[Freeipa-users] Unable to start the krb5kdc

Simo Sorce ssorce at redhat.com
Fri Jan 28 13:28:03 UTC 2011


On Thu, 27 Jan 2011 19:20:02 -0500
James Roman <james.roman at ssaihq.com> wrote:

> On 1/27/11 12:58 PM, Simo Sorce wrote:
> > On Wed, 2011-01-26 at 13:59 -0500, James Roman wrote:
> >> So it looks like the replication password issue was a red herring
> >> as far as the kerberos is concerned. I issued the command
> >> "ipa-replica-manage synch ipaserver1.domain.com" from the working
> >> ldap replica and no longer get password expiration errors in the
> >> error logs. However, I still can not get the krb5kdc process on
> >> ipaserver1 to start when it uses the local (ldap://127.0.0.1/)
> >> LDAP database. If I perform an LDAP search of the kdc account
> >> using the Directory Manager account, both kdc entries are
> >> identical, so it does not seem to be the password for the KDC
> >> account that is preventing the krb5kdc service from starting.
> >> Could it be the service or host principals? Should I init from
> >> ipaserver2 ->  ipaserver1 (Note: ipaserver1 is the winsync server)?
> >>
> >> ipaserver1:
> >> FC 11
> >> ipa-server-1.2.2-2.fc11.i586
> >>
> >> ipaserver2:
> >> FC10
> >> ipa-server-1.2.2-1.fc10.i386
> > I am surprised you get back INVALID CREDENTIALS as an error when
> > the KDC tries to log in using the data in ldappwd, given it works
> > against the other server ...
> >
> > If you search with directory manager the accounts on both servers,
> > do you get back an identical userPassword field ?
> >
> > Simo.
> >
> Yes, when I check the passwords are also identical.

Odd.
Have you ever played with DS password policies by chance ?

Can you search explicitly for the passwordExpirationTime on both
uid=kdc accounts and see if it is set by chance ?
You need to search explicitly for the attribute as it is not returned
by default.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
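As an added illustration of the check Simo asks for (this is not code from the thread or from FreeIPA itself): the query below requests the operational attribute passwordExpirationTime by name, since 389 DS does not return it unless explicitly listed, and the helper functions classify whatever comes back. The base DN dc=domain,dc=com is an assumption derived from the hostnames in the thread, the bind as cn=Directory Manager follows the thread, and the LDIF samples for the two servers are constructed here so the script runs offline.

```shell
#!/bin/sh
# Added example, not part of the mailing-list thread.
# Classify the passwordExpirationTime of the uid=kdc account on each DS
# replica, as returned by an explicit ldapsearch for that attribute.

# Real query against a live replica (not executed here; needs network and
# the Directory Manager password). Base DN is an assumption for this site.
query_kdc_expiration() {
    ldapsearch -x -LLL -H "ldap://$1/" -D "cn=Directory Manager" -W \
        -b "dc=domain,dc=com" '(uid=kdc)' passwordExpirationTime
}

# Extract the first passwordExpirationTime value from LDIF on stdin.
# Prints nothing when the attribute is absent (i.e. not set).
ldif_expiration_time() {
    sed -n 's/^passwordExpirationTime: *//p' | head -n 1
}

# Classify a GeneralizedTime value (YYYYMMDDHHMMSSZ) against the current
# UTC time. Stripping the trailing Z leaves a 14-digit integer, so a plain
# numeric comparison orders the timestamps correctly.
classify_expiration() {
    value=$1
    now=$(date -u +%Y%m%d%H%M%SZ)
    case "$value" in
        "")               echo "unset" ;;
        # 389 DS uses the epoch to mark "password must be reset".
        19700101000000Z)  echo "reset-required" ;;
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]Z)
            if [ "${value%Z}" -lt "${now%Z}" ]; then
                echo "expired"
            else
                echo "valid"
            fi ;;
        *)                echo "unparseable" ;;
    esac
}

# Run the classification over LDIF text passed as the first argument.
check_kdc_account() {
    v=$(printf '%s\n' "$1" | ldif_expiration_time)
    classify_expiration "$v"
}

# Constructed sample output for the two replicas in the thread: ipaserver1
# carries an expiration in the past, ipaserver2 has the attribute unset.
SERVER1_LDIF='dn: uid=kdc,cn=sysaccounts,cn=etc,dc=domain,dc=com
passwordExpirationTime: 20110115000000Z'
SERVER2_LDIF='dn: uid=kdc,cn=sysaccounts,cn=etc,dc=domain,dc=com'

echo "ipaserver1: $(check_kdc_account "$SERVER1_LDIF")"
echo "ipaserver2: $(check_kdc_account "$SERVER2_LDIF")"
```

A result of "expired" or "reset-required" on only one replica is exactly the kind of divergence that would let the KDC bind succeed against one server and fail with INVALID CREDENTIALS against the other even though the userPassword values match.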