A user contacted me today for a password reset. I made the reset on the
ipa-primary. The user opened a terminal session on an SSH Client to a server in
the realm and logged in. They received the required immediate password change
requirement and did so. They can log off and log back on that same server with
their new password. They attempted to open a terminal shell to another server
in the realm. Their new password is not accepted.
Both servers the user is attempting to connect to have the nameserver
resolution in the same order (resolv.conf).
On the ipa-primary their password expiration is 90 days from today. On the
ipa-replicant the password expiration is about 60 days out (I did this with
them Jan 13th also but they lost their password.....). It has been an hour
since the user logged on to the server and made their required change.
2 questions arise:
How to safely update replicant with the password change without changing the
primary/replicant relationship order?
How to force the other server to refer to the ipa-primary to validate the
State University System of Florida
Board of Governors
325 West Gaines Street
Tallahassee, Florida 32399
(850) 245-9592 | Fax (850) 245-0419
steven.auerb...@flbog.edu | www.flbog.edu