A user contacted me today for a password reset.  I made the reset on the 
ipa-primary. The user opened a terminal session on an SSH Client to a server in 
the realm and logged in. They received the required immediate password change 
requirement and did so. They can log off and log back on that same server with 
their new password.  They attempted to open a terminal shell to another server 
in the realm. Their new password is not accepted.

Both servers the user is attempting to connect to have the nameserver 
resolution in the same order (resolv.conf).

On the ipa-primary their password expiration is 90 days from today.  On the 
ipa-replicant the password expiration is about 60 days out (I did this with 
them Jan 13th also but they lost their password.....). It has been an hour 
since the user logged on to the server and made their required change.

2 questions arise:
How to safely update replicant with the password change without changing the 
primary/replicant relationship order?
How to force the other server to refer to the ipa-primary to validate the 


Steven Auerbach
Systems Administrator
State University System of Florida
Board of Governors
325 West Gaines Street
Tallahassee, Florida 32399
(850) 245-9592 | Fax (850) 245-0419
steven.auerb...@flbog.edu | www.flbog.edu

Manage your subscription for the Freeipa-users mailing list:
Go To http://freeipa.org for more info on the project
