DSfW how to recreate the krbtgt object

  • 7011863
  • 01-Mar-2013
  • 29-Jul-2014

Environment

Novell Open Enterprise Server 11 SP2 (OES11SP2)
Novell Open Enterprise Server 11 SP1 (OES11SP1)
Novell Open Enterprise Server 2 SP3 (OES2SP3)
Domain Services for Windows
DSFW

Situation

The krbtgt object was accidentally deleted.  How do I re-create the krbtgt object?

Resolution

Open /var/opt/novell/xad/ds/domain/domain.ldif.
Copy the krbtgt object from that ldif.
Create a new ldif and paste the krbtgt entry from domain.ldif into it.
 
Example of what should be copied from the domain.ldif:
 
dn: CN=krbtgt,CN=Users,o=novell
cn: krbtgt
codePage: 0
countryCode: 0
description: Kerberos Ticket Granting Service account
isCriticalSystemObject: TRUE
objectClass: User
objectClass: posixAccount
objectClass: uamPosixUser
objectSid:: AQUAAAAAAAUVAAAAKeR7wrYQAAzZqeER9gEAAA==
primaryGroupId: 513
samAccountName: krbtgt
samAccountType: 805306368
servicePrincipalName: kadmin/changepw
servicePrincipalName: kadmin/admin
userAccountControl: 66050
gidNumber: 1049089
uidNumber: 1049078
unixHomeDirectory: /home/krbtgt
uniqueID: krbtgt
 
Then import the ldif.
Use the OpenLDAP ldapadd with a SASL (EXTERNAL) or GSSAPI bind.
To use ldapadd with an ldif called /tmp/krbtgt.ldif, do the following:
 
export LDAPCONF=/etc/opt/novell/xad/openldap/ldap.conf
ldapadd -Y EXTERNAL -f /tmp/krbtgt.ldif

Verify that the SID for krbtgt ends with 502 using wbinfo.
First restart winbind to clear its cache; otherwise wbinfo might show the old SID if it was run between the creation and the modification of the krbtgt object.

Example:
rcwinbind restart
wbinfo -n krbtgt
S-1-5-21-3262899241-201330870-300001753-502 User (1)
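The steps above extract the krbtgt entry from domain.ldif by hand and only check the RID after the import, through wbinfo. The following script is an added example (not part of this TID and not a Novell tool) that does the same two things offline: it pulls the krbtgt record out of an ldif and decodes the base64 objectSid into its S-1-5-... form so the -502 RID can be confirmed before ldapadd is run. The sample ldif is constructed here (the objectSid value is the one shown above); the function names and the output path are the example's own.

```shell
#!/bin/sh
# Added example, not from the TID: extract the krbtgt entry from a domain.ldif
# and confirm its objectSid has the well-known krbtgt RID 502 before importing.

# Constructed sample standing in for /var/opt/novell/xad/ds/domain/domain.ldif.
SAMPLE_LDIF=$(mktemp)
cat > "$SAMPLE_LDIF" <<'EOF'
dn: CN=Administrator,CN=Users,o=novell
cn: Administrator
objectClass: User

dn: CN=krbtgt,CN=Users,o=novell
cn: krbtgt
description: Kerberos Ticket Granting Service account
isCriticalSystemObject: TRUE
objectClass: User
objectSid:: AQUAAAAAAAUVAAAAKeR7wrYQAAzZqeER9gEAAA==
samAccountName: krbtgt
userAccountControl: 66050

dn: CN=Domain Users,CN=Users,o=novell
cn: Domain Users
EOF
OUT_LDIF=$(mktemp)
trap 'rm -f "$SAMPLE_LDIF" "$OUT_LDIF"' EXIT

# Print the blank-line separated LDIF record whose dn starts with CN=krbtgt,
extract_krbtgt_entry() {
    awk 'BEGIN { RS=""; FS="\n" } $1 ~ /^dn: CN=krbtgt,/ { print; exit }' "$1"
}

# Decode a base64 objectSid (revision, count, 48-bit authority, little-endian
# 32-bit sub-authorities) into the textual S-R-A-S1-S2-... form.
sid_from_base64() {
    printf '%s' "$1" | base64 -d | od -An -v -tu1 | awk '
        { for (i = 1; i <= NF; i++) b[n++] = $i }
        END {
            if (n < 8) exit 1                     # not even a SID header
            rev = b[0]; count = b[1]
            auth = 0
            for (i = 2; i < 8; i++) auth = auth * 256 + b[i]   # big-endian
            sid = "S-" rev "-" auth
            for (s = 0; s < count; s++) {
                off = 8 + s * 4
                sa = b[off] + b[off+1]*256 + b[off+2]*65536 + b[off+3]*16777216
                sid = sid "-" sprintf("%.0f", sa)
            }
            print sid
        }'
}

# Decode the objectSid of the krbtgt record in the given ldif.
krbtgt_sid_from_ldif() {
    b64=$(extract_krbtgt_entry "$1" | sed -n 's/^objectSid:: //p')
    sid_from_base64 "$b64"
}

# True when the RID (last component) is 502, the krbtgt RID wbinfo should show.
is_krbtgt_sid() {
    case "$1" in
        *-502) return 0 ;;
        *) return 1 ;;
    esac
}

# Write the krbtgt record to the output ldif only if its RID check passes.
prepare_krbtgt_ldif() {
    src=$1; dst=$2
    sid=$(krbtgt_sid_from_ldif "$src") || return 1
    is_krbtgt_sid "$sid" || { echo "refusing: objectSid $sid does not end in -502" >&2; return 1; }
    extract_krbtgt_entry "$src" > "$dst"
    echo "$sid"
}

prepare_krbtgt_ldif "$SAMPLE_LDIF" "$OUT_LDIF"
# On the DC the prepared file would then be imported as in the TID (not run here):
#   export LDAPCONF=/etc/opt/novell/xad/openldap/ldap.conf
#   ldapadd -Y EXTERNAL -f "$OUT_LDIF"
```

Running it against the sample prints S-1-5-21-3262899241-201330870-300001753-502, the same SID wbinfo reports above, which confirms the copied entry carries the right RID before anything touches eDirectory. The awk in sid_from_base64 uses sprintf("%.0f") so sub-authorities above 2^31 print as plain integers on every awk.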


Now set the password for the user by running the provision_set_cred_foraccounts.pl script.
In order to run the provision_set_cred_foraccounts.pl script, the domain Administrator's and the tree admin's passwords need to be exported as environment variables (no spaces around the = sign):

export ADM_PASSWD=password                    # password of the domain Administrator
export NDSEXISTINGADMINPASSWD=treeadminpassword   # password of the eDirectory tree admin, usually the admin user

Then run
/opt/novell/xad/share/dcinit/provision/provision_set_cred_foraccounts.pl

Look at the end of the /var/opt/novell/xad/log/provision.log for the results.

Example of what to look for when the script runs successfully:

>>>Setting machine account password and configuring Kerberos keytab
Changing password for DSFWSERVER$...
>>>Setting krbtgt password
Changing password for krbtgt...
>>>Setting Administrator password
Changing password for Administrator...

2012-02-28 16:41:05 Post-check to set default password Passed
2012-02-28 16:41:06,544 INFO  - Set Default Passwords for Accounts:Set Default Passwords for Accounts returned.