[Freeipa-users] keytab file deleted and sssd not starting

I don't know how but somehow /etc/krb5.keytab was deleted on my ipa server. As a result my sssd service is dead because the keytab file is missing I understand the process to fix this is: 1. kinit admin and provide the password 2. ipa-getkeytab -s <FreeIPA server> -p host/<hostname>@REALM -k <keytab file>. if command #2 is successful you should get a keytab file and you can run systemctl restart sssd and all will be happy again. My problem is that when running command #2 I get an error if I specify -p host/ for the service prinicpal. SASL bind failed invalid credentials failed to bind to server Retrying with pre-4.0 keytab retrieval method... If I specify -p ldap/ I can get it to complete and a keytab gets generated. As a side note I have a bunch of ipa-healthcheck erors but maybe those are mostly related to the fact that sssd is not running and keytab is missing. The affected server is my primary but I do have a replica that is in good heatlh except for one healthcheck issue for dns. Both servers contain the following roles: AD trust agent AD trust controller CA server DNS server The IPA server also has a one way trust established with AD. What is the correct principal to specify? Is it host or ldap or dns or something else?