On 1/27/11 12:58 PM, Simo Sorce wrote:
On Wed, 2011-01-26 at 13:59 -0500, James Roman wrote:
So it looks like the replication password issue was a red herring as
far as Kerberos is concerned. I issued the command
"ipa-replica-manage synch ipaserver1.domain.com" from the working ldap
replica and no longer get password expiration errors in the error
logs. However, I still cannot get the krb5kdc process on ipaserver1
to start when it uses the local (ldap://127.0.0.1/) LDAP database. If
I perform an LDAP search of the kdc account using the Directory
Manager account, both kdc entries are identical, so it does not seem
to be the password for the KDC account that is preventing the krb5kdc
service from starting. Could it be the service or host principals?
Should I init from ipaserver2 -> ipaserver1 (Note: ipaserver1 is the
winsync server)?

ipaserver1:
FC 11
ipa-server-1.2.2-2.fc11.i586

ipaserver2:
FC10
ipa-server-1.2.2-1.fc10.i386
I am surprised you get back INVALID CREDENTIALS as an error when the KDC
tries to log in using the data in ldappwd, given it works against the
other server ...

If you search with directory manager the accounts on both servers, do
you get back an identical userPassword field?

Simo.

Yes, when I check, the passwords are also identical.

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users