Jan Wagner via FreeIPA-users wrote:
> The keytab is also valid, I just checked:
>
> [root@replica1 ~]# kvno -k /etc/dirsrv/ds.keytab ldap/[email protected]
> ldap/[email protected]: kvno = 2, keytab entry valid
>
> However, the dirsrv user does not seem to have a credentials cache, but that is
> the case on other replicas too (on the ones that do not have any issues):
> [root@replica1 ~]# sudo -u dirsrv kvno -k /etc/dirsrv/ds.keytab ldap/[email protected]
> kvno: Credentials cache 'KCM:389' not found while getting client principal name
>
> But I suppose that the directory process just looks up the keys in LDAP
> anyway. However, if that is the case, why does it have issues retrieving it?
>
That just circles back to the original problem: DS can't get credentials.

I'd suggest restarting the process and looking in /var/log/krb5kdc.log for the TGT request, along with monitoring the 389-ds error log.

rob
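The check suggested in the reply (finding the directory server's TGT request in /var/log/krb5kdc.log) can be scripted. The following is an added example, not part of the original thread; it assumes the usual MIT krb5 KDC layout for AS_REQ entries, and the host name, realm, address and sample log lines are constructed placeholders.

```python
import re

# Assumed layout of one AS_REQ entry in an MIT krb5 KDC log:
#   ... AS_REQ (<etypes>) <addr>: <STATUS>: [authtime ..., etypes {...}, ]
#       <client> for <server>[, <detail>]
AS_REQ = re.compile(
    r"AS_REQ \(.*?\) (?P<addr>\S+): (?P<status>[A-Z_]+): "
    r"(?:authtime \d+, etypes \{.*?\}, )?"
    r"(?P<client>\S+) for (?P<server>[^\s,]+)(?:, (?P<detail>.*))?$"
)

def tgt_requests(lines, client_prefix="ldap/"):
    """Return (status, client, detail) for each TGT request by a matching client."""
    found = []
    for line in lines:
        m = AS_REQ.search(line.rstrip())
        if (m and m["client"].startswith(client_prefix)
                and m["server"].startswith("krbtgt/")):
            found.append((m["status"], m["client"], m["detail"] or ""))
    return found

def verdict(lines, client_prefix="ldap/"):
    """Summarise the latest TGT request; an earlier NEEDED_PREAUTH is routine."""
    reqs = tgt_requests(lines, client_prefix)
    if not reqs:
        return "no AS_REQ from this client in the log"
    status, client, detail = reqs[-1]
    if status == "ISSUE":
        return f"TGT issued to {client}"
    return f"KDC answered {status} for {client}: {detail}"

# Constructed sample lines; host, realm and address are placeholders.
HDR = ("Jan 10 09:00:01 replica1.example.test krb5kdc[2101](info): AS_REQ "
       "(2 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17)}) "
       "192.0.2.10: ")
WHO = "ldap/replica1.example.test@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST"
ETYPES = ("etypes {rep=aes256-cts-hmac-sha1-96(18), "
          "tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, ")
SAMPLE = [
    HDR + "NEEDED_PREAUTH: " + WHO + ", Additional pre-authentication required",
    HDR + "ISSUE: authtime 1736499601, " + ETYPES + WHO,
]

if __name__ == "__main__":
    print(verdict(SAMPLE))
```

Feed it the lines written to the KDC log after the directory server restart; the three outcomes (no request, a refusal status, a ticket issued) point to different places to look next.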
