[Samba] deleted krbtgt user
Andrew Bartlett
abartlet at samba.org
Sun Jul 13 03:58:46 MDT 2014
On Thu, 2014-07-10 at 20:44 +1200, Andrew Bartlett wrote:
> On Thu, 2014-07-10 at 09:38 +0200, L.P.H. van Belle wrote:
> > Well, I suggest, restore your backup.. ;-)
> >
> > or add kadmin/changepw to the new krbtgt user.
> >
> > samba-tool spn list krbtgt
> >
> > User CN=krbtgt,CN=Users,...
> >
> > servicePrincipalName:
> > kadmin/changepw
> >
> > I don't know the samba-tool line, so that's for you to find.
> > You can also do this from the Windows AD tool, but you need to set View-Advanced first;
> > after that you will see the krbtgt users in the Users OU.
>
> It needs more than that, it has a special SID (specifically the right
> RID). This isn't going to be easy to fix, but to start prepare a new
> provision with the same parameters, and then make the object match
> exactly. This may require use of --relax or other controls to get past
> our internal checks.
Thinking about this again, the key will be to undelete the krbtgt
object, then make it 'right' again, with a new unicodePwd. Read up on
how to undelete users in Samba AD at the wiki link below. It will still
be tricky however, and if you can't figure it out I may have to write
you a dbcheck test to fix it.
https://wiki.samba.org/index.php/Restoring_deleted_AD_objects
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
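
An added example (not from the thread or from the Samba project): a check of the points raised above for a krbtgt object, namely its RID, the kadmin/changepw SPN and whether it is still deleted. The expected RID of 502 is the well-known krbtgt RID and is not stated in the thread; the sam.ldb path, the example.com DN and the sample LDIF are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Input: LDIF such as ldbsearch prints with
# objectSid as a string (assumed), e.g. (sam.ldb path is an assumption):
#   ldbsearch -H /var/lib/samba/private/sam.ldb --show-deleted \
#     '(sAMAccountName=krbtgt)' objectSid servicePrincipalName isDeleted

# Reads LDIF on stdin, prints one line per record, and returns 0 only when
# exactly one record is live, has RID 502 and carries kadmin/changepw.
check_krbtgt_ldif() {
    awk '
    function report(   n, p, rid) {
        if (dn == "") return
        n = split(sid, p, "-")
        rid = (n > 0) ? p[n] : "none"
        printf "%s rid=%s state=%s kadmin/changepw=%s\n", dn, rid,
               (deleted ? "deleted" : "live"), (spn ? "yes" : "no")
        if (rid == "502" && !deleted && spn) good++
        dn = ""; sid = ""; spn = 0; deleted = 0
    }
    # Deleted objects have a newline in their DN, so LDIF base64-encodes it (dn::)
    /^dn::? /                 { report(); dn = $0; sub(/^dn::? /, "", dn) }
    /^objectSid: /            { sid = $2 }
    /^servicePrincipalName: / { if (tolower($2) == "kadmin/changepw") spn = 1 }
    /^isDeleted: /            { if (toupper($2) == "TRUE") deleted = 1 }
    END { report(); exit (good == 1 ? 0 : 1) }
    '
}

# Constructed sample: the original object (deleted) and a re-created account
# that has the SPN but an ordinary RID. The base64 DN is a placeholder.
sample_ldif() {
    cat <<'EOF'
dn:: Q049a3JidGd0
objectSid: S-1-5-21-1111111111-2222222222-3333333333-502
isDeleted: TRUE

dn: CN=krbtgt,CN=Users,DC=example,DC=com
objectSid: S-1-5-21-1111111111-2222222222-3333333333-1105
servicePrincipalName: kadmin/changepw
EOF
}

sample_ldif | check_krbtgt_ldif || echo "krbtgt needs repair"
```

On the sample, neither record passes: the one with RID 502 is deleted, and the live one has the SPN but the wrong RID.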