Use this configuration parameter to specify the gMSA (Microsoft group Managed Service Account on Windows) that adclient will treat as either an Active Directory or a Unix user account.

adclient.gmsa: <gmsa>

When you specify a gMSA, avoid fields or formats that use special characters. Special characters must be written with escape sequences and are likely to cause errors. For example, CN (CommonName), DisplayName, and UPN (UserPrincipalName) are fine, but samAccountName$ can be problematic because of its use of the $ character.

For each gMSA that you specify, you also need to specify the location where the password is stored using the following format:

<gmsa>.krb5.keytab: <file_path>


For example:

adclient.gmsa: serviceXYZ

serviceXYZ.krb5.keytab: /some/secure/location/serviceXYZ.keytab
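
The following check is an added example, not part of the product documentation: it reads configuration text and reports each gMSA whose name contains `$`, that has no matching `<gmsa>.krb5.keytab` entry, or whose keytab file is missing or accessible by group or other. The function name `audit_gmsa_config`, the one-gMSA-per-line reading of `adclient.gmsa`, the `#` comment syntax, and the owner-only permission policy are assumptions made for the example.

```python
import os
import re
import stat

# "key: value" lines; lines starting with '#' are skipped (assumed comment syntax).
_LINE = re.compile(r"^\s*([^#\s:][^:]*?)\s*:\s*(.*?)\s*$")

# Constructed sample, reusing the names from the example on this page.
SAMPLE = """\
adclient.gmsa: serviceXYZ
serviceXYZ.krb5.keytab: /some/secure/location/serviceXYZ.keytab
"""

def audit_gmsa_config(conf_text):
    """Return (gmsa, problem) tuples for the adclient.gmsa entries in conf_text."""
    gmsas, settings = [], {}
    for line in conf_text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        key, value = m.groups()
        if key == "adclient.gmsa":
            if value:
                gmsas.append(value)  # assumption: one gMSA per adclient.gmsa line
        else:
            settings[key] = value

    findings = []
    for name in gmsas:
        if "$" in name:
            findings.append((name, "name contains '$', which must be escaped"))
        keytab = settings.get(name + ".krb5.keytab")
        if not keytab:
            findings.append((name, "no matching .krb5.keytab entry"))
            continue
        try:
            mode = os.stat(keytab).st_mode
        except OSError:
            findings.append((name, "keytab not found: " + keytab))
            continue
        # Assumed policy for this example: the keytab holds the account's
        # credentials, so no group or other permission bits should be set.
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append((name, "keytab open to group/other: " + keytab))
    return findings

if __name__ == "__main__":
    for gmsa, problem in audit_gmsa_config(SAMPLE):
        print(gmsa + ": " + problem)
```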