Trouble with Replicas – no keytab file in /etc
I'm really struggling with this one now.
I have my OD master in London with Kerberos working fine and a nice clean log file relatively free of errors. I have 2 replicas: one is a mail server on the local LAN, the other is a file server based in our New York office. Our offices are connected via a Sonicwall VPN tunnel, so we have two subnets:
192.168.1.1/24
192.168.166.1/24
The replication to our mail server is all working ok. I just can't seem to get the replication to New York working. This was once all working ok until I upgraded our OD master to an Intel Xserve, and our various Asante network switches were replaced with a new HP ProCurve switch.
Initially I've been struggling to get the replication to work at all. As I watch the replication process, the bar moves to the end, appears to finish, and skips enabling the password service and Kerberos services. The OD settings then revert back to standalone. However, after a few attempts I get the replication process to finish with enabling the password service and Kerberos services. However, I am unable to get a Kerberos ticket, and the /etc/krb5.keytab file is not present.
If I run kadmin.local and then ktadd -global *, it will create the keytab file but I still can't get a ticket.
The OD master log reads:
ERROR: (See /var/run/openldap-slurp/replica/192.168.166.5:389.rej)
which contains lots of errors like this one:
ERROR: Type or value exists: modify/add: loginShell: value #0 already exists
replica: 192.168.166.5:389
time: 1172592490.3
The slapconfig log on the replica looks like this:
2007-03-01 06:54:07 -0500 - 10 Enabling local Kerberos server
2007-03-01 06:54:07 -0500 - command: /usr/sbin/kdcsetup -c /LDAPv3/127.0.0.1 -w -a diradmin -p **** -v 1 SERVER.DOMAIN.COM
2007-03-01 06:54:09 -0500 - kdcsetup command output:
Contacting the Directory Server
Authenticating to the Directory Server
Creating Kerberos directory
Creating KDC Config File
{type = immutable, count = 1, values = (
0 : {type = mutable, count = 0, capacity = 4, pairs = (
)}
)}
Adding KDC to launchd
Adding the new KDC into the KerberosClient config record
Finished
2007-03-01 06:54:09 -0500 - command: /usr/sbin/sso_util configure -r SERVER.DOMAIN.COM -f /LDAPv3/127.0.0.1 -a diradmin -p **** -v 1 all
2007-03-01 06:54:10 -0500 - sso_util command output:
Contacting the directory server
Creating the service list
Creating the service principals
kadmin: Missing parameters in krb5.conf required for kadmin client while initializing kadmin interface
2007-03-01 06:54:10 -0500 - sso_util command failed with status 2
2007-03-01 06:54:10 -0500 - command: /usr/sbin/sso_util configure -r SERVER.DOMAIN.COM -f /LDAPv3/127.0.0.1 -a diradmin -p **** -v 1 ldap
2007-03-01 06:54:10 -0500 - sso_util command output:
Contacting the directory server
Creating the service list
Creating the service principals
kadmin: Missing parameters in krb5.conf required for kadmin client while initializing kadmin interface
2007-03-01 06:54:10 -0500 - sso_util command failed with status 2
2007-03-01 06:54:10 -0500 - command: /sbin/kerberosautoconfig -u -v 1
2007-03-01 06:54:10 -0500 - command: /usr/sbin/vpnaddkeyagentuser -q /LDAPv3/127.0.0.1
The LDAP Error log on the replica looks like this:
Mar 1 2007 06:24:12 LauchTaskWithIO path = /usr/sbin/kdb5_util, arg1 = dump, arg2 = /var/db/krb5kdc/KerbDumpFilerdFnP, status = 1
Mar 1 2007 06:24:19 LauchTaskWithIO path = /usr/sbin/kdb5_util, arg1 = dump, arg2 = /var/db/krb5kdc/KerbDumpFileWlxJN, status = 1
Mar 1 2007 06:24:19 LauchTaskWithIO path = /usr/sbin/kdb5_util, arg1 = dump, arg2 = -, status = 1
Mar 1 2007 06:24:19 LauchTaskWithIO path = /usr/sbin/kdb5_util, arg1 = dump, arg2 = -, status = 1
Mar 1 2007 06:24:19 LauchTaskWithIO path = /usr/sbin/kdb5_util, arg1 = dump, arg2 = -, status = 1
Also, should I be able to see an open port when port scanning the server on ports 88 and 749?
Any help would be really appreciated as I'm running out of ideas!!!
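The "kadmin: Missing parameters in krb5.conf required for kadmin client" line in the slapconfig log above is what MIT kadmin prints when the realm stanza it is given lacks the admin_server (or kdc) entry it needs to reach the admin service. The following is an added diagnostic, not code from the original post or from Apple's sso_util/kdcsetup tools: it parses a krb5.conf-style file, reports which of the keys kadmin needs are absent from a realm stanza, and lists the host:port endpoints a port scan should find listening (88 for the KDC, 749 for kadmin, the MIT defaults when no port is given). The realm name SERVER.DOMAIN.COM and both config texts are constructed samples, not the poster's files.

```python
"""Check a krb5.conf [realms] stanza for the entries kadmin needs.

Added diagnostic, not part of the original post. The two config texts at
the bottom are constructed samples: BROKEN_CONF resembles a half-configured
replica whose realm stanza names a KDC but no admin_server, which is enough
to make kadmin fail with "Missing parameters in krb5.conf required for
kadmin client"; GOOD_CONF is a complete stanza.
"""
import re

DEFAULT_PORTS = {"kdc": 88, "admin_server": 749}  # MIT Kerberos defaults
KADMIN_REQUIRED = ("kdc", "admin_server")        # keys the kadmin client needs


def strip_comment(line):
    # krb5.conf treats '#' and ';' as comment leaders
    return re.split(r"[#;]", line, maxsplit=1)[0].strip()


def parse_realms(text):
    """Return {REALM: {key: [values]}} for every stanza in the [realms] section."""
    realms, section, current, depth = {}, None, None, 0
    for raw in text.splitlines():
        line = strip_comment(raw)
        if not line:
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:                                   # new section header
            section, current, depth = m.group(1).lower(), None, 0
            continue
        if section != "realms":
            continue
        if current is None:                     # expecting "REALM = {"
            m = re.match(r"^(\S+)\s*=\s*\{$", line)
            if m:
                current, depth = m.group(1), 0
                realms[current] = {}
            continue
        if depth > 0:                           # skip nested sub-blocks (e.g. v4_instance_convert = { ... })
            if line.endswith("{"):
                depth += 1
            elif line == "}":
                depth -= 1
            continue
        if line == "}":                         # end of this realm stanza
            current = None
            continue
        if line.endswith("{"):                  # start of a nested sub-block
            depth = 1
            continue
        m = re.match(r"^(\w+)\s*=\s*(.+)$", line)
        if m:                                   # "key = value", keys may repeat (several kdc lines)
            realms[current].setdefault(m.group(1).lower(), []).append(m.group(2).strip())
    return realms


def missing_kadmin_params(realms, realm):
    """Keys kadmin requires that the realm stanza does not define."""
    stanza = realms.get(realm, {})
    return [key for key in KADMIN_REQUIRED if not stanza.get(key)]


def endpoints(realms, realm):
    """(service, host, port) tuples worth probing; port falls back to the MIT default.

    Bracketed IPv6 literals are not handled; hostnames and IPv4 are.
    """
    out = []
    for key, default_port in DEFAULT_PORTS.items():
        for value in realms.get(realm, {}).get(key, []):
            host, _, port = value.partition(":")
            out.append((key, host, int(port) if port else default_port))
    return out


# Constructed sample: KDC named, admin_server missing -> kadmin cannot start.
BROKEN_CONF = """\
[libdefaults]
    default_realm = SERVER.DOMAIN.COM

[realms]
    SERVER.DOMAIN.COM = {
        kdc = server.domain.com
    }
"""

# Constructed sample of a complete stanza with explicit (default) ports.
GOOD_CONF = """\
[libdefaults]
    default_realm = SERVER.DOMAIN.COM  ; realm used when none is given

[realms]
    SERVER.DOMAIN.COM = {
        kdc = server.domain.com:88
        admin_server = server.domain.com:749
    }

[domain_realm]
    .domain.com = SERVER.DOMAIN.COM
"""

if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_CONF), ("good", GOOD_CONF)):
        realms = parse_realms(conf)
        print(name, "missing:", missing_kadmin_params(realms, "SERVER.DOMAIN.COM"))
        print(name, "probe:", endpoints(realms, "SERVER.DOMAIN.COM"))
```

Run it against the replica's real /etc/krb5.conf by reading the file into parse_realms; an empty "missing" list rules out the config stanza as the cause of the kadmin failure, and the "probe" list is the set of host:port pairs to scan from the remote subnet to confirm the VPN passes the KDC and kadmin ports.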