1- Ensure QAS is in a healthy state
Kerberos needs the system time to be synchronized if there is a time skew error it will show in the output of the vastool status command as a failure. To time sync the QAS machine run the command: /opt/quest/bin/vastool timesync
2 - Find out the service account name and keytab file that is being used.
/opt/quest/bin/vastool -u host/ attrs -q <service>/ sAMAccountName for example:
/opt/quest/bin/vastool -u host/ attrs -q SAP/ sAMAccountName
3 - Validate that we can auth as the service account ad that we can get tickets.
/opt/quest/bin/vastool kinit -u <service account> -k <path> kinit -S sevice/...
4 - Check url's to make sure that all possible access points are covered by an spn
To list what is in your keytab file: vastool ktutil -k <path to keytab file > list
5 - Changing the password on the service account and storing a hash of it in the keytab file.
/opt/quest/bin/vastool -u < service account> -w <password> passwd -r -o -k <path to keytab file you wish to create> -e <service account name>
-r says to create a random password.
-o tells us to output the new password to the screen.
-k is store in the keytab file. we recommend storing in /etc/opt/quest/vas/<serviceacct name>.keytab