Auerbach, Steven wrote:
I don't think so.  The sssd service is running on the client server. But it is configured with 
cache_credentials=true.  I also notice a key ipa_server = _srv_, ipa02.<<domain>>.local.  
The thing is, that second name was replaced a number of months ago by a server named 

Could either of these keys point to a problem?

Like I said, it sounds like it is offline. The fact that one of the servers doesn't exist makes this even more possible.

You need to check the SSSD logs. See

You can try killing sssd with SIGUSR2 which will try to put it into online mode (see man sssd).



Steven Auerbach
Systems Administrator

State University System of Florida
Board of Governors
325 West Gaines Street, Suite 1625C
Tallahassee, Florida 32399
(850) 245-9592

-----Original Message-----
From: Rob Crittenden
Sent: Thursday, July 21, 2016 6:24 PM
To: Auerbach, Steven
Subject: Re: [Freeipa-users] Odd Password Issue Across the realm

Auerbach, Steven wrote:
We have our IPA set up as master-master and we have about 25 clients
in realm (including the IPA servers themselves).

We have a single user who changed his unexpired password using the
passwd command logged on to one of the registered clients.

Thereafter, when he logs on to any of the client servers in the realm
with the exception of one, his new password is accepted.  On only one
client server his new password is not accepted.  That client server
will only let him in with a password that was in effect 2 password
changes in the past.

I believe that there is no sync problem between the IPA Masters
because I changed the admin password on one of them (IPA Master)
yesterday and it was available immediately after a logout to sign on
as admin to the other master with the new password.

Are we instructing users with the wrong command for changing an
unexpired password?  If not, where would we turn to rectify this issue
that this one user has with the one IPA client server?

I wonder if sssd on that client is in offline mode.
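
The two sssd.conf keys raised in this thread can be checked by script. This is an added example, not part of the original messages; the `audit_sssd_conf` helper, the sample configuration and its host names are constructed for illustration.

```python
# Added example: audit an sssd.conf for the two keys discussed in the thread.
import configparser
import socket

# Constructed sample; the domain and host names are placeholders.
SAMPLE_CONF = """\
[sssd]
services = nss, pam
domains = example.test

[domain/example.test]
id_provider = ipa
cache_credentials = True
ipa_server = _srv_, ipa02.example.test
"""

def resolves(host):
    """Return True if the local resolver can find an address for host."""
    try:
        socket.getaddrinfo(host, None)
        return True
    except socket.gaierror:
        return False

def audit_sssd_conf(text, resolver=resolves):
    """Return (section, key, message) findings for each [domain/...] section."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.read_string(text)
    findings = []
    for section in cfg.sections():
        if not section.startswith("domain/"):
            continue
        dom = cfg[section]
        if dom.get("cache_credentials", "false").strip().lower() == "true":
            findings.append((section, "cache_credentials",
                             "while offline, logins are checked against the cached password"))
        for host in (h.strip() for h in dom.get("ipa_server", "").split(",")):
            if not host or host == "_srv_":  # _srv_ means DNS SRV discovery
                continue
            if not resolver(host):
                findings.append((section, "ipa_server", f"{host} does not resolve"))
    return findings

if __name__ == "__main__":
    for section, key, message in audit_sssd_conf(SAMPLE_CONF):
        print(f"[{section}] {key}: {message}")
```

To audit a real client, pass the text of its `/etc/sssd/sssd.conf` to `audit_sssd_conf` in place of the sample.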

