On Wed, 2018-04-11 at 10:47 -0400, Dave Jablonski via FreeIPA-users wrote:
> One of the FreeIPA replicas is not able to use the GSSAPI authentication
> to connect to ldap server on itself or any other FreeIPA server. I'm not
> sure why. I added example.com to just replace the actual domains, we're
> not using that. I really don't fully understand how the krbprincipalname
> is used but as a thought I think maybe we have 2 ldap/ krbprincipal names
> for this host/service and it's using the wrong one for the mapping.

Have you tried to install two servers with the same name at the same
time by chance?
I do not see how else you'd get a duplicate entry in ldap with the
keytab.

Either that or you reinstalled a server while the topology had
replication issues that got resolved after the second reinstall.

Simo.

-- 
Simo Sorce
Sr. Principal Software Engineer
Red Hat, Inc