[Freeipa-users] Odd Password Issue Across the realm

Rob Crittenden rcritten at redhat.com
Fri Jul 22 18:40:16 UTC 2016


Auerbach, Steven wrote:
> I don't think so.  The sssd service is running on the client server. But it is configured with cache_credentials=true.  I also notice a key ipa_server = _srv_, ipa02.<<domain>>.local.  The thing is, that second name was replaced a number of months ago by a server named ipa-r02.<<domain>>.local.
>
> Could either of these keys point to a problem?

Like I said, it sounds like it is offline. Given that one of the servers 
doesn't exist makes this even more possible.

You need to check the SSSD logs. See 
https://fedorahosted.org/sssd/wiki/Troubleshooting

You can try killing sssd with SIGUSR2 which will try to put it into 
online mode (see man sssd).

rob

>
> Thanks.
>
>
> Steven Auerbach
> Systems Administrator
>
> State University System of Florida
> Board of Governors
> 325 West Gaines Street, Suite 1625C
> Tallahassee, Florida 32399
> (850) 245-9592
> steven.auerbach at flbog.edu | www.flbog.edu
>
>
>
>
> -----Original Message-----
> From: Rob Crittenden [mailto:rcritten at redhat.com]
> Sent: Thursday, July 21, 2016 6:24 PM
> To: Auerbach, Steven <Steven.Auerbach at flbog.edu>; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Odd Password Issue Across the realm
>
> Auerbach, Steven wrote:
>> We have our IPA set up as master-master and we have about 25 clients
>> in realm (including the IPA servers themselves).
>>
>> We have a single user who changed his unexpired password using the
>> passwd command logged on to one of the registered clients.
>>
>> Thereafter, when he logs on to any of the client servers in the realm
>> with the exception of one, his new password is accepted.  On only one
>> client server his new password is not accepted.  That client server
>> will only let him in with a password that was in effect 2 password
>> changes in the past.
>>
>> I believe that there is no sync problem between the IPA Masters
>> because I changed the admin password on one of them (IPA Master)
>> yesterday and it was available immediately after a logout to sign on
>> as admin to the other master with the new password.
>>
>> Are we instructing users with the wrong command for changing an
>> unexpired password?  If not, where would we turn to rectify this issue
>> that this one user has with the one IPA client server?
>
> I wonder if sssd on that client is in offline mode.
>
> rob
>
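
The two sssd.conf settings raised in this thread (cache_credentials and an ipa_server entry naming a replaced server) can be checked with a short script. This is an added example, not part of the original messages or of SSSD/FreeIPA; the function names, the example.test host names and the single-domain config are assumptions, and the sample file is constructed.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): audit sssd.conf for the two settings
# discussed above. Assumes one [domain/...] section; names are hypothetical.

# Print the trimmed value of KEY from "key = value" lines in FILE.
conf_value() {  # conf_value <file> <key>
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*\$/\1/p" "$1" | tail -n 1
}

# audit_sssd_conf <sssd.conf> <live-ipa-server>...
# Returns 1 if ipa_server names a host that is not in the live list.
audit_sssd_conf() {
    conf=$1; shift
    status=0
    cache=$(conf_value "$conf" cache_credentials | tr '[:upper:]' '[:lower:]')
    servers=$(conf_value "$conf" ipa_server | tr ',' ' ')
    for s in $servers; do
        [ "$s" = "_srv_" ] && continue      # DNS SRV discovery, not a fixed host
        found=no
        for live in "$@"; do
            [ "$s" = "$live" ] && found=yes
        done
        if [ "$found" = no ]; then
            echo "STALE ipa_server entry: $s"
            status=1
        fi
    done
    if [ "$cache" = "true" ]; then
        echo "NOTE cache_credentials=true: while offline, logins are checked against the cached password"
    fi
    return $status
}

# Constructed sample mirroring the client in the thread (placeholder domain).
sample=$(mktemp)
cat > "$sample" <<'EOF'
[domain/example.test]
cache_credentials = True
ipa_server = _srv_, ipa02.example.test
EOF

# Live servers are passed by the operator; these two are constructed names.
audit_sssd_conf "$sample" ipa01.example.test ipa-r02.example.test \
    || echo "review $sample before trusting logins on this client"
```

After correcting the ipa_server line, the advice in the reply still applies: check the SSSD logs and send sssd SIGUSR2 so it tries to return to online mode.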



