Thanks for the suggestion. yes I tried the -r option but could not get it to work. Permission denied even as admin. In the design paper it looks like this is not yet implemented for user principals. I ended up retrieving the required keytab entry and put it in a configuration channel in satellite. That makes it easy to distribute.
I haven’t located he replication problem yet, but did a "ipa-replica-manage re-initialize". That got the kvno to same level. Havent had the courage to retrieve the keytab to test the replication yet. Will do that in a different environment shortly. Regards Bjarne Blichfeldt. -----Original Message----- From: Lukas Slebodnik [mailto:lsleb...@redhat.com] Sent: 22. november 2016 10:25 To: Bjarne Blichfeldt <b...@jndata.dk> Cc: email@example.com Subject: Re: [Freeipa-users] keytab kvno differs between ipa servers On (21/11/16 13:54), Bjarne Blichfeldt wrote: >ok Thanks > >I will try to debug that. No errors in the logs, the ldapsearch from your >link works fine.. >ok work ahead... > >Regards > >Bjarne Blichfeldt > man 1 ipa-getkeytab says: WARNING: retrieving the keytab resets the secret for the Kerberos prin‐ cipal. This renders all other keytabs for that principal invalid. and also there is an option: -r Retrieve mode. Retrieve an existing key from the server instead of generating a new one. This is incompatibile with the --pass‐ word option, and will work only against a FreeIPA server more recent than version 3.3. The user requesting the keytab must have access to the keys for this operation to succeed. HTH LS -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project