> Where should I start looking?
I would start by tailing the logs on the destination host while the user
attempts to log in with the account that isn't working. On an EL 7 host you can
use 'journalctl -f'; on EL 6 and older you can use 'tail -F /var/log/messages'.

Are you certain this was just a forgotten password (in other words, was the
user ever able to log in to this particular machine)? Do you use any HBAC rules
in your environment?