On 05/29/2015 07:48 AM, Christoph Kaminski wrote:

I have had a defect entries in ldap for a replica and deleted them. But now the
dirsrv keytab (/etc/dirsrv/ds.keytab) doesnt work anymore (revoked). The
replica starts but it cant connect other replicas (but other replicas can
connect to it).

I have tried:
kinit -k -t /etc/dirsrv/ds.keytab ldap/ipa-1.mgmt.testsystem-homemonitoring.int

and got:
kinit: Clients credentials have been revoked while getting initial credentials

It is possible to 'regenerate' this keytab? If yes how? Simple ipa-getkeytab
(on this replica) doesnt work.

Running ipa-getkeytab on this replica is tricky - as if replication is down and you do this, the old key is revoked and new one is generated - which is not known for the other master as replication is not working and you get in a strange situation.

You can try to log to your active master, do ipa-getkeytab for the broken replica, copy the keytab there, restart DS and then run re-initialize to reload all the data from active master. It may work.

Or it is better to destroy it and do a new install?

That may be even faster for the making that particular replica up and running again, if you do not want to dig too much in this issue.

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to