On 05/29/2015 07:48 AM, Christoph Kaminski wrote:
I have had a defect entries in ldap for a replica and deleted them. But now the
dirsrv keytab (/etc/dirsrv/ds.keytab) doesnt work anymore (revoked). The
replica starts but it cant connect other replicas (but other replicas can
connect to it).
I have tried:
kinit -k -t /etc/dirsrv/ds.keytab ldap/ipa-1.mgmt.testsystem-homemonitoring.int
kinit: Clients credentials have been revoked while getting initial credentials
It is possible to 'regenerate' this keytab? If yes how? Simple ipa-getkeytab
(on this replica) doesnt work.
Running ipa-getkeytab on this replica is tricky - as if replication is down and
you do this, the old key is revoked and new one is generated - which is not
known for the other master as replication is not working and you get in a
You can try to log to your active master, do ipa-getkeytab for the broken
replica, copy the keytab there, restart DS and then run re-initialize to reload
all the data from active master. It may work.
Or it is better to destroy it and do a new install?
That may be even faster for the making that particular replica up and running
again, if you do not want to dig too much in this issue.
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project