Thanks for the suggestion.

yes I tried the -r option but could not get it to work. Permission denied even 
as admin.
In the design paper it looks like this is not yet implemented for user 
I ended up retrieving the required keytab entry and put it in a configuration 
channel in satellite. That makes it easy to distribute.

I haven’t located he replication problem yet, but did a "ipa-replica-manage 
re-initialize". That got the kvno to same level. Havent had the courage to 
retrieve the keytab to test the replication yet. Will do that in a different 
environment shortly.

Bjarne Blichfeldt.

-----Original Message-----
From: Lukas Slebodnik [] 
Sent: 22. november 2016 10:25
To: Bjarne Blichfeldt <>
Subject: Re: [Freeipa-users] keytab kvno differs between ipa servers

On (21/11/16 13:54), Bjarne Blichfeldt wrote:
>ok Thanks
>I will try to debug that.  No errors in the logs, the ldapsearch from your 
>link works fine..
>ok work ahead...
>Bjarne Blichfeldt
man 1 ipa-getkeytab says:
       WARNING: retrieving the keytab resets the secret for the Kerberos prin‐
       cipal.  This renders all other keytabs for that principal invalid.

and also there is an option:
       -r     Retrieve  mode. Retrieve an existing key from the server instead
              of generating a new one. This is incompatibile with the  --pass‐
              word  option,  and  will work only against a FreeIPA server more
              recent than version 3.3. The user  requesting  the  keytab  must
              have access to the keys for this operation to succeed.



Manage your subscription for the Freeipa-users mailing list:
Go to for more info on the project

Reply via email to