On 21/03/2024 18.42, Rob Crittenden via FreeIPA-users wrote:
Schweiss, Chip via FreeIPA-users wrote:
> I'm building out a multisite installation. For unknown reasons, the
> 'admin' user password needs to be reset each time I join a new FreeIPA
> replica.
>
> It seems to happen a minute or two after the ipa-replica-install
> completes. Attempts to kinit immediately afterward usually work.
>
> Here's my ipa-replica install command I'm using:
>
> ipa-replica-install -n {domain} -r {realm} -d \
> --server={existing_ipa_server} \
> --setup-adtrust --add-agents --mkhomedir \
> --ntp-pool={my_ntp_pool} \
> -p $otp
>
> How do I track down the cause of this?
I don't know how this can happen and don't recall having seen it before.
To track it down you'd need to enable the audit log in 389-ds on all
servers, including any newly created replica and wait for it to be
reset. That will show you at least what machine did so. The actual MOD
is probably not super interesting but who knows.
For the record, the "modifiersName" operational attribute is useless
here. It's always the ipa_pwd_extop plugin:
$ ldapsearch -Y GSSAPI -LLL -b uid=admin,cn=users,cn=accounts,dc=ipahcc,dc=test modifiersName
SASL/GSSAPI authentication started
SASL username: admin(a)IPAHCC.TEST
SASL SSF: 256
SASL data security layer installed.
dn: uid=admin,cn=users,cn=accounts,dc=ipahcc,dc=test
modifiersName: cn=ipa_pwd_extop,cn=plugins,cn=config
Christian
--
Christian Heimes
Principal Software Engineer, Identity Management and Platform Security
Red Hat GmbH,
https://de.redhat.com/ , Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Brian Klemm, Laurie Krebs, Michael
O'Neill
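As an added illustration of the two log sources discussed in this thread (the 389-ds audit log Rob suggests enabling, and Christian's point that modifiersName on the entry only ever names the ipa_pwd_extop plugin), here is a small Python script that is not part of the thread or of the FreeIPA/389-ds code. It parses audit-log entries (the "time:" / "dn:" / "changetype:" LDIF-style blocks 389-ds writes), picks out modify operations on the admin entry that rewrite password attributes, and then joins each one by timestamp to the MOD line in the 389-ds access log, whose conn= identifier ties the operation to the client IP and the DN the connection bound as. The set PASSWORD_ATTRS, the simplified access-log regexes, the 5-second join window and both sample logs (including the host DN placeholder and the version banner) are assumptions constructed for this example.

```python
"""Added example: scan a 389-ds audit log for password-rewriting MODs on one entry and join them with the access log."""
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta

ADMIN_DN = "uid=admin,cn=users,cn=accounts,dc=ipahcc,dc=test"
# Attributes an IPA password change rewrites (assumed set; extend as needed)
PASSWORD_ATTRS = {"userpassword", "krbprincipalkey", "krblastpwdchange"}

@dataclass
class AuditEntry:
    time: str                                   # audit "time:" value, YYYYmmddHHMMSS
    dn: str = ""
    changetype: str = ""
    attrs: list = field(default_factory=list)   # attribute names named by the mod
    modifiersname: str = ""

def parse_audit_log(text):
    """Split an audit log into entries; each begins at a 'time:' line."""
    entries, cur = [], None
    for line in text.splitlines():
        if line.startswith("time: "):
            cur = AuditEntry(time=line[6:].strip())
            entries.append(cur)
        elif cur is None:
            continue                            # version banner before the first entry
        elif line.startswith("dn: "):
            cur.dn = line[4:].strip()
        elif line.startswith("changetype: "):
            cur.changetype = line[12:].strip()
        elif line.startswith(("replace: ", "add: ", "delete: ")):
            cur.attrs.append(line.split(": ", 1)[1].strip().lower())
        elif line.lower().startswith("modifiersname: "):
            cur.modifiersname = line.split(": ", 1)[1].strip()
    return entries

def find_password_mods(entries, dn=ADMIN_DN):
    """Modify operations on `dn` that rewrite at least one password attribute."""
    return [e for e in entries if e.dn.lower() == dn.lower()
            and e.changetype == "modify" and PASSWORD_ATTRS & set(e.attrs)]

# Access-log line shapes, simplified from the 389-ds format (assumption)
CONN_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) fd=\d+ slot=\d+ '
                     r'(?:SSL )?connection from (?P<ip>\S+) to ')
BIND_OK_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=\d+ RESULT err=0 '
                        r'.*\bdn="(?P<dn>[^"]*)"')
MOD_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) '
                    r'MOD dn="(?P<dn>[^"]+)"')

def correlate_mods(access_text, dn=ADMIN_DN):
    """MOD ops on `dn`, each tagged with the client IP and bind DN of its connection."""
    conn_ip, conn_bind, hits = {}, {}, []
    for line in access_text.splitlines():
        if (m := CONN_RE.match(line)):
            conn_ip[m["conn"]] = m["ip"]
        elif (m := BIND_OK_RE.match(line)) and m["dn"]:
            conn_bind[m["conn"]] = m["dn"]      # DN the (SASL) bind mapped to
        elif (m := MOD_RE.match(line)) and m["dn"].lower() == dn.lower():
            # '21/Mar/2024:18:42:04.000000000 +0100' -> naive local datetime
            when = datetime.strptime(m["ts"].split(".")[0], "%d/%b/%Y:%H:%M:%S")
            hits.append({"time": when, "conn": m["conn"], "op": m["op"],
                         "client": conn_ip.get(m["conn"], "?"),
                         "bound_as": conn_bind.get(m["conn"], "?")})
    return hits

def attribute_resets(audit_text, access_text, window=timedelta(seconds=5)):
    """Pair each password MOD in the audit log with the access-log MOD nearest in time."""
    access_hits = correlate_mods(access_text)
    pairs = []
    for e in find_password_mods(parse_audit_log(audit_text)):
        t = datetime.strptime(e.time, "%Y%m%d%H%M%S")
        near = [h for h in access_hits if abs(h["time"] - t) <= window]
        pairs.append((e, min(near, key=lambda h: abs(h["time"] - t)) if near else None))
    return pairs

# Constructed sample logs (not real captures); banner, host DN and values are made up
AUDIT_LOG = """\
389-Directory/2.4.4 B2024.001.0000
time: 20240321184204
dn: uid=admin,cn=users,cn=accounts,dc=ipahcc,dc=test
changetype: modify
replace: userPassword
userPassword: {PBKDF2-SHA512}REDACTED
-
replace: krbPrincipalKey
krbPrincipalKey:: REDACTED
-
replace: modifiersname
modifiersname: cn=ipa_pwd_extop,cn=plugins,cn=config
-

time: 20240321184310
dn: uid=admin,cn=users,cn=accounts,dc=ipahcc,dc=test
changetype: modify
replace: krbLastSuccessfulAuth
krbLastSuccessfulAuth: 20240321184310Z
-
"""
ACCESS_LOG = """\
[21/Mar/2024:18:42:03.100000000 +0100] conn=1234 fd=98 slot=98 connection from 192.0.2.20 to 192.0.2.10
[21/Mar/2024:18:42:03.200000000 +0100] conn=1234 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[21/Mar/2024:18:42:03.300000000 +0100] conn=1234 op=0 RESULT err=0 tag=97 nentries=0 etime=0.001 dn="fqdn=host-placeholder.ipahcc.test,cn=computers,cn=accounts,dc=ipahcc,dc=test"
[21/Mar/2024:18:42:04.000000000 +0100] conn=1234 op=1 MOD dn="uid=admin,cn=users,cn=accounts,dc=ipahcc,dc=test"
[21/Mar/2024:18:42:04.050000000 +0100] conn=1234 op=1 RESULT err=0 tag=103 nentries=0 etime=0.050
"""
```

Run attribute_resets() over the audit and access logs collected from every server, since the reset can be performed on any replica and only that replica's own logs record the originating connection. The audit log is off by default in 389-ds; it is switched on through the cn=config attribute nsslapd-auditlog-logging-enabled (for example `dsconf <instance> config replace nsslapd-auditlog-logging-enabled=on`). Note that the audit entry's modifiersname is the plugin DN in the sample, exactly as Christian describes, which is why the join to the access log's conn= is what yields the client.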