Author Topic: [SOLVED] Host principal not found in Kerberos database.  (Read 8840 times)

Emel

  • Zen Apprentice
  • *
  • Posts: 2
  • Karma: +1/-0
    • View Profile
[SOLVED] Host principal not found in Kerberos database.
« on: March 22, 2016, 10:19:32 am »
Hello Zentyal Experts,

I have a Zentyal 4.2 box installed. I was having trouble adding a vdomain and creating mail accounts for my users. Tracking down the problem, it looks like Zentyal could not connect to AD Schema Master because of an underlying Kerberos error.

/var/log/syslog:


Mar 22 10:13:47 acme-sbs [sssd[ldap_child[3137]]]: Failed to initialize credentials using keytab [/var/lib/samba/private/secrets.keytab]: Client 'host/acme-sbs.acme.com.tr@ACME.COM.TR' not found in Kerberos database. Unable to create GSSAPI-encrypted LDAP connection.
Mar 22 10:13:47 acme-sbs [sssd[ldap_child[3137]]]: Client 'host/acme-sbs.acme.com.tr@ACME.COM.TR' not found in Kerberos database


/etc/sssd/sssd.conf:
[sssd]
    services = nss, pam
    config_file_version = 2
    domains = acme.com.tr

[nss]
    entry_negative_timeout = 0
    debug_level = 5

[pam]
    debug_level = 5

[domain/acme.com.tr]
    debug_level = 5
    enumerate = false

    id_provider = ad
    auth_provider = ad
    chpass_provider = ad
    access_provider = ad


    dyndns_update = false

    ad_hostname = acme-sbs.acme.com.tr
    ad_server = acme-sbs.acme.com.tr
    ad_domain = acme.com.tr

    ldap_schema = ad
    ldap_id_mapping = false

    fallback_homedir = /home/%u
    default_shell = /bin/bash

    ldap_sasl_mech = gssapi
    ldap_sasl_authid = host/acme-sbs.acme.com.tr
    krb5_keytab = /var/lib/samba/private/secrets.keytab
    ldap_krb5_init_creds = true

Dumping the ldap enries, I see the following host principal:

# ACME-SBS, Domain Controllers, acme.com.tr
dn: CN=ACME-SBS,OU=Domain Controllers,DC=acme,DC=com,DC=tr
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
cn: ACME-SBS
instanceType: 4
whenCreated: 20160229092454.0Z
uSNCreated: 3583
name: ACME-SBS
objectGUID:: 3kh1EyJJmEee3MFfukT6Qw==
userAccountControl: 532480
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
localPolicyFlags: 0
primaryGroupID: 516
objectSid:: AQUAAAAAAAUVAAAAZiaCnBRK1/DSoN5P6AMAAA==
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: ACME-SBS$
sAMAccountType: 805306369
operatingSystem: Samba
operatingSystemVersion: 4.3.4-Zentyal
dNSHostName: acme-sbs.acme.com.tr
objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=acme,DC=com,DC=tr
isCriticalSystemObject: TRUE
rIDSetReferences: CN=RID Set,CN=ACME-SBS,OU=Domain Controllers,DC=acme,DC=com,
 DC=tr
serverReferenceBL: CN=ACME-SBS,CN=Servers,CN=Default-First-Site-Name,CN=Sites,
 CN=Configuration,DC=acme,DC=com,DC=tr
servicePrincipalName: HOST/acme-sbs.acme.com.tr
servicePrincipalName: HOST/acme-sbs.acme.com.tr/ACME
servicePrincipalName: ldap/acme-sbs.acme.com.tr/ACME
servicePrincipalName: GC/acme-sbs.acme.com.tr/acme.com.tr
servicePrincipalName: ldap/acme-sbs.acme.com.tr
servicePrincipalName: HOST/acme-sbs.acme.com.tr/acme.com.tr
servicePrincipalName: ldap/acme-sbs.acme.com.tr/acme.com.tr
servicePrincipalName: HOST/ACME-SBS
servicePrincipalName: E3514235-4B06-11D1-AB04-00C04FC2DCD2/e948fc77-1db9-46f1-
 b36e-de588e7a8c96/acme.com.tr
servicePrincipalName: ldap/e948fc77-1db9-46f1-b36e-de588e7a8c96._msdcs.acme.co
 m.tr
servicePrincipalName: ldap/ACME-SBS
servicePrincipalName: RestrictedKrbHost/ACME-SBS
servicePrincipalName: RestrictedKrbHost/acme-sbs.acme.com.tr
servicePrincipalName: ldap/acme-sbs.acme.com.tr/DomainDnsZones.acme.com.tr
servicePrincipalName: ldap/acme-sbs.acme.com.tr/ForestDnsZones.acme.com.tr
servicePrincipalName: SMTP/mail.acme.com.tr
lastLogonTimestamp: 131019922218908640
msDS-SupportedEncryptionTypes: 28
whenChanged: 20160310131001.0Z
pwdLastSet: 131020890010000000
uSNChanged: 4063
lastLogon: 131021716497415830
distinguishedName: CN=ACME-SBS,OU=Domain Controllers,DC=acme,DC=com,DC=tr


Any idea how to fix this issue?

Thanks in advance,
Emel

« Last Edit: March 24, 2016, 11:19:13 am by Emel »

Emel

  • Zen Apprentice
  • *
  • Posts: 2
  • Karma: +1/-0
    • View Profile
Re: Host principal not found in Kerberos database.
« Reply #1 on: March 24, 2016, 11:17:35 am »
I believe I have found a solution. I am reporting back here to resolve the issue.

Here is what I have done:

- A few quick google search results implied that it is possible that a service principal is not issued TGT at least by Microsoft AD. Only user principals are able to get a TGT.
- Following this lead, I have found out that HOST principal was did not have userPrincipalName attribute in LDAP/
- I have inserted a userPrincipalName attribute using ldbedit on by Zentyal box:

   > ldbedit -e vim -H /var/lib/samba/private/sam.ldb

  added
   userPrincipalName: HOST/acme-sbs.acme.com.tr/acme.com.tr@ACME.COM.TR

 > rebooted the box.


Then the issue disappeared.