Freigeben über


SCOM - Active Directory Run-As account for Linux System Monitoring

I had a recent customer request to use Active Directory Service Accounts as a Linux Monitoring and Agent Maintenance Run-As accounts on a set of domain joined RHEL 6.5 systems. The Service Accounts are in the same domain as the Linux systems.

The AD account had been configured for sudo Elevation per this TechNet article: https://social.technet.microsoft.com/wiki/contents/articles/7375.configuring-sudo-elevation-for-unix-and-linux-monitoring-with-system-center-2012-operations-manager.aspx

The account had also been given the required rights for the Agent Maintenance profile as specified here: ttp://technet.microsoft.com/en-us/library/hh287151.aspx

The issue we found is there was no apparent way to specify domain account when creating a UNIX\Linux Run As Account. When entering the domain and account ie: ‘<domainname>\linuxsvcaccount’ in the username field, we got access denied errors on the systems. Apparently RHEL systems do not know how to process ‘domain1\’. After talking with the Linux system admin we decided to just leave out the domain name and see if it would resolve the actual account name to the domain. This actually worked! We found that the system first looks to see of the run-as account is a local account, when it finds that it does not exist locally it tries to resolve it against Active Directory. As long as the account resolves properly and the account has been given the required rights it will work properly. Just do not specify any domain details when configuring the account in SCOM.

Comments

  • Anonymous
    October 27, 2015
    Thanks for sharing, Nathan! Had to look for this information to get this working in a proper way.