Author Topic: [SOLVED] Host principal not found in Kerberos database.  (Read 6681 times)


[SOLVED] Host principal not found in Kerberos database.
« on: March 22, 2016, 10:19:32 am »
Hello Zentyal Experts,

I have a Zentyal 4.2 box installed. I was having trouble adding a vdomain and creating mail accounts for my users. Tracking down the problem, it looks like Zentyal could not connect to AD Schema Master because of an underlying Kerberos error.


Mar 22 10:13:47 acme-sbs [sssd[ldap_child[3137]]]: Failed to initialize credentials using keytab [/var/lib/samba/private/secrets.keytab]: Client 'host/' not found in Kerberos database. Unable to create GSSAPI-encrypted LDAP connection.
Mar 22 10:13:47 acme-sbs [sssd[ldap_child[3137]]]: Client 'host/' not found in Kerberos database

    services = nss, pam
    config_file_version = 2
    domains =

    entry_negative_timeout = 0
    debug_level = 5

    debug_level = 5

    debug_level = 5
    enumerate = false

    id_provider = ad
    auth_provider = ad
    chpass_provider = ad
    access_provider = ad

    dyndns_update = false

    ad_hostname =
    ad_server =
    ad_domain =

    ldap_schema = ad
    ldap_id_mapping = false

    fallback_homedir = /home/%u
    default_shell = /bin/bash

    ldap_sasl_mech = gssapi
    ldap_sasl_authid = host/
    krb5_keytab = /var/lib/samba/private/secrets.keytab
    ldap_krb5_init_creds = true

Dumping the LDAP entries, I see the following host principal:

# ACME-SBS, Domain Controllers,
dn: CN=ACME-SBS,OU=Domain Controllers,DC=acme,DC=com,DC=tr
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
instanceType: 4
whenCreated: 20160229092454.0Z
uSNCreated: 3583
name: ACME-SBS
objectGUID:: 3kh1EyJJmEee3MFfukT6Qw==
userAccountControl: 532480
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
localPolicyFlags: 0
primaryGroupID: 516
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: ACME-SBS$
sAMAccountType: 805306369
operatingSystem: Samba
operatingSystemVersion: 4.3.4-Zentyal
objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=acme,DC=com,DC=tr
isCriticalSystemObject: TRUE
rIDSetReferences: CN=RID Set,CN=ACME-SBS,OU=Domain Controllers,DC=acme,DC=com,
serverReferenceBL: CN=ACME-SBS,CN=Servers,CN=Default-First-Site-Name,CN=Sites,
servicePrincipalName: HOST/
servicePrincipalName: HOST/
servicePrincipalName: ldap/
servicePrincipalName: GC/
servicePrincipalName: ldap/
servicePrincipalName: HOST/
servicePrincipalName: ldap/
servicePrincipalName: HOST/ACME-SBS
servicePrincipalName: E3514235-4B06-11D1-AB04-00C04FC2DCD2/e948fc77-1db9-46f1-
servicePrincipalName: ldap/
servicePrincipalName: ldap/ACME-SBS
servicePrincipalName: RestrictedKrbHost/ACME-SBS
servicePrincipalName: RestrictedKrbHost/
servicePrincipalName: ldap/
servicePrincipalName: ldap/
servicePrincipalName: SMTP/
lastLogonTimestamp: 131019922218908640
msDS-SupportedEncryptionTypes: 28
whenChanged: 20160310131001.0Z
pwdLastSet: 131020890010000000
uSNChanged: 4063
lastLogon: 131021716497415830
distinguishedName: CN=ACME-SBS,OU=Domain Controllers,DC=acme,DC=com,DC=tr

Any idea how to fix this issue?

Thanks in advance,

« Last Edit: March 24, 2016, 11:19:13 am by Emel »


Re: Host principal not found in Kerberos database.
« Reply #1 on: March 24, 2016, 11:17:35 am »
I believe I have found a solution. I am reporting back here to resolve the issue.

Here is what I have done:

- A few quick Google search results implied that it is possible that a service principal is not issued a TGT, at least by Microsoft AD. Only user principals are able to get a TGT.
- Following this lead, I found out that the HOST principal did not have a userPrincipalName attribute in LDAP.
- I inserted a userPrincipalName attribute using ldbedit on my Zentyal box:

   > ldbedit -e vim -H /var/lib/samba/private/sam.ldb

   userPrincipalName: HOST/

- Rebooted the box.

Then the issue disappeared.
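The check behind this fix, written out as an added diagnostic example (it is not Zentyal's, Samba's or SSSD's own code): given an LDIF dump of the DC's computer object, as `ldbsearch -H /var/lib/samba/private/sam.ldb` prints it, and the output of `klist -kt` on the keytab named in `krb5_keytab`, it reports whether the principal SSSD will request (`ldap_sasl_authid`) is registered as a servicePrincipalName, whether the keytab holds a key for it, and whether the object carries the userPrincipalName attribute that the reply above adds. The sample LDIF and keytab listing are constructed; the FQDN `acme-sbs.acme.com.tr` and realm `ACME.COM.TR` are assumptions, since the posts elide the hostnames.

```python
"""Diagnose why SSSD's GSSAPI bind principal might be 'not found in Kerberos
database' by cross-checking an LDIF dump of the DC computer object against the
keytab listing and the configured ldap_sasl_authid. Added example, not code
from Zentyal, Samba or SSSD."""
import base64

# Constructed sample modelled on the dump in the first post. The FQDN
# acme-sbs.acme.com.tr and realm ACME.COM.TR are assumptions.
SAMPLE_LDIF = """\
# ACME-SBS, Domain Controllers, acme.com.tr
dn: CN=ACME-SBS,OU=Domain Controllers,DC=acme,DC=com,DC=tr
objectClass: computer
name: ACME-SBS
objectGUID:: 3kh1EyJJmEee3MFfukT6Qw==
sAMAccountName: ACME-SBS$
servicePrincipalName: HOST/acme-sbs.acme.com.tr
servicePrincipalName: HOST/ACME-SBS
servicePrincipalName: ldap/acme-sbs.acme.com.tr
servicePrincipalName: ldap/ACME-SBS
servicePrincipalName: RestrictedKrbHost/ACME-SBS
msDS-SupportedEncryptionTypes: 28
"""

# Constructed `klist -kt /var/lib/samba/private/secrets.keytab` output.
SAMPLE_KLIST = """\
Keytab name: FILE:/var/lib/samba/private/secrets.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 02/29/16 09:24:54 host/acme-sbs.acme.com.tr@ACME.COM.TR
   3 02/29/16 09:24:54 ACME-SBS$@ACME.COM.TR
"""


def parse_ldif(text):
    """Return a list of entries, each a dict attribute -> list of values.
    Handles comments, folded lines (a leading space continues the previous
    line) and base64 values written as 'attr:: value'."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # unfold continuation line
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:             # trailing "" flushes the last entry
        if line == "":
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue                      # not an attribute line; ignore
        if value.startswith(":"):         # base64-encoded value
            raw_bytes = base64.b64decode(value[1:].strip())
            value = raw_bytes.decode("utf-8", "backslashreplace")
        else:
            value = value.strip()
        current.setdefault(attr, []).append(value)
    return entries


def parse_keytab_listing(klist_output):
    """Extract principal names from `klist -kt` output; data rows begin with
    a numeric KVNO and end with principal@REALM."""
    principals = []
    for line in klist_output.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0].isdigit() and "@" in parts[-1]:
            principals.append(parts[-1])
    return principals


def check_host_principal(ldif_text, sasl_authid, klist_output):
    """Cross-check the computer object, the keytab and ldap_sasl_authid.
    AD resolves SPNs case-insensitively, so names are compared lowercased."""
    entry = next((e for e in parse_ldif(ldif_text)
                  if "servicePrincipalName" in e), None)
    if entry is None:
        raise ValueError("no entry with servicePrincipalName in dump")
    spns = {s.lower() for s in entry["servicePrincipalName"]}
    # keytab principals carry @REALM; the SPN in AD does not
    keytab = {p.split("@", 1)[0].lower()
              for p in parse_keytab_listing(klist_output)}
    authid = sasl_authid.lower()
    return {
        "authid_is_spn": authid in spns,
        "authid_in_keytab": authid in keytab,
        "has_upn": "userPrincipalName" in entry,   # attribute the fix adds
        "spns": sorted(spns),
    }


if __name__ == "__main__":
    report = check_host_principal(SAMPLE_LDIF, "host/acme-sbs.acme.com.tr",
                                  SAMPLE_KLIST)
    for key, val in report.items():
        print(f"{key}: {val}")
```

On a live box the same check is fed by `ldbsearch -H /var/lib/samba/private/sam.ldb '(sAMAccountName=ACME-SBS$)'` and `klist -kt /var/lib/samba/private/secrets.keytab`; a False in `authid_is_spn` or `authid_in_keytab` points at a hostname mismatch between sssd.conf and the DC, while `has_upn` shows whether the attribute this thread's fix adds is present.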