adclient.gmsa

Use this configuration parameter to specify the gMSAs (Microsoft group Managed Service Accounts on Windows) that adclient will treat as Active Directory or Unix user accounts.

adclient.gmsa: <gmsa>

When you specify a gMSA, avoid naming fields or formats that contain special characters. Special characters must be written as escape sequences, and they are a common source of errors. For example, the CN (CommonName), DisplayName, or UPN (UserPrincipalName) are fine, but the sAMAccountName of a gMSA can be problematic because it ends with the $ character.

For each gMSA that you specify, you also need to specify the keytab file that holds the account's credentials, using the following format. Because the keytab contains the gMSA's Kerberos keys, keep it on a path with restrictive permissions so that only the account running adclient can read it:

<gmsa>.krb5.keytab: <file_path>

Example:

adclient.gmsa: serviceXYZ

serviceXYZ.krb5.keytab: /some/secure/location/serviceXYZ.keytab

Use the following configuration parameter to control the realm of the UPN principal in the keytab file for each gMSA:

<gmsa>.krb5.keytab.upn.realm: <value>

Possible values for <gmsa>.krb5.keytab.upn.realm:

  • strict: This value sets the realm of the UPN principal in the keytab file to be the same as the realm of the UPN in Active Directory.

  • uppercase: This value sets the realm of the UPN principal in the keytab file to be in uppercase.
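The following script is an added example, not code from the product or its documentation. It checks a centrifydc.conf-style fragment for the mistakes described above and in the gMSA/keytab section: a gMSA name containing a character that needs escaping, a gMSA with no `<gmsa>.krb5.keytab` entry, and an `upn.realm` value other than strict or uppercase. It also adds a check that the keytab file is not readable by group or other, since the keytab holds the account's Kerberos keys. Assumptions: `key: value` lines with `#` comments, comma-separated names in adclient.gmsa, and `$`, backslash and quotes as the characters that need escaping; the sample configuration is constructed for the demo.

```python
import os
import re
import stat
import tempfile

# Values the page documents for <gmsa>.krb5.keytab.upn.realm.
VALID_REALM_MODES = {"strict", "uppercase"}

# Characters assumed to need escaping in a gMSA name: $, backslash and quotes.
SPECIAL_CHARS = re.compile(r'[$\\"\']')


def parse_conf(text):
    """Parse 'key: value' lines into a dict; '#' starts a comment (assumed format)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if sep:
            conf[key.strip()] = value.strip()
    return conf


def gmsa_names(conf):
    """Return the gMSAs listed in adclient.gmsa (assumption: comma-separated)."""
    return [n.strip() for n in conf.get("adclient.gmsa", "").split(",") if n.strip()]


def check_keytab_file(name, path):
    """Flag a keytab that is absent or readable/writable by group or other."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [(name, "keytab-file-missing")]
    if stat.S_IMODE(st.st_mode) & 0o077:
        return [(name, "keytab-perms")]
    return []


def check_gmsa_conf(conf, check_files=False):
    """Return (gmsa, issue) pairs for every problem found in the gMSA settings."""
    issues = []
    names = gmsa_names(conf)
    if not names:
        return [("adclient.gmsa", "not-set")]
    for name in names:
        if SPECIAL_CHARS.search(name):
            issues.append((name, "special-char"))
        keytab = conf.get(f"{name}.krb5.keytab")
        if not keytab:
            issues.append((name, "missing-keytab"))
        elif check_files:
            issues.extend(check_keytab_file(name, keytab))
        realm_mode = conf.get(f"{name}.krb5.keytab.upn.realm")
        if realm_mode is not None and realm_mode not in VALID_REALM_MODES:
            issues.append((name, "bad-realm-mode"))
    return issues


# Constructed sample: one correct entry and one with the mistakes the page warns about.
SAMPLE_CONF = """
adclient.gmsa: serviceXYZ, svc-backup$
serviceXYZ.krb5.keytab: /some/secure/location/serviceXYZ.keytab
serviceXYZ.krb5.keytab.upn.realm: uppercase
svc-backup$.krb5.keytab.upn.realm: lowercase   # not a documented value
"""


def demo_keytab_perms(mode):
    """Create a throwaway keytab with the given mode and return the issues found."""
    fd, path = tempfile.mkstemp(suffix=".keytab")
    os.close(fd)
    try:
        os.chmod(path, mode)
        return check_keytab_file("demo", path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for gmsa, issue in check_gmsa_conf(parse_conf(SAMPLE_CONF)):
        print(f"{gmsa}: {issue}")
    print("0644 keytab:", demo_keytab_perms(0o644))
    print("0600 keytab:", demo_keytab_perms(0o600))
```

Run it against the sample and serviceXYZ passes cleanly, while svc-backup$ is reported three times: its name contains $, it has no keytab entry, and its realm setting is not one of the two documented values. Pass `check_files=True` on a real host to also verify that every configured keytab exists and is not world- or group-readable.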