Auerbach, Steven wrote:
> A user contacted me today for a password reset. I made the reset on the
> ipa-primary. The user opened a terminal session on an SSH Client to a
> server in the realm and logged in. They received the required immediate
> password change requirement and did so. They can log off and log back on
> that same server with their new password. They attempted to open a
> terminal shell to another server in the realm. Their new password is not
> accepted.
>
> Both servers the user is attempting to connect to have the nameserver
> resolution in the same order (resolv.conf).
>
> On the ipa-primary their password expiration is 90 days from today. On
> the ipa-replicant the password expiration is about 60 days out (I did
> this with them Jan 13th also but they lost their password…..). It has
> been an hour since the user logged on to the server and made their
> required change.
>
> 2 questions arise:
>
> How to safely update replicant with the password change without changing
> the primary/replicant relationship order?
>
> How to force the other server to refer to the ipa-primary to validate
> the password?

It sounds like replication isn't working. On each master do this:

$ ipa-replica-manage list -v `hostname`

That will give you the replication status on both sides.

rob

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
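
One way to script the check suggested in the reply above, as an added example that is not part of the original thread: it reads the verbose listing on stdin and prints only the agreements whose last update did not return status 0. The output layout, the host names and the function names `failed_agreements` and `sample_output` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: flag replication agreements whose last update did not succeed.
# Input on stdin: text of `ipa-replica-manage list -v <host>`.
# Assumed layout (not taken from the thread): a "<peer>: replica" header line
# followed by indented "last update status: ..." detail lines.

failed_agreements() {
    awk '
        # A non-indented "<host>: replica" line starts a new agreement block.
        /^[^ \t].*: *replica[ \t]*$/ {
            peer = $1; sub(/:$/, "", peer); next
        }
        /^[ \t]+last update status:/ {
            line = $0
            sub(/^[ \t]+last update status:[ \t]*/, "", line)
            # The code is a leading integer ("0 Replica ...") or is
            # parenthesised ("Error (0) Replica ..."); anything else is unknown.
            code = "unknown"
            if (match(line, /^-?[0-9]+/)) {
                code = substr(line, RSTART, RLENGTH)
            } else if (match(line, /\(-?[0-9]+\)/)) {
                code = substr(line, RSTART + 1, RLENGTH - 2)
            }
            # Report peer, status code and the full status text.
            if (code != "0") printf "%s\t%s\t%s\n", peer, code, line
        }
    '
}

# Constructed sample output with one failing and one healthy agreement.
sample_output() {
    cat <<'EOF'
ipa-replica.example.test: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (-1) Problem connecting to replica - LDAP error: Can't contact LDAP server
  last update ended: 1970-01-01 00:00:00+00:00
ipa-other.example.test: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: 0 Replica acquired successfully: Incremental update succeeded
  last update ended: 2016-03-01 14:02:11+00:00
EOF
}

# Live use on each master:
#   ipa-replica-manage list -v "$(hostname)" | failed_agreements
sample_output | failed_agreements
```

An empty result on both masters means every agreement reported a successful last update; any line printed names the peer that is not receiving changes such as the password reset.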
