Jeremy Tourville via FreeIPA-users wrote:
I don't know how, but somehow /etc/krb5.keytab was deleted on my
IPA server. As a result my sssd service is dead because the keytab file is missing.
I understand the process to fix this is:
1. kinit admin and provide the password
2. ipa-getkeytab -s <FreeIPA server> -p host/<hostname>@REALM -k <keytab file>
If command #2 is successful, you should get a keytab file and you can run systemctl
restart sssd and all will be happy again.
My problem is that when running command #2 I get an error if I specify -p host/ for the
service principal:
SASL bind failed
invalid credentials
failed to bind to server
Retrying with pre-4.0 keytab retrieval method...
If I specify -p ldap/ I can get it to complete and a keytab gets generated.
As a side note, I have a bunch of ipa-healthcheck errors, but maybe those are mostly related
to the fact that sssd is not running and the keytab is missing.
The affected server is my primary, but I do have a replica that is in good health except
for one healthcheck issue for DNS.
Both servers contain the following roles:
AD trust agent
AD trust controller
CA server
DNS server
The IPA server also has a one way trust established with AD.
What is the correct principal to specify? Is it host or ldap or dns or something else?
host is the correct principal. Have you tried specifying the other
server with -s in ipa-getkeytab?
Does the IPA server host entry still exist?
rob
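The recovery steps from the thread (kinit admin, ipa-getkeytab with the host principal, restart sssd), combined with rob's suggestion of trying the other server with -s and a check that the new keytab really contains host/<hostname>@REALM before sssd is restarted. This is an added example, not code from either poster; the host name ipa1.example.test, the replica ipa2.example.test and the realm EXAMPLE.TEST are assumed.

```shell
#!/bin/sh
# Added example, not from the thread. Recover /etc/krb5.keytab on an IPA server
# with the host principal, verify it, then restart sssd.
# Assumed names: this host ipa1.example.test, replica ipa2.example.test,
# realm EXAMPLE.TEST. Adjust to your deployment.

# keytab_has_principal PRINCIPAL   (reads `klist -kt` output on stdin)
# Succeeds only if PRINCIPAL appears in the principal column of the listing.
keytab_has_principal() {
    awk -v p="$1" '$NF == p { found = 1 } END { exit found ? 0 : 1 }'
}

# fetch_host_keytab HOST REALM KEYTAB SERVER...
# Runs ipa-getkeytab against each SERVER in turn (primary first, then the
# replica, as suggested in the thread) until one succeeds AND the written
# keytab contains host/HOST@REALM. Without -r, ipa-getkeytab generates NEW
# keys for the principal, so any other copy of this keytab becomes stale.
fetch_host_keytab() {
    host="$1"; realm="$2"; keytab="$3"; shift 3
    principal="host/${host}@${realm}"
    for server in "$@"; do
        if ipa-getkeytab -s "$server" -p "$principal" -k "$keytab" &&
           klist -kt "$keytab" | keytab_has_principal "$principal"; then
            echo "keytab for $principal retrieved from $server"
            return 0
        fi
        echo "retrieval from $server failed, trying next server" >&2
    done
    return 1
}

# The full recovery only runs when invoked with --recover, so sourcing this
# file or running it without arguments has no side effects.
if [ "${1:-}" = "--recover" ]; then
    kinit admin                       # step 1 from the thread: admin credentials
    fetch_host_keytab ipa1.example.test EXAMPLE.TEST /etc/krb5.keytab \
        ipa1.example.test ipa2.example.test || exit 1
    systemctl restart sssd            # only after the keytab has been verified
fi
```

Run it as root with `--recover`; if every server fails, the script exits non-zero without touching sssd, which is the point of verifying the keytab first.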