Problem:

The krb5.keytab was removed or overwritten by mistake.
These file essentially corresponds to a hashed version of /etc/machine.secret.

Solution:

Good news, it can be rewritten.
NOTE Make sure to backup your old keytab, before using this script!

/usr/share/univention-samba4/scripts/create-keytab.sh

is creating a new krb5.keytab if your server is a samba4 DC, otherwise this script is missing.

The keytab normally contains two keyversionnumbers. The newly created one only contains one keyversionnumber, so some clients needs to be restartet, to use the new one.

Addition (heimdal):

If your primary is NOT a samba4 DC heimdal is your kerberos KDC and the keytab is generated differently. In this case a listener module generates the keytab. You can use:

univention-directory-listener-ctrl resync keytab

to generate a new /etc/krb5.keytab