Tania Hagan via FreeIPA-users wrote:
Further troubleshooting.
If I run:
kinit -k -t /etc/dirsrv/ds.keytab ldap/ipa-unhealthly.ipa.server before the re-initialise
it completes successfully and a klist shows Default principal: ldap/unhealthly.ipa.server
After the LDAP error shows and the re-initialise is cancelled I see kinit: Generic error
(see e-text) while getting initial credentials.
In the healthy server if I look at /var/log/krb5kdc.log I see when the re-initialise is in
progress:
TGS_REQ (6 etypes {aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20),
camellia256-cts-cmac(26), aes128-cts-hmac-sha1-96(17), aes128-cts-hmac-sha256-128(19),
camellia128-cts-cmac(25)}) 10.100.104.7: ISSUE: authtime 1714662555, etypes
{rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18),
ses=aes256-cts-hmac-sha1-96(18)}, ldap/healthy.ipa.server for ldap/unhealthy.ipa.server
On the healthy server I'd run: kvno ldap/unhealthy.ipa.server
On the unhealthy server: klist -kt /etc/dirsrv/ds.keytab
Compare the version numbers. I'm guessing they are different.
rob
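
The comparison suggested above, as an added shell example that is not part of the original message: it parses the output of `kvno` and `klist -kt` and reports whether the keytab holds a key at the version the KDC currently issues. The realm `IPA.SERVER`, the sample outputs and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare the key version the KDC issues tickets for with the
# versions stored in a keytab. Both sample outputs below are constructed.

# Constructed output of: kvno ldap/unhealthy.ipa.server   (healthy server)
SAMPLE_KVNO='ldap/unhealthy.ipa.server@IPA.SERVER: kvno = 3'

# Constructed output of: klist -kt /etc/dirsrv/ds.keytab  (unhealthy server)
SAMPLE_KLIST='Keytab name: FILE:/etc/dirsrv/ds.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 05/02/2024 15:09:15 ldap/unhealthy.ipa.server@IPA.SERVER
   2 05/02/2024 15:09:15 ldap/unhealthy.ipa.server@IPA.SERVER'

# Extract N from a line of the form "principal@REALM: kvno = N".
kdc_kvno() {
    printf '%s\n' "$1" | awk -F'kvno = ' 'NF == 2 { print $2 + 0; exit }'
}

# List the distinct KVNOs a keytab holds for one principal (klist -kt layout:
# first field is the KVNO, last field is the principal).
keytab_kvnos() {
    printf '%s\n' "$1" |
        awk -v p="$2" '$1 ~ /^[0-9]+$/ && $NF == p { print $1 }' | sort -nu
}

# Return 0 if the keytab has a key at the KDC's current version, 1 otherwise.
kvno_matches() {
    want=$(kdc_kvno "$1")
    have=$(keytab_kvnos "$2" "$3")
    for v in $have; do
        [ "$v" = "$want" ] && return 0
    done
    echo "mismatch: KDC kvno=$want, keytab kvno(s)=$(echo $have)" >&2
    return 1
}

# On live systems, pass "$(kvno ...)" and "$(klist -kt ...)" instead of the samples.
if kvno_matches "$SAMPLE_KVNO" "$SAMPLE_KLIST" 'ldap/unhealthy.ipa.server@IPA.SERVER'; then
    echo "keytab is current"
else
    echo "keytab is stale"
fi
```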