These are the mappings from the Master... they look very different from the replica.

# ldapsearch -x -D 'cn=Directory Manager' -W -b cn=mapping,cn=sasl,cn=config
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=mapping,cn=sasl,cn=config> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# mapping, sasl, config
dn: cn=mapping,cn=sasl,cn=config
objectClass: top
objectClass: nsContainer
cn: mapping

# Full Principal, mapping, sasl, config
dn: cn=Full Principal,cn=mapping,cn=sasl,cn=config
objectClass: top
objectClass: nsSaslMapping
nsSaslMapRegexString: \(.*\)@\(.*\)
cn: Full Principal
nsSaslMapBaseDNTemplate: dc=itmodev,dc=gov
nsSaslMapFilterTemplate: (krbPrincipalName=\1@\2)

# Name Only, mapping, sasl, config
dn: cn=Name Only,cn=mapping,cn=sasl,cn=config
objectClass: top
objectClass: nsSaslMapping
nsSaslMapRegexString: ^[^:@]+$
cn: Name Only
nsSaslMapBaseDNTemplate: dc=itmodev,dc=gov
nsSaslMapFilterTemplate: (krbPrincipalName=&@ITMODEV.GOV)

# search result
search: 2
result: 0 Success

# numResponses: 4
# numEntries: 3

-----Original Message-----
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: Tuesday, November 10, 2015 1:26 PM
To: Gronde, Christopher (Contractor) <christopher.gro...@fincen.gov>; Rich Megginson <rmegg...@redhat.com>; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] krb5kdc will not start (kerberos authentication error)

Gronde, Christopher (Contractor) wrote:
> Is it possible to delete the mapping and try it and if it doesn't work or
> breaks something else add it back? How would I go about deleting this
> mapping? Or adding the mapping for principal name in the right order?
>

So what I'd do is this:

Do the same cn=mapping ldapsearch on the working master to see what the differences are. Determine if this is an ordering problem or if there is just extra gunk on this non-working master.

And compare the versions of 389-ds: rpm -q 389-ds-base. They should be the same. If not then maybe one supports the new ordering and one doesn't.

Then:

1. Stop dirsrv
2. cp dse.ldif dse.ldif.mappings
3. edit dse.ldif to match your findings. Either re-order the entries or remove ones you don't need (or both).
4. Start dirsrv
5. Start krb5kdc

Step 1 is super important because 389-ds writes dse.ldif on shutdown, so all changes made while the service is running will be lost.

You can also do this via ldapmodify, but it is far easier and less error prone to use your favorite editor in this case.

rob

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
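Rob's first step is to pull the cn=mapping subtree from both servers and decide whether the problem is entry order or leftover entries. The Python below is an added example, not code from this thread, from 389-ds or from FreeIPA: it parses the nsSaslMapping entries out of ldapsearch (or dse.ldif) text, shows which mapping a given identity would resolve through and with what base DN and filter, and diffs two servers' mapping lists by order, one-sided entries and changed attributes. It assumes, from the entries quoted on the page rather than from the 389-ds source, that `\(` and `\)` in nsSaslMapRegexString are grouping parentheses and that `&` and `\1`/`\2` in the templates stand for the whole match and the numbered groups. The master LDIF is re-typed from the message; the replica list and its "Stale Mapping" entry are constructed for illustration.

```python
import re
from typing import Dict, List, Optional, Tuple

Entry = Dict[str, List[str]]
MAPPING_ATTRS = ("nsSaslMapRegexString", "nsSaslMapBaseDNTemplate", "nsSaslMapFilterTemplate")

# Constructed sample: the two nsSaslMapping entries from the master's
# cn=mapping,cn=sasl,cn=config subtree as shown in the thread, re-typed as LDIF.
MASTER_LDIF = r"""
dn: cn=Full Principal,cn=mapping,cn=sasl,cn=config
objectClass: top
objectClass: nsSaslMapping
nsSaslMapRegexString: \(.*\)@\(.*\)
cn: Full Principal
nsSaslMapBaseDNTemplate: dc=itmodev,dc=gov
nsSaslMapFilterTemplate: (krbPrincipalName=\1@\2)

dn: cn=Name Only,cn=mapping,cn=sasl,cn=config
objectClass: top
objectClass: nsSaslMapping
nsSaslMapRegexString: ^[^:@]+$
cn: Name Only
nsSaslMapBaseDNTemplate: dc=itmodev,dc=gov
nsSaslMapFilterTemplate: (krbPrincipalName=&@ITMODEV.GOV)
"""


def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF reader: '#' comments skipped, a blank line ends an entry,
    repeated attributes become lists. No base64 ('::') values or folded lines."""
    entries: List[Entry] = []
    cur: Entry = {}
    for line in text.splitlines():
        if line.startswith("#"):
            continue
        if not line.strip():
            if cur:
                entries.append(cur)
                cur = {}
            continue
        attr, _, value = line.partition(":")
        cur.setdefault(attr.strip(), []).append(value.strip())
    return entries + ([cur] if cur else [])


def sasl_mappings(entries: List[Entry]) -> List[Entry]:
    """Only nsSaslMapping entries, in the order the server returned them."""
    return [e for e in entries if "nsSaslMapping" in e.get("objectClass", [])]


def apply_mapping(mapping: Entry, principal: str) -> Optional[Tuple[str, str]]:
    r"""Evaluate one mapping. Assumed from the page's entries, not from 389-ds source:
    '\(' and '\)' are group parentheses (the template's '\1@\2' needs groups), and in
    templates '&' is the whole match and '\N' is group N. Returns (base DN, filter)."""
    pattern = mapping["nsSaslMapRegexString"][0].replace(r"\(", "(").replace(r"\)", ")")
    m = re.search(pattern, principal)
    if not m:
        return None

    def expand(template: str) -> str:
        return re.sub(r"&|\\(\d)",
                      lambda g: m.group(0) if g.group(0) == "&" else m.group(int(g.group(1))),
                      template)

    return expand(mapping["nsSaslMapBaseDNTemplate"][0]), expand(mapping["nsSaslMapFilterTemplate"][0])


def resolve(mappings: List[Entry], principal: str) -> List[Tuple[str, str, str]]:
    """All matching mappings as (cn, base DN, filter), in entry order; more than
    one hit means the outcome depends on which entry the server tries first."""
    hits = []
    for mp in mappings:
        r = apply_mapping(mp, principal)
        if r:
            hits.append((mp["cn"][0], r[0], r[1]))
    return hits


def diff_mappings(a: List[Entry], b: List[Entry]) -> Dict[str, object]:
    """Compare two mapping lists (master vs. replica) by cn: entry order,
    entries present on only one side, and attribute values that differ."""
    by_a = {e["cn"][0]: e for e in a}
    by_b = {e["cn"][0]: e for e in b}
    changed: Dict[str, Dict[str, tuple]] = {}
    for cn in by_a.keys() & by_b.keys():
        for attr in MAPPING_ATTRS:
            if by_a[cn].get(attr) != by_b[cn].get(attr):
                changed.setdefault(cn, {})[attr] = (by_a[cn].get(attr), by_b[cn].get(attr))
    return {"order_same": list(by_a) == list(by_b),
            "only_in_a": sorted(by_a.keys() - by_b.keys()),
            "only_in_b": sorted(by_b.keys() - by_a.keys()),
            "changed": changed}


def constructed_replica() -> List[Entry]:
    """Constructed for illustration: the same two mappings in reverse order plus a
    leftover entry that points at a different suffix."""
    stale: Entry = {"dn": ["cn=Stale Mapping,cn=mapping,cn=sasl,cn=config"],
                    "objectClass": ["top", "nsSaslMapping"], "cn": ["Stale Mapping"],
                    "nsSaslMapRegexString": [r"\(.*\)@\(.*\)"],
                    "nsSaslMapBaseDNTemplate": ["dc=example,dc=test"],
                    "nsSaslMapFilterTemplate": [r"(uid=\1)"]}
    return [stale] + list(reversed(sasl_mappings(parse_ldif(MASTER_LDIF))))


if __name__ == "__main__":
    master = sasl_mappings(parse_ldif(MASTER_LDIF))
    for ident in ("admin@ITMODEV.GOV", "admin"):
        print(ident, "->", resolve(master, ident))
    print(diff_mappings(master, constructed_replica()))
```

Paste each server's subtree (or the matching entries copied out of its dse.ldif) into the two inputs and run `diff_mappings` on them: an entry that shows up under `only_in_b` is the "extra gunk" to remove in step 3, and a principal for which `resolve` returns more than one hit is exactly the case where entry order decides which base DN and filter the bind ends up using.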