Hey all -
I'm having an issue whereby password resets for users don't appear to be working... fully. It's odd because, if, through the web interface, I click "Actions", and then "Reset Password", and set it to some temporary password, I can then log in to an IPA client server with that password. That server then prompts me to reset the user's password - confirming, to me, that the password reset "signal" has indeed been sent to that server. I then do the password reset, and can then log into that AND OTHER client servers with that password, suggesting that the password reset has worked!
BUT. When I try to connect to that user via LDAP, using that same password, I get "Invalid credentials (49)". Further, if I try a `kinit $USER` from any of those CLIENT servers, and punch in the password, it seems fine! But whenever I try the SAME `kinit $user` command from the IPA servers, I get `kinit: Password incorrect while getting initial credentials`, which is... deeply troubling, to say the least.
What on Earth is going on?