On Tue, Aug 15, 2017 at 10:23:25PM +0000, Bhavin Vaidya via FreeIPA-users wrote:
Hello,
We have Kerberos authentication failing on our replica server as well as on a client. We are
also not able to add any more clients or replica servers.
On the master FreeIPA server, in ds01:/etc/krb5.keytab, we get multiple entries.
[root@ds01 log]# klist -kt /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 02/02/2015 19:33:04 host/ds01.domain.com@DOMAIN.COM
   2 02/02/2015 19:33:04 host/ds01.domain.com@DOMAIN.COM
   2 02/02/2015 19:33:04 host/ds01.domain.com@DOMAIN.COM
   2 02/02/2015 19:33:04 host/ds01.domain.com@DOMAIN.COM
   5 06/21/2017 15:44:40 host/ds02.domain.com@DOMAIN.COM
   5 06/21/2017 15:44:40 host/ds02.domain.com@DOMAIN.COM
   5 06/21/2017 15:44:40 host/ds02.domain.com@DOMAIN.COM
   5 06/21/2017 15:44:40 host/ds02.domain.com@DOMAIN.COM
   5 06/21/2017 15:44:40 host/ds02.domain.com@DOMAIN.COM
   2 08/07/2017 14:09:27 host/ds01.domain.com@DOMAIN.COM
   2 08/07/2017 14:09:27 host/ds01.domain.com@DOMAIN.COM
   2 08/07/2017 14:09:27 host/ds01.domain.com@DOMAIN.COM
   2 08/07/2017 14:09:27 host/ds01.domain.com@DOMAIN.COM
We had someone else trying to help us and now we have this issue.
1. How can we remove newer entries?
2. Can we reset the krb5.keytab, and if yes, what will be the implication on replicas
and clients?

Are you sure that the keys with the different kvno are the reason? The
keys appear to have been created in June...
What exactly is failing with what log or error message?
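
One way to triage a listing like the one in the question, as an added example that is not part of the thread: it groups `klist -kt` lines by principal, KVNO and timestamp, then flags host principals that name another machine and a KVNO that appears under more than one timestamp. The sample listing is constructed from the one above with fewer rows, and `summarize` and the finding labels are names made up for this example.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the listing in the question (fewer rows).
SAMPLE = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 02/02/2015 19:33:04 host/ds01.domain.com@DOMAIN.COM
   2 02/02/2015 19:33:04 host/ds01.domain.com@DOMAIN.COM
   5 06/21/2017 15:44:40 host/ds02.domain.com@DOMAIN.COM
   5 06/21/2017 15:44:40 host/ds02.domain.com@DOMAIN.COM
   2 08/07/2017 14:09:27 host/ds01.domain.com@DOMAIN.COM
   2 08/07/2017 14:09:27 host/ds01.domain.com@DOMAIN.COM
"""

# KVNO, "date time", principal, and an optional "(enctype)" as printed by -e.
ENTRY = re.compile(r"^\s*(\d+)\s+(\S+ \S+)\s+(\S+@\S+)(?:\s+\(.*\))?\s*$")

def summarize(klist_output, local_fqdn):
    """Group `klist -kt` lines and flag entries worth a closer look."""
    batches = defaultdict(int)   # (principal, kvno, timestamp) -> number of keys
    for line in klist_output.splitlines():
        m = ENTRY.match(line)
        if m:                    # the name, header and separator lines do not match
            batches[(m.group(3), int(m.group(1)), m.group(2))] += 1
    findings = []
    stamps = defaultdict(set)    # (principal, kvno) -> timestamps seen
    for principal, kvno, stamp in batches:
        stamps[(principal, kvno)].add(stamp)
        # service/instance@REALM: compare the instance with this host's name
        instance = principal.split("@")[0].partition("/")[2]
        if instance and instance.lower() != local_fqdn.lower():
            findings.append(("foreign-host", principal, kvno, stamp))
    for (principal, kvno), seen in stamps.items():
        if len(seen) > 1:        # same KVNO stored in the keytab at different times
            findings.append(("same-kvno-multiple-timestamps", principal, kvno,
                             sorted(seen)))
    return dict(batches), sorted(findings, key=str)

if __name__ == "__main__":
    batches, findings = summarize(SAMPLE, "ds01.domain.com")
    for key, count in batches.items():
        print(count, "key(s):", key)
    for finding in findings:
        print("CHECK:", finding)
```

Running `klist -kte` instead adds the encryption type to each line, which shows whether the repeated rows within one group are one key per enctype.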