We have three different Windows domains. We have a user to monitor infrastructure, let’s say ‘Monitor’, defined in all three domains. Password for this user is different in every domain.
According to this article (https://docs.centreon.com/pp/integrations/plugin-packs/getting-started/how-to-guides/windows-winrm-wsman-tutorial/#configure-kerberos-on-the-centreon-server), when configuring pollers you create a file called Monitor@keytab ‘to allow reconnection without a password for the reinitialization part’.
However, if I repeat the process for every domain, I will rewrite the same file three times. What do I have to do when configuring three different domains with the same user? Do I have to use different users? Can I follow the configuration process you suggest using @USERNAME@+@DOMAINNAME@ where you say to use @USERNAME@? Will the ‘realm’ command work fine repeating it for the three domains? I’m not sure whether all commands will work properly.
Can you tell me how to do it?
Best answer by tpo76
I hope you’re doing well
As the plugin only uses system configuration to proceed to the authentication, this falls under the Kerberos limitation.
From what I read in the Kerberos documentation, it doesn’t look like Kerberos can handle multiple authentication tickets simultaneously to make it work with several domains.
At least not without tweaking a bunch of configurations.
I don’t have several domains configured in my lab to properly test it, unfortunately.
So the easiest workaround, from my perspective, is to have dedicated pollers for each domain you need to monitor.
Each Centreon server will be linked with a different domain, and the plugin must be able to get its own authentication ticket from the domain controller.
I understand the disadvantage/pain of setting up a poller (in your case at least 2 extra pollers) only for that purpose, but that is the only way I'm very confident about.
Thanks for the answer. So bad news for us. It makes it more complicated…
Anyway, now it is clear.