[Freeipa-users] Unable to start the krb5kdc

James Roman james.roman at ssaihq.com
Fri Jan 28 00:20:02 UTC 2011


On 1/27/11 12:58 PM, Simo Sorce wrote:
> On Wed, 2011-01-26 at 13:59 -0500, James Roman wrote:
>> So it looks like the replication password issue was a red herring as
>> far as the kerberos is concerned. I issued the command
>> "ipa-replica-manage synch ipaserver1.domain.com" from the working ldap
>> replica and no longer get password expiration errors in the error
>> logs. However, I still cannot get the krb5kdc process on ipaserver1
>> to start when it uses the local (ldap://127.0.0.1/) LDAP database. If
>> I perform an LDAP search of the kdc account using the Directory
>> Manager account, both kdc entries are identical, so it does not seem
>> to be the password for the KDC account that is preventing the krb5kdc
>> service from starting. Could it be the service or host principals?
>> Should I init from ipaserver2 -> ipaserver1 (Note: ipaserver1 is the
>> winsync server)?
>>
>> ipaserver1:
>> FC 11
>> ipa-server-1.2.2-2.fc11.i586
>>
>> ipaserver2:
>> FC10
>> ipa-server-1.2.2-1.fc10.i386
> I am surprised you get back INVALID CREDENTIALS as an error when the KDC
> tries to log in using the data in ldappwd, given it works against the
> other server ...
>
> If you search with directory manager the accounts on both servers, do
> you get back an identical userPassword field?
>
> Simo.
>
Yes, when I check, the passwords are also identical.
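
The userPassword comparison discussed above, as an added example that is not part of the original thread: LDIF output can carry the same value as plain text or as folded base64 (`userPassword::`) depending on the client and its wrap settings, so this Python sketch decodes both forms before comparing. The DN, the hash string and the function names are constructed placeholders, not values from the poster's servers.

```python
import base64
import hmac

def ldif_values(ldif_text, attr):
    """Return the raw byte values of `attr` from one LDIF entry."""
    # RFC 2849 folding: a line starting with one space continues the previous line.
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    values = []
    for line in lines:
        name, sep, rest = line.partition(":")
        if not sep or name.lower() != attr.lower():
            continue
        if rest.startswith(":"):   # "attr:: <base64>"
            values.append(base64.b64decode(rest[1:].strip()))
        else:                      # "attr: <text>"
            values.append(rest.lstrip(" ").encode("utf-8"))
    return values

def same_password_values(ldif_a, ldif_b, attr="userPassword"):
    """True only if both entries hold the same set of decoded values."""
    a = sorted(ldif_values(ldif_a, attr))
    b = sorted(ldif_values(ldif_b, attr))
    if not a or not b:
        # An absent attribute is not a match: the bind identity may simply
        # lack read access to it, so treat this as "could not compare".
        raise ValueError(f"{attr} missing from one of the entries")
    return len(a) == len(b) and all(
        hmac.compare_digest(x, y) for x, y in zip(a, b))

# Constructed sample data: placeholder DN and a made-up hash string.
SAMPLE_HASH = b"{SSHA}Q09OU1RSVUNURUQtU0FNUExFLU5PVC1BLVJFQUwtSEFTSA=="
B64_LINE = "userPassword:: " + base64.b64encode(SAMPLE_HASH).decode()
# Server 1 output: base64 form, folded at column 76.
SERVER1 = ("dn: uid=kdc,dc=example,dc=com\n"
           + B64_LINE[:76] + "\n " + B64_LINE[76:] + "\n")
# Server 2 output: same value printed as plain text on one line.
SERVER2 = ("dn: uid=kdc,dc=example,dc=com\n"
           "userPassword: " + SAMPLE_HASH.decode() + "\n")
# A replica whose stored hash differs in a single character.
SERVER2_STALE = SERVER2.replace("Q09O", "Q09P")

if __name__ == "__main__":
    print("identical:", same_password_values(SERVER1, SERVER2))
    print("stale replica identical:", same_password_values(SERVER1, SERVER2_STALE))
```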



