Users will sometimes need to run vastool commands from scripts, cron jobs and similar unattended contexts. The ideal is for vastool to run without any password being entered interactively.
If "-u" is not used, then vastool will authenticate as the calling user, and will attempt to reuse Kerberos tickets from the user's credentials cache. If "-u" is specified, then no existing credentials cache will be used, and new tickets obtained will not be saved to disk.
In all VAS deployments, root will be a local account (VAS does not allow uid 0 for any served users). Usually, when executing commands as root, there will be no existing Kerberos tickets for that command to use, making "-u" a requirement.
When the VAS client joins the domain, a computer object is created. That computer object has the privilege to obtain certain information from the Active Directory DC and perform specific tasks. It is used by the vasd process to load and maintain the local cache of AD information, and also acts as the service for authentications to the machine. The keytab file (which grants access to the computer object) is readable only by root, so normal users cannot use it for AD queries.
This account can be used by root (or anyone given access to the keytab) to authenticate to AD for LDAP queries.
This is very useful for automating data queries and the execution of specific commands against AD.
It is used by specifying the keyword 'host/' as the user, like so:
/opt/quest/bin/vastool -u host/ <cmd> <options>
host/ is actually a shorthand to the SPN (servicePrincipalName) attribute of the computer object, in the format: host/<computer fqdn>@<domain>.
VAS automatically fills in the other portions of the SPN, allowing all computers to specify 'host/', but end up using their individual accounts.
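A cron-safe wrapper built on the behaviour described above, as an added example (not from the One Identity article): it checks that the computer object's keytab is readable before calling vastool with "-u host/". The keytab path is a placeholder and the search filter in the usage comment is a constructed sample.

```shell
#!/bin/sh
# Added example, not from the One Identity article: a wrapper for running
# vastool unattended (cron, scripts) as the computer object via "-u host/".
# Assumed, overridable defaults: VASTOOL is the binary path from the article;
# KEYTAB is a placeholder for the host keytab path, not a value from the article.
VASTOOL="${VASTOOL:-/opt/quest/bin/vastool}"
KEYTAB="${KEYTAB:-/path/to/host.keytab}"   # placeholder, set to the real keytab

# The keytab is readable only by root, so a job started by another user
# cannot authenticate as host/ and would fail; check before calling vastool.
can_use_host_keytab() {
    [ -r "$KEYTAB" ]
}

# Run a vastool command as the computer object. "-u host/" means vastool
# neither reads nor writes a credentials cache, so the result does not depend
# on whatever tickets the calling account happens to hold. Returns vastool's
# exit status, or 2 when the keytab is not readable by this process.
run_as_host() {
    if ! can_use_host_keytab; then
        echo "run_as_host: cannot read $KEYTAB; run as root" >&2
        return 2
    fi
    "$VASTOOL" -u host/ "$@"
}

# Example cron-style use: an LDAP query against AD with no interactive
# password. The filter and attribute are constructed sample values.
# run_as_host search "(sAMAccountName=svc-backup)" memberOf
```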
© 2024 One Identity LLC. ALL RIGHTS RESERVED.