linuxmuster / linuxmuster-linuxclient7

The new approach to connecting linuxclients to the Linuxmuster.net v7 Active Directory server.

Domain Login fails once initially joined machine account is removed #45

Closed robinrosenberger closed 2 years ago

robinrosenberger commented 2 years ago

When an image is joined to the domain, the initially joined hostname is hardcoded in /etc/krb5.keytab and sssd will not start once that machine account is removed, stating:

test-client [sssd[ldap_child[8614]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Client 'CLIENT1$@LINUXMUSTER.LAN' not found in Kerberos database. Unable to create GSSAPI-encrypted LDAP connection.

The keytab contains:

root@test-client:~# klist -k | sort | uniq
   8 CLIENT1$@LINUXMUSTER.LAN
   8 host/CLIENT1@LINUXMUSTER.LAN
   8 host/client1.linuxmuster.lan@LINUXMUSTER.LAN
   8 restrictedkrbhost/CLIENT1@LINUXMUSTER.LAN
   8 restrictedkrbhost/client1.linuxmuster.lan@LINUXMUSTER.LAN
   8 termsrv/CLIENT1@LINUXMUSTER.LAN
   8 termsrv/client1.linuxmuster.lan@LINUXMUSTER.LAN
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal

client1 was the original client's name, which is gone by now and purged from the workstation list. After creating a new workstation called client1, sssd says:

test-client [sssd[ldap_child[2259]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: KDC has no support for encryption type. Unable to create GSSAPI-encrypted LDAP connection.

Renaming an existing client to client1 leads to:

client1 [sssd[krb5_child[4397]: Cannot find key for host/client1.linuxmuster.lan@LINUXMUSTER.LAN kvno 2 in keytab

on that client. linuxmuster-cloop-turnkey does not resolve any of these issues but leads to

client1.linuxmuster.lan [sssd[ldap_child[2630]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.

no matter what happened before.

Any thoughts on this? For the time being, it should be stated somewhere that one must not rename the initial workstation.
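The failures above all come down to one thing: the principals baked into /etc/krb5.keytab are for the host the image was joined as, not for the host it is running as now. The following shell check is an added example (it is not part of this issue or of linuxmuster-linuxclient7) that parses `klist -k` output and verifies that the keytab carries the machine-account and host principals for the current FQDN. The `klist -k` output embedded below is constructed from the listing in this issue, and the script assumes the Kerberos realm is the uppercased DNS domain (true for linuxmuster.lan / LINUXMUSTER.LAN, but an assumption in general).

```shell
#!/bin/sh
# Constructed sample of `klist -k | sort | uniq` output, modelled on the keytab
# listed in the issue. It is NOT captured from a real host.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
   8 CLIENT1$@LINUXMUSTER.LAN
   8 host/CLIENT1@LINUXMUSTER.LAN
   8 host/client1.linuxmuster.lan@LINUXMUSTER.LAN
   8 restrictedkrbhost/CLIENT1@LINUXMUSTER.LAN
   8 restrictedkrbhost/client1.linuxmuster.lan@LINUXMUSTER.LAN'

# Read `klist -k` output on stdin and print the distinct principals it lists.
# Entry lines look like "   8 host/x@REALM" (KVNO, principal); the "Keytab name:"
# and "KVNO Principal" header lines are skipped because field 1 is not numeric.
keytab_principals() {
    awk 'NF == 2 && $1 ~ /^[0-9]+$/ { print $2 }' | sort -u
}

# keytab_matches_host KLIST_OUTPUT FQDN
# Checks that the keytab contains the principals sssd needs for THIS host:
# the machine account HOST$@REALM (used by ldap_child for the GSSAPI LDAP bind)
# and host/fqdn@REALM plus host/HOST@REALM (used by krb5_child for logins).
# Assumption: REALM is the uppercased DNS domain of FQDN.
# Returns 0 if all are present, 1 otherwise; missing principals go to stderr.
keytab_matches_host() {
    klist_out=$1
    fqdn=$2
    short=${fqdn%%.*}
    realm=$(printf '%s' "${fqdn#*.}" | tr '[:lower:]' '[:upper:]')
    upper=$(printf '%s' "$short" | tr '[:lower:]' '[:upper:]')
    principals=$(printf '%s\n' "$klist_out" | keytab_principals)
    rc=0
    for want in "${upper}\$@${realm}" "host/${fqdn}@${realm}" "host/${upper}@${realm}"; do
        # -F: fixed string (the '$' must not be a regex anchor); -x: whole line.
        if ! printf '%s\n' "$principals" | grep -Fqx "$want"; then
            echo "missing from keytab: $want" >&2
            rc=1
        fi
    done
    return $rc
}

# Demonstration on the constructed sample: the keytab was issued for client1,
# but the host now calls itself test-client, so the check reports the missing
# principals and fails, which is the situation behind the first sssd error
# quoted in the issue.
keytab_matches_host "$SAMPLE_KLIST" test-client.linuxmuster.lan \
    || echo "keytab does not match this host; re-join or fix the hostname"
```

On a real client the same check runs as `keytab_matches_host "$(klist -k)" "$(hostname -f)"`. Note that a passing result only proves the names line up; whether the KDC still knows that account with that key version (the "Client not found in Kerberos database", "kvno ... in keytab" and "Preauthentication failed" errors above) is a separate question that `kinit -k` with the machine principal answers.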

robinrosenberger commented 2 years ago

Sorry, just recognized commit c22b0f977c29407e77897bd9d5d5e868c50f56ee addressing this.