Channel: All Centrify Express posts

Getting "failed to clear tatoo" error


We have been building out an AD domain and joining Linux machines to it using centrifydc.

Going pretty well for the most part.

One Linux box is disconnecting from the domain, for no obvious reason. (Not obvious to me, at any rate.) After enabling centrifydc debugging, I found that the Kerberos keytab was missing from this box.

I tried to use "adkeytab" but it failed with error:

# adkeytab -r verbose -K /etc/kb5.keytab

Error: Keytab file does not exists /etc/kb5.keytab

I then decided to start from scratch, and I ran "adleave". I got a weird "tatoo" error:

# adleave --user "${ADJOIN_USERNAME}" --password "${ADJOIN_PASSWORD}" --remove
Using domain controller: qadc01b.qa.example.com writable=true
Failed to clear tatoo in computer object, leave continue. Please advise the administrator of the failure to cleanup tatoo in operatingSystemServicePack attribute of the computer object "CN=batch01b,OU=Linux,OU=Servers,DC=iad1,DC=qa,DC=example,DC=com".
Left domain.
Centrify DirectControl stopped.

"Failed to clear tatoo in computer object, leave continue"

What on earth??? (I've since learned what "registry tattooing" is. As a long-time Linux admin, I've never encountered this term.)

In any case, the computer appeared to have left the domain. adinfo showed as much.

# adinfo
Not joined to any domain
Licensed Features: Disabled

I then re-ran the centrifydc install script and it joined the domain and installed /etc/krb5.keytab, and adinfo shows it is joined and "getent passwd" shows AD users.

QUESTIONS

Is this "tatoo" error anything I should be concerned about? How do I fix it?

How can I determine why this box became disconnected from the domain in the first place?

Why did the krb5.keytab disappear? Why didn't "adkeytab" work?

Thanks!

