On 05/29/2015 07:48 AM, Christoph Kaminski wrote:
> Hi
> I had defective entries in LDAP for a replica and deleted them. But now the
> dirsrv keytab (/etc/dirsrv/ds.keytab) doesn't work anymore (revoked). The
> replica starts but it can't connect to other replicas (but other replicas can
> connect to it).
> I have tried:
> kinit -k -t /etc/dirsrv/ds.keytab ldap/ipa-1.mgmt.testsystem-homemonitoring.int
> and got:
> kinit: Clients credentials have been revoked while getting initial credentials
> Is it possible to 'regenerate' this keytab? If yes, how? Simple ipa-getkeytab
> (on this replica) doesn't work.
Running ipa-getkeytab on this replica is tricky: if replication is down and
you do this, the old key is revoked and a new one is generated, which is not
known to the other master as replication is not working, and you get into a
strange situation.
You can try to log in to your active master, do ipa-getkeytab for the broken
replica, copy the keytab there, restart DS and then run re-initialize to reload
all the data from the active master. It may work.
> Or is it better to destroy it and do a new install?
That may be even faster for getting that particular replica up and running
again, if you do not want to dig too much into this issue.
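The recovery path suggested in the reply (fetch a fresh key on the healthy master, copy it to the broken replica, restart DS, then re-initialize the replica from the master), written up as a shell script. This is an added example, not code from the thread or from the FreeIPA project; the hostnames MASTER and REPLICA and the realm EXAMPLE.TEST are placeholders, and the script runs in dry-run mode by default so it only prints the commands it would execute. The kinit check reuses the exact error text the poster saw, so the script can tell a revoked key from other failures before it touches anything.

```shell
#!/bin/sh
# Added example, not from the thread or from FreeIPA: walks the recovery path the
# reply describes. MASTER, REPLICA and REALM are placeholder values (assumptions).
MASTER="${MASTER:-ipa-master.example.test}"    # healthy master (assumed name)
REPLICA="${REPLICA:-ipa-replica.example.test}" # replica whose ds.keytab is revoked
REALM="${REALM:-EXAMPLE.TEST}"                 # Kerberos realm (assumed)
KEYTAB=/etc/dirsrv/ds.keytab                   # keytab path quoted in the thread
DRY_RUN="${DRY_RUN:-1}"                        # 1 = print commands, 0 = execute

# Run a command, or just print it in dry-run mode.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '+ %s\n' "$*"; else "$@"; fi
}

# Map kinit's error text to a short status so callers can branch on it.
classify_kinit_error() {
    case "$1" in
        "") echo ok ;;
        *"credentials have been revoked"*) echo revoked ;;
        *"Key table"*) echo keytab-unusable ;;
        *) echo other ;;
    esac
}

# Check the keytab the way the poster did: kinit with the LDAP service principal.
# Always runs for real, since it only reads the keytab and changes nothing.
check_keytab() {
    err=$(kinit -k -t "$KEYTAB" "ldap/$REPLICA@$REALM" 2>&1 >/dev/null) || true
    classify_kinit_error "$err"
}

# Command to run ON THE MASTER: issue a fresh key for the replica's LDAP principal.
# As the reply notes, this revokes the old key, so it must be the master that
# does it while replication from the master is the only working direction.
getkeytab_cmd() {
    printf 'ipa-getkeytab -s %s -p ldap/%s@%s -k /tmp/ds.keytab.%s\n' \
        "$MASTER" "$REPLICA" "$REALM" "$REPLICA"
}

# The 389-ds instance name in an IPA install is the realm with dots turned into dashes.
dirsrv_instance() {
    printf '%s\n' "$REALM" | tr '.' '-'
}

# The recovery sequence; meant to be run on REPLICA with root ssh access to MASTER.
recover_replica_keytab() {
    if [ "$DRY_RUN" != 1 ]; then
        status=$(check_keytab)
        echo "keytab status before recovery: $status"
        [ "$status" = revoked ] || { echo "nothing to do ($status)"; return 0; }
    fi
    run ssh "root@$MASTER" "$(getkeytab_cmd)"
    run scp "root@$MASTER:/tmp/ds.keytab.$REPLICA" "$KEYTAB"
    run chown dirsrv:dirsrv "$KEYTAB"
    run chmod 600 "$KEYTAB"
    run systemctl restart "dirsrv@$(dirsrv_instance)"
    run ipa-replica-manage re-initialize --from "$MASTER"
    # Verify afterwards with the same kinit check the poster used.
    [ "$DRY_RUN" = 1 ] || check_keytab
}

recover_replica_keytab
```

Run it once with the default DRY_RUN=1 to review the plan, then with DRY_RUN=0 on the replica. Because the master is the side that issues the new key, the master's copy of the principal and the replica's keytab agree again as soon as the file is copied, and the re-initialize afterwards brings the replica's data back in line with the master.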
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project