Auerbach, Steven wrote:
> A user contacted me today for a password reset. I made the reset on the
> ipa-primary. The user opened a terminal session on an SSH Client to a
> server in the realm and logged in. They received the required immediate
> password change requirement and did so. They can log off and log back on
> that same server with their new password. They attempted to open a
> terminal shell to another server in the realm. Their new password is not
> Both servers the user is attempting to connect to have the nameserver
> resolution in the same order (resolv.conf).
> On the ipa-primary their password expiration is 90 days from today. On
> the ipa-replicant the password expiration is about 60 days out (I did
> this with them Jan 13th also but they lost their password..). It has
> been an hour since the user logged on to the server and made their
> required change.
> 2 questions arise:
> How to safely update replicant with the password change without changing
> the primary/replicant relationship order?
> How to force the other server to refer to the ipa-primary to validate
> the password?
It sounds like replication isn't working. On each master do this:
$ ipa-replica-manage list -v `hostname`
That will give you the replication status on both sides.
Manage your subscription for the Freeipa-users mailing list:
Go To http://freeipa.org for more info on the project
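
Added example (not from the thread or the FreeIPA project): one way to read the output of the command above on each master and flag agreements whose last update failed or ended before the password change. The field labels, status wording, host names and timestamps in the sample are constructed and assumed; compare them with what your version prints.

```python
import re
from datetime import datetime, timezone

# Constructed sample. Layout assumed: "<peer>: replica", then indented fields.
SAMPLE = """\
ipa-other.example.test: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (0) Replica acquired successfully: Incremental update succeeded
  last update ended: 2015-03-10 15:40:02+00:00
ipa-replicant.example.test: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (-1) Problem connecting to replica - LDAP error: Can't contact LDAP server
  last update ended: 2015-01-13 16:02:11+00:00
"""
# Constructed time of the password change made on this master.
CHANGED_AT = datetime(2015, 3, 10, 14, 30, tzinfo=timezone.utc)

def parse_agreements(text):
    """Return {peer: {field: value}} from the verbose listing."""
    agreements, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        key, _, value = line.strip().partition(":")
        if not line[0].isspace():        # unindented line starts a new peer
            current = agreements.setdefault(key, {})
        elif current is not None:
            current[key] = value.strip()
    return agreements

def suspect_agreements(text, changed_at):
    """Return {peer: [reasons]} for agreements that failed or predate the change."""
    findings = {}
    for peer, fields in parse_agreements(text).items():
        reasons = []
        status = fields.get("last update status", "")
        code = re.search(r"-?\d+", status)   # assumed: first integer is the result code
        if code is None or int(code.group()) != 0:
            reasons.append("last update failed: " + (status or "missing"))
        try:
            ended = datetime.fromisoformat(fields.get("last update ended", ""))
            if ended < changed_at:
                reasons.append("last update ended before the change: " + ended.isoformat())
        except (ValueError, TypeError):      # absent, unparsable or naive timestamp
            reasons.append("no usable 'last update ended' timestamp")
        if reasons:
            findings[peer] = reasons
    return findings

if __name__ == "__main__":
    for peer, reasons in suspect_agreements(SAMPLE, CHANGED_AT).items():
        print(peer, *reasons, sep="\n  ")
```

On a real master, pass the captured text of the command in place of SAMPLE and the time of the password reset in place of CHANGED_AT.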