I think I was not clear in my original post. Let me clarify.
I have a master KDC running Heimdal 7.1. In its database is a principal
called "fprefect" which, as far as I can tell, acts like a normal
principal. I can do "get fprefect" and the output looks normal. If I
point to this master and do a "kinit fprefect" I get a TGT.
However, if I bring up a new slave KDC (no database, no transaction log)
that points to this master, the KDC _appears_ to get the entire database
from the master, except that the principal "fprefect" is missing. This
happens if the slave KDC runs 7.1 or if it runs 1.5.2. (There are some
strange messages in the iprop log on the 1.5.2 slave; see my original
e-mail for details.)
I don't know how this principal got into this strange state on the
master, and I don't know how to replicate this issue.
It makes me think that the database on the master is corrupted in some
subtle way.
I am hoping that someone can tell me some way to query or examine the
database on the master to get some information that might throw some
light on why this particular principal behaves this way.
Adam Lewenberg
On 6/15/2018 3:29 PM, Adam Lewenberg wrote:
On 6/15/2018 3:04 PM, Viktor Dukhovni wrote:
On Jun 15, 2018, at 5:31 PM, Adam Lewenberg <ada...@stanford.edu> wrote:
PROBLEM: Some of the principals will not replicate.
Well updates to the principal are not replicating...
If I go on the master and change the password of one of these
problematic principals, I
see this in the replica's logs:
That's a "modify" not a "create" and modify requires the object
to already be there. The iprop log is "sparse", recording only
the modified data when doing "modify", so the principal can't
be created just from the latest "modify" record.
QUESTION: What could be a reason for this principal not to replicate?
You need to stop the slaves, blow away their database and logs,
and replicate the full database from scratch.
I did this. On three different slaves. The problematic principals do not
appear in the slave's database. To be clear: even after initial
replication (starting from nothing on the slave) some of the principal's
do not appear in the slave's database.
This (or something much like it) appears in the initial replication on
three separate 1.5.2 slaves:
2018-06-15T17:45:12 ipropd-slave started at version: 0
2018-06-15T17:45:12 receive complete database
2018-06-15T17:45:47 receive complete database, version 114134
2018-06-15T17:46:44 replaying entry 114135
2018-06-15T17:46:44 replaying entry 114136
2018-06-15T17:46:44 replaying entry 114137
2018-06-15T17:46:44 replaying entry 114138
... many lines like this until ...
2018-06-15T17:46:45 replaying entry 131686
2018-06-15T17:46:45 replaying entry 131687
2018-06-15T17:46:45 replaying entry 131688
2018-06-15T17:46:45 replaying entry 131689
2018-06-15T17:46:45 Ignoring command 8
2018-06-15T17:50:03 replaying entry 131690
2018-06-15T17:50:03 Ignoring command 8
2018-06-15T17:50:03 replaying entry 131691
2018-06-15T17:50:03 Ignoring command 8
2018-06-15T17:50:03 replaying entry 131692
2018-06-15T17:50:03 Ignoring command 8
2018-06-15T17:51:03 replaying entry 131693
2018-06-15T17:51:03 Ignoring command 8
2018-06-15T17:56:52 replaying entry 131694
2018-06-15T17:56:52 Ignoring command 8
2018-06-15T18:00:03 replaying entry 131695
2018-06-15T18:00:03 Ignoring command 8
... more lines much like until ...
2018-06-15T20:16:57 Ignoring command 8
2018-06-15T20:18:53 replaying entry 131814
2018-06-15T20:18:53 kadm5_log_replay: 131814. Lost entry entry, Database
out of sync ?: No such entry in the database (36150275)
2018-06-15T20:18:53 Ignoring command 8
2018-06-15T20:19:23 Ignoring command 8
2018-06-15T20:20:02 replaying entry 131815
