Thanks, that worked. The initial server has 2 usercertificate attributes, while the other two replicas only have one. Also the initial server doesn't have a krbcanonicalname.
-----------------
1 service matched
-----------------
  dn: krbprincipalname=ldap/[email protected],cn=services,cn=accounts,dc=atmos,dc=ucla,dc=edu
  krbprincipalname: ldap/[email protected]
  usercertificate: MII ... xU=
  usercertificate: MII ... w==
  subject: CN=ipaserver.atmos.ucla.edu,O=ATMOS.UCLA.EDU
  serial_number: 8
  serial_number_hex: 0x8
  issuer: CN=Certificate Authority,O=ATMOS.UCLA.EDU
  valid_not_before: Fri Jun 27 17:38:28 2014 UTC
  valid_not_after: Mon Jun 27 17:38:28 2016 UTC
  sha1_fingerprint: ...
  sha256_fingerprint: ...
  has_keytab: TRUE
  managedby: fqdn=ipaserver.atmos.ucla.edu,cn=computers,cn=accounts,dc=atmos,dc=ucla,dc=edu
  ipaKrbPrincipalAlias: ldap/[email protected]
  ipaUniqueID: UUID
  krbExtraData: ...=
  krbLastPwdChange: 20140627174009Z
  krbLastSuccessfulAuth: 20201115230924Z
  krbPwdPolicyReference: cn=Default Service Password Policy,cn=services,cn=accounts,dc=atmos,dc=ucla,dc=edu
  memberof: cn=replication managers,cn=sysaccounts,cn=etc,dc=atmos,dc=ucla,dc=edu
  objectClass: ipaobject
  objectClass: top
  objectClass: ipaservice
  objectClass: pkiuser
  objectClass: ipakrbprincipal
  objectClass: krbprincipal
  objectClass: krbprincipalaux
  objectClass: krbTicketPolicyAux
----------------------------
Number of entries returned 1
----------------------------
