On 1/27/11 12:58 PM, Simo Sorce wrote:
> On Wed, 2011-01-26 at 13:59 -0500, James Roman wrote:
> > So it looks like the replication password issue was a red herring as
> > far as the kerberos is concerned. I issued the command
> > "ipa-replica-manage synch ipaserver1.domain.com" from the working ldap
> > replica and no longer get password expiration errors in the error
> > logs. However, I still can not get the krb5kdc process on ipaserver1
> > to start when it uses the local (ldap://127.0.0.1/) LDAP database. If
> > I perform an LDAP search of the kdc account using the Directory
> > Manager account, both kdc entries are identical, so it does not seem
> > to be the password for the KDC account that is preventing the krb5kdc
> > service from starting. Could it be the service or host principals?
> > Should I init from ipaserver2 -> ipaserver1 (Note: ipaserver1 is the
>
> I am surprised you get back INVALID CREDENTIALS as an error when the KDC
> tries to log in using the data in ldappwd, given it works against the
> other server ...
> If you search with directory manager the accounts on both servers, do
> you get back an identical userPassword field?
Yes, when I check, the passwords are also identical.