On 29.5.2015 10:06, Martin Kosek wrote:
> On 05/29/2015 07:48 AM, Christoph Kaminski wrote:
>> Hi
>>
>> I have had defect entries in LDAP for a replica and deleted them. But now the
>> dirsrv keytab (/etc/dirsrv/ds.keytab) doesn't work anymore (revoked). The
>> replica starts but it can't connect to other replicas (but other replicas can
>> connect to it).
>>
>> I have tried:
>> kinit -k -t /etc/dirsrv/ds.keytab ldap/ipa-1.mgmt.testsystem-homemonitoring.int
>>
>> and got:
>> kinit: Clients credentials have been revoked while getting initial credentials
>>
>> Is it possible to 'regenerate' this keytab? If yes, how? A simple ipa-getkeytab
>> (on this replica) doesn't work.
> 
> Running ipa-getkeytab on this replica is tricky - if replication is down
> and you do this, the old key is revoked and a new one is generated - which is
> not known to the other master as replication is not working, and you get into a
> strange situation.
> 
> You can try to log in to your active master, do ipa-getkeytab for the broken
> replica, copy the keytab there, restart DS and then run re-initialize to
> reload all the data from the active master. It may work.
> 
>> Or it is better to destroy it and do a new install?
> 
> That may be even faster for getting that particular replica up and running
> again, if you do not want to dig too much into this issue.

It might happen that the keytab is actually valid but the principal is just locked
out. In that case, the following LDIF should fix the problem:

dn: krbprincipalname=ldap/ipa-1.mgmt.testsystem-homemonitoring.int@<REALM>,cn=services,cn=accounts,<yoursuffix>
changetype: modify
delete: krbLoginFailedCount
-
delete: krbLastFailedAuth
-

You need to run ldapmodify with Directory Manager's credentials.

I hope this helps.

-- 
Petr^2 Spacek

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
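As an added example (not from the thread or from FreeIPA itself), this checks the lockout counters Petr mentions before applying his fix: it parses the LDIF an ldapsearch for the service principal would return (unfolding continuation lines, which is where the wrapped `dn:` in the mail goes wrong), reports krbLoginFailedCount / krbLastFailedAuth, and builds the modify LDIF with a delete clause only for the attributes actually present, since `delete:` of an absent attribute makes ldapmodify fail. The sample entry, realm EXAMPLE.TEST and suffix dc=example,dc=test are constructed placeholders.

```python
from typing import Dict, List, Optional

# Constructed sample output, as if from:
#   ldapsearch -LLL -D "cn=Directory Manager" -W -b cn=services,cn=accounts,dc=example,dc=test \
#     '(krbprincipalname=ldap/ipa-1.mgmt.testsystem-homemonitoring.int@EXAMPLE.TEST)' \
#     krbPrincipalName krbLoginFailedCount krbLastFailedAuth
# Note the folded dn: a line starting with a single space continues the previous line.
SAMPLE_LDIF = """\
dn: krbprincipalname=ldap/ipa-1.mgmt.testsystem-homemonitoring.int@EXAMPLE.TEST,cn=services,
 cn=accounts,dc=example,dc=test
krbPrincipalName: ldap/ipa-1.mgmt.testsystem-homemonitoring.int@EXAMPLE.TEST
krbLoginFailedCount: 6
krbLastFailedAuth: 20150529054601Z
"""

def parse_ldif_entry(text: str) -> Dict[str, List[str]]:
    """Parse a single LDIF entry into {attribute (lowercased): [values]}.
    Handles RFC 2849 line folding; base64 ('::') values are not expected for these attributes."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]            # continuation of the previous line
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    entry: Dict[str, List[str]] = {}
    for line in lines:
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry

def lockout_status(entry: Dict[str, List[str]]) -> Dict[str, Optional[object]]:
    """Summarise the lockout counters for the principal; a non-zero failed count
    together with 'credentials have been revoked' from kinit points at a lockout, not a bad keytab."""
    count = int(entry.get("krbloginfailedcount", ["0"])[0])
    return {"dn": entry["dn"][0], "failed_count": count,
            "last_failed": entry.get("krblastfailedauth", [None])[0]}

def unlock_ldif(entry: Dict[str, List[str]]) -> str:
    """Build the ldapmodify input that clears the counters. The dn is emitted on one line;
    only attributes present in the entry get a delete clause."""
    out = [f"dn: {entry['dn'][0]}", "changetype: modify"]
    for attr in ("krbLoginFailedCount", "krbLastFailedAuth"):
        if attr.lower() in entry:
            out += [f"delete: {attr}", "-"]
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    parsed = parse_ldif_entry(SAMPLE_LDIF)
    print(lockout_status(parsed))
    print(unlock_ldif(parsed), end="")   # feed this to: ldapmodify -D "cn=Directory Manager" -W
```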