Environment
Novell Open Enterprise Server 11.2 (OES 11SP2)
Novell Open Enterprise Server 11.1 (OES 11SP1)
Domain Services for Windows
DSfW
Situation
kinit(v5): Principal has multiple entries in Kerberos database while getting initial credentials
Cannot issue a Kerberos ticket for a user
/opt/novell/xad/bin/kinit Administrator fails with: "kinit(v5): Principal has multiple entries in Kerberos database while getting initial credentials"
Resolution
Do an ldapsearch that returns all users carrying the userPrincipalName of the user in question. The filter for userPrincipalName= should contain the username@domainname.
Example: Administrator@NOVELL.COM
or it can be a wild card for the domain
Example: Administrator@*
First export LDAPCONF, if that has not already been done, then run the ldapsearch (/usr/bin/ldapsearch). See TID 7003070 for more information on ldapsearch for DSfW.
export LDAPCONF=/etc/opt/novell/xad/openldap/ldap.conf
/usr/bin/ldapsearch -LLLQY EXTERNAL 'userPrincipalName=administrator*' dn userPrincipalName
Example returns:
dn: cn=Administrator2,cn=Users,dc=dsfw,dc=lan
userPrincipalName: Administrator@dsfw.lan
dn: cn=Administrator,cn=Users,dc=dsfw,dc=lan
userPrincipalName: Administrator@dsfw.lan
There are two users with the same userPrincipalName: Administrator and Administrator2. The userPrincipalName of Administrator2 should be changed to a unique value such as Administrator2@dsfw.lan. Once the value is unique, retry /opt/novell/xad/bin/kinit Administrator to confirm that a ticket is issued.
To search for multiple matching userPrincipalName values do the following ldapsearch
/usr/bin/ldapsearch -LLLQY EXTERNAL 'userprincipalname=*' userPrincipalName |grep "userPrincipalName:" |sort |uniq -c |sort -n |grep -v "^ *1 "
Example output of a search for multiple userPrincipalName values:
2 userPrincipalName: Administrator@dsfw.lan
2 userPrincipalName: novlxregd@dsfw.lan
2 userPrincipalName: novlxsrvd@dsfw.lan
2 userPrincipalName: user3@dsfw.lan
2 userPrincipalName: wwwrun@dsfw.lan
The eDirectory system-created users such as wwwrun, novlxregd, and novlxsrvd can usually be ignored. Administrator and user3 will not be issued a Kerberos ticket and will have problems authenticating with the userPrincipalName until the value is unique in the domain. Note that the sort | uniq -c comparison is case-sensitive while the LDAP search is not (the filter userPrincipalName=administrator* above matched Administrator@dsfw.lan), so two values that differ only in case are still duplicates even though this pipeline does not list them.
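The following shell function is an added example and is not part of the TID. It does the same duplicate check as the ldapsearch pipelines above (both the search for one user and the search for all users), but reads the LDIF on standard input, ignores the blank entry separators and dn: lines, compares userPrincipalName values case-insensitively, and reports which DNs share each value. The LDIF sample embedded in the block is constructed to resemble the TID's output; the function name find_dup_upn is an assumption of this example. Base64-encoded (userPrincipalName::) or line-folded attribute values are not decoded, which is noted in the comments.

```shell
#!/bin/sh
# Added example (not from the TID): report userPrincipalName values shared by
# more than one entry in LDIF produced by "ldapsearch -LLL".
# Compared with "sort | uniq -c" this skips blank entry separators and dn:
# lines and lower-cases the value before counting, because the LDAP search is
# case-insensitive while uniq is not.

find_dup_upn() {
  awk '
    # remember the DN of the entry currently being read ("dn: " is 4 chars)
    tolower($1) == "dn:" { dn = substr($0, 5) }

    # collect each UPN (lower-cased) together with the DNs that carry it.
    # Lines of the form "userPrincipalName:: <base64>" and folded
    # continuation lines are not decoded and are silently skipped.
    tolower($1) == "userprincipalname:" {
      upn = tolower($2)
      count[upn]++
      holders[upn] = holders[upn] (count[upn] > 1 ? ";" : "") dn
    }

    # print only the values that occur more than once: count, value, DNs
    END {
      for (u in count)
        if (count[u] > 1) print count[u], u, holders[u]
    }
  ' | sort
}

# Constructed sample LDIF (not real server output). The lower-case second
# Administrator value is deliberate: it is a duplicate to LDAP and to
# Kerberos, but a plain "sort | uniq -c" would not report it.
SAMPLE_LDIF='dn: cn=Administrator2,cn=Users,dc=dsfw,dc=lan
userPrincipalName: Administrator@dsfw.lan

dn: cn=Administrator,cn=Users,dc=dsfw,dc=lan
userPrincipalName: administrator@dsfw.lan

dn: cn=user1,cn=Users,dc=dsfw,dc=lan
userPrincipalName: user1@dsfw.lan
'

# Demo run on the constructed sample. Against a live DSfW server the same
# function can be fed from the TID's search instead:
#   export LDAPCONF=/etc/opt/novell/xad/openldap/ldap.conf
#   /usr/bin/ldapsearch -LLLQY EXTERNAL 'userprincipalname=*' userPrincipalName | find_dup_upn
printf '%s' "$SAMPLE_LDIF" | find_dup_upn
```

Each output line gives the number of entries, the lower-cased userPrincipalName, and the DNs holding it separated by semicolons, so the entry whose value must be renamed can be identified directly without a second search.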
Cause
Multiple users with the same userPrincipalName value. The userPrincipalName must be unique.