[Freeipa-users] Replication not happening for user password changes even after increasing the nsslapd-sasl-max-buffers to 2M

Auerbach, Steven Steven.Auerbach at flbog.edu
Thu Feb 5 19:30:05 UTC 2015


A user contacted me today for a password reset.  I made the reset on the ipa-primary. The user opened a terminal session on an SSH Client to a server in the realm and logged in. They received the required immediate password change requirement and did so. They can log off and log back on that same server with their new password.  They attempted to open a terminal shell to another server in the realm. Their new password is not accepted.

Both servers the user is attempting to connect to have the nameserver resolution in the same order (resolv.conf).

On the ipa-primary their password expiration is 90 days from today. On the ipa-replicant the password expiration is about 60 days out (I did this with them Jan 13th also, but they lost their password...). It has been an hour since the user logged on to the server and made their required change.

2 questions arise:
How to safely update replicant with the password change without changing the primary/replicant relationship order?
How to force the other server to refer to the ipa-primary to validate the password?

Thanks


Steven Auerbach
Systems Administrator
State University System of Florida
Board of Governors
325 West Gaines Street
Tallahassee, Florida 32399
(850) 245-9592 | Fax (850) 245-0419
steven.auerbach at flbog.edu | www.flbog.edu