Well, I could try that but it's not very handy - you need to go to AD and 
perform passwd change manually.
I was hoping that "net -U administrator ads keytab create" or similar would do 
everything necessary in a single run - just like "net ads join".

Ondrej

-----Original Message-----
From: James Ralston [mailto:rals...@pobox.com] 
Sent: Monday, July 09, 2018 5:34 PM
To: End-user discussions about the System Security Services Daemon 
<sssd-users@lists.fedorahosted.org>
Subject: [SSSD-users] Re: recreate machine keytab file

On Mon, Jul 9, 2018 at 8:19 AM Ondrej Valousek <ondrej.valou...@s3group.com> 
wrote:

> Is there any way we can recreate the system keytab file of a machine 
> joined to AD if the file has been broken/deleted?
>
> I want to avoid doing join again as this would probably delete the 
> existing account (with all attributes we have set).

The latest version of the msktutil utility (version 1.1) can do this:

    https://github.com/msktutil/msktutil/

Remove the corrupted /etc/krb5.keytab file, change the password of the host 
machine account in AD to a temporary password, and then run:

    $ msktutil --update --computer-name SHORTHOSTNAMEALLCAPS \
        --old-account-password <temporary_password> --verbose --verbose

This should change the host machine account password in AD to a new
(random) password, and then create a new /etc/krb5.keytab file with all 
relevant entries.

Depending on your AD configuration, you might need to use the 
--dont-update-dnshostname option as well.
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe 
send an email to sssd-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/sssd-users@lists.fedorahosted.org/message/YHPZ4WH6CNL3KMULOVKZ5VKMHMRYNWDW/
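
A check one might run after the msktutil step described in the quoted reply, as an added example that is not part of the original thread or of msktutil: it reads `klist -k` output and confirms that the machine principal and a host/ principal are present at a single key version. The host name CLIENT01, the realm EXAMPLE.COM and both sample listings are constructed, and the single-KVNO expectation is an assumption for a keytab created from scratch.

```shell
#!/bin/sh
# Added example: sanity-check a regenerated machine keytab.
# Reads `klist -k` output on stdin (MIT Kerberos layout: "KVNO Principal").
# Real use: klist -k /etc/krb5.keytab | check_keytab SHORTHOSTNAMEALLCAPS REALM

# Constructed sample listings (CLIENT01 / EXAMPLE.COM are placeholders).
GOOD_SAMPLE='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------------------------------
   5 CLIENT01$@EXAMPLE.COM
   5 host/CLIENT01@EXAMPLE.COM
   5 host/client01.example.com@EXAMPLE.COM'

STALE_SAMPLE='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------------------------------
   4 host/client01.example.com@EXAMPLE.COM
   5 host/client01.example.com@EXAMPLE.COM'

# check_keytab SHORTNAME REALM
# Prints one finding per line; returns 0 only when the machine principal
# (SHORTNAME$@REALM) and a host/ principal are present and every entry
# carries the same KVNO (assumed for a keytab created from scratch).
check_keytab() {
    awk -v mach="$1"'$@'"$2" -v realm="@$2" '
        $1 ~ /^[0-9]+$/ && NF >= 2 {
            if (!($1 in kvno)) { kvno[$1] = 1; versions++ }
            if ($2 == mach) have_mach = 1
            tail = substr($2, length($2) - length(realm) + 1)
            if (index($2, "host/") == 1 && tail == realm) have_host = 1
        }
        END {
            if (versions == 0) { print "no keytab entries found"; bad = 1 }
            if (!have_mach)    { print "missing " mach; bad = 1 }
            if (!have_host)    { print "missing host/ principal for " realm; bad = 1 }
            if (versions > 1)  { print "mixed KVNOs: stale keys present"; bad = 1 }
            exit bad + 0
        }'
}

printf '%s\n' "$GOOD_SAMPLE" | check_keytab CLIENT01 EXAMPLE.COM && echo "keytab looks sane"
printf '%s\n' "$STALE_SAMPLE" | check_keytab CLIENT01 EXAMPLE.COM || echo "keytab needs attention"
```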
