
add mention of cern-get-keytab troubleshooting in kerberos cheatsheet

Merged Ben Morrice requested to merge cgkeytab into master
1 file, +8 -0
@@ -33,3 +33,11 @@ For non puppet/locmap machines, a correct krb5.conf can always be found here [ht
## Checking host principles
From a host that has a working Kerberos installation, you can run ```kvno $SHORTNAME```. If the host exists, you will be presented with the 'key version number' of the record from the directory side. If you are working on a host that has issues, you may want to confirm that the kvno is the same between the version the directory knows about versus what is present on the host. The following command can be used (as root) to query the system keytab to see the current kvno as well as last update time: ```klist -kt /etc/krb5.keytab```
## cern-get-keytab
If you get the error message ```Error checking computer in AD, object not found, not in authorized OU or invalid user trying to join domain```, ensure that the LanDB-OS is set to ```Linux```
This shouldn't be a problem for most cases as VMs with CC7 set this via the glance image metadata, but should be something checked.
It is also worth mentioning that the lxkerbwin service seems to cache the response from LanDB, thus an update to LanDB will take several minutes to see different behaviour via the client (cern-get-keytab)
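Review bot: the new cern-get-keytab section says the LanDB-OS value "should be something checked" but never says where that field is viewed or changed, so a reader hitting the error has no next step; add a pointer to the place it is set. The sentence quoting the error message is missing its closing full stop. In the last line, "seems to cache" and "several minutes" leave the wait open-ended: if the lxkerbwin cache lifetime is known, state it, otherwise tell the reader to rerun cern-get-keytab after a few minutes before investigating further. Separately, the context heading "Checking host principles" should read "principals".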