[Freeipa-users] keytab kvno differs between ipa servers
Petr Spacek
pspacek at redhat.com
Mon Nov 21 12:42:45 UTC 2016
On 21.11.2016 13:29, Bjarne Blichfeldt wrote:
> IPA: VERSION: 4.4.0, API_VERSION: 2.213
>
> This may be for lack of understanding the process, but..
>
> When I retrieve a keytab for a principal using ipa-getkeytab, the kvno is increased on the idm.
> In our test environment we have two ipa servers running and the kvno is only increased on one of them. After several retrievals, one principal's kvno is now on 5 on ipa1 and 18 on ipa2.
>
> That means the resulting keytab is only usable on one ipa server and results in a "password expired" message from the other ipa server.
>
> How do I synchronize the two Kerberos servers and how do I avoid this?
This might be caused by broken replication between your IPA servers:
http://www.freeipa.org/page/Troubleshooting#Replication_issues
--
Petr^2 Spacek