Hi Matthew,

> Where should I start looking?

I would start by tailing the logs on the destination host while the user attempts to log in with the account that isn't working. On an EL 7 host you can use 'journalctl -f'; on EL 6 and older you can use 'tail -F /var/log/messages /var/log/secure'.

Are you certain this was just a forgotten password (in other words, was the user ever able to log in to this particular machine)? Do you use any HBAC rules in your environment?

Regards,
j

--
Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project