DSfW: Principal has multiple entries in Kerberos database while getting initial credentials

  • 7015463
  • 01-Aug-2014
  • 01-Aug-2014


Novell Open Enterprise Server 11.2 (OES 11SP2)
Novell Open Enterprise Server 11.1 (OES 11SP1)
Domain Services for Windows


kinit(v5): Principal has multiple entries in Kerberos database while getting initial credentials

Cannot issue a Kerberos ticket for the user

/opt/novell/xad/bin/kinit Administrator fails with: "kinit(v5): Principal has multiple entries in Kerberos database while getting initial credentials"


Do an ldapsearch to return all users with the userPrincipalName of the user in question.  The filter for userPrincipalName= should contain the username@domainname.
Example: Administrator@NOVELL.COM
or it can use a wildcard for the domain
Example: Administrator@*

First export the LDAPCONF if it has not already been done, then perform the ldapsearch (/usr/bin/ldapsearch).  See TID 7003070 for more information on ldapsearch for DSfW.

export LDAPCONF=/etc/opt/novell/xad/openldap/ldap.conf
/usr/bin/ldapsearch -LLLQY EXTERNAL 'userPrincipalName=administrator*' dn userPrincipalName

Example returns:
dn: cn=Administrator2,cn=Users,dc=dsfw,dc=lan
userPrincipalName: Administrator@dsfw.lan

dn: cn=Administrator,cn=Users,dc=dsfw,dc=lan
userPrincipalName: Administrator@dsfw.lan

There are two users with the same userPrincipalName: Administrator and Administrator2.  The userPrincipalName for Administrator2 should be changed to a unique name like Administrator2@dsfw.lan.

To search for all duplicated userPrincipalName values in the domain, do the following ldapsearch (the final grep drops only values that occur exactly once; anchoring it keeps counts such as 11 or 21 from being dropped as well):
/usr/bin/ldapsearch -LLLQY EXTERNAL 'userprincipalname=*' userPrincipalName |grep -v dn: |sort |uniq -c |sort -n |grep -v "^ *1 userPrincipalName:"

Example of a search for multiple userPrincipalName values:
      2 userPrincipalName: Administrator@dsfw.lan
      2 userPrincipalName: novlxregd@dsfw.lan
      2 userPrincipalName: novlxsrvd@dsfw.lan
      2 userPrincipalName: user3@dsfw.lan
      2 userPrincipalName: wwwrun@dsfw.lan

The eDirectory system-created users like wwwrun, novlxregd, and novlxsrvd can usually be ignored.  Administrator and user3 will not be issued a Kerberos ticket and will have problems authenticating with the userPrincipalName until the value is unique in the domain.
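The duplicate check above, as an added shell example that is not part of this TID: it reads the LDIF that `ldapsearch -LLL ... dn userPrincipalName` prints and reports every userPrincipalName shared by more than one entry together with the DNs involved, comparing values case-insensitively as LDAP does. The sample LDIF is constructed here; the `check_live_dsfw_upns` wrapper and the ldapmodify LDIF emitted by `upn_fix_ldif` are assumptions for a DSfW server, not commands taken from the page.

```shell
#!/bin/sh
# Read LDIF (ldapsearch -LLL output) on stdin and print one line per
# userPrincipalName that appears on more than one entry:
#   "<count> <upn lowercased>: <dn1> | <dn2> ..."
# Values are compared case-insensitively because LDAP matching for
# userPrincipalName is, so Administrator@dsfw.lan and administrator@DSFW.LAN
# clash. Base64 ("userPrincipalName::") and folded LDIF lines are not decoded.
find_duplicate_upns() {
    awk '
        /^dn: /                { dn = substr($0, 5) }
        /^userPrincipalName: / {
            upn = tolower(substr($0, 20))
            count[upn]++
            dns[upn] = dns[upn] (count[upn] > 1 ? " | " : "") dn
        }
        END {
            for (upn in count)
                if (count[upn] > 1)
                    printf "%d %s: %s\n", count[upn], upn, dns[upn]
        }
    ' | sort
}

# Assumed wrapper for a live DSfW domain controller (same ldapsearch as the TID).
check_live_dsfw_upns() {
    LDAPCONF=/etc/opt/novell/xad/openldap/ldap.conf \
    /usr/bin/ldapsearch -LLLQY EXTERNAL 'userPrincipalName=*' dn userPrincipalName \
        | find_duplicate_upns
}

# Emit the LDIF (assumed to be fed to ldapmodify -Y EXTERNAL) that gives
# one entry ($1 = dn) a unique userPrincipalName ($2).
upn_fix_ldif() {
    printf 'dn: %s\nchangetype: modify\nreplace: userPrincipalName\nuserPrincipalName: %s\n' "$1" "$2"
}

# Constructed sample: two clashes (one differing only in case), two clean users.
SAMPLE_LDIF='dn: cn=Administrator2,cn=Users,dc=dsfw,dc=lan
userPrincipalName: Administrator@dsfw.lan

dn: cn=Administrator,cn=Users,dc=dsfw,dc=lan
userPrincipalName: Administrator@dsfw.lan

dn: cn=user3,cn=Users,dc=dsfw,dc=lan
userPrincipalName: user3@dsfw.lan

dn: cn=user3a,cn=Users,dc=dsfw,dc=lan
userPrincipalName: User3@DSFW.LAN

dn: cn=user4,cn=Users,dc=dsfw,dc=lan
userPrincipalName: user4@dsfw.lan
'
printf '%s' "$SAMPLE_LDIF" | find_duplicate_upns
```

Running the block against the sample lists the Administrator and user3 clashes with both DNs each; on a server, `check_live_dsfw_upns` does the same for the whole domain, and `upn_fix_ldif` builds the modification for the entry that should be renamed.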


Multiple users have the same userPrincipalName value.  The userPrincipalName must be unique within the domain.