Re: [Freeipa-users] Odd Password Issue Across the realm

2016-07-22 Thread Rob Crittenden

Auerbach, Steven wrote:

I don't think so.  The sssd service is running on the client server. But it is configured with 
cache_credentials=true.  I also notice a key ipa_server = _srv_, ipa02.<>.local.  
The thing is, that second name was replaced a number of months ago by a server named 
ipa-r02.<>.local.

Could either of these keys point to a problem?


Like I said, it sounds like it is offline. Given that one of the servers 
doesn't exist makes this even more possible.


You need to check the SSSD logs. See 
https://fedorahosted.org/sssd/wiki/Troubleshooting


You can try killing sssd with SIGUSR2 which will try to put it into 
online mode (see man sssd).


rob



Thanks.


Steven Auerbach
Systems Administrator

State University System of Florida
Board of Governors
325 West Gaines Street, Suite 1625C
Tallahassee, Florida 32399
(850) 245-9592
steven.auerb...@flbog.edu | www.flbog.edu




-----Original Message-----
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: Thursday, July 21, 2016 6:24 PM
To: Auerbach, Steven ; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Odd Password Issue Across the realm

Auerbach, Steven wrote:

We have our IPA set up as master-master and we have about 25 clients
in realm (including the IPA servers themselves).

We have a single user who changed his unexpired password using the
passwd command logged on to one of the registered clients.

Thereafter, when he logs on to any of the client servers in the realm
with the exception of one, his new password is accepted.  On only one
client server his new password is not accepted.  That client server
will only let him in with a password that was in effect 2 password
changes in the past.

I believe that there is no sync problem between the IPA Masters
because I changed the admin password on one of them (IPA Master)
yesterday and it was available immediately after a logout to sign on
as admin to the other master with the new password.

Are we instructing users with the wrong command for changing an
unexpired password?  If not, where would we turn to rectify this issue
that this one user has with the one IPA client server?


I wonder if sssd on that client is in offline mode.

rob



--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
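
An added example, not part of the original thread: one way to check a client's sssd.conf for the combination discussed above, an explicit `ipa_server` entry that no longer resolves together with `cache_credentials = true`. The `example.test` realm, the sample file and the function names are assumptions made for illustration, and the check assumes a retired server's name no longer resolves.

```python
import configparser
import socket

# Constructed sample modelled on the settings quoted in the thread; the
# example.test realm and host name are placeholders, not the poster's values.
SAMPLE_CONF = """\
[domain/example.test]
id_provider = ipa
cache_credentials = true
ipa_server = _srv_, ipa02.example.test
"""


def resolves(host):
    """Return True if the host name currently resolves."""
    try:
        socket.getaddrinfo(host, None)
        return True
    except socket.gaierror:
        return False


def audit_sssd_conf(conf_text, resolver=resolves):
    """Return (domain, message) findings for every [domain/...] section."""
    cfg = configparser.RawConfigParser(strict=False)  # raw: values may contain '%'
    cfg.read_string(conf_text)
    findings = []
    for section in cfg.sections():
        if not section.startswith("domain/"):
            continue
        name = section.split("/", 1)[1]
        raw = cfg.get(section, "ipa_server", fallback="")
        servers = [s.strip() for s in raw.split(",") if s.strip()]
        # _srv_ means DNS SRV discovery, so only explicit host names are checked.
        dead = [s for s in servers if s != "_srv_" and not resolver(s)]
        for host in dead:
            findings.append((name, f"ipa_server entry {host} does not resolve"))
        cached = cfg.get(section, "cache_credentials", fallback="false")
        if dead and cached.strip().lower() == "true":
            findings.append((name, "cache_credentials=true: while SSSD is offline, "
                                   "logins are checked against the locally cached password"))
    return findings


if __name__ == "__main__":
    for domain, message in audit_sssd_conf(SAMPLE_CONF):
        print(f"[{domain}] {message}")
```

On a real client, pass the contents of the SSSD configuration file instead of `SAMPLE_CONF`; the SSSD logs remain the authoritative source for whether the daemon is actually offline.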


Re: [Freeipa-users] Odd Password Issue Across the realm

2016-07-21 Thread Rob Crittenden

Auerbach, Steven wrote:

We have our IPA set up as master-master and we have about 25 clients in
realm (including the IPA servers themselves).

We have a single user who changed his unexpired password using the
passwd command logged on to one of the registered clients.

Thereafter, when he logs on to any of the client servers in the realm
with the exception of one, his new password is accepted.  On only one
client server his new password is not accepted.  That client server will
only let him in with a password that was in effect 2 password changes in
the past.

I believe that there is no sync problem between the IPA Masters because
I changed the admin password on one of them (IPA Master) yesterday and
it was available immediately after a logout to sign on as admin to the
other master with the new password.

Are we instructing users with the wrong command for changing an
unexpired password?  If not, where would we turn to rectify this issue
that this one user has with the one IPA client server?


I wonder if sssd on that client is in offline mode.

rob
