OK, thanks, I will try to debug that. No errors in the logs, the ldapsearch from your link works fine... OK, work ahead...

Regards
Bjarne Blichfeldt

-----Original Message-----
From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Petr Spacek
Sent: 21. november 2016 13:43
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] keytab kvno differs between ipa servers

On 21.11.2016 13:29, Bjarne Blichfeldt wrote:
> IPA: VERSION: 4.4.0, API_VERSION: 2.213
>
> This may be for lack of understanding the process, but..
>
> When I retrieve a keytab for a principal using ipa-getkeytab, the kvno is
> increased on the idm.
> In our test environment we have two ipa servers running and the kvno is only
> increased on one of them. After several retrievals, one principal's kvno is now
> on 5 on ipa1 and 18 on ipa2.
>
> That means the resulting keytab is only usable on one ipa server and results
> in a "password expired" message from the other ipa server.
>
> How do I synchronize the two Kerberos servers and how do I avoid this?

This might be caused by broken replication between your IPA servers:
http://www.freeipa.org/page/Troubleshooting#Replication_issues

--
Petr^2 Spacek

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project