[Freeipa-users] krb5kdc will not start (kerberos authentication error)

Rob Crittenden rcritten at redhat.com
Tue Nov 10 18:25:49 UTC 2015


Gronde, Christopher (Contractor) wrote:
> Is it possible to delete the mapping and try it and if it doesn't work or breaks something else add it back?  How would I go about deleting this mapping?  Or adding the mapping for principal name in the right order?
> 

So what I'd do is this:

Do the same cn=mapping ldapsearch on the working master to see what the
differences are. Determine if this is an ordering problem or if there is
just extra gunk on this non-working master.

And compare the versions of 389-ds: rpm -q 389-ds-base. They should be
the same. If not then maybe one supports the new ordering and one doesn't.

Then:

1. Stop dirsrv
2. cp dse.ldif dse.ldif.mappings
3. edit dse.ldif to match your findings. Either re-order the entries or
remove ones you don't need (or both).
4. Start dirsrv
5. Start krb5kdc

Step 1 is super important because 389-ds writes dse.ldif on shutdown so
all changes made while the service is running will be lost.

You can also do this via ldapmodify but it is far easier and less error
prone to use your favorite editor in this case.

rob
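
Added example, not part of Rob's message and not FreeIPA or 389-ds code: one way to do the comparison he describes, given the mapping entries from each master saved as LDIF. It assumes the mappings are the entries under cn=mapping,cn=sasl,cn=config that carry nsSaslMapRegexString; the function names and the sample entries are made up for illustration.

```python
import base64

def parse_mappings(ldif_text):
    """Return [(cn, attrs)] for SASL mapping entries, in the order they appear."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:   # LDIF folding: continues previous line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):           # "attr:: <base64 value>"
            value = base64.b64decode(value[1:].strip()).decode()
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            entries.append({})              # every dn: line starts a new entry
        elif entries:
            entries[-1].setdefault(attr, []).append(value)
    # The cn=mapping container entry has no regex attribute, so it drops out here.
    return [(e["cn"][0], e) for e in entries if "nssaslmapregexstring" in e]

def compare_mappings(working_ldif, broken_ldif):
    """Report how the non-working master's mappings differ from the working one."""
    good, bad = parse_mappings(working_ldif), parse_mappings(broken_ldif)
    good_names, bad_names = [n for n, _ in good], [n for n, _ in bad]
    shared_good = [n for n in good_names if n in bad_names]
    shared_bad = [n for n in bad_names if n in good_names]
    rules = lambda e: {k: v for k, v in e.items() if k.startswith("nssaslmap")}
    return {
        "extra": [n for n in bad_names if n not in good_names],
        "missing": [n for n in good_names if n not in bad_names],
        "reordered": shared_good != shared_bad,
        "changed": [n for n in shared_good if rules(dict(good)[n]) != rules(dict(bad)[n])],
    }

# Constructed sample entries (not from the thread); names and regexes are illustrative.
def sample_entry(cn, regex):
    return f"dn: cn={cn},cn=mapping,cn=sasl,cn=config\ncn: {cn}\nnsSaslMapRegexString: {regex}\n\n"
WORKING = sample_entry("Full Principal", r"\(.*\)@\(.*\)") + sample_entry("Name Only", "^[^:@]+$")
BROKEN = (sample_entry("uid mapping", "^[^:@]+$") + sample_entry("Name Only", "^[^:@]+$")
          + sample_entry("Full Principal", r"\(.*\)@\(.*\)"))

if __name__ == "__main__":
    print(compare_mappings(WORKING, BROKEN))
```

"extra" and "reordered" correspond to the two cases in the message (extra entries versus an ordering problem); "changed" lists mappings present on both masters whose nsSaslMap* values differ.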



