So it looks like the replication password issue was a red herring
as far as the kerberos is concerned. I issued the command
"ipa-replica-manage synch ipaserver1.domain.com" from the working
ldap replica and no longer get password expiration errors in the
error logs. However, I still cannot get the krb5kdc process on
ipaserver1 to start when it uses the local (ldap://
LDAP database. If I perform an LDAP search of the kdc account
using the Directory Manager account, both kdc entries are
identical, so it does not seem to be the password for the KDC
account that is preventing the krb5kdc service from starting.
Could it be the service or host principals? Should I init from
ipaserver2 -> ipaserver1 (Note: ipaserver1 is the winsync server)?

I am surprised you get back INVALID CREDENTIALS as an error when
the KDC tries to log in using the data in ldappwd, given it works
against the other server ...

If you search with directory manager the accounts on both servers,
do you get back an identical userPassword field?


Yes, when I check the passwords are also identical.
Have you ever played with DS password policies by chance?

Can you search explicitly for the passwordExpirationTime on both
uid=kdc accounts and see if it is set by chance?
You need to search explicitly for the attribute as it is not returned
by default.

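As an added example (not part of this thread, and not FreeIPA or 389 DS code), here is a small Python script that does the check suggested above in a repeatable way: it builds the explicit ldapsearch command that names the operational attribute, parses the LDIF each server returns, reports whether the uid=kdc password is expired at a given time, and lists the attributes that differ between the two servers. The DN uid=kdc,cn=sysaccounts,cn=etc,dc=example,dc=com, the bind DN, and the two LDIF samples (including the {SSHA}foo placeholder hash) are assumptions constructed for the example; ipaserver1.domain.com is taken from the thread.

```python
import base64
import shlex
from datetime import datetime, timezone

# Assumed DN of the KDC system account; the real DN depends on your suffix.
KDC_DN = "uid=kdc,cn=sysaccounts,cn=etc,dc=example,dc=com"
DIRMGR_DN = "cn=Directory Manager"
GT_FORMAT = "%Y%m%d%H%M%SZ"  # LDAP GeneralizedTime as 389 DS writes it


def ldapsearch_argv(server_uri, dn=KDC_DN, bind_dn=DIRMGR_DN):
    """Command line for a base-scope search of the account.

    passwordExpirationTime is an operational attribute, so the server only
    returns it when it is named explicitly in the attribute list.
    userPassword is requested too so both replicas can be compared.
    """
    return ["ldapsearch", "-LLL", "-H", server_uri, "-D", bind_dn, "-W",
            "-s", "base", "-b", dn, "passwordExpirationTime", "userPassword"]


def parse_ldif(text):
    """Minimal LDIF parser for one entry: folds continuation lines (leading
    space), skips comments and decodes base64 values (double colon)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]           # continuation of the previous line
        elif raw.strip() and not raw.startswith("#"):
            lines.append(raw)
    entry = {}
    for line in lines:
        attr, _, value = line.partition(":")
        if value.startswith(":"):         # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode()
        else:
            value = value.strip()
        entry.setdefault(attr, []).append(value)
    return entry


def check_expiration(ldif_text, now=None):
    """Report whether the entry's password has expired at `now`, given as a
    GeneralizedTime string (defaults to the current UTC time)."""
    now_dt = (datetime.strptime(now, GT_FORMAT) if now
              else datetime.now(timezone.utc).replace(tzinfo=None))
    entry = parse_ldif(ldif_text)
    dn = entry.get("dn", [None])[0]
    values = entry.get("passwordExpirationTime", [])
    if not values:
        # No expiration time at all: no password policy applies to this entry.
        return {"dn": dn, "expiration": None, "expired": False}
    exp_dt = datetime.strptime(values[0], GT_FORMAT)
    return {"dn": dn, "expiration": values[0], "expired": exp_dt <= now_dt}


def compare_servers(ldif_a, ldif_b,
                    attrs=("userPassword", "passwordExpirationTime")):
    """Return {attr: (values on A, values on B)} for attributes that differ."""
    a, b = parse_ldif(ldif_a), parse_ldif(ldif_b)
    return {attr: (a.get(attr, []), b.get(attr, []))
            for attr in attrs if a.get(attr, []) != b.get(attr, [])}


# Constructed sample output: the server with a policy at the base has stamped
# an (already past) expiration time on the KDC account, the other has not.
# "e1NTSEF9Zm9v" is base64 for the placeholder hash "{SSHA}foo".
SAMPLE_IPASERVER1 = """\
# constructed sample, not real ldapsearch output
dn: uid=kdc,cn=sysaccounts,cn=etc,dc=example,dc=com
userPassword:: e1NTSEF9Zm9v
passwordExpirationTime: 20100101000000Z
"""

SAMPLE_IPASERVER2 = """\
dn: uid=kdc,cn=sysaccounts,cn=etc,dc=example,dc=com
userPassword:: e1NTSEF9Zm9v
"""

if __name__ == "__main__":
    print(shlex.join(ldapsearch_argv("ldap://ipaserver1.domain.com")))
    print(check_expiration(SAMPLE_IPASERVER1, now="20240101000000Z"))
    print(check_expiration(SAMPLE_IPASERVER2, now="20240101000000Z"))
    print(compare_servers(SAMPLE_IPASERVER1, SAMPLE_IPASERVER2))
```

Run the printed ldapsearch command against each replica, feed the two outputs to check_expiration and compare_servers, and the replica whose KDC account carries an expired passwordExpirationTime is the one whose krb5kdc cannot bind. An identical userPassword on both servers with a differing passwordExpirationTime points at password policy rather than at replication of the password itself.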

OK. Now I feel like an idiot. I swear that was the first thing I checked. It seems the password policy on this server was set at the base, instead of cn=users. We have a script that reports on expiring accounts in the cn=accounts branch, but not under cn=etc. I now know what to fix. Thanks.

