I don't know how but somehow /etc/krb5.keytab was deleted on my ipa server. As a
result my sssd service is dead because the keytab file is missing.
I understand the process to fix this is:
1. kinit admin and provide the password
2. ipa-getkeytab -s <FreeIPA server> -p host/<hostname>@REALM -k <keytab file>.
If command #2 is successful you should get a keytab file and you can run systemctl restart
sssd and all will be happy again.
My problem is that when running command #2 I get an error if I specify -p host/ for the
service principal.
SASL bind failed
invalid credentials
failed to bind to server
Retrying with pre-4.0 keytab retrieval method...
If I specify -p ldap/ I can get it to complete and a keytab gets generated.
As a side note I have a bunch of ipa-healthcheck errors but maybe those are mostly related
to the fact that sssd is not running and keytab is missing.
The affected server is my primary but I do have a replica that is in good health except
for one healthcheck issue for dns.
Both servers contain the following roles:
AD trust agent
AD trust controller
CA server
DNS server
The IPA server also has a one way trust established with AD.
What is the correct principal to specify? Is it host or ldap or dns or something else?