Copy /etc/opt/quest/vas/<account name>.keytab to somewhere on the machine to be joined if it is not being used on this machine.
4 - Run the join command with the service account and the keytab file:
/opt/quest/bin/vastool -u <service account name> -k <name and path to keytab file> join <yourdomain>
Please note that if rejoining, -f must be added after join. You may also specify other join options, for example -c followed by an organizational unit, to place the computer account somewhere other than the Computers OU.
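A POSIX shell wrapper for the validation in step 2 and the join in step 4, added here as an example and not part of the original article. The variable names (SVC_ACCOUNT, SVC_PRINCIPAL, KEYTAB, DOMAIN, REJOIN, OU) and the keytab permission check are assumptions; vastool is assumed at /opt/quest/bin/vastool.

```shell
#!/bin/sh
# Added example, not code from the One Identity article: wraps step 2's
# validation and step 4's join for one host. All names are assumptions:
# SVC_ACCOUNT is the service account (e.g. saunixjoin), SVC_PRINCIPAL its
# SERVICE/fqdn form used by kinit/auth, KEYTAB the copied keytab, DOMAIN the
# AD domain; REJOIN=1 adds -f and a non-empty OU adds -c <OU> (step 4 note).
set -u
VASTOOL="${VASTOOL:-/opt/quest/bin/vastool}"

# Print the join command line exactly as it will run, for logging/review.
build_join_cmd() {
    cmd="$VASTOOL -u $SVC_ACCOUNT -k $KEYTAB join"
    [ "${REJOIN:-0}" = "1" ] && cmd="$cmd -f"
    [ -n "${OU:-}" ] && cmd="$cmd -c '$OU'"
    printf '%s\n' "$cmd $DOMAIN"
}

# The keytab holds the service account's long-term key and, with the rights
# granted in step 2, can create and modify computer objects. Require it to be
# unreadable by group and others (mode 600 or 400). Reads the ls -l mode
# string so it works without GNU stat; returns 0 when columns 5-10 are '-'.
keytab_is_private() {
    [ -f "$1" ] || return 1
    mode=$(ls -ld "$1" | cut -c5-10)
    [ "$mode" = "------" ]
}

# Step 2 checks, then the step 4 join; stops at the first failure.
passwordless_join() {
    keytab_is_private "$KEYTAB" || {
        echo "refusing: $KEYTAB is readable by group/other; chmod 600 it" >&2; return 1; }
    echo "running: $(build_join_cmd)"
    "$VASTOOL" -k "$KEYTAB" kinit "$SVC_PRINCIPAL" || return 1   # TGT from the keytab
    "$VASTOOL" auth -S "$SVC_PRINCIPAL" || return 1              # account authenticates
    set -- -u "$SVC_ACCOUNT" -k "$KEYTAB" join                   # argv built without eval
    [ "${REJOIN:-0}" = "1" ] && set -- "$@" -f
    [ -n "${OU:-}" ] && set -- "$@" -c "$OU"
    "$VASTOOL" "$@" "$DOMAIN"
}
```

Source the file and call passwordless_join after exporting the variables; the permission check runs before any ticket is requested, so a world-readable keytab fails fast.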
Other useful commands:
1 - Create a Kerberos ticket for the service account:
/opt/quest/bin/vastool -u <service account name> -k <path and name of keytab file> kinit
2 - To list what is in your keytab file:
/opt/quest/bin/vastool ktutil -k <path to keytab file> list
3 - To change the password on a service account and store it in a keytab:
/opt/quest/bin/vastool -u <adadmin> passwd -k <path to keytab file you wish to create> <service account name>
© 2024 One Identity LLC. ALL RIGHTS RESERVED.