DSfW: Principal has multiple entries in Kerberos database while getting initial credentials

  • 7015463
  • 01-Aug-2014
  • 01-Aug-2014

Environment

Novell Open Enterprise Server 11.2 (OES 11SP2)
Novell Open Enterprise Server 11.1 (OES 11SP1)
Domain Services for Windows
DSfW

Situation

kinit(v5): Principal has multiple entries in Kerberos database while getting initial credentials

Cannot issue a Kerberos ticket for a user

/opt/novell/xad/bin/kinit Administrator fails with: "kinit(v5): Principal has multiple entries in Kerberos database while getting initial credentials"

Resolution

Run an ldapsearch that returns every user whose userPrincipalName matches the user in question.  The userPrincipalName= filter should contain the username@domainname.
Example: Administrator@NOVELL.COM
or it can use a wildcard for the domain
Example: Administrator@*

First export LDAPCONF if that has not already been done, then run the ldapsearch (/usr/bin/ldapsearch).  See TID 7003070 for more information on using ldapsearch with DSfW.

export LDAPCONF=/etc/opt/novell/xad/openldap/ldap.conf
/usr/bin/ldapsearch -LLLQY EXTERNAL 'userPrincipalName=administrator*' dn userPrincipalName

Example output (note that the lowercase filter value administrator* matches Administrator@dsfw.lan, so the comparison is case-insensitive):
dn: cn=Administrator2,cn=Users,dc=dsfw,dc=lan
userPrincipalName: Administrator@dsfw.lan

dn: cn=Administrator,cn=Users,dc=dsfw,dc=lan
userPrincipalName: Administrator@dsfw.lan

There are two users with the same userPrincipalName, Administrator and Administrator2.  Change the userPrincipalName of Administrator2 to a unique value such as Administrator2@dsfw.lan.

To list every userPrincipalName value that occurs more than once in the domain, run the following ldapsearch.  Only the userPrincipalName lines are kept, the values are counted case-insensitively (because the attribute matches case-insensitively, Administrator@dsfw.lan and administrator@dsfw.lan collide), and only counts greater than 1 are printed:
/usr/bin/ldapsearch -LLLQY EXTERNAL 'userPrincipalName=*' userPrincipalName | grep '^userPrincipalName:' | sort -f | uniq -ci | sort -n | awk '$1 > 1'

Example output listing multiple userPrincipalName values:
      2 userPrincipalName: Administrator@dsfw.lan
      2 userPrincipalName: novlxregd@dsfw.lan
      2 userPrincipalName: novlxsrvd@dsfw.lan
      2 userPrincipalName: user3@dsfw.lan
      2 userPrincipalName: wwwrun@dsfw.lan

The system-created eDirectory users such as wwwrun, novlxregd and novlxsrvd can usually be ignored.  Administrator and user3 will not be issued a Kerberos ticket and will have problems authenticating with the userPrincipalName until the value is unique in the domain.
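As an added example that is not part of this TID, the script below reads the LDIF produced by the ldapsearch above, reports each userPrincipalName that more than one entry carries together with the DNs involved, and prints the ldapmodify LDIF that gives one of them a unique value.  It compares values case-insensitively and unfolds LDIF continuation lines, two cases the one-line pipeline does not handle.  The sample LDIF is constructed; the ldapmodify invocation with -QY EXTERNAL and the same exported LDAPCONF is an assumption, since the TID does not state how the value is to be changed.

```shell
#!/bin/sh
# Added example, not from the TID. Reads the LDIF of
#   /usr/bin/ldapsearch -LLLQY EXTERNAL 'userPrincipalName=*' dn userPrincipalName
# and reports every userPrincipalName held by more than one entry.

# dup_upns: stdin = LDIF, stdout = one line per duplicate:
#   <count> TAB <upn, lower-cased> TAB <dn1>; <dn2>; ...
# UPNs are compared case-insensitively (the TID's own search for
# 'administrator*' matched 'Administrator@dsfw.lan'), and LDIF
# continuation lines (leading space) are unfolded before parsing.
dup_upns() {
    awk '
        function flush(  key) {
            if (dn != "" && upn != "") {
                key = tolower(upn)
                count[key]++
                dns[key] = (count[key] == 1) ? dn : dns[key] "; " dn
            }
            dn = ""; upn = ""; last = ""
        }
        /^ /                   { if (last == "dn") dn = dn substr($0, 2)
                                 else if (last == "upn") upn = upn substr($0, 2)
                                 next }
        /^dn: /                { dn = substr($0, 5);   last = "dn";  next }
        /^userPrincipalName: / { upn = substr($0, 20); last = "upn"; next }
        /^$/                   { flush(); next }
        { last = "" }
        END {
            flush()
            for (key in count)
                if (count[key] > 1)
                    printf "%d\t%s\t%s\n", count[key], key, dns[key]
        }
    ' | sort
}

# upn_change_ldif DN NEW_UPN: prints the ldapmodify LDIF that gives DN a new,
# unique userPrincipalName. Applying it is assumed (not shown in the TID) to
# work as:  upn_change_ldif "$dn" "$new" | /usr/bin/ldapmodify -QY EXTERNAL
# with LDAPCONF exported as in the TID.
upn_change_ldif() {
    case "$2" in
        *@*) ;;
        *)   echo "new userPrincipalName must be user@domain" >&2; return 1 ;;
    esac
    printf 'dn: %s\nchangetype: modify\nreplace: userPrincipalName\nuserPrincipalName: %s\n' "$1" "$2"
}

# Constructed sample LDIF (not real output) mirroring the TID's Administrator
# case, plus a user3 duplicate that differs only in case and a folded dn line.
SAMPLE_LDIF='dn: cn=Administrator2,cn=Users,dc=dsfw,dc=lan
userPrincipalName: Administrator@dsfw.lan

dn: cn=Administrator,cn=Users,dc=dsfw,dc=lan
userPrincipalName: Administrator@dsfw.lan

dn: cn=user3,cn=Users,dc=dsfw,dc=lan
userPrincipalName: user3@dsfw.lan

dn: cn=user3 contractor,ou=Contractors,ou=Long Organisational Unit Name,dc=dsfw,
 dc=lan
userPrincipalName: USER3@dsfw.lan

dn: cn=user4,cn=Users,dc=dsfw,dc=lan
userPrincipalName: user4@dsfw.lan'

# Stand-alone run: list the duplicates in the sample, then show the LDIF
# that would rename Administrator2 as the TID recommends.
printf '%s\n' "$SAMPLE_LDIF" | dup_upns
upn_change_ldif 'cn=Administrator2,cn=Users,dc=dsfw,dc=lan' 'Administrator2@dsfw.lan'
```

On a real server pipe the TID's ldapsearch into dup_upns instead of the sample, decide for each reported pair which entry keeps the value, apply the generated LDIF, then re-run the search for that userPrincipalName to confirm a single entry comes back before retrying /opt/novell/xad/bin/kinit for the user.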

Cause

Multiple users have the same userPrincipalName value.  The userPrincipalName must be unique within the domain.