On ma, 17 tammi 2022, Rob Crittenden via FreeIPA-users wrote:
> Ronald Wimmer via FreeIPA-users wrote:
>> On 13.01.22 09:29, Ronald Wimmer via FreeIPA-users wrote:
>>> Today the problem reappeared. I cannot login with the admin user. The
>>> error message I get is "The password or username you entered is
>>> incorrect". kinit also does not work.
>>>
>>> It seems that the password has changed somehow without user
>>> interaction.
>>>
>>> How can we debug this?
>>>
>>> Cheers,
>>> Ronald
>>
>> We could verify that the user is neither locked nor disabled. The
>> password has not changed since we reset it. There is no obvious reason
>> why the password is not accepted anymore.
>>
>> Whats strange is the fact that a particular IPA server says 'Failed
>> logins: 0' but shows a 'Last failed authentication' timestamp that
is
>> later than the 'Last successful authentication' timestamp.
>
> I suppose what I would do, as DM, is to take a snapshot of one of the
> broken entries, because you want the userPassword, krbPrincipalKey, etc.
> Then reset the password. If it breaks again compare the stored and new
> entry to see what, if anything, is different.
>
> Including things like logs for a failing kinit would be useful as well.
>
> For login failures, following the sssd troubleshooting guide to bump up
> the devel level.
I wonder if this is similar to
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
but can't confirm without krb5kdc logs.