Thanks for the suggestion.
Yes, I tried the -r option but could not get it to work. Permission denied even
In the design paper it looks like this is not yet implemented for user
I ended up retrieving the required keytab entry and putting it in a configuration
channel in satellite. That makes it easy to distribute.
I haven’t located the replication problem yet, but did an "ipa-replica-manage
re-initialize". That got the kvno to the same level. Haven’t had the courage to
retrieve the keytab to test the replication yet. Will do that in a different
From: Lukas Slebodnik [mailto:lsleb...@redhat.com]
Sent: 22. november 2016 10:25
To: Bjarne Blichfeldt <b...@jndata.dk>
Subject: Re: [Freeipa-users] keytab kvno differs between ipa servers
On (21/11/16 13:54), Bjarne Blichfeldt wrote:
>I will try to debug that. No errors in the logs, the ldapsearch from your
>link works fine..
>ok work ahead...
man 1 ipa-getkeytab says:
    WARNING: retrieving the keytab resets the secret for the Kerberos
    principal. This renders all other keytabs for that principal invalid.
and also there is an option:
    -r  Retrieve mode. Retrieve an existing key from the server instead
        of generating a new one. This is incompatible with the --password
        option, and will work only against a FreeIPA server more
        recent than version 3.3. The user requesting the keytab must
        have access to the keys for this operation to succeed.