On Wed, 2011-01-26 at 13:59 -0500, James Roman wrote:

> So it looks like the replication password issue was a red herring as
> far as Kerberos is concerned. I issued the command
> "ipa-replica-manage synch ipaserver1.domain.com" from the working LDAP
> replica and no longer get password expiration errors in the error
> logs. However, I still cannot get the krb5kdc process on ipaserver1
> to start when it uses the local (ldap://127.0.0.1/) LDAP database. If
> I perform an LDAP search of the kdc account using the Directory
> Manager account, both kdc entries are identical, so it does not seem
> to be the password for the KDC account that is preventing the krb5kdc
> service from starting. Could it be the service or host principals?
> Should I init from ipaserver2 -> ipaserver1 (Note: ipaserver1 is the
> winsync server)?
>
> ipaserver1:
> FC 11
> ipa-server-1.2.2-2.fc11.i586
>
> ipaserver2:
> FC10
> ipa-server-1.2.2-1.fc10.i386
I am surprised you get back INVALID CREDENTIALS as an error when the KDC tries to log in using the data in ldappwd, given it works against the other server ...

If you search with Directory Manager the accounts on both servers, do you get back an identical userPassword field ?

Simo.

--
Simo Sorce * Red Hat, Inc * New York

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
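The check Simo asks for, as an added example that is not part of the thread: pull the KDC bind account's entry from both replicas as Directory Manager and compare the stored userPassword byte for byte, unfolding LDIF continuation lines first so a value that was wrapped on one server and not the other does not look like a mismatch. The bind DN uid=kdc,cn=sysaccounts,cn=etc,<suffix>, the ldapsearch flags and the DM_PWFILE variable are assumptions for an IPA deployment of that era, not something the thread states.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA itself.
# Assumed: the KDC binds as uid=kdc,cn=sysaccounts,cn=etc,<suffix>
# (the password it uses is stashed in ldappwd on the KDC host), and the
# Directory Manager password is in the file named by $DM_PWFILE.

# Read LDIF on stdin, join folded continuation lines (a leading space
# continues the previous attribute), and print the first userPassword
# attribute line. Base64 values ("userPassword::") are left encoded:
# identical stored bytes encode identically on both replicas.
ldif_userpassword() {
    awk '
        function flush() {
            if (!found && tolower(substr(buf, 1, 13)) == "userpassword:") {
                print buf; found = 1
            }
        }
        /^ /  { buf = buf substr($0, 2); next }
              { flush(); buf = $0 }
        END   { flush() }
    '
}

# Given the LDIF output for the same entry from two servers, succeed only
# when both carry a userPassword and the values are identical.
userpassword_match() {
    a=$(printf '%s\n' "$1" | ldif_userpassword)
    b=$(printf '%s\n' "$2" | ldif_userpassword)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Fetch just the userPassword of the KDC account from one replica.
fetch_kdc_entry() {
    ldapsearch -x -LLL -H "ldap://$1" -D "cn=Directory Manager" \
        -y "${DM_PWFILE:?set DM_PWFILE to a file holding the DM password}" \
        -b "uid=kdc,cn=sysaccounts,cn=etc,$2" -s base userPassword
}

# Constructed sample entries (the base64 is made up, not a real hash):
# A is folded over two lines, B is the same value unfolded, C differs.
SAMPLE_A="dn: uid=kdc,cn=sysaccounts,cn=etc,dc=example,dc=com
userPassword:: e1NTSEF9Y29uc3RydWN0ZWQtZXhhbXBsZS12YWx1ZS1u
 b3QtYS1yZWFsLWhhc2g="
SAMPLE_B="dn: uid=kdc,cn=sysaccounts,cn=etc,dc=example,dc=com
userPassword:: e1NTSEF9Y29uc3RydWN0ZWQtZXhhbXBsZS12YWx1ZS1ub3QtYS1yZWFsLWhhc2g="
SAMPLE_C="dn: uid=kdc,cn=sysaccounts,cn=etc,dc=example,dc=com
userPassword:: e1NTSEF9ZGlmZmVyZW50LXZhbHVlLW9uLXRoZS1vdGhlci1yZXBsaWNh"

# Usage: sh kdc-pw-check.sh HOST_A HOST_B [SUFFIX]
if [ $# -ge 2 ]; then
    suffix=${3:-dc=example,dc=com}
    if userpassword_match "$(fetch_kdc_entry "$1" "$suffix")" "$(fetch_kdc_entry "$2" "$suffix")"; then
        echo "KDC userPassword identical on $1 and $2"
    else
        echo "KDC userPassword differs between $1 and $2, or could not be read"; exit 1
    fi
fi
```

Run with no arguments the script only defines the functions and samples; pass two replica hostnames to perform the live comparison.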