[Samba] deleted krbtgt user

Andrew Bartlett abartlet at samba.org
Sun Jul 13 03:58:46 MDT 2014

On Thu, 2014-07-10 at 20:44 +1200, Andrew Bartlett wrote:
> On Thu, 2014-07-10 at 09:38 +0200, L.P.H. van Belle wrote:
> > wel i suggest, restore your backup.. ;-) 
> > 
> > or add kadmin/changepw to the new krbtgt user.
> > 
> > samba-tool spn list krbtgt 
> > 
> > User CN=krbtgt,CN=Users,...  
> > 
> > servicePrincipalName:
> >          kadmin/changepw
> > 
> > I don't know the samba-tool line, so thats for you to find. 
> > you can do this also from windows AD tool but you need to set View-Advanced first, 
> > after that you will see the krbtgt users in the Users OU. 
> It needs more than that, it has a special SID (specifically the right
> RID).  This isn't going to be easy to fix, but to start prepare a new
> provision with the same parameters, and then make the object match
> exactly.  This may require use of --relax or other controls to get past
> our internal checks. 

Thinking about this again, the key will be to undelete the krbtgt
object, then make it 'right' again, with a new unicodePwd.  Read up on
how to undelete users in Samba AD at the wiki link below.  It will still
be tricky however, and if you can't figure it out I may have to write
you a dbcheck test to fix it.


Andrew Bartlett

Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

More information about the samba mailing list