Bhavin Vaidya via FreeIPA-users <freeipa-users@lists.fedorahosted.org>
writes:

> We have Kerberos authentication failing on our replica server as well
> as client. We are also not able to add any more client or replica
> server.
>
> Master FreeIPA server ds01:/etc/krb5.keytab, we get multiple entries.
>
> [root@ds01 log]# klist -kt /etc/krb5.keytab
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Timestamp           Principal
> ---- ------------------- ------------------------------------------------------
>    2 02/02/2015 19:33:04 host/ds01.domain....@domain.com
>    2 02/02/2015 19:33:04 host/ds01.domain....@domain.com
>    2 02/02/2015 19:33:04 host/ds01.domain....@domain.com
>    2 02/02/2015 19:33:04 host/ds01.domain....@domain.com
>    5 06/21/2017 15:44:40 host/ds02.domain....@domain.com
>    5 06/21/2017 15:44:40 host/ds02.domain....@domain.com
>    5 06/21/2017 15:44:40 host/ds02.domain....@domain.com
>    5 06/21/2017 15:44:40 host/ds02.domain....@domain.com
>    5 06/21/2017 15:44:40 host/ds02.domain....@domain.com
>    2 08/07/2017 14:09:27 host/ds01.domain....@domain.com
>    2 08/07/2017 14:09:27 host/ds01.domain....@domain.com
>    2 08/07/2017 14:09:27 host/ds01.domain....@domain.com
>    2 08/07/2017 14:09:27 host/ds01.domain....@domain.com
>
> We had someone else trying to help us and now we have this issue.
>
>   1.  How can we remove newer entries?

Not easily.  krb5 doesn't provide a way to do this, nor should you need
to do so.

>   2.  Can we reset the krb5.keytab and if yes what will be the
>   implication on replicas and client?

kvno will change, causing all existing credentials against that service
to mysteriously fail.

The kvno difference, as has been said already, is unlikely to be the
problem; can you perhaps post some failure logs?

Thanks,
--Robbie
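
An added example, not part of the original thread or of FreeIPA: a small Python helper that groups `klist -kt` output by principal and KVNO, so that a key version written in more than one run and entries for other hosts stand out before anyone considers resetting the keytab. The sample listing, host names and realm are constructed placeholders, and `parse_klist` and `review` are hypothetical names.

```python
import re
from collections import defaultdict

# Constructed sample shaped like `klist -kt` output; host names and realm are placeholders.
SAMPLE = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 02/02/2015 19:33:04 host/ds01.example.test@EXAMPLE.TEST
   2 02/02/2015 19:33:04 host/ds01.example.test@EXAMPLE.TEST
   5 06/21/2017 15:44:40 host/ds02.example.test@EXAMPLE.TEST
   5 06/21/2017 15:44:40 host/ds02.example.test@EXAMPLE.TEST
   2 08/07/2017 14:09:27 host/ds01.example.test@EXAMPLE.TEST
   2 08/07/2017 14:09:27 host/ds01.example.test@EXAMPLE.TEST
"""

ENTRY = re.compile(r"^\s*(\d+)\s+(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\s+(\S+)\s*$")

def parse_klist(text):
    """Group entries as {principal: {kvno: {timestamp: entry_count}}}."""
    table = defaultdict(lambda: defaultdict(lambda: defaultdict(int)))
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:  # header and separator lines do not match and are skipped
            kvno, stamp, principal = m.groups()
            table[principal][int(kvno)][stamp] += 1
    return table

def review(text, local_fqdn):
    """Return (principal, kvno, note) tuples worth a closer look."""
    notes = []
    for principal, kvnos in sorted(parse_klist(text).items()):
        host = principal.split("@", 1)[0].partition("/")[2]
        if host.lower() != local_fqdn.lower():
            for kvno in sorted(kvnos):
                notes.append((principal, kvno, "principal is for another host"))
        for kvno, stamps in sorted(kvnos.items()):
            # Entries sharing kvno and timestamp are normally one key per
            # encryption type (`klist -kte` shows them); more than one
            # timestamp means the same kvno was written in separate runs.
            if len(stamps) > 1:
                notes.append((principal, kvno, "written %d times" % len(stamps)))
    return notes

if __name__ == "__main__":
    for note in review(SAMPLE, "ds01.example.test"):
        print(*note, sep="\t")
```
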
