[Freeipa-users] Replication not happening for user password changes even after increasing the nsslapd-sasl-max-buffers to 2M

Rob Crittenden rcritten at redhat.com
Thu Feb 5 21:10:20 UTC 2015


Auerbach, Steven wrote:
> A user contacted me today for a password reset.  I made the reset on the
> ipa-primary. The user opened a terminal session on an SSH Client to a
> server in the realm and logged in. They received the required immediate
> password change requirement and did so. They can log off and log back on
> that same server with their new password.  They attempted to open a
> terminal shell to another server in the realm. Their new password is not
> accepted.
> 
>  
> 
> Both servers the user is attempting to connect to have the nameserver
> resolution in the same order (resolv.conf).
> 
>  
> 
> On the ipa-primary their password expiration is 90 days from today.  On
> the ipa-replicant the password expiration is about 60 days out (I did
> this with them Jan 13th also but they lost their password...). It has
> been an hour since the user logged on to the server and made their
> required change.
> 
>  
> 
> 2 questions arise:
> 
> How to safely update replicant with the password change without changing
> the primary/replicant relationship order?
> 
> How to force the other server to refer to the ipa-primary to validate
> the password?

It sounds like replication isn't working. On each master do this:

$ ipa-replica-manage list -v `hostname`

That will give you the replication status on both sides.

rob
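As an added example (not part of the thread, and not FreeIPA project code): a small POSIX shell helper that runs the check Rob suggests and flags any replication agreement whose "last update status" does not carry error code 0. The two hostnames and the sample output are constructed for the example; the status-line format is assumed from what `ipa-replica-manage list -v` typically prints, so adjust the pattern if your version prints it differently. On a live master you need an admin Kerberos ticket (`kinit admin`) before `ipa-replica-manage` will talk to the directory.

```shell
#!/bin/sh
# Added example: parse `ipa-replica-manage list -v <master>` output and
# report agreements whose last update status is not error code 0.
# Run it on every master, as the reply suggests, since each side only
# reports the status of its own outbound agreements.

# Constructed sample output, standing in for:
#   ipa-replica-manage list -v "$(hostname)"
# The "Error (N) ..." wording is the assumed format of the tool's output;
# code 0 is the success case.
SAMPLE_OUTPUT='ipa-replica.example.test: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (-1) Problem connecting to replica - LDAP error: Cannot contact LDAP server
  last update ended: 2015-02-05 19:58:12+00:00
ipa-third.example.test: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (0) Replica acquired successfully: Incremental update succeeded
  last update ended: 2015-02-05 21:05:40+00:00'

# check_agreements: reads `list -v` output on stdin and prints one line per
# agreement as "<replica> OK|BROKEN <status text>". Exit status is 1 if any
# agreement is BROKEN, 0 otherwise, so it can gate a cron job or a monitor.
check_agreements() {
    awk '
        # A line such as "host.example.test: replica" opens a new agreement.
        /^[^ ].*: replica$/ { replica = $1; sub(/:$/, "", replica) }
        /last update status:/ {
            status = $0
            sub(/^[ \t]*last update status:[ \t]*/, "", status)
            if (status ~ /^Error \(0\)/) {
                print replica " OK " status
            } else {
                print replica " BROKEN " status
                broken = 1
            }
        }
        END { exit broken ? 1 : 0 }
    '
}

# check_master: the real check for the local master (requires a FreeIPA
# master and an admin Kerberos ticket; not exercised offline).
check_master() {
    ipa-replica-manage list -v "$(hostname)" | check_agreements
}

# Offline demonstration against the constructed sample.
printf '%s\n' "$SAMPLE_OUTPUT" | check_agreements
```

A status of `Error (0) ... Incremental update succeeded` only shows that this master can push changes to that replica; run the same check on the other master to see the reverse direction, which is the one that matters when a password changed on the primary never arrives at the replica.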



