Hello Zentyal Experts,
I have a Zentyal 4.2 box installed. I was having trouble adding a vdomain and creating mail accounts for my users. Tracking down the problem, it looks like Zentyal could not connect to AD Schema Master because of an underlying Kerberos error.
/var/log/syslog:
Mar 22 10:13:47 acme-sbs [sssd[ldap_child[3137]]]: Failed to initialize credentials using keytab [/var/lib/samba/private/secrets.keytab]: Client 'host/acme-sbs.acme.com.tr@ACME.COM.TR' not found in Kerberos database. Unable to create GSSAPI-encrypted LDAP connection.
Mar 22 10:13:47 acme-sbs [sssd[ldap_child[3137]]]: Client 'host/acme-sbs.acme.com.tr@ACME.COM.TR' not found in Kerberos database
/etc/sssd/sssd.conf:
[sssd]
services = nss, pam
config_file_version = 2
domains = acme.com.tr
[nss]
entry_negative_timeout = 0
debug_level = 5
[pam]
debug_level = 5
[domain/acme.com.tr]
debug_level = 5
enumerate = false
id_provider = ad
auth_provider = ad
chpass_provider = ad
access_provider = ad
dyndns_update = false
ad_hostname = acme-sbs.acme.com.tr
ad_server = acme-sbs.acme.com.tr
ad_domain = acme.com.tr
ldap_schema = ad
ldap_id_mapping = false
fallback_homedir = /home/%u
default_shell = /bin/bash
ldap_sasl_mech = gssapi
ldap_sasl_authid = host/acme-sbs.acme.com.tr
krb5_keytab = /var/lib/samba/private/secrets.keytab
ldap_krb5_init_creds = true
Dumping the LDAP entries, I see the following host principal:
# ACME-SBS, Domain Controllers, acme.com.tr
dn: CN=ACME-SBS,OU=Domain Controllers,DC=acme,DC=com,DC=tr
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
cn: ACME-SBS
instanceType: 4
whenCreated: 20160229092454.0Z
uSNCreated: 3583
name: ACME-SBS
objectGUID:: 3kh1EyJJmEee3MFfukT6Qw==
userAccountControl: 532480
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
localPolicyFlags: 0
primaryGroupID: 516
objectSid:: AQUAAAAAAAUVAAAAZiaCnBRK1/DSoN5P6AMAAA==
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: ACME-SBS$
sAMAccountType: 805306369
operatingSystem: Samba
operatingSystemVersion: 4.3.4-Zentyal
dNSHostName: acme-sbs.acme.com.tr
objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=acme,DC=com,DC=tr
isCriticalSystemObject: TRUE
rIDSetReferences: CN=RID Set,CN=ACME-SBS,OU=Domain Controllers,DC=acme,DC=com,
 DC=tr
serverReferenceBL: CN=ACME-SBS,CN=Servers,CN=Default-First-Site-Name,CN=Sites,
 CN=Configuration,DC=acme,DC=com,DC=tr
servicePrincipalName: HOST/acme-sbs.acme.com.tr
servicePrincipalName: HOST/acme-sbs.acme.com.tr/ACME
servicePrincipalName: ldap/acme-sbs.acme.com.tr/ACME
servicePrincipalName: GC/acme-sbs.acme.com.tr/acme.com.tr
servicePrincipalName: ldap/acme-sbs.acme.com.tr
servicePrincipalName: HOST/acme-sbs.acme.com.tr/acme.com.tr
servicePrincipalName: ldap/acme-sbs.acme.com.tr/acme.com.tr
servicePrincipalName: HOST/ACME-SBS
servicePrincipalName: E3514235-4B06-11D1-AB04-00C04FC2DCD2/e948fc77-1db9-46f1-
 b36e-de588e7a8c96/acme.com.tr
servicePrincipalName: ldap/e948fc77-1db9-46f1-b36e-de588e7a8c96._msdcs.acme.co
 m.tr
servicePrincipalName: ldap/ACME-SBS
servicePrincipalName: RestrictedKrbHost/ACME-SBS
servicePrincipalName: RestrictedKrbHost/acme-sbs.acme.com.tr
servicePrincipalName: ldap/acme-sbs.acme.com.tr/DomainDnsZones.acme.com.tr
servicePrincipalName: ldap/acme-sbs.acme.com.tr/ForestDnsZones.acme.com.tr
servicePrincipalName: SMTP/mail.acme.com.tr
lastLogonTimestamp: 131019922218908640
msDS-SupportedEncryptionTypes: 28
whenChanged: 20160310131001.0Z
pwdLastSet: 131020890010000000
uSNChanged: 4063
lastLogon: 131021716497415830
distinguishedName: CN=ACME-SBS,OU=Domain Controllers,DC=acme,DC=com,DC=tr
Any idea how to fix this issue?
Thanks in advance,
Emel
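
An added example, not part of the original post: a small check that compares the ldap_sasl_authid from sssd.conf with the computer entry from the LDAP dump, to tell whether the configured name exists as a client account name or only as a servicePrincipalName. It assumes the KDC resolves the client name of an initial ticket request only against sAMAccountName and userPrincipalName, as Active Directory style KDCs generally do; the function names and the trimmed sample inputs are constructed for this example.

```python
import configparser

# Constructed sample inputs, trimmed from the values shown in the post.
SSSD_CONF = """\
[domain/acme.com.tr]
ad_domain = acme.com.tr
ldap_sasl_authid = host/acme-sbs.acme.com.tr
krb5_keytab = /var/lib/samba/private/secrets.keytab
"""
LDIF = """\
dn: CN=ACME-SBS,OU=Domain Controllers,DC=acme,DC=com,DC=tr
sAMAccountName: ACME-SBS$
servicePrincipalName: HOST/acme-sbs.acme.com.tr
servicePrincipalName: ldap/e948fc77-1db9-46f1-b36e-de588e7a8c96._msdcs.acme.co
 m.tr
"""

def parse_ldif_entry(text):
    """Unfold LDIF continuation lines (leading space) and collect attributes."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # folded line: append without the space
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    attrs = {}
    for line in lines:
        name, _, value = line.partition(":")
        # "attr:: value" (base64) keeps its encoded value; only the marker is dropped
        attrs.setdefault(name.lower(), []).append(value.lstrip(":").strip())
    return attrs

def check_authid(conf_text, ldif_text):
    """Classify ldap_sasl_authid as 'client', 'spn-only' or 'unknown'."""
    cp = configparser.ConfigParser(interpolation=None)  # sssd.conf may contain %u
    cp.read_string(conf_text)
    section = next(s for s in cp.sections() if s.startswith("domain/"))
    authid = cp[section]["ldap_sasl_authid"].split("@")[0].lower()
    attrs = parse_ldif_entry(ldif_text)
    # Assumption: the KDC matches client names against these two attributes only.
    clients = [v.split("@")[0].lower()
               for key in ("samaccountname", "userprincipalname")
               for v in attrs.get(key, [])]
    spns = [v.lower() for v in attrs.get("serviceprincipalname", [])]
    if authid in clients:
        return "client"
    return "spn-only" if authid in spns else "unknown"
```

With the values from the post the result is "spn-only": the configured authid appears among the servicePrincipalName values of the computer object but is not its sAMAccountName.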